update
parent a77ce22e7c
commit 32fd99f6f0
|
@ -83,12 +83,12 @@ DOCKER_MY_NETWORK=caddy_net
|
||||||
TZ=Europe/Bratislava
|
TZ=Europe/Bratislava
|
||||||
|
|
||||||
# BITWARDEN
|
# BITWARDEN
|
||||||
|
DOMAIN=https://passwd.example.com
|
||||||
ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9
|
ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9
|
||||||
SIGNUPS_ALLOWED=false
|
SIGNUPS_ALLOWED=false
|
||||||
WEBSOCKET_ENABLED=true
|
WEBSOCKET_ENABLED=true
|
||||||
|
|
||||||
# USING SENDGRID FOR SENDING EMAILS
|
# USING SENDGRID FOR SENDING EMAILS
|
||||||
DOMAIN=https://passwd.example.com
|
|
||||||
SMTP_SSL=true
|
SMTP_SSL=true
|
||||||
SMTP_EXPLICIT_TLS=true
|
SMTP_EXPLICIT_TLS=true
|
||||||
SMTP_HOST=smtp.sendgrid.net
|
SMTP_HOST=smtp.sendgrid.net
|
||||||
|
|
|
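Review bot: `ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9` stays as a concrete token value on both sides of this hunk of a committed `.env` example; it should be a placeholder in the style of `<cloudflare api token goes here>` used later in this commit, and if that value was ever used on a live instance it should be regenerated, since whoever holds the admin token controls the bitwarden_rs admin page. Moving `DOMAIN=https://passwd.example.com` out of the SendGrid block into `# BITWARDEN` is right; it is a bitwarden_rs setting rather than an SMTP one.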
@ -13,7 +13,7 @@
|
||||||
# Purpose & Overview
|
# Purpose & Overview
|
||||||
|
|
||||||
Reverse proxy setup that allows hosting many services and access them
|
Reverse proxy setup that allows hosting many services and access them
|
||||||
based on the host name.</br>
|
based on the host name.<br>
|
||||||
For example `nextcloud.example.com` takes you to your nextcloud file sharing,
|
For example `nextcloud.example.com` takes you to your nextcloud file sharing,
|
||||||
and `bitwarden.example.com` takes you to your password manager,
|
and `bitwarden.example.com` takes you to your password manager,
|
||||||
all hosted on your local network.
|
all hosted on your local network.
|
||||||
|
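Review bot: `</br>` is not a valid element (`br` is void and has no closing form), so the change to `<br>` is correct, and the same substitution is applied consistently through the rest of this commit. In the unchanged context, `hosting many services and access them based on the host name` would read better as `hosting many services and accessing them`.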
@ -24,13 +24,13 @@ all hosted on your local network.
|
||||||
* [Github](https://github.com/caddyserver/caddy)
|
* [Github](https://github.com/caddyserver/caddy)
|
||||||
|
|
||||||
Caddy is a powerful, enterprise-ready, open source web server with automatic
|
Caddy is a powerful, enterprise-ready, open source web server with automatic
|
||||||
HTTPS written in Go.</br>
|
HTTPS written in Go.<br>
|
||||||
|
|
||||||
Web servers are build to deal with http traffic, so they are an obvious choice
|
Web servers are build to deal with http traffic, so they are an obvious choice
|
||||||
for the function of reverse proxy.
|
for the function of reverse proxy.
|
||||||
|
|
||||||
In this setup Caddy is used mostly as
|
In this setup Caddy is used mostly as
|
||||||
[a TLS termination proxy](https://www.youtube.com/watch?v=H0bkLsUe3no).</br>
|
[a TLS termination proxy](https://www.youtube.com/watch?v=H0bkLsUe3no).<br>
|
||||||
Https encrypted tunel ends with it, so that the traffic can be analyzed
|
Https encrypted tunel ends with it, so that the traffic can be analyzed
|
||||||
and dealt with based on the settings in `Caddyfile`.
|
and dealt with based on the settings in `Caddyfile`.
|
||||||
|
|
||||||
|
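Review bot: two typos in the unchanged context lines: `Web servers are build to deal with http traffic` should be `built`, and `Https encrypted tunel ends with it` should be `tunnel`. Since TLS is terminated at Caddy, as this hunk says, the leg from Caddy to each backend container is plaintext HTTP; one sentence noting that this is acceptable only because that traffic stays on the docker bridge network would make the security model explicit.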
@ -85,7 +85,7 @@ or machines on the network.
|
||||||
* `Caddyfile` - the Caddy configuration file
|
* `Caddyfile` - the Caddy configuration file
|
||||||
* `docker-compose.yml` - a docker compose file, telling docker how to run containers
|
* `docker-compose.yml` - a docker compose file, telling docker how to run containers
|
||||||
|
|
||||||
You only need to provide the three files.</br>
|
You only need to provide the three files.<br>
|
||||||
The directories are created by docker compose on the first run,
|
The directories are created by docker compose on the first run,
|
||||||
the content of these is visible only as root of the docker host.
|
the content of these is visible only as root of the docker host.
|
||||||
|
|
||||||
|
@ -119,7 +119,7 @@ Often variable should be available also inside the running container.
|
||||||
For that it must be declared in the `environment` section of the compose file,
|
For that it must be declared in the `environment` section of the compose file,
|
||||||
as can be seen next in Caddie's `docker-compose.yml`
|
as can be seen next in Caddie's `docker-compose.yml`
|
||||||
|
|
||||||
*extra info:*</br>
|
*extra info:*<br>
|
||||||
`docker-compose config` shows how compose will look
|
`docker-compose config` shows how compose will look
|
||||||
with the variables filled in.
|
with the variables filled in.
|
||||||
|
|
||||||
|
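Review bot: `Caddie's docker-compose.yml` should be `Caddy's`. `docker-compose config` is also a good check for the opposite mistake: a variable set in `.env` but misspelled in the `environment` section renders as an empty value in that output.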
@ -177,28 +177,28 @@ b.{$MY_DOMAIN} {
|
||||||
|
|
||||||
`a` and `b` are the subdomains, can be named whatever.
|
`a` and `b` are the subdomains, can be named whatever.
|
||||||
For them to work they must have type-A DNS record
|
For them to work they must have type-A DNS record
|
||||||
pointing at your public ip set on Cloudflare, or wherever the domains DNS is managed.</br>
|
pointing at your public ip set on Cloudflare, or wherever the domains DNS is managed.<br>
|
||||||
Can also be a wild card `*.example.com -> 104.17.436.89`
|
Can also be a wild card `*.example.com -> 104.17.436.89`
|
||||||
|
|
||||||
The value of `{$MY_DOMAIN}` is provided by the compose and the `.env` file.</br>
|
The value of `{$MY_DOMAIN}` is provided by the compose and the `.env` file.<br>
|
||||||
The subdomains point at docker containers by their **hostname** and **exposed port**.
|
The subdomains point at docker containers by their **hostname** and **exposed port**.
|
||||||
So every docker container you spin should have hostname definied.</br>
|
So every docker container you spin should have hostname definied.<br>
|
||||||
Commented out is the staging url for let's encrypt, useful for testing.
|
Commented out is the staging url for let's encrypt, useful for testing.
|
||||||
|
|
||||||
### - Setup some docker containers
|
### - Setup some docker containers
|
||||||
|
|
||||||
Something light and easy to setup to route to.</br>
|
Something light and easy to setup to route to.<br>
|
||||||
Assuming for this testing these compose files are in the same directory with Caddy,
|
Assuming for this testing these compose files are in the same directory with Caddy,
|
||||||
so they make use of the same `.env` file and so be on the same network.
|
so they make use of the same `.env` file and so be on the same network.
|
||||||
|
|
||||||
Note the lack of published/mapped ports in the compose,
|
Note the lack of published/mapped ports in the compose,
|
||||||
as they will be accessed only through Caddy, which has it's ports published.</br>
|
as they will be accessed only through Caddy, which has it's ports published.<br>
|
||||||
And since the containers and Caddy are all on the same bridge docker network,
|
And since the containers and Caddy are all on the same bridge docker network,
|
||||||
they can access each other on any port.</br>
|
they can access each other on any port.<br>
|
||||||
Exposed ports are just documentation,
|
Exposed ports are just documentation,
|
||||||
[don't confuse expose and publish](https://maximorlov.com/exposing-a-port-in-docker-what-does-it-do/).
|
[don't confuse expose and publish](https://maximorlov.com/exposing-a-port-in-docker-what-does-it-do/).
|
||||||
|
|
||||||
*extra info:*</br>
|
*extra info:*<br>
|
||||||
To know which ports containers have exposed - `docker ps`, or
|
To know which ports containers have exposed - `docker ps`, or
|
||||||
`docker port <container-name>`, or use [ctop](https://github.com/bcicen/ctop).
|
`docker port <container-name>`, or use [ctop](https://github.com/bcicen/ctop).
|
||||||
|
|
||||||
|
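Review bot: `*.example.com -> 104.17.436.89` is not a valid IPv4 address (436 exceeds 255); use a documentation-range address such as `192.0.2.1` (RFC 5737) so readers do not copy something unroutable. Also `should have hostname definied` should be `defined`, and `which has it's ports published` should be `its`.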
@ -236,8 +236,8 @@ networks:
|
||||||
### - editing hosts file
|
### - editing hosts file
|
||||||
|
|
||||||
You are on your local network and you are likely running the docker host
|
You are on your local network and you are likely running the docker host
|
||||||
inside the same network.</br>
|
inside the same network.<br>
|
||||||
If that's the case then shit will not work without editing the hosts file.</br>
|
If that's the case then shit will not work without editing the hosts file.<br>
|
||||||
Reason being that when you write that `a.example.com` in to your browser,
|
Reason being that when you write that `a.example.com` in to your browser,
|
||||||
you are asking google's DNS for `a.example.com` IP address.
|
you are asking google's DNS for `a.example.com` IP address.
|
||||||
It will give you your own public IP, and most routers/firewalls wont allow
|
It will give you your own public IP, and most routers/firewalls wont allow
|
||||||
|
@ -253,10 +253,10 @@ adding whatever is the local IP of the docker host and the hostname:
|
||||||
```
|
```
|
||||||
|
|
||||||
If it is just quick testing one can use Opera browser
|
If it is just quick testing one can use Opera browser
|
||||||
and enable the build in VPN.</br>
|
and enable the build in VPN.<br>
|
||||||
|
|
||||||
One can also run a dns/dhcp server on the network, to solve this for all
|
One can also run a dns/dhcp server on the network, to solve this for all
|
||||||
devices.</br>
|
devices.<br>
|
||||||
Here's a [guide-by-example for dnsmasq](
|
Here's a [guide-by-example for dnsmasq](
|
||||||
https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/dnsmasq).
|
https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/dnsmasq).
|
||||||
|
|
||||||
|
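Review bot: `enable the build in VPN` should be `built-in VPN`. Worth one line on why that works: the request then leaves through the VPN exit and reaches the router from the outside, so the hairpin problem described above no longer applies.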
@ -274,7 +274,7 @@ Services
|
||||||
Give it time to get certificates, checking `docker logs caddy` as it goes,
|
Give it time to get certificates, checking `docker logs caddy` as it goes,
|
||||||
then visit the urls. It should lead to the services with https working.
|
then visit the urls. It should lead to the services with https working.
|
||||||
|
|
||||||
If something is fucky use `docker logs caddy` to see what is happening.</br>
|
If something is fucky use `docker logs caddy` to see what is happening.<br>
|
||||||
Restarting the container `docker container restart caddy` can help.
|
Restarting the container `docker container restart caddy` can help.
|
||||||
Or investigate inside `docker exec -it caddy /bin/sh`.
|
Or investigate inside `docker exec -it caddy /bin/sh`.
|
||||||
For example trying to ping hosts that are suppose to be reachable,
|
For example trying to ping hosts that are suppose to be reachable,
|
||||||
|
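Review bot: `trying to ping hosts that are suppose to be reachable` should be `supposed to`. `docker logs caddy` is recommended twice within the same paragraph; the second mention could be dropped.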
@ -282,7 +282,7 @@ For example trying to ping hosts that are suppose to be reachable,
|
||||||
|
|
||||||
There's also other possible issues, like bad port forwarding towards docker host.
|
There's also other possible issues, like bad port forwarding towards docker host.
|
||||||
|
|
||||||
*extra info:*</br>
|
*extra info:*<br>
|
||||||
`docker exec -w /etc/caddy caddy caddy reload` reloads config
|
`docker exec -w /etc/caddy caddy caddy reload` reloads config
|
||||||
if you made changes and want them to take effect.
|
if you made changes and want them to take effect.
|
||||||
|
|
||||||
|
@ -304,7 +304,7 @@ would also not hurt, it is very well written.
|
||||||
|
|
||||||
### Routing traffic to other machines on the LAN
|
### Routing traffic to other machines on the LAN
|
||||||
|
|
||||||
If not targeting a docker container but a dedicated machine on the network.</br>
|
If not targeting a docker container but a dedicated machine on the network.<br>
|
||||||
Nothing really changes, if you can ping the machine from Caddy container
|
Nothing really changes, if you can ping the machine from Caddy container
|
||||||
by its hostname or its IP, it will work.
|
by its hostname or its IP, it will work.
|
||||||
|
|
||||||
|
@ -332,7 +332,7 @@ localhost:55414 {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
Prometheus entry uses short-hand notation.</br>
|
Prometheus entry uses short-hand notation.<br>
|
||||||
TLS is automatically disabled in localhost use.
|
TLS is automatically disabled in localhost use.
|
||||||
|
|
||||||
But for this to work Caddy's compose file needs to have those ports **published** too.
|
But for this to work Caddy's compose file needs to have those ports **published** too.
|
||||||
|
@ -372,15 +372,15 @@ and `192.168.1.222:9090` gets to prometheus.
|
||||||
### Named matchers and IP filtering
|
### Named matchers and IP filtering
|
||||||
|
|
||||||
Caddy has [matchers](https://caddyserver.com/docs/caddyfile/matchers)
|
Caddy has [matchers](https://caddyserver.com/docs/caddyfile/matchers)
|
||||||
which allow you to define how to deal with incoming requests.</br>
|
which allow you to define how to deal with incoming requests.<br>
|
||||||
`reverse_proxy server-blue:80` is a matcher that matches all requests
|
`reverse_proxy server-blue:80` is a matcher that matches all requests
|
||||||
and sends them somewhere.</br>
|
and sends them somewhere.<br>
|
||||||
But if more control is desired, path matchers and named matchers come to play.
|
But if more control is desired, path matchers and named matchers come to play.
|
||||||
|
|
||||||
What if you want to block all traffic coming from the outside world,
|
What if you want to block all traffic coming from the outside world,
|
||||||
but local network be allowed through?</br>
|
but local network be allowed through?<br>
|
||||||
Well, the [remote_ip](https://caddyserver.com/docs/caddyfile/matchers#remote-ip)
|
Well, the [remote_ip](https://caddyserver.com/docs/caddyfile/matchers#remote-ip)
|
||||||
matcher comes to play, which enables you to filter requests by their IP.</br>
|
matcher comes to play, which enables you to filter requests by their IP.<br>
|
||||||
|
|
||||||
Named matchers are defined by `@` and can be named whatever you like.
|
Named matchers are defined by `@` and can be named whatever you like.
|
||||||
|
|
||||||
|
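Review bot: `reverse_proxy server-blue:80 is a matcher that matches all requests` is inaccurate: `reverse_proxy` is a directive, and a directive with no matcher token applies to all requests; suggest `reverse_proxy server-blue:80 applies to all requests, since no matcher is given`. When describing `remote_ip`, add that it matches on the address of the TCP connection, so with another proxy in front (the Cloudflare setup later in this document) it sees that proxy's address rather than the client's.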
@ -403,7 +403,7 @@ b.{$MY_DOMAIN} {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
`@fuck_off_world` matches all IPs except the local network IP range.</br>
|
`@fuck_off_world` matches all IPs except the local network IP range.<br>
|
||||||
Requests matching that rule get the response 403 - forbidden.
|
Requests matching that rule get the response 403 - forbidden.
|
||||||
|
|
||||||
### Snippets
|
### Snippets
|
||||||
|
@ -411,9 +411,9 @@ Requests matching that rule get the response 403 - forbidden.
|
||||||
What if you need to have the same matcher in several site-blocks and
|
What if you need to have the same matcher in several site-blocks and
|
||||||
would prefer for config to look cleaner?
|
would prefer for config to look cleaner?
|
||||||
|
|
||||||
Here comes the [snippets](https://caddyserver.com/docs/caddyfile/concepts#snippets).</br>
|
Here comes the [snippets](https://caddyserver.com/docs/caddyfile/concepts#snippets).<br>
|
||||||
Snippets are defined under the global options block,
|
Snippets are defined under the global options block,
|
||||||
using parentheses, named whatever you like.</br>
|
using parentheses, named whatever you like.<br>
|
||||||
They then can be used inside any site-block with simple `import <snippet name>`
|
They then can be used inside any site-block with simple `import <snippet name>`
|
||||||
|
|
||||||
Now would be a good time to look again at that concept picture above.
|
Now would be a good time to look again at that concept picture above.
|
||||||
|
@ -447,7 +447,7 @@ b.{$MY_DOMAIN} {
|
||||||
Some containers might be set to communicate only through https 443 port.
|
Some containers might be set to communicate only through https 443 port.
|
||||||
But since they are behind proxy, their certificates wont be singed, wont be trusted.
|
But since they are behind proxy, their certificates wont be singed, wont be trusted.
|
||||||
|
|
||||||
Caddies sub-directive `transport` sets how to communicate with the backend.</br>
|
Caddies sub-directive `transport` sets how to communicate with the backend.<br>
|
||||||
Setting the upstream's scheme to `https://`
|
Setting the upstream's scheme to `https://`
|
||||||
or declaring the `tls` transport subdirective makes it use https.
|
or declaring the `tls` transport subdirective makes it use https.
|
||||||
Setting `tls_insecure_skip_verify` makes Caddy ignore errors due to
|
Setting `tls_insecure_skip_verify` makes Caddy ignore errors due to
|
||||||
|
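Review bot: the description of `tls_insecure_skip_verify` is cut off at `ignore errors due to` and should spell out what is traded away: it turns off certificate verification on the Caddy-to-backend leg, so Caddy accepts any certificate from the upstream, including one from a host that is not the intended container; that is tolerable only when the backend is reachable solely over the trusted docker network. Typo in context: `wont be singed` should be `signed`.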
@ -467,7 +467,7 @@ whatever.{$MY_DOMAIN} {
|
||||||
|
|
||||||
Running NextCloud behind any proxy likely shows few warning on its status page.
|
Running NextCloud behind any proxy likely shows few warning on its status page.
|
||||||
It requires some redirects for service discovery to work and would like
|
It requires some redirects for service discovery to work and would like
|
||||||
if [HSTS](https://www.youtube.com/watch?v=kYhMnw4aJTw) would be set.</br>
|
if [HSTS](https://www.youtube.com/watch?v=kYhMnw4aJTw) would be set.<br>
|
||||||
Like so:
|
Like so:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -484,7 +484,7 @@ nextcloud.{$MY_DOMAIN} {
|
||||||
This example is with bitwarden_rs password manager, which comes with its reverse proxy
|
This example is with bitwarden_rs password manager, which comes with its reverse proxy
|
||||||
[recommendations](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples).
|
[recommendations](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples).
|
||||||
|
|
||||||
`encode gzip` enables compression.</br>
|
`encode gzip` enables compression.<br>
|
||||||
This lowers the bandwith use and speeds up loading of the sites.
|
This lowers the bandwith use and speeds up loading of the sites.
|
||||||
It is often set on the webserver running inside the docker container,
|
It is often set on the webserver running inside the docker container,
|
||||||
but if not it can be enabled on caddy.
|
but if not it can be enabled on caddy.
|
||||||
|
@ -495,7 +495,7 @@ By default, Caddy passes through Host header and adds X-Forwarded-For
|
||||||
for the client IP. This means that 90% of the time a simple config
|
for the client IP. This means that 90% of the time a simple config
|
||||||
is all that is needed but sometimes some extra headers might be desired.
|
is all that is needed but sometimes some extra headers might be desired.
|
||||||
|
|
||||||
Here we see bitwarden make use of some extra headers.</br>
|
Here we see bitwarden make use of some extra headers.<br>
|
||||||
We can also see its use of websocket protocol for notifications at port 3012.
|
We can also see its use of websocket protocol for notifications at port 3012.
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -523,12 +523,12 @@ bitwarden.{$MY_DOMAIN} {
|
||||||
|
|
||||||
### Basic authentication
|
### Basic authentication
|
||||||
|
|
||||||
[Official documentation.](https://caddyserver.com/docs/caddyfile/directives/basicauth)</br>
|
[Official documentation.](https://caddyserver.com/docs/caddyfile/directives/basicauth)<br>
|
||||||
Directive `basicauth` can be used when one needs to add
|
Directive `basicauth` can be used when one needs to add
|
||||||
a username/password check before accessing a service.
|
a username/password check before accessing a service.
|
||||||
|
|
||||||
Password is [bcrypt](https://www.devglan.com/online-tools/bcrypt-hash-generator) hashed
|
Password is [bcrypt](https://www.devglan.com/online-tools/bcrypt-hash-generator) hashed
|
||||||
and then [base64](https://www.base64encode.org/) encoded.</br>
|
and then [base64](https://www.base64encode.org/) encoded.<br>
|
||||||
You can use the [`caddy hash-password`](https://caddyserver.com/docs/command-line#caddy-hash-password)
|
You can use the [`caddy hash-password`](https://caddyserver.com/docs/command-line#caddy-hash-password)
|
||||||
command to hash passwords for use in the config.
|
command to hash passwords for use in the config.
|
||||||
|
|
||||||
|
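Review bot: the `basicauth` text should mention that the credential is sent with every request, so it protects anything only because Caddy serves these sites over HTTPS; do not pair it with a plain `http://` site block. The hash format described matches what `caddy hash-password` emits (bcrypt, base64 encoded), so the command is the better recommendation; pasting a real password into a third-party online hash generator is not a habit to encourage.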
@ -546,7 +546,7 @@ b.{$MY_DOMAIN} {
|
||||||
|
|
||||||
### Logging
|
### Logging
|
||||||
|
|
||||||
[Official documentation.](https://caddyserver.com/docs/caddyfile/directives/log)</br>
|
[Official documentation.](https://caddyserver.com/docs/caddyfile/directives/log)<br>
|
||||||
If access logs for specific site are desired
|
If access logs for specific site are desired
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -574,9 +574,9 @@ so your public IP is exposed.
|
||||||
|
|
||||||
It could be also useful in security,
|
It could be also useful in security,
|
||||||
as Cloudflare offers 5 firewall rules in the free tier.
|
as Cloudflare offers 5 firewall rules in the free tier.
|
||||||
Which means one can geoblock any traffic that is not from your own country.</br>
|
Which means one can geoblock any traffic that is not from your own country.<br>
|
||||||
But I assume Caddy's default HTTP challenge would be also blocked,
|
But I assume Caddy's default HTTP challenge would be also blocked,
|
||||||
so no certification renewal.</br>
|
so no certification renewal.<br>
|
||||||
But with DNS challenge the communication is entirely between Let's Encrypt
|
But with DNS challenge the communication is entirely between Let's Encrypt
|
||||||
and Cloudflare servers.
|
and Cloudflare servers.
|
||||||
|
|
||||||
|
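Review bot: `I assume Caddy's default HTTP challenge would be also blocked` can be stated as fact: the HTTP-01 challenge requires Let's Encrypt's validation servers, which connect from several locations worldwide, to reach port 80, so a country geoblock at Cloudflare does break renewal, and DNS-01 is the right fix since validation then never touches the origin.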
@ -585,18 +585,18 @@ and Cloudflare servers.
|
||||||
On Cloudflare create a new API Token with two permsisions,
|
On Cloudflare create a new API Token with two permsisions,
|
||||||
[pic of it here](https://i.imgur.com/YWxgUiO.png)
|
[pic of it here](https://i.imgur.com/YWxgUiO.png)
|
||||||
|
|
||||||
* zone/zone/read</br>
|
* zone/zone/read<br>
|
||||||
* zone/dns/edit</br>
|
* zone/dns/edit<br>
|
||||||
|
|
||||||
Include all zones needs to be set.
|
Include all zones needs to be set.
|
||||||
|
|
||||||
### - Create Dockerfile
|
### - Create Dockerfile
|
||||||
|
|
||||||
To add support, Caddy needs to be compiled with
|
To add support, Caddy needs to be compiled with
|
||||||
[Cloudflare DNS plugin](https://github.com/caddy-dns/cloudflare).</br>
|
[Cloudflare DNS plugin](https://github.com/caddy-dns/cloudflare).<br>
|
||||||
This is done by using your own Dockerfile, using the `builder` image.
|
This is done by using your own Dockerfile, using the `builder` image.
|
||||||
|
|
||||||
Create a directory `dns-dockerfile` in the caddy directory.</br>
|
Create a directory `dns-dockerfile` in the caddy directory.<br>
|
||||||
Inside create a file named `Dockerfile`.
|
Inside create a file named `Dockerfile`.
|
||||||
|
|
||||||
`Dockerfile`
|
`Dockerfile`
|
||||||
|
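Review bot: `Include all zones needs to be set` grants the token DNS edit rights on every zone in the account; for the DNS challenge the token only needs to edit the one zone Caddy issues certificates for, so scope it to that zone. Also `two permsisions` should be `permissions`.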
@ -625,7 +625,7 @@ CLOUDFLARE_API_TOKEN=<cloudflare api token goes here>
|
||||||
|
|
||||||
### - Edit docker-compose.yml
|
### - Edit docker-compose.yml
|
||||||
|
|
||||||
`image` replaced with `build` option pointing at the `Dockerfile` location</br>
|
`image` replaced with `build` option pointing at the `Dockerfile` location<br>
|
||||||
and `CLOUDFLARE_API_TOKEN` variable added.
|
and `CLOUDFLARE_API_TOKEN` variable added.
|
||||||
|
|
||||||
`docker-compose.yml`
|
`docker-compose.yml`
|
||||||
|
|
|
@ -0,0 +1,155 @@
|
||||||
|
# WireGuard
|
||||||
|
|
||||||
|
# Work in progress
|
||||||
|
|
||||||
|
###### guide-by-example
|
||||||
|
|
||||||
|
![logo](https://i.imgur.com/IRgkp2o.png)
|
||||||
|
|
||||||
|
# Purpose & Overview
|
||||||
|
|
||||||
|
VPN.<br>
|
||||||
|
When you need to connect to a machine/network over the internet, securely.<br>
|
||||||
|
|
||||||
|
* [Official site](https://www.wireguard.com/)
|
||||||
|
* [Github](https://github.com/WireGuard)
|
||||||
|
* [Arch wiki](https://wiki.archlinux.org/index.php/WireGuard)
|
||||||
|
|
||||||
|
WireGuard is an opensource extremely simple, fast and modern VPN.
|
||||||
|
Written in C, with userspace implementation written in Go.<br>
|
||||||
|
WireGuard is included in linux kernel version 5.6 and newer.
|
||||||
|
|
||||||
|
While with WireGuard there is no server-clients model, there are just peers
|
||||||
|
connecting to each other, this setup will consider peer_A a server,
|
||||||
|
and clients will be connecting to it.
|
||||||
|
|
||||||
|
This setup runs directly on the host machine, not in a container.<br>
|
||||||
|
Most of the stuff here is based on Arch wiki and
|
||||||
|
[this tutorial](https://securityespresso.org/tutorials/2019/03/22/vpn-server-using-wireguard-on-ubuntu/).
|
||||||
|
|
||||||
|
# Files and directory structure
|
||||||
|
|
||||||
|
```
|
||||||
|
/etc/
|
||||||
|
└── wireguard/
|
||||||
|
└── wg0.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
# Installation
|
||||||
|
|
||||||
|
### on linux server
|
||||||
|
|
||||||
|
Install `wireguard-tools` or whatever is the equivalent in your distro.<br>
|
||||||
|
The package should provide two command line utilities
|
||||||
|
|
||||||
|
* `wg` - utility for configuration and management of WireGuard tunnel interfaces
|
||||||
|
* `wg-quick` - script for bringing up or down a WireGuard interface
|
||||||
|
|
||||||
|
### on linux client
|
||||||
|
|
||||||
|
Same as server
|
||||||
|
|
||||||
|
### on Windows or macOS clients
|
||||||
|
|
||||||
|
[Install the official application.](https://www.wireguard.com/install/)
|
||||||
|
|
||||||
|
*extra info:*<br>
|
||||||
|
Might be of interest server setup on
|
||||||
|
[Windows](https://www.henrychang.ca/how-to-setup-wireguard-vpn-server-on-windows/)
|
||||||
|
|
||||||
|
### on Android or iOS
|
||||||
|
|
||||||
|
Install the official app from the stores.
|
||||||
|
|
||||||
|
|
||||||
|
# Configuration on linux server
|
||||||
|
|
||||||
|
* switch to root and go in to in /etc/wireguard<br>
|
||||||
|
`su`<br>
|
||||||
|
`cd /etc/wireguard`
|
||||||
|
* generate a private key<br>
|
||||||
|
`wg genkey > peer_A.key`
|
||||||
|
* create a public key from the private key<br>
|
||||||
|
`wg pubkey < peer_A.key > peer_A.pub`
|
||||||
|
|
||||||
|
Use the generated keys in the wg0.conf, in the `[Interface]` section.
|
||||||
|
|
||||||
|
`wg0.conf`
|
||||||
|
```bash
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = AA9q7CkUG3MuKP1eyyJFGgKzACIJ1rRIkkWYAi3p3WM=
|
||||||
|
# PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
|
||||||
|
Address = 10.200.200.1/24
|
||||||
|
ListenPort = 51820
|
||||||
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||||
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# TESTER-1
|
||||||
|
# PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
|
||||||
|
PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
|
||||||
|
AllowedIPs = 10.200.200.2/32
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# TESTER-2
|
||||||
|
# PrivateKey = QNc0dunuRQAjuKpFmRPqvPAysqpklctcdblqrazUT0o=
|
||||||
|
PublicKey = CAt7g42pPxgU5Lcc3uyNh5BmkITJS1K6XAoFbkhN6Qk=
|
||||||
|
AllowedIPs = 10.200.200.3/32
|
||||||
|
```
|
||||||
|
|
||||||
|
This configuration when run creates a new network interface on the machine.
|
||||||
|
|
||||||
|
* PrivateKey - the key that was generated, will be used to encrypt traffic
|
||||||
|
* \# PublicKey - just a note, what is the public key of the private key
|
||||||
|
* Address - IP address on the created wireguard interface network,
|
||||||
|
`/24` defines its mask as `255.255.255.0`
|
||||||
|
* ListenPort - port
|
||||||
|
* PostUp/PostDown - define what should be done after interface is turned on and off
|
||||||
|
in this case firewall rules to let traffic through,
|
||||||
|
only ipv4 in this setup
|
||||||
|
* [Peer] - section defining a peer, its public key
|
||||||
|
* AllowedIPs -
|
||||||
|
|
||||||
|
### Start and enable the service
|
||||||
|
|
||||||
|
`sudo systemctl enable --now wg-quick@wg0`
|
||||||
|
|
||||||
|
# Configuration on clients
|
||||||
|
|
||||||
|
`TESTER-1.conf`
|
||||||
|
```bash
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
|
||||||
|
Address = 10.200.200.2/32
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
|
||||||
|
AllowedIPs = 10.200.200.0/24, 192.168.5.0/24
|
||||||
|
Endpoint = 63.123.113.495:51820
|
||||||
|
PersistentKeepalive = 25
|
||||||
|
```
|
||||||
|
|
||||||
|
![windows-client](https://i.imgur.com/T5oA2No.png)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Troubleshooting
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Update
|
||||||
|
|
||||||
|
During host linux packages update.
|
||||||
|
|
||||||
|
# Backup and restore
|
||||||
|
|
||||||
|
#### Backup
|
||||||
|
|
||||||
|
Using [borg](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/borg_backup)
|
||||||
|
that makes daily snapshot of the /etc directory which contains the config file.
|
||||||
|
|
||||||
|
#### restore
|
||||||
|
|
||||||
|
Replace the content of the config file with the one from the backup.
|
||||||
|
|
||||||
|
|
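Review bot: the example configs contain what look like real WireGuard private keys (`PrivateKey = AA9q7CkUG3MuKP1eyyJFGgKzACIJ1rRIkkWYAi3p3WM=` in `wg0.conf`, plus the commented `# PrivateKey = ...` lines under each `[Peer]`); replace them with placeholders, and drop the client private keys from the server config entirely, commented or not, since the server only ever needs a peer's public key and keeping the private half there defeats the point of the key pair. Further points on this file: `wg genkey > peer_A.key` creates a key file readable by other users under the default umask, so run it under `umask 077`; the `PostUp` MASQUERADE rule only forwards traffic if `net.ipv4.ip_forward=1` is set, which the text never mentions; `eth0` in the iptables rules must match the host's actual uplink interface; `Endpoint = 63.123.113.495:51820` is not a valid IPv4 address (495 exceeds 255); and the `* AllowedIPs -` bullet is left empty, it should say that on the server it lists the source addresses accepted from that peer, and on the client it lists the destinations routed into the tunnel.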