Updated documentation (#640)

Include pass about systemd networkd managing foreign routes and deleting them on restart. Signed-off-by: Tim <tim@tuimz.nl> Co-authored-by: Tim Aerdts <tim@teaminova.nl>
2026-03-24 00:56:26 +00:00 · 2026-03-17 18:33:57 +01:00
parent 59d6263fef
commit 9c56e92443
1 changed files with 8 additions and 0 deletions
--- a/docs/documentation/getting-started/docker.md
+++ b/docs/documentation/getting-started/docker.md
@@ -35,6 +35,14 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
   > :warning: If host networking is used, the WireGuard Portal UI will be accessible on all the host's IP addresses if the listening address is set to `:8888` in the configuration file.
   To avoid this, you can bind the listening address to a specific IP address, for example, the loopback address (`127.0.0.1:8888`). It is also possible to deploy firewall rules to restrict access to the WireGuard Portal UI.

+   > :warning: If the host is running **systemd-networkd**, routes managed by WireGuard Portal may be removed whenever systemd-networkd restarts, as it will clean up routes it considers "foreign". To prevent this, add the following to your host's network configuration (e.g. `/etc/systemd/networkd.conf` or a drop-in file):
+   > ```ini
+   > [Network]
+   > ManageForeignRoutingPolicyRules=no
+   > ManageForeignRoutes=no
+   > ```
+   > After editing, reload the configuration with `sudo systemctl restart systemd-networkd`. For more information refer to the [systemd-networkd documentation](https://www.freedesktop.org/software/systemd/man/latest/networkd.conf.html#ManageForeignRoutes=).
+
 - **Within the WireGuard Portal Docker container**: 
   WireGuard interfaces can be managed directly from within the WireGuard Portal container itself.
   This is the recommended approach when running WireGuard Portal via Docker, as it encapsulates all functionality in a single, portable container without requiring a separate WireGuard host or image.