Differences

This shows you the differences between two versions of the page.

--- docker_notes:vpn [2024-12-07 Sat wk49 10:05] – created baumkp
+++ docker_notes:vpn [2024-12-28 Sat wk52 11:23] (current) – [Wireguard] baumkp
@@ Line 1: / Line 1: @@
+{{tag>linux docker wireguard openvpn}}
+======Private LAN VPN Access======
+The scope here concerns use of VPN (Virtual Private Network) to gain secure access from the public network to a local private network.  It relates to private secure access and use from the public network.  It does not consider public VPNs setup for public use.
+There have been considered 3 different levels of access as described by the applications used:
+  *Wireguard - A VPN server
+  *Tailscale
+  *Headscale
+  *OpenVPN (Old)
-<- docker_notes:docker-dns|Back ^ docker_notes:index|Start page ^ docker_notes:fileshare|Next ->
+These applications and their scope are described further below.
+=====Wireguard=====
+I previously successfully setup [[https://wiki.kptree.net/doku.php?id=linux_router:wireguard|KPTree wireguard]] on my router.  This was installed on "bare metal" as was the nftable based router firewall. I later installed Bind9 DNS and Kea DHCP programs in Docker containers.  I always run Docker in a VM to prevent Docker's packet filtering from affecting the bare metal firewall rules.  Until recently I did not move Wireguard to a Docker container as I did not have the need or time.
+Using Docker [[https://github.com/linuxserver/docker-wireguard|wireguard]] from linuxserver.io is much easier than the manual "bare-metal" setup on my router.  The docker setup is below:
+++++docker-compose.yml|
+<code yaml>---
+services:
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    container_name: wireguard
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE #optional
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Australia/Perth
+      - SERVERURL=kptree.net #optional
+      - SERVERPORT=51820 #optional
+      - PEERS=2 #optional
+      - PEERDNS=auto #optional
+      - INTERNAL_SUBNET=10.13.13.0 #optional
+      - ALLOWEDIPS=0.0.0.0/0 #optional
+      - PERSISTENTKEEPALIVE_PEERS=all #optional
+      - LOG_CONFS=true #optional
+    volumes:
+      - ./config:/config
+      #- /lib/modules:/lib/modules #optional
+    ports:
+      - 51820:51820/udp
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    restart: unless-stopped</code>
+++++
+The Wireguard container [[https://github.com/linuxserver/docker-wireguard#server-mode|Server Mode]] documentation give some key points on usage:
+  *Variables ''SERVERURL'', ''SERVERPORT'', ''INTERNAL_SUBNET'', ''PEERDNS'', ''INTERFACE, ALLOWEDIPS'' and ''PERSISTENTKEEPALIVE_PEERS'' are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
+  *To add more peers/clients later on, you increment the ''PEERS'' environment variable or add more elements to the list and recreate the container.
+  *To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: ''docker exec -it wireguard /app/show-peer 1 4 5'' or ''docker exec -it wireguard /app/show-peer myPC myPhone myTablet'' (Keep in mind that the QR codes are also stored as PNGs in the config folder).
+====References=====
+  *[[https://hub.docker.com/r/headscale/headscale/tags|Wireguard]]
+  * xdeb.org [[https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/|Setting up a server firewall with nftables that support WireGuard VPN]]
+  * [[https://engineerworkshop.com/blog/how-to-set-up-a-wireguard-vpn-server-on-ubuntu-linux/|How To Set Up a WireGuard VPN Server on Ubuntu Linux]]
+  * [[https://github.com/pirate/wireguard-docs|Some Unofficial WireGuard Documentation]]
+  * [[https://securityespresso.org/tutorials/2019/03/22/vpn-server-using-wireguard-on-ubuntu/|How to setup your own VPN server using WireGuard on Ubuntu]]
+  * [[https://wiki.archlinux.org/index.php/WireGuard|Archlinux Wireguard]]
+  * [[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/|Wireguard VPN: Typical Setup]]
+  * [[https://try.popho.be/vpn.html|OpenVPN FAQ]]
+  * [[https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#insert-replace-or-delete-iptables-rules|A Tutorial for Controlling Network Traffic with iptables]]
+  * [[https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/|How To Set Up WireGuard Firewall Rules in Linux]]
+  * [[https://serversideup.net/courses/gain-flexibility-and-increase-privacy-with-wireguard-vpn/|Gain flexibility & increase privacy with WireGuard VPN]]
+=====Tailscale=====
+See Headscale.
+====Reference====
+  *[[https://tailscale.com/|Tailscale]]:
+    *[[https://tailscale.com/kb/1017/install|Tailscale quickstart]]
+    *[[https://tailscale.com/kb/1282/docker|Using Tailscale with Docker]]
+    *[[https://github.com/tailscale-dev|github Tailscale Community]]
+      *[[https://github.com/tailscale-dev/docker-guide-code-examples|tailscale-dev / docker-guide-code-examples]]
+=====Headscale=====
+For my use case Headscale was too complicated to setup.  I am also concerned about the effort to maintain.  So I have decided not to use at this time.
+https://github.com/juanfont/headscale/releases
+====Reference====
+  *[[https://headscale.net/stable/|headscale]]
+    *[[https://headscale.net/0.23.0/setup/install/container/|Running headscale in a container]]
+  *[[https://github.com/juanfont/headscale/releases|github headscale]]
+  *[[https://github.com/JamesTurland/JimsGarage/tree/main/Headscale2|JimsGarage Headscale2]]
+  *[[https://hub.docker.com/r/headscale/headscale/tags|Dockerhub headscale]]
+----
+<- docker_notes:docker-dhcp|Back ^ docker_notes:index|Start page ^ docker_notes:fileshare|Next ->