Difference between revisions of "Wireguard"

From wiki.bastelbude.grade.de
Latest revision as of 11:47, 21 October 2023

plesk, docker, wireguard

how-to

prerequisite

Plesk

  • watch out for the Plesk default firewall rules! "System policy for traffic forwarding" defaults to "Deny forwarding of all other traffic", which drops the routed VPN traffic
    • change it to "Allow ..."
  • add a firewall rule: Allow incoming from all on port 51820/udp
  • add the Plesk Docker Extension
  • add Additional nginx directives for the vhost, so the web UI is reached through the Plesk site (https://guard.grade.de) instead of directly on port 5000:
location / {
	proxy_pass http://localhost:5000;
}
  • note: Docker publishes the UI port on every host interface unless the compose mapping is restricted to 127.0.0.1, so the UI (initially admin/admin) is otherwise also reachable directly on port 5000

shell

  • apt install docker-compose
  • edit /etc/sysctl.conf: add net.ipv4.ip_forward=1
    • reload with sysctl -p
  • load and check the kernel module: modprobe wireguard, then lsmod | grep wireguard

docker compose

  • mkdir /var/www/vhosts/guard.grade.de/wireguard
  • cd /var/www/vhosts/guard.grade.de/wireguard
  • docker-compose.yaml
version: "3"

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
      # "5000:5000" publishes the UI on all host interfaces; "127.0.0.1:5000:5000" keeps it reachable only via the Plesk nginx proxy
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      # entries without a value are taken from the shell environment / .env file when compose runs
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      # initial admin login; change it under /profile after the first start
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin
      - WG_CONF_TEMPLATE
      # let the UI start wg0 on boot and restart it after "apply config"
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
  • testing: docker-compose up
  • production: docker-compose up -d
  • stopping: docker-compose down

wireguard-ui

  • https://guard.grade.de/global-settings
    • check Endpoint Address (the public hostname or IP the clients connect to)
    • edit Wireguard Config File Path: /etc/wireguard/wg_confs/wg0.conf
  • https://guard.grade.de/wg-server
    • Post Up Script: iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
    • Post Down Script: iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
    • note: these scripts run inside the wireguard container, whose outbound interface is the container's own (usually eth0), not the host's ens6; check with docker exec wireguard ip route before using the interface name in the MASQUERADE rule
  • https://guard.grade.de/profile
    • change the password (the compose file starts the UI with admin/admin)
  • add clients
  • apply config


plesk, wireguard

running wireguard inside docker failed, new approach: running wireguard on the host!

  • apt install wireguard
  • edit /etc/sysctl.conf: add net.ipv4.ip_forward=1
  • apply changes: sysctl -p
  • create /etc/wireguard/wg0.conf with mode 0600 (it holds the server private key); wg-quick@wg0 reads exactly this file
  • systemctl enable wg-quick@wg0
  • systemctl start wg-quick@wg0.service
  • systemctl status wg-quick@wg0.service
  • systemctl stop wg-quick@wg0.service
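The wg-quick@wg0 unit needs /etc/wireguard/wg0.conf, which the page does not show. The script below is an added example, not the wiki's own material: it renders that file with the same iptables Post Up / Post Down rules the page enters into wireguard-ui for the Docker variant, installs it with mode 0600 so the private key stays private, and reports the ip_forward sysctl. The WAN interface name ens6 (taken from the page's iptables rules), the tunnel subnet 10.8.0.0/24, port 51820, the file name wg0-conf.sh and the placeholder key strings are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): build /etc/wireguard/wg0.conf for the
# "wireguard on host" variant. Assumptions: WAN interface ens6, tunnel 10.8.0.0/24,
# UDP port 51820. Key strings used below are constructed placeholders.

# Print the [Interface] section.
# $1 server private key, $2 WAN interface, $3 UDP listen port,
# $4 server tunnel address in CIDR notation.
render_interface() {
    cat <<EOF
[Interface]
Address = $4
ListenPort = $3
PrivateKey = $1
# Same forwarding/NAT rules the page configures as Post Up / Post Down in wireguard-ui.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $2 -j MASQUERADE
EOF
}

# Print a [Peer] section. $1 client public key, $2 the single /32 this client may
# use; a /32 per peer keeps one client from claiming another client's address.
render_peer() {
    cat <<EOF

[Peer]
PublicKey = $1
AllowedIPs = $2
EOF
}

# Write stdin to $1 with mode 0600 (umask first, so the file is never world-readable).
install_conf() {
    umask 077
    cat > "$1"
    chmod 600 "$1"
}

# Permission string of a file as ls shows it, e.g. -rw-------.
conf_mode() {
    ls -l "$1" | cut -c1-10
}

# Current IPv4 forwarding state (the sysctl step above): prints 0, 1 or unknown.
ip_forward_state() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# Generate a keypair with wg(8) when it is installed; prints "private public".
gen_keypair() {
    priv=$(wg genkey) || return 1
    pub=$(echo "$priv" | wg pubkey) || return 1
    printf '%s %s\n' "$priv" "$pub"
}

# Usage: ./wg0-conf.sh --install (as root). Nothing runs when the file is sourced.
if [ "${1:-}" = "--install" ]; then
    set -e
    keys=$(gen_keypair)
    server_priv=${keys%% *}
    # constructed placeholder: replace with the client's key from `wg genkey | wg pubkey`
    client_pub="CLIENT_PUBLIC_KEY_HERE"
    {
        render_interface "$server_priv" ens6 51820 10.8.0.1/24
        render_peer "$client_pub" 10.8.0.2/32
    } | install_conf /etc/wireguard/wg0.conf
    echo "ip_forward=$(ip_forward_state)"
    systemctl enable --now wg-quick@wg0
fi
```

If ip_forward prints 0 after `sysctl -p`, the /etc/sysctl.conf entry did not take effect and forwarded VPN traffic will be dropped by the kernel before any iptables rule sees it.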


docker-wireguard-ui

  • https://adminforge.de/linux-allgemein/vpn/wireguard-vpn-server-mit-web-interface-einrichten/