Difference between revisions of "Wireguard"
(→shell) |
(→plesk, wireguard) |
||
| (18 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== plesk, docker, wireguard == | == plesk, docker, wireguard == | ||
| + | === how-to === | ||
| + | * https://linuxiac.com/how-to-set-up-wireguard-vpn-with-docker/ | ||
| + | * https://github.com/ngoduykhanh/wireguard-ui | ||
| + | * https://docs.linuxserver.io/images/docker-wireguard | ||
=== prerequisite === | === prerequisite === | ||
==== Plesk ==== | ==== Plesk ==== | ||
| − | * watch out for plesk-default-firewall-rules! | + | * watch out for plesk-default-firewall-rules! <code>System policy for traffic forwarding = Deny forwarding of all other traffic</code> |
| − | + | ** change to <code>Allow ...</code> | |
| − | + | * add firewall-rule <code>Allow incoming from all on port 51820/udp</code> | |
| − | * add firewall-rule < | + | * add Plesk Docker Extension |
| − | * add | + | * add Additional nginx directives |
| + | <pre> | ||
| + | location / { | ||
| + | proxy_pass http://localhost:5000; | ||
| + | } | ||
| + | </pre> | ||
==== shell ==== | ==== shell ==== | ||
* <code>apt install docker-compose</code> | * <code>apt install docker-compose</code> | ||
* edit /etc/sysctl.conf <code>net.ipv4.ip_forward=1</code> | * edit /etc/sysctl.conf <code>net.ipv4.ip_forward=1</code> | ||
| − | ** <code>sysctl -p</code> | + | ** reload <code>sysctl -p</code> |
| − | <code>modprobe wireguard</code> | + | * check kernel module <code>modprobe wireguard</code> |
<code></code> | <code></code> | ||
| + | |||
| + | ==== docker compose ==== | ||
| + | * <code>mkdir /var/www/vhosts/guard.grade.de/wireguard</code> | ||
| + | * <code>cd /var/www/vhosts/guard.grade.de/wireguard</code> | ||
| + | * docker-compose.yaml | ||
| + | <pre> | ||
| + | version: "3" | ||
| + | |||
| + | services: | ||
| + | wireguard: | ||
| + | image: linuxserver/wireguard:latest | ||
| + | container_name: wireguard | ||
| + | cap_add: | ||
| + | - NET_ADMIN | ||
| + | volumes: | ||
| + | - ./config:/config | ||
| + | ports: | ||
| + | # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports | ||
| + | - "5000:5000" | ||
| + | # port of the wireguard server | ||
| + | - "51820:51820/udp" | ||
| + | |||
| + | wireguard-ui: | ||
| + | image: ngoduykhanh/wireguard-ui:latest | ||
| + | container_name: wireguard-ui | ||
| + | depends_on: | ||
| + | - wireguard | ||
| + | cap_add: | ||
| + | - NET_ADMIN | ||
| + | # use the network of the 'wireguard' service. this enables to show active clients in the status page | ||
| + | network_mode: service:wireguard | ||
| + | environment: | ||
| + | - SENDGRID_API_KEY | ||
| + | - EMAIL_FROM_ADDRESS | ||
| + | - EMAIL_FROM_NAME | ||
| + | - SESSION_SECRET | ||
| + | - WGUI_USERNAME=admin | ||
| + | - WGUI_PASSWORD=admin | ||
| + | - WG_CONF_TEMPLATE | ||
| + | - WGUI_MANAGE_START=true | ||
| + | - WGUI_MANAGE_RESTART=true | ||
| + | logging: | ||
| + | driver: json-file | ||
| + | options: | ||
| + | max-size: 50m | ||
| + | volumes: | ||
| + | - ./db:/app/db | ||
| + | - ./config:/etc/wireguard | ||
| + | </pre> | ||
| + | * testing <code>docker-compose up</code> | ||
| + | * production <code>docker-compose up -d</code> | ||
| + | * stopping <code>docker-compose down</code> | ||
| + | |||
| + | ==== wireguard-ui ==== | ||
| + | * https://guard.grade.de/global-settings | ||
| + | ** check Endpoint Address | ||
| + | ** edit Wireguard Config File Path: <code>/etc/wireguard/wg_confs/wg0.conf</code> | ||
| + | * https://guard.grade.de/wg-server | ||
| + | ** Post Up Script <code>iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE</code> | ||
| + | ** Post Down Script <code>iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE</code> | ||
| + | * https://guard.grade.de/profile change | ||
| + | ** change password | ||
| + | * add clients | ||
| + | * apply config | ||
| + | |||
| + | |||
| + | == plesk, wireguard == | ||
| + | running wireguard inside docker failed, new approach: runnung wireguard on host! | ||
| + | * <code>apt install wireguard</code> | ||
| + | * edit <code>/etc/sysctl.conf</code> : add <code>net.ipv4.ip_forward=1</code> | ||
| + | * apply changes <code>sysctl -p</code> | ||
| + | * <code>systemctl enable wg-quick@wg0</code> | ||
| + | * <code>systemctl start wg-quick@wg0.service</code> | ||
| + | * <code>systemctl status wg-quick@wg0.service</code> | ||
| + | * <code>systemctl stop wg-quick@wg0.service</code> | ||
| + | |||
| + | |||
| + | === docker-wireguard-ui === | ||
| + | * https://adminforge.de/linux-allgemein/vpn/wireguard-vpn-server-mit-web-interface-einrichten/ | ||
Latest revision as of 11:47, 21 October 2023
Contents
plesk, docker, wireguard
how-to
- https://linuxiac.com/how-to-set-up-wireguard-vpn-with-docker/
- https://github.com/ngoduykhanh/wireguard-ui
- https://docs.linuxserver.io/images/docker-wireguard
prerequisite
Plesk
- watch out for plesk-default-firewall-rules!
System policy for traffic forwarding = Deny forwarding of all other traffic- change to
Allow ...
- change to
- add firewall-rule
Allow incoming from all on port 51820/udp - add Plesk Docker Extension
- add Additional nginx directives
location / {
proxy_pass http://localhost:5000;
}
shell
apt install docker-compose- edit /etc/sysctl.conf
net.ipv4.ip_forward=1- reload
sysctl -p
- reload
- check kernel module
modprobe wireguard
docker compose
mkdir /var/www/vhosts/guard.grade.de/wireguardcd /var/www/vhosts/guard.grade.de/wireguard- docker-compose.yaml
version: "3"
services:
wireguard:
image: linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
volumes:
- ./config:/config
ports:
# port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
- "5000:5000"
# port of the wireguard server
- "51820:51820/udp"
wireguard-ui:
image: ngoduykhanh/wireguard-ui:latest
container_name: wireguard-ui
depends_on:
- wireguard
cap_add:
- NET_ADMIN
# use the network of the 'wireguard' service. this enables to show active clients in the status page
network_mode: service:wireguard
environment:
- SENDGRID_API_KEY
- EMAIL_FROM_ADDRESS
- EMAIL_FROM_NAME
- SESSION_SECRET
- WGUI_USERNAME=admin
- WGUI_PASSWORD=admin
- WG_CONF_TEMPLATE
- WGUI_MANAGE_START=true
- WGUI_MANAGE_RESTART=true
logging:
driver: json-file
options:
max-size: 50m
volumes:
- ./db:/app/db
- ./config:/etc/wireguard
- testing
docker-compose up - production
docker-compose up -d - stopping
docker-compose down
wireguard-ui
- https://guard.grade.de/global-settings
- check Endpoint Address
- edit Wireguard Config File Path:
/etc/wireguard/wg_confs/wg0.conf
- https://guard.grade.de/wg-server
- Post Up Script
iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE - Post Down Script
iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
- Post Up Script
- https://guard.grade.de/profile change
- change password
- add clients
- apply config
plesk, wireguard
running wireguard inside docker failed, new approach: runnung wireguard on host!
apt install wireguard- edit
/etc/sysctl.conf: addnet.ipv4.ip_forward=1 - apply changes
sysctl -p systemctl enable wg-quick@wg0systemctl start wg-quick@wg0.servicesystemctl status wg-quick@wg0.servicesystemctl stop wg-quick@wg0.service
