WireGuard is without a doubt one of the best VPN implementations out there. To quote the WireGuard website:
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
(wireguard.org)
It can, however, be a bit of a pain to set up.
This, however, is the Internet, and just like dinosaur DNA in Jurassic Park, "the Internet will find a way".
Step forward wg-easy on GitLab
So this is basically a Docker container which sets up WireGuard, provides a web interface for managing accounts, and makes your life easy.
Step 1 – Install Docker
Head over to https://docs.docker.com/get-docker/, choose your OS, follow the instructions, then come back here.
Or, as the wg-easy website states:
curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
exit
Step 2 – Install wg-easy
Setting up the wg-easy Docker container is pretty simple and can be done with a single docker run command.
docker run -d \
  --name=wg-easy \
  -e WG_HOST=🚨YOUR_SERVER_EXTERNAL_IP \
  -e PASSWORD=🚨YOUR_ADMIN_PASSWORD \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy
So what does all this mean?
| Option | Meaning |
| --- | --- |
| --name=wg-easy | The name of the Docker container we are about to build. |
| -e WG_HOST | The public (not NAT) IP you will be connecting to from the internet goes here. |
| -e PASSWORD | The password for the admin web interface. |
| -v ~/.wg-easy:/etc/wireguard | Mounts the folder /etc/wireguard inside the container onto the folder /home/<username>/.wg-easy on your host. |
| -p 51820:51820/udp | The UDP port WireGuard clients connect to on the WG_HOST IP address. |
| -p 51821:51821/tcp | The TCP port the web interface is opened on internally (don't access this from the internet). |
| --cap-add=NET_ADMIN | Grants the container the NET_ADMIN capability so it can configure networking (the WireGuard interface, routes and firewall rules). |
| --cap-add=SYS_MODULE | Grants the container the SYS_MODULE capability so it can load the wireguard kernel module if the host has not already done so. |
| --sysctl="net.ipv4.conf.all.src_valid_mark=1" | A kernel setting WireGuard's routing needs: the source-address validity check honours the firewall mark WireGuard puts on tunnel packets. |
| --sysctl="net.ipv4.ip_forward=1" | Enables IP forwarding in the container so traffic from VPN clients can be routed out through the container's network interface. |
| --restart unless-stopped | The container restarts automatically if it has a problem or the host reboots, unless you stopped it yourself with docker stop. |
| weejewel/wg-easy | The name of the Docker image to pull. |
Having run the command, if it succeeded you should see the running container using:
docker ps -a
Depending on your distro you may need to use firewalld, iptables or ufw to open port 51821/TCP. Once you do, the web interface is accessible via:
http://<server name or IP>:51821
Step 3 – Open up your WAN (the only hard bit)
This is something I can't help you with: you'll need to know your own network and understand how port forwarding works if you're doing this at home, or how your firewall works if you're hosting on a cloud provider.
What you need to do is allow anything arriving at your public-facing IP address on 51820/UDP to have its traffic passed to the server wg-easy is installed on, or none of this will work.
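Two things in this walkthrough fail silently: a WG_HOST that is not a public IP (no internet peer can ever reach 51820/UDP) and a web UI port published on every interface instead of localhost or the LAN. The script below checks both before you run docker run; it is an added example, not code from the wg-easy project, and the function names and the 203.0.113.10 sample address are mine.

```shell
#!/bin/sh
# Pre-flight check for the wg-easy docker run command (added example, not part
# of the wg-easy project). Catches a non-public WG_HOST and a web UI that is
# published on 0.0.0.0 or a public address instead of localhost or the LAN.

# 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;  # junk, empty octet, 5+ fields
        *.*.*.*) ;;                                  # exactly four fields
        *) return 1 ;;
    esac
    rest=$1
    for i in 1 2 3 4; do
        o=${rest%%.*}; rest=${rest#*.}
        [ "$o" -le 255 ] || return 1
    done
}

# 0 if $1 is publicly routable: excludes RFC 1918, loopback, link-local, 0/8 and
# CGNAT 100.64/10 (a carrier-NAT address cannot receive forwarded 51820/udp).
is_public_ipv4() {
    is_ipv4 "$1" || return 1
    o1=${1%%.*}; o2=${1#*.}; o2=${o2%%.*}
    [ "$o1" -eq 10 ] || [ "$o1" -eq 127 ] || [ "$o1" -eq 0 ] && return 1
    [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 1
    [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ] && return 1
    [ "$o1" -eq 169 ] && [ "$o2" -eq 254 ] && return 1
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] && return 1
    return 0
}

# 0 if a docker -p value for the web UI binds to loopback or a private address,
# 1 for the bare "51821:51821/tcp" form (0.0.0.0) or a public bind address.
web_ui_publish_is_local() {
    case $1 in *:*:*) host=${1%%:*} ;; *) return 1 ;; esac
    is_ipv4 "$host" || return 1
    [ "$host" = 0.0.0.0 ] && return 1
    ! is_public_ipv4 "$host"
}

# Run both checks on the values you are about to pass to docker run.
preflight() {
    rc=0
    is_public_ipv4 "$1" || { echo "WG_HOST=$1 is not a public IP" >&2; rc=1; }
    web_ui_publish_is_local "$2" || { echo "web UI $2 is internet-reachable; use 127.0.0.1:51821:51821/tcp" >&2; rc=1; }
    return $rc
}
preflight 203.0.113.10 127.0.0.1:51821:51821/tcp && echo "pre-flight OK"  # constructed sample (TEST-NET-3)
```

Binding the web UI with `-p 127.0.0.1:51821:51821/tcp` instead of `-p 51821:51821/tcp` keeps it off the internet even if the host firewall is misconfigured; you then reach it over SSH port forwarding or the VPN itself.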
Step 4 – Add a device
Log in to the web interface.
Click on New in the top right.
Give the new client a name and click on Create.
The newly created endpoint will appear in the list, and you have the option of either a QR code or a config (.conf) file to install on the phone or laptop you want to run WireGuard on to connect to the server.
That's it. There are many ways to get WireGuard up and running; if you search this site I've covered a couple of others on this blog. This, however, is the easiest way to do it if you need to manage all but a few accounts.
Go say thank you to the developer.