WireGuard Easy, or wg-easy, is a convenient way to set up WireGuard on your local and remote machines. It makes VPN setup a breeze.
Let's just use the Docker container. I made a handy bash function for it:
```bash
# vpn <server_ip> <admin_password_hash>: start the wg-easy container
vpn() {
    local server_ip=$1
    local password_hash=$2

    if [ -z "$server_ip" ] || [ -z "$password_hash" ]; then
        echo "Usage: vpn <YOUR_SERVER_IP> <YOUR_ADMIN_PASSWORD_HASH>"
        return 1
    fi

    echo "Setting up wg-easy with the following details:"
    echo "Server IP: $server_ip"
    echo "Password Hash: $password_hash"

    # 51820/udp is the WireGuard port, 51821/tcp is the admin UI.
    # The UI is reached through an SSH tunnel (see below), so publishing it as
    # -p 127.0.0.1:51821:51821/tcp keeps it off the server's public interface.
    docker run -d \
        --name=wg-easy \
        -e LANG=en \
        -e WG_HOST="$server_ip" \
        -e PASSWORD_HASH="$password_hash" \
        -e PORT=51821 \
        -e WG_PORT=51820 \
        -v ~/.wg-easy:/etc/wireguard \
        -p 51820:51820/udp \
        -p 51821:51821/tcp \
        --cap-add=NET_ADMIN \
        --cap-add=SYS_MODULE \
        --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
        --sysctl="net.ipv4.ip_forward=1" \
        --restart unless-stopped \
        ghcr.io/wg-easy/wg-easy

    echo "wg-easy setup complete."
}
```
Append that to the end of your .bashrc. It's a dotfile in your home directory, so you can edit it with:
```bash
cd
nano .bashrc
```
Then source it:
```bash
cd
source .bashrc
```
After that you should be able to start wg-easy with:
```bash
vpn server.ip.goes.here your_hashed_pwd_goes_here
```
You can generate the hashed password with pwgen:
```bash
sudo apt update
sudo apt install -y pwgen
pwgen 20 20
```
This will generate 20 passwords of 20 characters each.
Connect to the remote admin UI through an SSH port forward:
```bash
ssh -L 51821:localhost:51821 user@server
```
After that, the UI should be available in your browser at http://localhost:51821 (the forwarded port). There you can create clients; create one for each machine you need and download the .conf file it generates.
Then, on your local machine, install WireGuard and use the configuration file provided by the UI:
```bash
sudo apt update
sudo apt install -y wireguard
sudo cp my_conf.conf /etc/wireguard/wg0.conf
```
Next, and finally, you should be able to start the service:
```bash
sudo wg-quick up wg0
```
Please note that you'll need to use the VPN IPs for your SSH connections too, if you're connecting from one WireGuard client to another.
If the client must also be reachable from a public network (i.e. the client is actually a web server), you have to allow for that: with a full-tunnel configuration the client would otherwise send its replies to public visitors through the tunnel instead of its own gateway. Here's a handy script for that:
```bash
sudo cat /etc/wireguard/apply-routes.sh
```
```bash
#!/bin/bash
set -eu

# Public IP of the web server (replace the placeholder)
PUBLIC_IP="<the_client_server's_public_ip>"
# Default gateway (typically your router's IP) and its interface (e.g., eth0),
# taken from the first default route in the main table
DEFAULT_GATEWAY=$(ip route show default | awk 'NR==1 {print $3}')
INTERFACE=$(ip route show default | awk 'NR==1 {print $5}')

# Policy rule: traffic sourced from the public IP consults the main table
# (and so the real default gateway) instead of being sent into the tunnel.
# Run this after "wg-quick up" so the rule is numbered ahead of wg-quick's
# rules; skip it if already present so the script can be re-run safely.
ip rule show | grep -qF "from $PUBLIC_IP lookup main" \
    || ip rule add from "$PUBLIC_IP" table main
# "replace" rather than "add": the main table normally already holds this
# default route, and "add" would fail with "File exists".
ip route replace default via "$DEFAULT_GATEWAY" dev "$INTERFACE" table main
```
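The bypass only works if the new rule is consulted before the rule wg-quick adds for its routing table 51820, which is the order you get when the script runs after `wg-quick up`. The following check is an added example (my code, not part of the original post) that reads `ip rule show` output from a file and confirms that ordering; the table number 51820 and fwmark 0xca6c are wg-quick's defaults, and both rule listings are constructed samples.

```shell
#!/bin/sh
# Added check (not from the original post): is the bypass rule written by
# apply-routes.sh evaluated BEFORE wg-quick's rule for its table 51820?
# Reads `ip rule show` output from a file so it can run against a captured copy.

# bypass_rule_ok RULES_FILE PUBLIC_IP -> 0 only if a "from PUBLIC_IP lookup main"
# rule exists with a lower preference number (consulted first) than "lookup 51820".
bypass_rule_ok() {
    rules_file=$1; public_ip=$2
    bypass_pref=$(awk -v ip="$public_ip" \
        '$2=="from" && $3==ip && $4=="lookup" && $5=="main" {sub(":","",$1); print $1; exit}' \
        "$rules_file")
    wg_pref=$(awk '/lookup 51820/ {sub(":","",$1); print $1; exit}' "$rules_file")
    if [ -z "$bypass_pref" ]; then
        echo "FAIL: no 'from $public_ip lookup main' rule" >&2; return 1
    elif [ -z "$wg_pref" ]; then
        echo "FAIL: no wg-quick rule for table 51820 (is the tunnel up?)" >&2; return 1
    elif [ "$bypass_pref" -lt "$wg_pref" ]; then
        echo "OK: bypass rule $bypass_pref is consulted before wg-quick rule $wg_pref"
    else
        echo "FAIL: bypass rule $bypass_pref comes after wg-quick rule $wg_pref;" \
             "re-run apply-routes.sh after wg-quick up" >&2; return 1
    fi
}

# Constructed samples of `ip rule show` output (203.0.113.10 is a documentation address).
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
0:      from all lookup local
32763:  from 203.0.113.10 lookup main
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
EOF
# Same host, but apply-routes.sh ran before the tunnel came up, so its rule
# got a later (higher) preference number than wg-quick's.
BAD_RULES=$(mktemp)
cat > "$BAD_RULES" <<'EOF'
0:      from all lookup local
32763:  from all lookup main suppress_prefixlength 0
32764:  not from all fwmark 0xca6c lookup 51820
32765:  from 203.0.113.10 lookup main
32766:  from all lookup main
32767:  from all lookup default
EOF
bypass_rule_ok "$GOOD_RULES" 203.0.113.10
bypass_rule_ok "$BAD_RULES" 203.0.113.10 || echo "(second sample fails as expected)"
```

On a live host, capture the real listing with `ip rule show > /tmp/rules.txt` and pass that file together with the web server's public IP.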