Difference between revisions of "Wireguard"

From wiki.bastelbude.grade.de
Jump to: navigation, search
(nginx)
(wireguard-ui)
Line 78: Line 78:
 
** Post Up Script <code>iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE</code>
 
** Post Up Script <code>iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE</code>
 
** Post Down Script <code>iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE</code>
 
** Post Down Script <code>iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE</code>
 +
* add clients
 +
* apply config

Revision as of 08:45, 21 October 2023

plesk, docker, wireguard

prerequisite

Plesk

  • watch out for plesk-default-firewall-rules! System policy for traffic forwarding = Deny forwarding of all other traffic
    • change to Allow ...
  • add firewall-rule Allow incoming from all on port 51820/udp
  • add Plesk Docker Extension
  • add Additional nginx directives
location / {
	proxy_pass http://localhost:5000;
}

shell

  • apt install docker-compose
  • edit /etc/sysctl.conf net.ipv4.ip_forward=1
    • reload sysctl -p
  • check kernel module modprobe wireguard

docker compose

  • mkdir /var/www/vhosts/guard.grade.de/wireguard
  • cd /var/www/vhosts/guard.grade.de/wireguard
  • docker-compose.yaml
version: "3"

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
  • testing docker-compose up
  • production docker-compose up -d

wireguard-ui

  • https://guard.grade.de/global-settings
    • check Endpoint Address
    • edit Wireguard Config File Path: /etc/wireguard/wg_confs/wg0.conf
  • https://guard.grade.de/wg-server
    • Post Up Script iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
    • Post Down Script iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
  • add clients
  • apply config
Retrieved from "https://bastelbude.grade.de/mediawiki/index.php?title=Wireguard&oldid=3292"