Wireguard installation on docker in server mode. This will allow outside access to your internal network at home through an encrypted connection.
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
The architectures supported by this image are: x86-64, arm64, and armhf.
The following WireGuard installation on OMV using docker in server mode provides access to all our LAN services from the outside through an encrypted connection tunnel. In addition, it will encrypt all the client's internet traffic through the server (optionally).
For a client mode configuration you can consult here https://hub.docker.com/r/linuxserver/wireguard
1. Initial System Preparation
- General preparation of the OMV system to install applications in docker: create a user for docker and a folder for application configuration. You can do it by following this guide [How to] Prepare OMV to install docker applications
- If you have followed the guide your user will be "appuser" and its folder will be "/SSD/config". You can customize it if you want. Define the UID and GID of "appuser"; see how to do it in the previous link.
2. Define required parameters in Wireguard
- Access path: To access our network from outside we need to know our public IP (consult your Internet Service Provider), or alternatively have a domain that points to our server; you can get a free one here https://www.duckdns.org/
- Port forwarding on your router (see your router's user manual on how to do it)
- External port 51820 UDP to internal port 51820 (IP of your NAS)
- Number of clients: We must know how many clients (smartphone, laptop, server in a different location ...) we want to configure with access to our LAN. In the docker stack it corresponds to the PEERS value. You can set the number of clients you need, in this example we define two, therefore PEERS=2.
3. Install Wireguard on Docker
- Adapt and deploy the following stack in Portainer; you can see how to do it in the link in point 1. Note: Verify on the official page that this stack has not changed before installing it. https://hub.docker.com/r/linuxserver/wireguard

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 # See point 1.
      - PGID=100 # See point 1.
      - TZ=Europe/Madrid # Should be adjusted according to your location
      - SERVERURL=your.domain.com # See point 2.
      - SERVERPORT=51820 # To change see next post
      - PEERS=2 # See point 2. Number of clients you want to configure
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0 # Only change if it conflicts
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - /SSD/config:/config # See point 1.
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp # To change see next post
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
- Run the stack; this will download the necessary images and start the container. You can see how to do it in the link in point 1.
- Via SSH (PuTTY, WinSCP or similar) navigate to the WireGuard "config" folder that we just created. Inside there will be two folders (in this example PEERS=2, see point 2) called peer1 and peer2. Each folder has the files necessary to configure a client. We download them to our PC. Depending on the client we want to configure, one or more of the files will be necessary.
- If you need more clients, stop the container and modify the stack, changing the PEERS variable to the number of clients you need. Deploy the changes and restart the container.
4. Configuration of a client on Android
- From our smartphone we go to the Google Play Store, find and install the WireGuard app.
- We open the app and press the "+" button to add a tunnel. It gives us three options, we choose the second, "scan from QR code".
- Among the files that we have just downloaded to our PC, we choose the file with the .png format and open it.
- We scan the image from the smartphone and assign whatever name we want to the tunnel, for example "home". We already have the smartphone configured to access our home network.
- To test the connection, we deactivate the Wi-Fi on our smartphone and enable the data connection. The "home" network should appear on the Wireguard screen, press the button on the right and give it permission to access. We should already be connected to our home LAN and we should be able to access services as if we were at home with an encrypted connection. We can check it by opening a browser and accessing the IP of any service on our LAN.
- Also, all internet traffic on the smartphone will be routed through our VPN with an encrypted connection. If you don't want this see the next post.
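As an added example (not part of the original post or of the linuxserver image), a small Python check over a constructed peer1.conf shaped like the files the container writes into /SSD/config/peerN: it reports whether AllowedIPs makes the client a full tunnel (all traffic routed through home, as described above) or only covers the LAN, and whether Endpoint matches SERVERURL and SERVERPORT from the stack. The key strings and the LAN subnet 192.168.1.0/24 are assumed placeholders.

```python
import ipaddress
import re

# Constructed sample shaped like peer1/peer1.conf; keys are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = <peer1-private-key-placeholder>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <server-public-key-placeholder>
PresharedKey = <preshared-key-placeholder>
Endpoint = your.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_wg_conf(text):
    """Parse a WireGuard INI-style config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")  # keys may end in '=', so split once
        current[key.strip()] = value.strip()
    return sections

def audit_peer_conf(text, server_url, server_port, lan_subnet):
    """Report how the client will route and where it connects."""
    peer = parse_wg_conf(text)["Peer"]
    allowed = [ipaddress.ip_network(a.strip(), strict=False) for a in peer["AllowedIPs"].split(",")]
    lan = ipaddress.ip_network(lan_subnet)  # assumed home LAN, e.g. 192.168.1.0/24
    host, _, port = peer["Endpoint"].rpartition(":")
    return {
        "full_tunnel": any(n.prefixlen == 0 for n in allowed),  # 0.0.0.0/0 routes everything
        "covers_lan": any(lan.subnet_of(n) for n in allowed if n.version == lan.version),
        "endpoint_matches_stack": host == server_url and int(port) == server_port,
        "has_preshared_key": bool(peer.get("PresharedKey")),
    }

if __name__ == "__main__":
    print(audit_peer_conf(SAMPLE_CONF, "your.domain.com", 51820, "192.168.1.0/24"))
```

Swapping AllowedIPs for "10.13.13.0/24, 192.168.1.0/24" in the sample yields a split-tunnel result, which is the alternative to routing all smartphone traffic through home.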
5. Configuration of a client on other systems
- To install clients on Windows, Ubuntu, etc. see the following link: https://www.wireguard.com/install/