
Wireguard a fast & lightweight VPN

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

Dependencies

For everything to work out you will need to make sure that you have the following requirements:

If this is the case, we can carry on creating the compose stack.

It is recommended to clone the GitHub repo home-lab for the most up-to-date configuration of this service.

Setting up wireguard network & compose stack

Use a predefined docker network if you would like to make other containers accessible through the VPN tunnel. An example use case is a management network, where you can reach web interfaces (e.g. Portainer) over the tunnel without exposing the management interface to the internet. This improves your security posture by shrinking the attack surface reachable from the web.

If you just want a WG server for your clients to connect to, you can skip this step. If you do want to add other containers to the WG server, you will need to create a docker network called wireguard_network.

sudo docker network create \
    --driver=bridge \
    --subnet=172.155.0.0/16 \
    --ip-range=172.155.5.0/24 \
    --gateway=172.155.5.254 \
    wireguard_network

Create a directory for your docker-compose.yml file and copy the data below into that file.

If you have chosen to make other containers accessible through the VPN tunnel, you will need to uncomment the networks entries (both the top-level networks block and the one under the service)!

version: '3.9'

# Enable the external network when connecting other containers
# ---
# networks:
#   wg:
#     external:
#       name: wireguard_network

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      # Server address written into the client configs. 'auto' detects the host's external IP
      # ---
      - SERVERURL=auto
      - SERVERPORT=51820
      # Peers (client-to-server configs) to generate
      # ---
      - PEERS=user1,user2,site1
      # DNS server handed to the clients. 'auto' uses the host's DNS
      # ---
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      # Allowed IPs for clients. Calculator tool: https://bit.ly/3xOZP1b
      # ---
      - ALLOWEDIPS=0.0.0.0/0
      # Print the generated peer configs and QR codes to the container log
      # ---
      - LOG_CONFS=true
    volumes:
      - /opt/docker/volumes/wireguard/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    # Enable the external network when connecting other containers
    # ---
    # networks:
    #   wg:
    #     # Enable when you want a fixed container IP. The address must lie inside the
    #     # subnet of the wireguard_network you created and must not be its gateway
    #     ipv4_address: 172.155.5.250

Managing the compose stack

The following commands should be run in the same directory as the docker compose file.

# Start the compose stack
# ---
sudo docker compose up -d

# Stop the compose stack
# ---
sudo docker compose down

# Rebuild / restart the compose stack
# ---
sudo docker compose up -d --force-recreate

# View the compose stack logs (service name as defined in the compose file)
# ---
sudo docker compose logs wireguard

You can use a script I have created to print the QR code, or run the following command with your relevant values for CONTAINER_NAME and PEER_NAME.

# Add your relevant values for CONTAINER_NAME and PEER_NAME
# (CONTAINER_NAME is 'wireguard' in the compose file above, PEER_NAME is one of the PEERS)
# ---
sudo docker exec -it CONTAINER_NAME /app/show-peer PEER_NAME

Linux client

If you want to connect your Linux client to your freshly created WG server, you will first need to install it. Run the installation command for your distro.

Debian / Ubuntu

sudo apt install wireguard resolvconf

Fedora

sudo dnf install wireguard-tools

Arch

sudo pacman -S wireguard-tools

Setup WG client

Import your WG peer config into the directory /etc/wireguard/. You can import your peer config by running the following command with your information.

# Replace USERNAME, HOST, PEER_PATH and PEER_NAME with your information.
# /etc/wireguard is owned by root; if scp cannot write there, copy the file
# to a temporary path first and move it with sudo
# ---
scp USERNAME@HOST:PEER_PATH/PEER_NAME.conf /etc/wireguard

After you have successfully imported your peer config file, you can use your WG client. The following commands manage your WireGuard client (PEER_NAME is the config file name without the .conf suffix).

# Start the VPN tunnel
# ---
sudo wg-quick up PEER_NAME

# Stop the VPN tunnel
# ---
sudo wg-quick down PEER_NAME

# Inspect WG
# ---
sudo wg

Windows, Mac, Android & iOS clients

The download link for your system can be found here. To import your peer config on your phone, just scan the QR code in the WG app. To import your peer config on a desktop OS (Windows or Mac), open a terminal and run the following command with your values.

# Replace USERNAME, HOST, PEER_PATH, PEER_NAME and CLIENT_DOWNLOAD_PATH
# with your information
# ---
scp USERNAME@HOST:PEER_PATH/PEER_NAME.conf CLIENT_DOWNLOAD_PATH


⚙️ If you see something that needs to be fixed, this documentation is open source! Feel free to open an issue here.

⭐ If you enjoyed the post I would appreciate a star on GitHub

This post is licensed under CC BY 4.0 by the author.