WireGuard VPN Server Docker Installation

Hey all, I found a quick way to set up a WG instance with a web interface via Docker!

WireGuard VPN Server Installation – WG-easy Docker Container

Docker Installation

apt install docker.io

Install WireGuard

docker run -d \
  --name=wg-easy \
  -e WG_HOST=<YOUR_SERVER_IP> \
  -e PASSWORD=<YOUR_ADMIN_PASSWORD> \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

Done :wink:

The web interface is then reachable at YOUR_SERVER_IP:51821!

Update

docker stop wg-easy
docker rm wg-easy
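# pull the same image that the docker run command above uses
docker pull ghcr.io/wg-easy/wg-easy
# then start the container again with the docker run command above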

Here is also an example for Docker Compose, including the Adminforge DNS servers:

version: "3.5"
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    restart: unless-stopped
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    cap_add:
      - SYS_MODULE
      - NET_ADMIN
    ports:
      - 51821:51821/tcp
      - 51820:51820/udp
    volumes:
      - ./wg-easy:/etc/wireguard
    environment:
      - PASSWORD=<YOUR_ADMIN_PASSWORD>
      - WG_HOST=<YOUR_SERVER_IP>
      - WG_DEFAULT_DNS=176.9.93.198, 176.9.1.117
    container_name: wg-easy

You can also make the web interface reachable via a domain, e.g. with an NGINX reverse proxy:

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name wg.meine.domain;

  access_log off;
  error_log /var/log/nginx/wg.meine.domain.error.log;
  ssl_certificate /etc/ssl/private/wg.meine.domain_ecc/fullchain.cer;
  ssl_certificate_key /etc/ssl/private/wg.meine.domain_ecc/wg.meine.domain.key;
 
  # add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
  add_header X-Xss-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Referrer-Policy same-origin;
  proxy_cookie_path / "/; HTTPOnly; Secure";
  # add_header Expect-CT "enforce, max-age=21600";
  add_header Feature-Policy "payment none";
 
  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 0;
 
   location / {
        log_not_found off;
        proxy_cache_valid 200 120m;
        proxy_set_header        Host    $http_host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Scheme $scheme;
        proxy_pass http://127.0.0.1:51821/;
        }

}

greetz :stuck_out_tongue_winking_eye:

Hey all, a small update: plaintext passwords are no longer accepted!

There is a how-to for this that will get your WG server back online after an update:

howto: wg-easy/How_to_generate_an_bcrypt_hash.md at master · wg-easy/wg-easy · GitHub

In the terminal:

docker run ghcr.io/wg-easy/wg-easy wgpw deinwebinterfacepasswort

Output:
PASSWORD_HASH='$2a$12$66a0Hf2DyiVBD9M/kONoruu/lKlsVcz1w1DO.BTDpMwU4F2A0KwOK'

Note: Important: make sure to enclose your password in single quotes when you run the docker run command:

Then copy the value into your config.

e.g.:

docker run -d \
  --name wg-easy \
  --env LANG=de \
  --env WG_HOST=<🚨YOUR_SERVER_IP> \
  --env PASSWORD_HASH='$2a$12$66a0Hf2DyiVBD9M/kONoruu/lKlsVcz1w1DO.BTDpMwU4F2A0KwOK' \
  --env PORT=51821 \
  --env WG_PORT=51820 \
  --volume ~/.wg-easy:/etc/wireguard \
  --publish 51820:51820/udp \
  --publish 51821:51821/tcp \
  --cap-add NET_ADMIN \
  --cap-add SYS_MODULE \
  --sysctl 'net.ipv4.conf.all.src_valid_mark=1' \
  --sysctl 'net.ipv4.ip_forward=1' \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

or

docker run -d \
  --name=wg-easy \
  -e WG_HOST=<🚨YOUR_SERVER_IP> \
  -e PASSWORD_HASH='$2a$12$66a0Hf2DyiVBD9M/kONoruu/lKlsVcz1w1DO.BTDpMwU4F2A0KwOK' \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

Docker Compose:

Note: (Important: Please note: don't wrap the generated hash password in single quotes when you use docker-compose.yml. Instead, replace each $ symbol with two $ symbols. For example:)

version: "3.5"
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    restart: unless-stopped
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    cap_add:
      - SYS_MODULE
      - NET_ADMIN
    ports:
      - 51821:51821/tcp
      - 51820:51820/udp
    volumes:
      - ./wg-easy:/etc/wireguard
    environment:
      - PASSWORD_HASH=$$2a$$12$$66a0Hf2DyiVBD9M/kONoruu/lKlsVcz1w1DO.BTDpMwU4F2A0KwOK
      - WG_HOST=<YOUR_SERVER_IP>
      - WG_DEFAULT_DNS=176.9.93.198, 176.9.1.117
    container_name: wg-easy

greetz

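
The two quoting rules from the notes above (single quotes for docker run, doubled $ in docker-compose.yml), as an added shell example that is not part of the original posts and not wg-easy code: it checks that a value is still an intact bcrypt hash, produces the Compose form, and shows what double quotes do to the hash. All function names are hypothetical; the sample value is the hash shown in the post.

```shell
#!/bin/sh
# Added example, not wg-easy code; all function names here are hypothetical.
# Constructed sample: the bcrypt hash shown in the post above.
SAMPLE_HASH='$2a$12$66a0Hf2DyiVBD9M/kONoruu/lKlsVcz1w1DO.BTDpMwU4F2A0KwOK'

# is_bcrypt VALUE: succeeds if VALUE is an intact bcrypt hash
# ($2a$/$2b$/$2y$, two-digit cost, then 53 chars of salt and digest).
is_bcrypt() {
  printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# compose_escape HASH: print HASH with every "$" doubled for docker-compose.yml.
compose_escape() { printf '%s\n' "$1" | sed 's/\$/$$/g'; }

# compose_unescape VALUE: what the container receives once Compose has
# turned each "$$" back into a single "$".
compose_unescape() { printf '%s\n' "$1" | sed 's/\$\$/$/g'; }

# double_quoted_sample: what the shell passes on if the sample hash is written
# in double quotes; a child shell expands $2, $1 and $6 to empty strings.
double_quoted_sample() {
  sh -c 'printf "%s\n" "$2a$12$66a0Hf2DyiVBD9M/kONoruu/lKlsVcz1w1DO.BTDpMwU4F2A0KwOK"'
}

# check_compose_value VALUE: print "ok" if VALUE, exactly as written after
# PASSWORD_HASH= in docker-compose.yml, arrives as an intact bcrypt hash.
check_compose_value() {
  case "$1" in
    \'*|\"*) echo "quoted"; return 1 ;;
  esac
  # A "$" left over after dropping the "$$" pairs would be interpolated.
  if printf '%s\n' "$1" | sed 's/\$\$//g' | grep -q '\$'; then
    echo "single-dollar"; return 1
  fi
  if is_bcrypt "$(compose_unescape "$1")"; then
    echo "ok"
  else
    echo "not-bcrypt"; return 1
  fi
}

echo "compose line: PASSWORD_HASH=$(compose_escape "$SAMPLE_HASH")"
echo "double-quoted on the command line becomes: $(double_quoted_sample)"
```

Running is_bcrypt on the value that actually ends up in the container (for example from docker inspect) shows whether a login failure after the update comes from a mangled hash rather than a wrong password.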