[How-to] Install Wireguard on RaspberryPi using OMV5 - OMV-Extras – Docker

  • The scope of this guide is for you to be able to connect to your home shared folder from anywhere, using a secure method, provided by the Wireguard VPN server.


    About me: I’m not an expert, this is the first time that I’ve used RaspberryPi, OMV, Docker, Wireguard. So if you find something wrong or that can be done easier or better, please share your comments.


    A bit of context: the first approach I’ve tried was to use Nextcloud & Swag & MariaDB docker containers, but after several errors generated by Nextcloud and, after solving almost all of those errors, seeing that it takes too damn long (8-10seconds) to fully load the Nextcloud Files or Photos page (with no personal files added yet, only the default demo ones), I gave up on it and tried the SharedFolder+Wireguard approach. Also, I’ve found no up-to-date & working docker container + a working guide for Seafile on RaspberryPi.



    This guide assumes that:

    • you have a RaspberryPi (tested on RaspberrryPi 4B, 4GB RAM) and you have installed OMV5 on it (tested with OMV 5.5.23-1 (Usul) )
    • your RaspberryPi has a fixed/static internal IP address
    • you use a windows laptop/pc
    • you can login to your RaspberryPi via SSH (for example using Putty)
    • a HDD/SSD is attached to your RaspberryPi, formatted as a Linux filesystem (tested with ext4), which is mounted on OMV5 – Storage – File Systems
    • a Shared Folder/SMB share created from OMV5, which resides on the attached HDD/SSD
    • your shared folder is already accessible (read/write) from computers/other devices on your home network
    • on OMV5 – System – OMV Extras, you have installed Docker and maybe Portainer



    These are the required steps for installing & configuring & using Wireguard on your RaspberryPi:

    1. Create a duckdns.org subdomain, configure duckdns IP updates & port forwarding
    2. Create a docker1 user from OMV5 and get its UID and GID
    3. Create required folders & files on your RaspberryPi
    4. Create Wireguard docker container
    5. Configure peers to be able to connect to your Wireguard server
    6. Test your VPN connection & remote access to your local shared folder
    7. Add more peers


    1. Create a duckdns.org subdomain, configure duckdns IP updates & port forwarding

    • create a duckdns.org subdomain.
    • then, from https://www.duckdns.org/install.jsp:
      • from the Operating Systems section click on “pi” black button
      • select your newly created domain from the “first step - choose a domain” section
      • and the bellow section will be populated with instructions about how to configure this domain for your RaspberryPi. Please follow the instructions presented there.


    Next, go to your router’s Admin page (some instructions here) and forward the port used by Wireguard, 51820, to the internal IP of your RaspberryPi (a general port forwarding guide here).


    For example, this is how the needed port forwarding looks like for a TP-Link router:




    2. Create a docker1 user from OMV5 and get its UID and GID


    From OMV5’s left side menu, go to:

    Services – SMB/CIFS – make sure that the Enable toggle button is active



    And that your samba share is enabled:



    Access Rights Management – Users – click Add



    In the General tab

    • Name = docker1
    • Add a password
    • Shell = bin/bash


    In the Groups tab - check these groups:

    • users
    • docker

    Click Save


    Login to your RaspberryPi via SSH using Putty (for example) and run this command:


    Code
    id docker1

    then copy its uid and gid to some other file



    3. Create required folders & files on your RaspberryPi


    Create docker1 folder and go to that folder:

    Code
    cd /home/docker1
    mkdir wireguard
    cd wireguard


    Copy this example of docker-compose.yml file content and update it with your info.


    Many thanks to OMV team for this very useful app and to linuxserver.io team for their work! – this info is retrieved from here.



    Update it with your info – I’m only mentioning the details that you have to change:


    environment:

    - PUID=XXX (enter here the uid value for your docker1 user – see step 2)

    - PGID=XXX ((enter here the gid value for your docker1 user – see step 2)


    For example, if:

    the output for command

    Code
    id docker1

    is

    uid=1001(docker1) gid=100(users) groups=100(users)…


    then the PUID and PGID will be

    Code
    environment:
          - PUID=1001
          - PGID=100



    - TZ=Europe/Berlin should be updated with your timezone, use this command to see which is it:

    Code
    cat /etc/timezone


    - SERVERURL=blabla.duckdns.org should be updated with your duckdns domain – see step 1



    - PEERS=3 #optional => Peer means some other device that you use to connect to your Wireguard server; instead of 3, you can enter the number of devices that you need to be able to connect to your Wireguard VPN server. In my case, I’ve used 3 because I want to be able to login using my phone, my tablet and my laptop, so 3 devices in total.


    volumes:

    - /srv/dev-disk-by-uuid-XXX/wireguard_folder/config:/config

    - /lib/modules:/lib/modules


    The SSD/HDD connected to your RaspberryPi is mounted under /srv/dev-disk-by-uuid-XXX where XXX is some ID what was generated when the SSD/HDD was mounted (via OMV5). For example, you can see this name when you run this command:

    Code
    lsblk


    So you should update

    - /srv/dev-disk-by-uuid-XXX/wireguard_folder/config:/config

    with the name from your setup


    Also, do not change this line:

    - /lib/modules:/lib/modules


    Then go to your mounted SSD/HDD folder and create the wireguard_folder:


    Code
    cd /srv/dev-disk-by-uuidXXX
    mkdir wireguard_folder


    Move back to docker1 home

    Code
    cd /home/docker1/


    And create a docker-compose.yml file required to create the Wireguard docker container:

    Code
    nano docker-compose.yml


    Now paste (right click) the updated example of docker-compose.yml file content


    After pasting, press CTRL+O then press Enter then press CTRL+X



    4. Create Wireguard docker container


    Make sure you’re in this location, where you have the docker-compose.yml file:

    Code
    cd /home/docker1/wireguard


    Then run

    Code
    docker-compose up -d


    You should see a green Done, as the final output of this command.


    Wait 2-3minutes (in my case, the required files were not created immediately after this command has successfully ended).



    5. Configure peers to be able to connect to your Wireguard server


    If you want to see more details, go to your Wireguard config folder:


    Before navigating to this folder, switch to root user

    Code
    sudo su –


    then

    Code
    cd /srv/dev-disk-by-uuidXXX/wireguard_folder/config
    ls

    The output of the ls command:

    coredns peer1 peer2 peer3 server templates wg0.conf


    So a folder for each peer has been created, along with the server config files.


    If we go to peer1 folder

    we can see that the folder content is this:

    peer1.conf peer1.png privatekey-peer1 publickey-peer1

    These are the config files needed by peer1.



    6. Test your VPN connection & remote access to your local shared folder


    Let’s say you want to login from your phone, to your Wireguard server on your RaspberryPi, using peer1 details.


    First you need to install Wireguard app on your phone.


    Open the QR code for peer1, from your ssh console:

    Code
    docker exec -it wireguard /app/show-peer 1


    Then open Wireguard app on your phone, click on that + button and select Scan from QR code and scan the code you see in your RaspberryPi console.


    Enable the newly created tunnel. To test this, you should disable phone's WIFI, make sure the Mobile Data is enabled, then open your file explorer app that you use on your phone and go to that RaspberryPi shared folder.


    For configuring the connection from your laptop, if you want to use peer2, you can use the peer2.conf from the peer2 folder.

    Code
    cd /srv/dev-disk-by-uuidXXX/wireguard_folder/config/peer2
    cp peer2.conf /home/pi/
    cd /home/pi
    chown 777 peer2.conf


    Now, you need to copy this peer2.conf file from your RaspberryPi to your laptop, using WinSCP.


    Configure WinSCP to connect to the IP of your RaspberryPI using port 22, user pi and its password.


    Copy peer2.conf from /home/pi to your Desktop, for example.


    Install Wireguard on your laptop, from here.


    To test your new Wireguard connection, you can disable home WIFI on your laptop (if your at home), start the Mobile Hotspot from your phone and connect to that hotspot. Open Wireguard app on your laptop and click on Add tunnel and add your peer2.conf file. Click Activate. That’s it.



    7. Add more peers


    If in the future, if you need more to have more peers, the easiest way is to edit the docker-compose.yml file and recreate the Wireguard container.


    So you will have to update this line and increment the number of peers:


    - PEERS=3 #optional


    The command for this is:

    Code
    nano /home/docker1/wireguard/docker-compose.yml


    Let’s say you have changed the peers number to 4.


    To save your changes - CTRL+O, press Enter, CTRL+X.


    Now we need to recreate the Wireguard container and only the changes will be applied, the existing peerX folders will not be modified so your existing devices configuration will still work.


    From the /home/docker1/wireguard folder, run this command

    Code
    docker-compose up -d wireguard 


    The output of this command should be:

    Code
    Recreating wireguard ... done


    Now you can check peer4 config files under /srv/dev-disk-by-uuidXXX/wireguard_folder/config/peer4



    Sorry if this guide is too long but I wanted to make it easier for beginners.

    I hope that this guide is useful for at least one person 😊

  • KM0201

    Approved the thread.
  • Can you explain why you created a new user, rather than using an existing one?

    This is, somewhat, the standard of the guides here on the forum.

    Main reason is to have an unpriviledge user running docker containers and for simplicity.


    If you have another user already in your system, and you add it to docker group (given docker priviledges, it will be the same (just don't use someone with id under 1000)


    kostin

    First of all, thank you for the guide.

    Really well written and explains in detail "HowTo".


    Now, just a smal "runt" about running Wireguard via docker (and this is just a personal opinion):

    For me, it makes no sense in running it via docker mainly because, if your docker crashes, you loose VPN access to your LAN.

    And the point of Wireguard is to connect to your LAN as if you were there).


    To explain further: All access from outside the LAN (from WAN) is blocked except the port for Wireguard.

    When client connects to Wireguard, it's seen on LAN as if it was there and can "ssh" to any other computers (if allowed to).

    Can access OMV via GUI with LAN IP or hostname, etc.

    You have a secure connection to your LAN.


    But, if docker crashes, you're SOL.

    You only have 2 solutions: either physical or "ssh" access on same LAN to reboot or restart it.


    Or you can also have a port open to "ssh" to the server (a portforward on the router from WAN :xxxx --> OMV IP:22) but this kills all the purpose of Wireguard.


    Since I spend most of the time, away from my home, I have this as an experience: can only "ssh" my server, if Wireguard is running.

    That is why, the Wireguard is under docker (running with the OS (RPiOS)).

    Even if docker crashes (it happened before, and, once in a while, it happens again), I still have access to the system to restart docker, kill PIDs, reboot, etc...


    Well, this is just my opinion but, as the great "Inspector Callahan" (Clint Eastwood) said: "Opinions are like a**holes; everybody has one" :saint:

  • Soma, sometime this year I decided to simplify my setup.

    I had to install Wireguard on another RPI for another location and I've used PiVPN with Wireguard. Then I've removed Docker from my RPI, installed PiVPN with Wireguard and reinstalled OMV.

    • Official Post

    kostin I was unaware of the existence of this thread. I just found out after your comment. The search engine in this forum unfortunately does not work as well as it could be. Maybe if you had posted in the guides section it would be easier to find.


    In any case a few days ago I published a guide to install Wireguard in docker. I see that there are not many differences with yours.


    [How-To] Install Wireguard (VPN) in docker, server mode


    I have added a couple of points to the published guide based on your post. I hope you do not mind. ;)


    You did a great job, congratulations.

  • Hello


    Thank you for these precise instructions which allowed me to successfully install Wireguard despite my limited knowledge of the subject. I managed to get the 2 QR codes (peer 1 and 2) for my mobile devices (with command : docker exec -it wireguard / app / show-peer 1 ( ”and 2”) and successfully scan them.


    However, I have a problem with my laptop, I can't find a way to copy the configuration file for peer3 with the following commands:


    cd / srv / dev-disk-by-uuidXXX / wireguard_folder / config / peer3


    cp peer3.conf / home / pi /


    cd / home / pi


    chown 777 peer3.conf


    I get the following error message:” chown: cannot access 'peer3.conf: No such file or directory”


    Is there any other way to locate and copy the peer3 file?


    thank you


    Jack

  • Thanks for your answer, but even with sudo it doesn't work.


    ls command on folder give me the following:


    pi@raspberrypi:/srv/dev-disk-by-uuid-.........../wireguard_folder/config $ ls

    coredns peer1 peer3 peer6 peer9 wg0.conf

    custom-cont-init.d peer10 peer4 peer7 server

    custom-services.d peer2 peer5 peer8 templates


    Now from there how can I retreive and copy the following peer3 config file ?


    thanks


    jack

  • You can simplify it by reading the QR code on the phone for peer3 and then on the Wireguard app of the phone, click the 3 dots on the top right corner and select export tunnels to zip.


    Send the zip to the PC and select the conf that you want on the PC app.

  • So ive installed all how written and it works. I get an QR Code and the App is showing that connection is there but Im not able to see any folder or data. Ive got an Lenovo Duet with ChromeOS and I need to know the Adress of the Folder to get connected. Also is the Folder connected to all my shared files automaticly?

    • Official Post

    So ive installed all how written and it works. I get an QR Code and the App is showing that connection is there but Im not able to see any folder or data. Ive got an Lenovo Duet with ChromeOS and I need to know the Adress of the Folder to get connected. Also is the Folder connected to all my shared files automaticly?

    To view shared folders with samba you need a file manager with the ability to connect to shared resources with samba. You will have to investigate the options that your ChromeOS offers. Sorry, I don't use this operating system.

    Once you connect to your shared folder, you will be able to see the files that are inside this shared folder.

  • To view shared folders with samba you need a file manager with the ability to connect to shared resources with samba. You will have to investigate the options that your ChromeOS offers. Sorry, I don't use this operating system.

    Once you connect to your shared folder, you will be able to see the files that are inside this shared folder.

    That means, I have to put the shared Folders of my NAS into the permissions of the docker1 user? For me its not clear how that user should be able to get acess to all files...

    • Official Post

    No. The only thing that Wireguard does is create a connection with your server, or with your local network. Once connected you can access your network and connect to your services and shared resources. Shares will continue to have the same permissions with Wireguard or without Wireguard.

  • Ahhh okay. So then my problem is, that I dont know what Path to put in the filemanager to find the files. Witch Ip of wireguard is the one I need?

    • Official Post

    That's it. Your connection will have been established in a subnet, something like: 10.13.13.1 Depending on how you have configured the Wireguard connection, it is possible that the IP of your server in that subnet is the same. Or it could be the same one you use on your LAN.

  • Yeah, well no of these IPs seems to be working....I tried all Interface Ips, the User Ip and the Endpoint adress witch referes to my duckdns adress..Any suggestions?

    • Official Post

    If you have any service on your LAN from the server (Jellyfin, Plex, ...) try to access it through a browser. This will confirm that the connection is working and you can verify what the IP is. Then I would move on to the problem of connecting the shared folder, perhaps the problem is of another nature than just finding out the IP.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!