Difference between revisions of "Wireguard"

From wiki.bastelbude.grade.de
Latest revision as of 11:47, 21 October 2023

plesk, docker, wireguard

how-to

  • https://linuxiac.com/how-to-set-up-wireguard-vpn-with-docker/
  • https://github.com/ngoduykhanh/wireguard-ui
  • https://docs.linuxserver.io/images/docker-wireguard
prerequisite

Plesk

  • watch out for the Plesk default firewall rules: "System policy for traffic forwarding" is set to "Deny forwarding of all other traffic"
    • change it to Allow ...
  • add firewall-rule Allow incoming from all on port 51820/udp
  • add Plesk Docker Extension
  • add Additional nginx directives
location / {
	proxy_pass http://localhost:5000;
}

shell

  • apt install docker-compose
  • edit /etc/sysctl.conf: add net.ipv4.ip_forward=1
    • reload with sysctl -p
  • check that the kernel module is available: modprobe wireguard
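The Plesk note about the forwarding policy and the three shell prerequisites above are easy to get half-right (a stale sysctl.conf entry, a module that is not loaded, a FORWARD chain still at DROP). The following preflight script is an added example and not part of the wiki page: each check parses a file or a command's output, so it can be pointed at the live host or, for testing, at constructed sample input. The sample lines in the comments are constructed; the paths /etc/sysctl.conf and /proc/modules are the standard Linux locations.

```shell
#!/bin/sh
# Added example (not from the wiki): preflight checks before starting the
# wireguard / wireguard-ui containers on a Plesk host.

# Prints 1 if net.ipv4.ip_forward=1 is the last effective setting in a
# sysctl.conf-style file (comments stripped, whitespace around '=' tolerated,
# later entries override earlier ones), otherwise 0. Missing file counts as 0.
ip_forward_enabled() {
    conf="${1:-/etc/sysctl.conf}"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$conf" 2>/dev/null \
        | awk -F= '$1=="net.ipv4.ip_forward"{v=$2} END{print ((v=="1") ? 1 : 0)}'
}

# Prints 1 if the named module is listed in /proc/modules (or a sample file in
# the same format, e.g. "wireguard 94208 0 - Live 0x0"), otherwise 0.
module_loaded() {
    mod="$1"; modules="${2:-/proc/modules}"
    [ -r "$modules" ] || { echo 0; return; }
    awk -v m="$mod" '$1==m{found=1} END{print (found ? 1 : 0)}' "$modules"
}

# Reads `iptables -S FORWARD` output on stdin and prints the chain policy.
# Plesk's "Deny forwarding of all other traffic" shows up here as DROP;
# VPN clients cannot reach anything beyond the host until it is ACCEPT
# (or explicit ACCEPT rules for wg0 exist, as in the PostUp script).
forward_policy() {
    awk '$1=="-P" && $2=="FORWARD"{print $3; exit}'
}

# Runs all checks against the live host; returns non-zero if any fails.
preflight() {
    rc=0
    [ "$(ip_forward_enabled /etc/sysctl.conf)" = 1 ] \
        || { echo "net.ipv4.ip_forward=1 not set in /etc/sysctl.conf"; rc=1; }
    [ "$(module_loaded wireguard)" = 1 ] \
        || { echo "wireguard module not loaded (try: modprobe wireguard)"; rc=1; }
    if command -v iptables >/dev/null 2>&1; then
        pol=$(iptables -S FORWARD 2>/dev/null | forward_policy)
        [ "$pol" = ACCEPT ] \
            || { echo "FORWARD policy is '${pol:-unknown}', Plesk forwarding policy still denies"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "preflight ok"
    return "$rc"
}

# Run the live checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as root with `--run` before `docker-compose up`; a non-zero exit lists what still needs fixing. The parsers are separated from the live calls so the same logic can be exercised against sample files without touching the host.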

docker compose

  • mkdir /var/www/vhosts/guard.grade.de/wireguard
  • cd /var/www/vhosts/guard.grade.de/wireguard
  • docker-compose.yaml
version: "3"

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
      # "5000:5000" binds on all host interfaces; "127.0.0.1:5000:5000" would restrict access to the nginx reverse proxy in front of it
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      # default web-UI credentials; change them (and set SESSION_SECRET) before the UI is reachable
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
  • testing docker-compose up
  • production docker-compose up -d
  • stopping docker-compose down

wireguard-ui

  • https://guard.grade.de/global-settings
    • check Endpoint Address
    • edit Wireguard Config File Path: /etc/wireguard/wg_confs/wg0.conf
  • https://guard.grade.de/wg-server
    • Post Up Script iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
    • Post Down Script iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
  • https://guard.grade.de/profile
    • change password
  • add clients
  • apply config


plesk, wireguard

running wireguard inside docker failed, new approach: running wireguard on the host!

  • apt install wireguard
  • edit /etc/sysctl.conf: add net.ipv4.ip_forward=1
  • apply changes sysctl -p
  • systemctl enable wg-quick@wg0
  • systemctl start wg-quick@wg0.service
  • systemctl status wg-quick@wg0.service
  • systemctl stop wg-quick@wg0.service
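The host-based steps above enable wg-quick@wg0 but do not show the wg0.conf it reads, and the Post Up / Post Down rules appear only in the wireguard-ui section. The script below is an added example, not the wiki's own config: it writes a server-side wg0.conf that carries those same forwarding and NAT rules, made idempotent with `iptables -C ... ||` so a PostUp that runs twice does not duplicate rules, and sanity-checks the file before the service is started. The uplink name ens6 is taken from the page; the address 10.8.0.1/24, the placeholder key and the file path are assumptions (real keys come from `wg genkey | tee privatekey | wg pubkey`).

```shell
#!/bin/sh
# Added example (not from the wiki): build and check a host-side wg0.conf
# for `systemctl start wg-quick@wg0`.

# Emit the PostUp or PostDown line. $1 = up|down, $2 = wg interface, $3 = uplink.
# PostUp checks each rule with -C before appending it so repeated runs stay clean.
wg_hook() {
    mode="$1"; wg="$2"; out="$3"
    if [ "$mode" = up ]; then
        printf 'PostUp = iptables -C FORWARD -i %s -j ACCEPT || iptables -A FORWARD -i %s -j ACCEPT; ' "$wg" "$wg"
        printf 'iptables -C FORWARD -o %s -j ACCEPT || iptables -A FORWARD -o %s -j ACCEPT; ' "$wg" "$wg"
        printf 'iptables -t nat -C POSTROUTING -o %s -j MASQUERADE || iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$out" "$out"
    else
        printf 'PostDown = iptables -D FORWARD -i %s -j ACCEPT; iptables -D FORWARD -o %s -j ACCEPT; ' "$wg" "$wg"
        printf 'iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$out"
    fi
}

# Write the server config. $1 = path, $2 = server private key, $3 = server
# address (CIDR), $4 = uplink interface (default ens6 as on the page).
# The file holds the private key, so it is created with mode 0600.
write_wg_conf() {
    path="$1"; key="$2"; addr="$3"; uplink="${4:-ens6}"
    (
        umask 077
        {
            printf '[Interface]\n'
            printf 'Address = %s\n' "$addr"
            printf 'ListenPort = 51820\n'
            printf 'PrivateKey = %s\n' "$key"
            wg_hook up wg0 "$uplink"
            wg_hook down wg0 "$uplink"
            printf '\n# one [Peer] block per client is appended here\n'
        } > "$path"
    )
    chmod 600 "$path"
}

# Sanity-check a config: prints "ok" and returns 0 when ListenPort is 51820
# (the port opened in the Plesk firewall), a PrivateKey is present and the
# mode is 0600; otherwise prints the problems and returns 1.
check_wg_conf() {
    path="$1"; rc=0
    grep -q '^ListenPort = 51820$' "$path" || { echo "ListenPort is not 51820"; rc=1; }
    grep -q '^PrivateKey = ..*$' "$path" || { echo "PrivateKey missing"; rc=1; }
    mode=$(ls -l "$path" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "mode is $mode, expected -rw------- (chmod 600)"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Demo when invoked as: sh wg0conf.sh --demo  (writes ./wg0.conf.example)
if [ "${1:-}" = "--demo" ]; then
    write_wg_conf ./wg0.conf.example "REPLACE_WITH_OUTPUT_OF_wg_genkey" 10.8.0.1/24 ens6
    check_wg_conf ./wg0.conf.example
fi
```

Copy the generated file to /etc/wireguard/wg0.conf, append a [Peer] block per client, and run `check_wg_conf /etc/wireguard/wg0.conf` before `systemctl start wg-quick@wg0.service`; wg-quick refuses configs that are world-readable, so the mode check catches the most common start failure early.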


docker-wireguard-ui

  • https://adminforge.de/linux-allgemein/vpn/wireguard-vpn-server-mit-web-interface-einrichten/