apt install wireguard wireguard-tools sqlite3 sqlite3-tools # wireguard-dkms wg --version sqlite3 --version modprobe ip_tables #modprobe ip6_tables modprobe wireguard
password=`tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1`
privkey=`wg genkey`
domain=vmetrics.nethence.com
mkdir -p /data/wg-access-server-data/
cat > /data/wg-access-server-data/config.yaml <<EOF
externalHost: $domain
wireguard:
port: 51821
# https://www.freie-netze.org/wg-access-server/2-configuration/
loglevel: info
adminPassword: "$password"
storage: sqlite3:///data/db.sqlite3
wireguard:
privateKey: "$privkey"
# the forwarders to proxy (possibly internal)
# defaults to embedded nameserver
#dns:
# upstream:
# - "INTERNAL-DNS-HERE"
# - "208.67.222.222"
# - "208.67.220.220"
vpn:
# routing we are offering
allowedIPs:
- "10.7.7.0/24"
#- "0.0.0.0/0" # exit node?
# so that large corporation end-users won't attack each other
clientIsolation: true
# delete after 6 months unused
enableInactiveDeviceDeletion: true
inactiveDeviceGracePeriod: 4380h
EOF
choose –either– latest
(latest release)
–or– master (some snapshot?)
tag=latest
docker image pull ghcr.io/freifunkmuc/wg-access-server:$tag
docker rm -f wg-access-server
docker run -d --name wg-access-server \
--cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
-v /data/wg-access-server-data:/data \
-e "WG_VPN_CIDRV6=0" -e "WG_CONFIG=/data/config.yaml" \
-p 127.0.0.1:8000:8000 \
-p 0.0.0.0:51821:51821/udp \
ghcr.io/freifunkmuc/wg-access-server:$tag
docker logs wg-access-server -f
^C
docker exec -ti wg-access-server bash
ps
netstat -lntup
# make sure the container reaches external network
ping -c1 opendns.com
apk update
apk add tcpdump
tcpdump -ni eth0 udp port 51821 -vvv
^C
watch wg show
^C ^D
domain=vmetrics.nethence.com
echo $domain >> /etc/dehydrated/domains-http01
dehydrated --cron --keep-going
dehydrated --cron --keep-going --algo prime256v1 --out /var/lib/dehydrated/certs/ECC
vi /etc/nginx/conf.d/wireguard.conf
...
location / {
# without trailing-slash
proxy_pass http://127.0.0.1:8000;
}
...
nginx -t
nginx -s reload
nmap -p 443 $domain curl -I https://$domain/signin nmap -sU -p 51821 $domain
register some vpn peer devices
https://$domain/signin admin / $password (add device)
add the config file system-wide
as root
mv -i ~USER/Downloads/WireGuard.conf /etc/wireguard/EXAMPLE.conf vi /etc/wireguard/EXAMPLE.conf (check AllowedIPs points to internal CIDR)
now reach the insider network
wg-quick up EXAMPLE ifconfig EXAMPLE ping -c3 10.44.0.1
and make sure your access to public network doesn’t go through the newly configured vpn access
traceroute opendns.com
QR code...
sniff
on the server
tcpdump -ni any udp port 51821 -vvv
moar options
#adminUsername: SOME-USERNAME #externalHost: wireguard.example.net
http: proxy error: dial tcp 127.0.0.1:3000: connect: connection refused
==> looks like it’s calling the dev website internally
==> do NOT set WORKDIR
https://www.freie-netze.org/wg-access-server/
https://www.freie-netze.org/wg-access-server/2-configuration/
https://www.freie-netze.org/wg-access-server/3-storage/
https://www.freie-netze.org/wg-access-server/deployment/1-docker/
https://github.com/freifunkMUC/wgkex/blob/main/docker-compose.yml
https://github.com/freifunkMUC/wg-access-server-chart/tags
https://github.com/freifunkMUC/wg-access-server-chart
https://pascal-bergeron.com/en/posts/docker-expose-ports-local-network/
https://stackoverflow.com/questions/29957143/make-docker-use-ipv4-for-port-binding ==> ipv4 only
https://denbeke.be/blog/software/configuring-wireguard-vpn-with-wg-access-server/ ==> cool guide