Wireguard-15

2025-10-26 17:59:42 +00:00
parent a53a424399
commit d2b6fbec5e
4 changed files with 347 additions and 95 deletions

@@ -47,21 +47,21 @@ You *can* allow VPN clients to share access to their local networks, but we won
So only VPN-connected devices can communicate with each other on the VPN, not with other local devices outside the VPN.
## Server Side
## Server Setup
---
::alert{type="info"}
📋 __Checklist:__
- Ensure port `51820 UDP` is available and properly forwarded through your router to the server (`Source 51820 UDP -> Destination 51820 UDP -> Server`).
- Ensure port `51821 TCP` is available for the web UI.
📋 **Pre-flight Checklist:**
- Ensure port `51820 UDP` is free on your server and correctly forwarded from your router (`51820 UDP -> Server`).
- Ensure port `51821 TCP` is free for the web UI.
::
::alert{type="warning"}
:::list{type="warning"}
- __Warning:__ This guide uses version `14` of [wg-easy](https://wg-easy.github.io/wg-easy/latest/). Version `15` introduces breaking changes incompatible with this configuration.
- __Warning__: If your IP is not static, use a Dynamic DNS service ([DynDNS](https://en.wikipedia.org/wiki/Dynamic_DNS)). If your ISP uses [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT), youll need to use an external VPS and connect your local server as a client.
:::
::
Folder structure:
### Folder Structure
```sh
root
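Review bot: the bullet "This guide uses version `14` of wg-easy ... Version `15` introduces breaking changes incompatible with this configuration" in the `:::list{type="warning"}` block contradicts the rest of this commit, which switches the image to `ghcr.io/wg-easy/wg-easy:15`; if that bullet is not among the removed lines of this hunk, drop it or reword it to say the guide now targets `15` (and that readers on the old `14` layout need to migrate). While touching the checklist, it is worth stating that `51821 TCP` should stay reachable only from the LAN and must not be forwarded from the router, because the web UI is later run with `INSECURE=true` (plain HTTP) and is where the admin account is created.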
@@ -73,104 +73,98 @@ root
└── .env
```
The container runs in `HOST` mode, meaning it uses the hosts network stack directly.
Open Dockge, click **Compose**, and name the stack `wg_easy`.
Open Dockge, click `compose`, and name the stack `wg_easy`.
Paste the following configuration:
Copy the following configuration:
```yaml
---
services:
wg-easy:
network_mode: host
env_file:
- .env
environment:
- LANG=en
- WG_HOST=${HOST}
- PASSWORD_HASH=${PW}
- WG_DEFAULT_ADDRESS=${ADDRESS}
- WG_HIDE_KEYS=never
- WG_ALLOWED_IPS=${IPS}
- WG_DEFAULT_DNS=
- UI_TRAFFIC_STATS=true
- UI_CHART_TYPE=1
image: ghcr.io/wg-easy/wg-easy:14
- INSECURE=true
image: ghcr.io/wg-easy/wg-easy:15
container_name: wg-easy
networks:
wg:
ipv4_address: 10.42.42.42
ipv6_address: fdcc:ad94:bacf:61a3::2a
volumes:
- /docker/wg_easy/config/etc_wireguard:/etc/wireguard
- ./etc_wireguard:/etc/wireguard
- /lib/modules:/lib/modules:ro
ports:
- "51820:51820/udp"
- "51821:51821/tcp"
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv6.conf.all.forwarding=1
- net.ipv6.conf.default.forwarding=1
networks:
wg:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
- subnet: 10.42.42.0/24
- subnet: fdcc:ad94:bacf:61a3::/64
```
::alert{type="success"}
__Tip:__
- You can also specify your own wireguard port with `WG_PORT`
- Add the Watchtower label to enable automatic updates
**Tip:**
- You can customize WireGuard and web UI ports.
- Add a Watchtower label for automatic updates:
```yaml
services
services:
wg-easy:
#...
# ...
labels:
- com.centurylinklabs.watchtower.enable=true
```
::
In `.env`:
```properties
HOST=
PW=
ADDRESS=
IPS=
```
| Variable | Description | Example |
|--------------|-------------|---------|
| `HOST` | IP of public access of your host (router ISP's IP if it's at home) | `80.75.137.27` |
| `PW` | Bcrypt password hash, [generate here](https://bcrypt-generator.com/). **NOTE:** Double the `$` characters | `$$2a$$12$$FF6T4QqSP9Ho` |
| `ADDRESS` | VPN DHCP address range, the `x` must remain, others can vary | `10.8.0.x` |
| `IPS` | IPs routed by clients through the VPN. Use `10.8.0.0/24` to only route VPN traffic. To include local LAN, add `192.168.0.0/16` separated by commas. | `10.8.0.0/24` |
Deploy the stack.
### Enable Forwarding on Host
To allow communication between VPN clients, enable:
```sh
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv4.conf.all.src_valid_mark=1
```
### Retrieve Configuration Files
To configure clients, download the config files from the server:
- Visit `http://your-server-ip:51821`
- Create a client
- Download the config file
- Rename it to `wg0.conf`
Deploy the stack and access the local web UI at `http://server-ip:51821`.
::alert{type="danger"}
:::list{type="danger"}
- If it fails, check firewall rules.
- If the deployment fails, check your firewall rules.
:::
::
## On the Client Server
Once connected, follow the web UI instructions to:
- Create your admin account and password.
- Set the host field (use your public IP or domain name).
Then go to *Administrator → Admin Panel → Config*:
- Change `Allowed IPs` from `0.0.0.0/24` to `10.8.0.0/24` for **split tunneling**.
- Remove IPv6 (it often causes unnecessary issues).
### Retrieve Configuration Files
To configure clients:
1. Access the web UI: `http://server-ip:51821`
2. Create a new client
3. Edit the client and add `10.8.0.0/24` to `Server Allowed IPs`
4. (Optional) Set `Persistent Keep Alive` to `25` if its a permanently connected client
5. Save, download, and rename the file to `wg0.conf` (or `wg1.conf`, etc.)
## Client Server Setup
---
::alert{type="info"}
:::list{type="info"}
- Assumes the client is a Linux server with Docker installed
- We assume the client server runs Linux with Docker installed.
:::
::
Folder structure:
### Folder Structure
```sh
root
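Review bot: `- INSECURE=true` makes the web UI serve plain HTTP, and `- "51821:51821/tcp"` publishes it on every host interface, so the admin credentials created in "Create your admin account and password" and every later login cross the network in cleartext; either bind the UI to the LAN/localhost (`- "127.0.0.1:51821:51821/tcp"` or a LAN address) or put a TLS reverse proxy in front and drop `INSECURE=true`, and say so in the text instead of presenting `INSECURE=true` as the default. Two smaller points in the same hunk: the Allowed IPs bullet should read "from `0.0.0.0/0` to `10.8.0.0/24`" (the full-tunnel default is `/0`, not `0.0.0.0/24`), and if `network_mode: host` survives alongside the new `networks:`/`ipv4_address` and `ports:` entries, Compose rejects the combination (`network_mode` cannot be combined with `networks`), so the `:15` layout should keep only the bridge `wg` network.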
@@ -181,33 +175,32 @@ root
└── compose.yaml
```
Create the folder `/docker/wireguard/config/wg_confs`:
::alert{type="success"}
__Tip:__ Use [File Browser](/serveex/files/file-browser) to browse and edit files without terminal
::
Create the folder:
```sh
sudo mkdir -p /docker/wireguard/config/wg_confs
```
Copy the `wg0.conf` file downloaded earlier:
::alert{type="success"}
**Tip:** You can use [File Browser](/serveex/files/file-browser) instead of the terminal to edit and upload files.
::
Create the `wg0.conf` file:
```sh
sudo vi /docker/wireguard/config/wg_confs/wg0.conf
```
Enter insert mode (`i`), paste the downloaded configuration, then save (`Esc``:x`).
::alert{type="success"}
__Tip:__ Easiest way is to transfer the file via SFTP to `/home/youruser`, then move it:
**Alternative method:** Transfer the file via SFTP and move it:
```sh
sudo cp ~/wg0.conf /docker/wireguard/config/wg_confs
```
::
Create `compose.yaml` in `/docker/wireguard`:
```sh
sudo vi /docker/wireguard/compose.yaml
```
Press `i` to enter insert mode and paste:
Create the `compose.yaml` file in `/docker/wireguard`:
```yaml
services:
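Review bot: `sudo cp ~/wg0.conf /docker/wireguard/config/wg_confs` keeps whatever mode the file had in the home directory (typically `0644`, readable by every local user), and `wg0.conf` holds the client's `PrivateKey`; the same applies to a file created with `sudo vi` under the default umask. Add `sudo chmod 600 /docker/wireguard/config/wg_confs/wg0.conf` after either method, and mention deleting the copy left in `~` once it has been moved.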
@@ -217,42 +210,39 @@ services:
network_mode: host
cap_add:
- NET_ADMIN
- SYS_MODULE #optional
- SYS_MODULE
environment:
- TZ=Europe/Paris
volumes:
- /docker/wireguard/config:/config
- /lib/modules:/lib/modules #optional
- /lib/modules:/lib/modules
restart: unless-stopped
```
Press `Esc` then type `:x` to save and exit.
Start the container:
```sh
cd /docker/wireguard
sudo docker compose up -d
```
::alert{type="info" icon="exclamation-circle"}
::alert{type="info"}
:::list{type="info"}
- Repeat for each client
- Repeat this setup for each client.
:::
::
## Other Devices
---
- **Phone:** Install Wireguard and scan the QR code from the web UI (`http://your-server-ip:51821`)
- **PC:** Install the Wireguard client and import the config file
- **Mobile:** Install WireGuard and scan the QR code via the web UI (`http://server-ip:51821`)
- **Desktop:** Install the WireGuard client and import the downloaded config file.
::alert{type="warning"}
:::list{type="warning"}
- __Warning:__ If a client device is on the same LAN as the server, edit `wg0.conf` and change the endpoint to the local server IP:
`Endpoint = your-server-ip:51820`
- **Note:** If the client machine is on the same local network as the server, edit the `wg0.conf` file to use the local server IP:
`Endpoint = server-local-ip:51820`
:::
::
And this is the result:
And heres the final setup overview:
![picture](/img/serveex/wireguard.svg)
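Review bot: dropping `#optional` from `- SYS_MODULE` and replacing `- /lib/modules:/lib/modules #optional` with a read-write `- /lib/modules:/lib/modules` widens the client container's privileges without explanation: `CAP_SYS_MODULE` lets a process in the container load arbitrary kernel modules (effectively root on the host), and a writable modules mount lets it alter what gets loaded. Keep the mount read-only as the server-side compose already does (`- /lib/modules:/lib/modules:ro`), and keep the "optional" wording, since on kernels with built-in WireGuard (5.6 and later) neither the capability nor the mount is needed and both lines can be removed.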