docker_notes:vpn [2024-12-28 Sat wk52 11:23] (current) – [Wireguard] baumkp
The scope here is the use of a VPN (Virtual Private Network) to gain secure access from the public network to a local private network: private, secure access to and use of the private network from the public side. It does not cover public VPNs set up for public use.
  
The following applications have been considered, each offering a different level of access:
  * Wireguard - A VPN server
  * Tailscale
  * Headscale
  * OpenVPN (Old)
  
These applications and their scope are described further below.

=====Wireguard=====
I previously successfully set up [[https://wiki.kptree.net/doku.php?id=linux_router:wireguard|KPTree wireguard]] on my router.  This was installed on "bare metal", as was the nftables-based router firewall.  I later installed the Bind9 DNS and Kea DHCP programs in Docker containers.  I always run Docker in a VM so that Docker's own packet filtering (it inserts its own iptables/nftables rules on whatever host it runs on) cannot interfere with the bare-metal firewall rules.  Until recently I had not moved Wireguard to a Docker container as I did not have the need or time.

Using the Docker [[https://github.com/linuxserver/docker-wireguard|wireguard]] image from linuxserver.io is much easier than the manual "bare-metal" setup on my router.  The Docker setup is below:
++++docker-compose.yml|
<code yaml>---
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional, only needed if the container must load the wireguard kernel module itself
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Perth
      - SERVERURL=kptree.net #optional, Endpoint written into the peer confs
      - SERVERPORT=51820 #optional, must match the published UDP port below
      - PEERS=2 #optional, number (or comma separated names) of peer confs to generate
      - PEERDNS=auto #optional, auto = DNS for peers served by the container's CoreDNS
      - INTERNAL_SUBNET=10.13.13.0 #optional, tunnel subnet
      - ALLOWEDIPS=0.0.0.0/0 #optional, AllowedIPs pushed into peer confs: 0.0.0.0/0 is full tunnel, list LAN subnets for split tunnel
      - PERSISTENTKEEPALIVE_PEERS=all #optional, keeps NATed peers reachable
      - LOG_CONFS=true #optional, peer confs and QR codes are also logged at startup
    volumes:
      - ./config:/config
      #- /lib/modules:/lib/modules #optional, host modules for SYS_MODULE above
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped</code>
++++

The Wireguard container [[https://github.com/linuxserver/docker-wireguard#server-mode|Server Mode]] documentation gives some key points on usage:
  * Variables ''SERVERURL'', ''SERVERPORT'', ''INTERNAL_SUBNET'', ''PEERDNS'', ''INTERFACE'', ''ALLOWEDIPS'' and ''PERSISTENTKEEPALIVE_PEERS'' are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with the existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
  * To add more peers/clients later on, increment the ''PEERS'' environment variable or add more elements to the list and recreate the container.
  * To display the QR codes of active peers again, use the following command and list the peer numbers or names as arguments: ''docker exec -it wireguard /app/show-peer 1 4 5'' or ''docker exec -it wireguard /app/show-peer myPC myPhone myTablet'' (keep in mind that the QR codes are also stored as PNGs in the config folder, so that folder holds every peer's private key and should be protected accordingly).
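Once the container is up, the two things worth checking are the peer confs it wrote under ''config/peerN/'' and the live tunnel state from ''docker exec wireguard wg show wg0 dump''. The following Python is an added example, not code from linuxserver.io or from this wiki: it parses a peer conf and a ''wg show'' dump and flags the settings discussed above (full-tunnel ''AllowedIPs'', missing tunnel DNS, missing keepalive, an endpoint port that does not match ''SERVERPORT'', malformed keys, and peers that have never handshaked or have gone quiet). The sample conf, keys and dump are constructed for the example.

```python
"""Audit linuxserver/docker-wireguard peer confs and live wg state.

Added example (not from linuxserver.io or this wiki).  Inputs:
  * a peer .conf as the container writes it under config/peerN/
  * the output of: docker exec wireguard wg show wg0 dump
All sample data at the bottom is constructed.
"""
import base64
import binascii
import ipaddress


def parse_wg_conf(text):
    """Parse an INI-style WireGuard conf into [(section, {key: value}), ...].
    Hand-rolled because configparser would merge repeated [Peer] sections."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1][key] = value
    return sections


def key_is_valid(b64):
    """WireGuard private/public/preshared keys are exactly 32 bytes, base64 encoded."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def routes_everything(allowed_ips):
    """True when AllowedIPs contains a default route (0.0.0.0/0 or ::/0): a full tunnel."""
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in allowed_ips.split(",") if n.strip()]
    return any(net.prefixlen == 0 for net in nets)


def audit_peer_conf(text, expected_port=51820):
    """Return finding codes for one client peer conf (expected_port = SERVERPORT)."""
    sections = parse_wg_conf(text)
    iface = next((d for name, d in sections if name == "Interface"), {})
    findings = []
    if not key_is_valid(iface.get("PrivateKey", "")):
        findings.append("interface-bad-private-key")
    for name, peer in sections:
        if name != "Peer":
            continue
        if not key_is_valid(peer.get("PublicKey", "")):
            findings.append("peer-bad-public-key")
        if "PresharedKey" in peer and not key_is_valid(peer["PresharedKey"]):
            findings.append("peer-bad-preshared-key")
        if routes_everything(peer.get("AllowedIPs", "")):
            findings.append("full-tunnel")  # every client packet goes via the VPN (ALLOWEDIPS=0.0.0.0/0)
            if "DNS" not in iface:
                # full tunnel but the client keeps its local resolver: lookups fail or leak
                findings.append("no-tunnel-dns")
        if "PersistentKeepalive" not in peer:
            findings.append("no-keepalive")  # a NATed client will stop being reachable from the server
        endpoint = peer.get("Endpoint", "")
        port = int(endpoint.rsplit(":", 1)[1]) if ":" in endpoint else None
        if port != expected_port:
            findings.append("endpoint-port-mismatch")
    return findings


def parse_wg_dump(text):
    """Parse `wg show <if> dump`: first line is the interface, the rest one peer per line."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    peers = [{"public_key": r[0], "preshared_key": r[1], "endpoint": r[2],
              "allowed_ips": r[3], "latest_handshake": int(r[4]),
              "rx": int(r[5]), "tx": int(r[6]), "keepalive": r[7]} for r in rows[1:]]
    return iface, peers


def stale_peers(peers, now, max_age=180):
    """Public keys of peers that never handshaked or whose last handshake is older than
    max_age seconds.  Unused peers are candidates for removal (delete the peer folder and
    recreate the container) so their private keys do not sit in config/ forever."""
    return [p["public_key"] for p in peers
            if p["latest_handshake"] == 0 or now - p["latest_handshake"] > max_age]


def _key(seed):
    """Constructed 32-byte key, base64 encoded.  Not a real key."""
    return base64.b64encode(bytes([seed]) * 32).decode()


FULL_TUNNEL_CONF = f"""
[Interface]
Address = 10.13.13.2
PrivateKey = {_key(1)}
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = {_key(2)}
PresharedKey = {_key(3)}
Endpoint = kptree.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

SPLIT_TUNNEL_CONF = f"""
[Interface]
Address = 10.13.13.3
PrivateKey = {_key(4)}

[Peer]
PublicKey = {_key(2)}
Endpoint = kptree.net:51821
AllowedIPs = 10.13.13.0/24, 192.168.1.0/24
"""

BAD_KEY_CONF = FULL_TUNNEL_CONF.replace(_key(1), "notakey")

# Constructed `wg show wg0 dump` output: one active peer, one that never connected.
SAMPLE_DUMP = "\n".join([
    "\t".join([_key(9), _key(10), "51820", "off"]),
    "\t".join([_key(1), _key(3), "203.0.113.7:41234", "10.13.13.2/32", "1735000000", "1200", "3400", "25"]),
    "\t".join([_key(4), "(none)", "(none)", "10.13.13.3/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    print("full tunnel conf:", audit_peer_conf(FULL_TUNNEL_CONF))
    print("split tunnel conf:", audit_peer_conf(SPLIT_TUNNEL_CONF))
    print("stale peers:", stale_peers(parse_wg_dump(SAMPLE_DUMP)[1], now=1735000100))
```

Run it against a real deployment by reading ''config/peer1/peer1.conf'' and the output of ''docker exec wireguard wg show wg0 dump'' instead of the constructed strings; ''full-tunnel'' is the expected result for the ''ALLOWEDIPS=0.0.0.0/0'' setting used in the compose file above, and only becomes a problem when combined with ''no-tunnel-dns''.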
====References====
  * [[https://github.com/linuxserver/docker-wireguard|linuxserver.io docker-wireguard]]
  * xdeb.org [[https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/|Setting up a server firewall with nftables that support WireGuard VPN]]
  * [[https://engineerworkshop.com/blog/how-to-set-up-a-wireguard-vpn-server-on-ubuntu-linux/|How To Set Up a WireGuard VPN Server on Ubuntu Linux]]
  * [[https://github.com/pirate/wireguard-docs|Some Unofficial WireGuard Documentation]]
  * [[https://securityespresso.org/tutorials/2019/03/22/vpn-server-using-wireguard-on-ubuntu/|How to setup your own VPN server using WireGuard on Ubuntu]]
  * [[https://wiki.archlinux.org/index.php/WireGuard|Archlinux Wireguard]]
  * [[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/|Wireguard VPN: Typical Setup]]
  * [[https://try.popho.be/vpn.html|OpenVPN FAQ]]
  * [[https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#insert-replace-or-delete-iptables-rules|A Tutorial for Controlling Network Traffic with iptables]]
  * [[https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/|How To Set Up WireGuard Firewall Rules in Linux]]
  * [[https://serversideup.net/courses/gain-flexibility-and-increase-privacy-with-wireguard-vpn/|Gain flexibility & increase privacy with WireGuard VPN]]

=====Tailscale=====
See Headscale.
====Reference====
  * [[https://tailscale.com/|Tailscale]]:
    * [[https://tailscale.com/kb/1017/install|Tailscale quickstart]]
    * [[https://tailscale.com/kb/1282/docker|Using Tailscale with Docker]]
    * [[https://github.com/tailscale-dev|github Tailscale Community]]
      * [[https://github.com/tailscale-dev/docker-guide-code-examples|tailscale-dev / docker-guide-code-examples]]
=====Headscale=====
For my use case Headscale was too complicated to set up.  I am also concerned about the effort to maintain it.  So I have decided not to use it at this time.

====Reference====
  * [[https://headscale.net/stable/|headscale]]
    * [[https://headscale.net/0.23.0/setup/install/container/|Running headscale in a container]]
  * [[https://github.com/juanfont/headscale/releases|github headscale releases]]
  * [[https://github.com/JamesTurland/JimsGarage/tree/main/Headscale2|JimsGarage Headscale2]]
  * [[https://hub.docker.com/r/headscale/headscale/tags|Dockerhub headscale]]
----

<- docker_notes:docker-dhcp|Back ^ docker_notes:index|Start page ^ docker_notes:fileshare|Next ->