freie-netze wireguard access server

wg-access-server w/ suricata

requirements

apt install wireguard wireguard-tools sqlite3 sqlite3-tools
# wireguard-dkms

wg --version
sqlite3 --version

modprobe ip_tables
#modprobe ip6_tables
modprobe wireguard

setup

as user

password=`tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1`
privkey=`wg genkey`

mkdir -p /data/wg-access-server-data/
cat > /data/wg-access-server-data/config.yaml <<EOF
# https://www.freie-netze.org/wg-access-server/2-configuration/
loglevel: info
adminPassword: "$password"
storage: sqlite3:///data/db.sqlite3
wireguard:
  privateKey: "$privkey"

# the forwarders to proxy (possibly internal)
# defaults to existing nameservers
#dns:
#  upstream:
#    #- "INTERNAL-DNS-HERE"
#    - "208.67.222.222"
#    - "208.67.220.220"

vpn:
  # routing we are offering
  allowedIPs:
    - "10.0.0.0/8"
  # so that large corporation end-users won't attack each other
  clientIsolation: true

# delete after 6 month unused (default is 1 year)
enableInactiveDeviceDeletion: true
inactiveDeviceGracePeriod: 4380h
EOF
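added example, not from the original page: the same two secrets generated as above, but sanity-checked before the config.yaml is written, and the file created mode 0600 since it holds the admin password and the server private key. the fallback key generator used when wg is not installed is an assumption for offline demo only (same 32-byte base64 shape, but not clamped like wg genkey output).

```sh
#!/bin/sh
# Added example (not the page's or wg-access-server's own code): generate,
# validate and write the secrets for /data/wg-access-server-data/config.yaml
set -eu

# gen_password: 30 alphanumeric chars from /dev/urandom (same recipe as above)
gen_password() {
    tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1
}

# gen_privkey: wg genkey when wireguard-tools is present; otherwise
# (assumption, offline demo only) 32 random bytes in base64
gen_privkey() {
    if command -v wg >/dev/null 2>&1; then
        wg genkey
    else
        head -c 32 /dev/urandom | base64
    fi
}

# is_wg_key KEY: a WireGuard key is base64 of exactly 32 bytes (44 chars)
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# write_config DIR PASSWORD PRIVKEY: refuses bad inputs, writes DIR/config.yaml 0600
write_config() {
    dir=$1 password=$2 privkey=$3
    is_wg_key "$privkey" || { echo "refusing: private key is not 32 base64 bytes" >&2; return 1; }
    [ "${#password}" -ge 20 ] || { echo "refusing: admin password shorter than 20 chars" >&2; return 1; }
    mkdir -p "$dir"
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077; cat > "$dir/config.yaml" <<EOF
loglevel: info
adminPassword: "$password"
storage: sqlite3:///data/db.sqlite3
wireguard:
  privateKey: "$privkey"
vpn:
  allowedIPs:
    - "10.0.0.0/8"
  clientIsolation: true
enableInactiveDeviceDeletion: true
inactiveDeviceGracePeriod: 4380h
EOF
    )
    chmod 600 "$dir/config.yaml"
}

# demo into a temporary directory; point DIR at /data/wg-access-server-data for real use
demo=$(mktemp -d)
write_config "$demo" "$(gen_password)" "$(gen_privkey)"
ls -l "$demo/config.yaml"
rm -rf "$demo"
```

the container reads the file as root, so 0600 on the host directory is enough; anything that can read config.yaml can impersonate both the admin UI and the WireGuard endpoint.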

note: the latest tag won't do, as it points to an older release; use the master tag instead

docker rm -f wg-access-server
docker run -d --name wg-access-server \
  --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
  -v /data/wg-access-server-data:/data \
  -e "WG_VPN_CIDRV6=0" \
  -e "WG_CONFIG=/data/config.yaml" \
  -p 127.0.0.1:8000:8000 \
  -p 0.0.0.0:51820:51820/udp \
  ghcr.io/freifunkmuc/wg-access-server:master
docker logs wg-access-server
docker exec -ti wg-access-server bash

ps


ssl offloading

vi /etc/dehydrated/domains-http01

wireguard.demo.nethence.com

dehydrated --cron --keep-going
dehydrated --cron --keep-going --algo prime256v1 --out /etc/dehydrated/certs/ECC

vi /etc/nginx/conf.d/wireguard.conf

...
    location / {
            proxy_pass http://127.0.0.1:8000/;
    }
...

nginx -t
nginx -s reload

ready to go

from a remote workstation

as root

curl -I https://wireguard.demo.nethence.com/signin

nmap -sU -p 51820 wireguard.demo.nethence.com

register a vpn peer device

as user

https://wireguard.demo.nethence.com/signin

admin / $password

(add device)

add the config file system-wide

as root

mv -i ~USER/Downloads/WireGuard.conf /etc/wireguard/EXAMPLE.conf
vi /etc/wireguard/EXAMPLE.conf

(check AllowedIPs points to internal CIDR)

now reach the insider network

wg-quick up EXAMPLE
ifconfig EXAMPLE
ping -c3 10.44.0.1

and make sure your access to the public network doesn't go through the newly configured vpn

traceroute opendns.com
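added example, not from the original page: the two checks above (AllowedIPs points at an internal CIDR; public traffic stays off the tunnel) done on the downloaded .conf before wg-quick up, rather than after the fact with traceroute. the two sample configs are constructed, with placeholder keys; the function names are mine.

```sh
#!/bin/sh
# Added example (not the page's code): classify a WireGuard client config as
# split-tunnel (only private CIDRs), full-tunnel (0.0.0.0/0 or ::/0) or
# "public" (a routable CIDR that would pull non-internal traffic into the VPN)

# constructed samples; keys are placeholders, not real material
SAMPLE_SPLIT='[Interface]
PrivateKey = CLIENT-PRIVATE-KEY-PLACEHOLDER
Address = 10.44.0.2/32
DNS = 10.44.0.1

[Peer]
PublicKey = SERVER-PUBLIC-KEY-PLACEHOLDER
AllowedIPs = 10.0.0.0/8
Endpoint = wireguard.demo.nethence.com:51820
PersistentKeepalive = 25'

SAMPLE_FULL='[Interface]
PrivateKey = CLIENT-PRIVATE-KEY-PLACEHOLDER
Address = 10.44.0.2/32

[Peer]
PublicKey = SERVER-PUBLIC-KEY-PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wireguard.demo.nethence.com:51820'

# wg_allowed_ips FILE: every AllowedIPs entry, one per line, whitespace trimmed
wg_allowed_ips() {
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
      | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# wg_is_private_cidr CIDR: RFC 1918 ranges only (10/8, 172.16/12, 192.168/16)
wg_is_private_cidr() {
    case $1 in
        10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) return 0 ;;
        *) return 1 ;;
    esac
}

# wg_tunnel_mode FILE: prints split, full or public; returns 1 if no AllowedIPs
wg_tunnel_mode() {
    ips=$(wg_allowed_ips "$1") || return 1
    [ -n "$ips" ] || return 1
    mode=split
    for cidr in $ips; do
        case $cidr in
            0.0.0.0/0|::/0) mode=full ;;
            *) [ "$mode" = split ] && ! wg_is_private_cidr "$cidr" && mode=public ;;
        esac
    done
    echo "$mode"
}

# demo on the constructed samples; run wg_tunnel_mode /etc/wireguard/EXAMPLE.conf for real
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SPLIT" > "$tmpdir/split.conf"
printf '%s\n' "$SAMPLE_FULL"  > "$tmpdir/full.conf"
for f in "$tmpdir"/*.conf; do
    printf '%s: %s (AllowedIPs: %s)\n' "$(basename "$f")" \
        "$(wg_tunnel_mode "$f")" "$(wg_allowed_ips "$f" | tr '\n' ' ')"
done
rm -rf "$tmpdir"
```

a "full" result means wg-quick will install a default route through the tunnel and the traceroute above will show the VPN gateway first; "public" is the subtler case, where a single non-private CIDR in AllowedIPs quietly routes part of the internet through the server.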

additional notes

moar options

#adminUsername: SOME-USERNAME
#externalHost: wireguard.example.net

troubleshooting

http: proxy error: dial tcp 127.0.0.1:3000: connect: connection refused

==> looks like it’s calling the dev website internally ==> do NOT set WORKDIR

resources

https://www.freie-netze.org/wg-access-server/

https://www.freie-netze.org/wg-access-server/2-configuration/

https://www.freie-netze.org/wg-access-server/3-storage/

https://www.freie-netze.org/wg-access-server/deployment/1-docker/

https://github.com/freifunkMUC/wgkex/blob/main/docker-compose.yml

https://github.com/freifunkMUC/wg-access-server-chart/tags

https://github.com/freifunkMUC/wg-access-server-chart

https://pascal-bergeron.com/en/posts/docker-expose-ports-local-network/

https://stackoverflow.com/questions/29957143/make-docker-use-ipv4-for-port-binding ==> ipv4 only

https://denbeke.be/blog/software/configuring-wireguard-vpn-with-wg-access-server/ ==> cool guide


Copyright © 2024 Pierre-Philipp Braun