Djeex/docudjeex
1
1
Fork 0
Code Issues Pull Requests Projects Wiki Activity

Wireguard-15

Browse Source
This commit is contained in:
Djeex
2025-10-26 17:59:42 +00:00
parent a53a424399
commit d2b6fbec5e
4 changed files with 347 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

180
content/3.serveex/3.security/1.wireguard.md
View File

@@ -47,21 +47,21 @@ You *can* allow VPN clients to share access to their local networks, but we won
So only VPN-connected devices can communicate with each other on the VPN, not with other local devices outside the VPN.
## Server Side
## Server Setup
---
::alert{type="info"}
📋 __Checklist:__
- Ensure port `51820 UDP` is available and properly forwarded through your router to the server (`Source 51820 UDP -> Destination 51820 UDP -> Server`).
- Ensure port `51821 TCP` is available for the web UI.
📋 **Pre-flight Checklist:**
- Ensure port `51820 UDP` is free on your server and correctly forwarded from your router (`51820 UDP -> Server`).
- Ensure port `51821 TCP` is free for the web UI.
::
::alert{type="warning"}
:::list{type="warning"}
- __Warning:__ This guide uses version `14` of [wg-easy](https://wg-easy.github.io/wg-easy/latest/). Version `15` introduces breaking changes incompatible with this configuration.
- __Warning__: If your IP is not static, use a Dynamic DNS service ([DynDNS](https://en.wikipedia.org/wiki/Dynamic_DNS)). If your ISP uses [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT), youll need to use an external VPS and connect your local server as a client.
:::
::
Folder structure:
### Folder Structure
```sh
root
@@ -73,104 +73,98 @@ root
└── .env
```
The container runs in `HOST` mode, meaning it uses the hosts network stack directly.
Open Dockge, click **Compose**, and name the stack `wg_easy`.
Open Dockge, click `compose`, and name the stack `wg_easy`.
Paste the following configuration:
Copy the following configuration:
```yaml
---
services:
wg-easy:
network_mode: host
env_file:
- .env
environment:
- LANG=en
- WG_HOST=${HOST}
- PASSWORD_HASH=${PW}
- WG_DEFAULT_ADDRESS=${ADDRESS}
- WG_HIDE_KEYS=never
- WG_ALLOWED_IPS=${IPS}
- WG_DEFAULT_DNS=
- UI_TRAFFIC_STATS=true
- UI_CHART_TYPE=1
image: ghcr.io/wg-easy/wg-easy:14
- INSECURE=true
image: ghcr.io/wg-easy/wg-easy:15
container_name: wg-easy
networks:
wg:
ipv4_address: 10.42.42.42
ipv6_address: fdcc:ad94:bacf:61a3::2a
volumes:
- /docker/wg_easy/config/etc_wireguard:/etc/wireguard
- ./etc_wireguard:/etc/wireguard
- /lib/modules:/lib/modules:ro
ports:
- "51820:51820/udp"
- "51821:51821/tcp"
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv6.conf.all.forwarding=1
- net.ipv6.conf.default.forwarding=1
networks:
wg:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
- subnet: 10.42.42.0/24
- subnet: fdcc:ad94:bacf:61a3::/64
```
::alert{type="success"}
__Tip:__
- You can also specify your own wireguard port with `WG_PORT`
- Add the Watchtower label to enable automatic updates
**Tip:**
- You can customize WireGuard and web UI ports.
- Add a Watchtower label for automatic updates:
```yaml
services
services:
wg-easy:
#...
# ...
labels:
- com.centurylinklabs.watchtower.enable=true
```
::
In `.env`:
```properties
HOST=
PW=
ADDRESS=
IPS=
```
| Variable | Description | Example |
|--------------|-------------|---------|
| `HOST` | IP of public access of your host (router ISP's IP if it's at home) | `80.75.137.27` |
| `PW` | Bcrypt password hash, [generate here](https://bcrypt-generator.com/). **NOTE:** Double the `$` characters | `$$2a$$12$$FF6T4QqSP9Ho` |
| `ADDRESS` | VPN DHCP address range, the `x` must remain, others can vary | `10.8.0.x` |
| `IPS` | IPs routed by clients through the VPN. Use `10.8.0.0/24` to only route VPN traffic. To include local LAN, add `192.168.0.0/16` separated by commas. | `10.8.0.0/24` |
Deploy the stack.
### Enable Forwarding on Host
To allow communication between VPN clients, enable:
```sh
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv4.conf.all.src_valid_mark=1
```
### Retrieve Configuration Files
To configure clients, download the config files from the server:
- Visit `http://your-server-ip:51821`
- Create a client
- Download the config file
- Rename it to `wg0.conf`
Deploy the stack and access the local web UI at `http://server-ip:51821`.
::alert{type="danger"}
:::list{type="danger"}
- If it fails, check firewall rules.
- If the deployment fails, check your firewall rules.
:::
::
## On the Client Server
Once connected, follow the web UI instructions to:
- Create your admin account and password.
- Set the host field (use your public IP or domain name).
Then go to *Administrator → Admin Panel → Config*:
- Change `Allowed IPs` from `0.0.0.0/24` to `10.8.0.0/24` for **split tunneling**.
- Remove IPv6 (it often causes unnecessary issues).
### Retrieve Configuration Files
To configure clients:
1. Access the web UI: `http://server-ip:51821`
2. Create a new client
3. Edit the client and add `10.8.0.0/24` to `Server Allowed IPs`
4. (Optional) Set `Persistent Keep Alive` to `25` if its a permanently connected client
5. Save, download, and rename the file to `wg0.conf` (or `wg1.conf`, etc.)
## Client Server Setup
---
::alert{type="info"}
:::list{type="info"}
- Assumes the client is a Linux server with Docker installed
- We assume the client server runs Linux with Docker installed.
:::
::
Folder structure:
### Folder Structure
```sh
root
@@ -181,33 +175,32 @@ root
└── compose.yaml
```
Create the folder `/docker/wireguard/config/wg_confs`:
::alert{type="success"}
__Tip:__ Use [File Browser](/serveex/files/file-browser) to browse and edit files without terminal
::
Create the folder:
```sh
sudo mkdir -p /docker/wireguard/config/wg_confs
```
Copy the `wg0.conf` file downloaded earlier:
::alert{type="success"}
**Tip:** You can use [File Browser](/serveex/files/file-browser) instead of the terminal to edit and upload files.
::
Create the `wg0.conf` file:
```sh
sudo vi /docker/wireguard/config/wg_confs/wg0.conf
```
Enter insert mode (`i`), paste the downloaded configuration, then save (`Esc``:x`).
::alert{type="success"}
__Tip:__ Easiest way is to transfer the file via SFTP to `/home/youruser`, then move it:
**Alternative method:** Transfer the file via SFTP and move it:
```sh
sudo cp ~/wg0.conf /docker/wireguard/config/wg_confs
```
::
Create `compose.yaml` in `/docker/wireguard`:
```sh
sudo vi /docker/wireguard/compose.yaml
```
Press `i` to enter insert mode and paste:
Create the `compose.yaml` file in `/docker/wireguard`:
```yaml
services:
@@ -217,42 +210,39 @@ services:
network_mode: host
cap_add:
- NET_ADMIN
- SYS_MODULE #optional
- SYS_MODULE
environment:
- TZ=Europe/Paris
volumes:
- /docker/wireguard/config:/config
- /lib/modules:/lib/modules #optional
- /lib/modules:/lib/modules
restart: unless-stopped
```
Press `Esc` then type `:x` to save and exit.
Start the container:
```sh
cd /docker/wireguard
sudo docker compose up -d
```
::alert{type="info" icon="exclamation-circle"}
::alert{type="info"}
:::list{type="info"}
- Repeat for each client
- Repeat this setup for each client.
:::
::
## Other Devices
---
- **Phone:** Install Wireguard and scan the QR code from the web UI (`http://your-server-ip:51821`)
- **PC:** Install the Wireguard client and import the config file
- **Mobile:** Install WireGuard and scan the QR code via the web UI (`http://server-ip:51821`)
- **Desktop:** Install the WireGuard client and import the downloaded config file.
::alert{type="warning"}
:::list{type="warning"}
- __Warning:__ If a client device is on the same LAN as the server, edit `wg0.conf` and change the endpoint to the local server IP:
`Endpoint = your-server-ip:51820`
- **Note:** If the client machine is on the same local network as the server, edit the `wg0.conf` file to use the local server IP:
`Endpoint = server-local-ip:51820`
:::
::
And this is the result:
And heres the final setup overview:
![picture](/img/serveex/wireguard.svg)

258
content/Recycled/1.deprecated/1.wireguard-14.md Normal file
View File

@@ -0,0 +1,258 @@
---
navigation: true
title: Wireguard
main:
fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# Wireguard
::alert{type="info"}
🎯 __Goals:__
- Install Wireguard
- Configure clients
- Access the secure network
::
## Introduction
---
Using a VPN allows remote access to a servers local resources without exposing them to the internet. Its a clean and secure way to access services like SSH without exposing the port publicly. With a VPN, you can securely connect to your network from anywhere and make devices on different networks communicate.
Here we will use [Wireguard](https://www.wireguard.com/), a secure and high-performance VPN server, using containers:
- [wg-easy](https://github.com/wg-easy/wg-easy) as the server, providing a very simple web UI to manage connections and download config files (including QR codes for phones)
- [Wireguard](https://docs.linuxserver.io/images/docker-wireguard/?h=wireguard) as the client for Linux systems
Clients are also available for Windows, macOS, iOS, and Android.
The concept:
- On the internet, anyone can reach any internet box and thus any exposed server.
- Your server is on your local network. It is accessible only locally unless services are explicitly exposed (as we did with Dockge). To access non-exposed resources, you must be on the same local network.
- We want to securely access these unexposed services (like SSH) from anywhere.
- We also want to connect services between servers, like linking two Dockge instances securely.
To achieve this, well create a **Virtual Private Network** (VPN), i.e., a secure tunnel that only connected machines can use. Theyll appear to be on the same private network.
Additionally, you can add your phone, laptop, or other devices to the VPN and securely access your server resources wherever you are.
![picture](/img/serveex/vpn.svg)
In this diagram, machine 1 is part of two networks:
- Its local network (devices behind the same router, e.g. `192.168.x.x` machines 1 and 2)
- The VPN network (VPN devices with a second IP, e.g. `10.8.x.x` machines 1 and 4)
You *can* allow VPN clients to share access to their local networks, but we wont do that here for security and subnet conflict reasons (e.g., if two remote machines use the same local IP like `192.168.1.1`).
So only VPN-connected devices can communicate with each other on the VPN, not with other local devices outside the VPN.
## Server Side
---
::alert{type="info"}
📋 __Checklist:__
- Ensure port `51820 UDP` is available and properly forwarded through your router to the server (`Source 51820 UDP -> Destination 51820 UDP -> Server`).
- Ensure port `51821 TCP` is available for the web UI.
::
::alert{type="warning"}
:::list{type="warning"}
- __Warning:__ This guide uses version `14` of [wg-easy](https://wg-easy.github.io/wg-easy/latest/). Version `15` introduces breaking changes incompatible with this configuration.
:::
::
Folder structure:
```sh
root
└── docker
└── wg-easy
├── config
│ └── etc_wireguard
├── compose.yaml
└── .env
```
The container runs in `HOST` mode, meaning it uses the hosts network stack directly.
Open Dockge, click `compose`, and name the stack `wg_easy`.
Paste the following configuration:
```yaml
---
services:
wg-easy:
network_mode: host
env_file:
- .env
environment:
- LANG=en
- WG_HOST=${HOST}
- PASSWORD_HASH=${PW}
- WG_DEFAULT_ADDRESS=${ADDRESS}
- WG_HIDE_KEYS=never
- WG_ALLOWED_IPS=${IPS}
- WG_DEFAULT_DNS=
- UI_TRAFFIC_STATS=true
- UI_CHART_TYPE=1
image: ghcr.io/wg-easy/wg-easy:14
container_name: wg-easy
volumes:
- /docker/wg_easy/config/etc_wireguard:/etc/wireguard
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
```
::alert{type="success"}
__Tip:__
- You can also specify your own wireguard port with `WG_PORT`
- Add the Watchtower label to enable automatic updates
```yaml
services
wg-easy:
#...
labels:
- com.centurylinklabs.watchtower.enable=true
```
::
In `.env`:
```properties
HOST=
PW=
ADDRESS=
IPS=
```
| Variable | Description | Example |
|--------------|-------------|---------|
| `HOST` | IP of public access of your host (router ISP's IP if it's at home) | `80.75.137.27` |
| `PW` | Bcrypt password hash, [generate here](https://bcrypt-generator.com/). **NOTE:** Double the `$` characters | `$$2a$$12$$FF6T4QqSP9Ho` |
| `ADDRESS` | VPN DHCP address range, the `x` must remain, others can vary | `10.8.0.x` |
| `IPS` | IPs routed by clients through the VPN. Use `10.8.0.0/24` to only route VPN traffic. To include local LAN, add `192.168.0.0/16` separated by commas. | `10.8.0.0/24` |
Deploy the stack.
### Enable Forwarding on Host
To allow communication between VPN clients, enable:
```sh
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv4.conf.all.src_valid_mark=1
```
### Retrieve Configuration Files
To configure clients, download the config files from the server:
- Visit `http://your-server-ip:51821`
- Create a client
- Download the config file
- Rename it to `wg0.conf`
::alert{type="danger"}
:::list{type="danger"}
- If it fails, check firewall rules.
:::
::
## On the Client Server
---
::alert{type="info"}
:::list{type="info"}
- Assumes the client is a Linux server with Docker installed
:::
::
Folder structure:
```sh
root
└── docker
└── wireguard
└── config
│ └── wg_confs
└── compose.yaml
```
Create the folder `/docker/wireguard/config/wg_confs`:
::alert{type="success"}
__Tip:__ Use [File Browser](/serveex/files/file-browser) to browse and edit files without terminal
::
```sh
sudo mkdir -p /docker/wireguard/config/wg_confs
```
Copy the `wg0.conf` file downloaded earlier:
::alert{type="success"}
__Tip:__ Easiest way is to transfer the file via SFTP to `/home/youruser`, then move it:
```sh
sudo cp ~/wg0.conf /docker/wireguard/config/wg_confs
```
::
Create `compose.yaml` in `/docker/wireguard`:
```sh
sudo vi /docker/wireguard/compose.yaml
```
Press `i` to enter insert mode and paste:
```yaml
services:
wireguard:
image: lscr.io/linuxserver/wireguard:latest
container_name: wireguard
network_mode: host
cap_add:
- NET_ADMIN
- SYS_MODULE #optional
environment:
- TZ=Europe/Paris
volumes:
- /docker/wireguard/config:/config
- /lib/modules:/lib/modules #optional
restart: unless-stopped
```
Press `Esc` then type `:x` to save and exit.
Start the container:
```sh
cd /docker/wireguard
sudo docker compose up -d
```
::alert{type="info"}
:::list{type="info"}
- Repeat for each client
:::
::
## Other Devices
---
- **Phone:** Install Wireguard and scan the QR code from the web UI (`http://your-server-ip:51821`)
- **PC:** Install the Wireguard client and import the config file
::alert{type="warning"}
:::list{type="warning"}
- __Warning:__ If a client device is on the same LAN as the server, edit `wg0.conf` and change the endpoint to the local server IP:
`Endpoint = your-server-ip:51820`
:::
::
And this is the result:
![picture](/img/serveex/wireguard.svg)

2
content/Recycled/1.deprecated/_dir.yaml Normal file
View File

@@ -0,0 +1,2 @@
icon: lucide:trash-2
navigation.title: Deprecated

2
content/Recycled/_dir.yml Normal file
View File

@@ -0,0 +1,2 @@
icon: noto:recycling-symbol
navigation.title: Recycled