Differences

This shows you the differences between two versions of the page.

docker_notes:vpn [2024-12-27 Fri wk52 19:51] – [Headscale] baumkp
docker_notes:vpn [2024-12-28 Sat wk52 11:23] (current) – [Wireguard] baumkp
Line 12: Line 12:
  
 =====Wireguard===== =====Wireguard=====
-I previously successfully setup [[https://wiki.kptree.net/doku.php?id=linux_router:wireguard|KPTree wireguard]] on my router.  This was installed on "bare metal" as was the nftable based router firewall. I later installed Bind9 DNS and Kea DHCP programs in Docker containers.  I always run Docker in a VM to prevent Docker's packet filtering from affecting the bare metal firewall rules.  I did not move Wireguard to a Docker container as I did not have the need at the time.+I previously successfully setup [[https://wiki.kptree.net/doku.php?id=linux_router:wireguard|KPTree wireguard]] on my router.  This was installed on "bare metal" as was the nftable based router firewall. I later installed Bind9 DNS and Kea DHCP programs in Docker containers.  I always run Docker in a VM to prevent Docker's packet filtering from affecting the bare metal firewall rules.  Until recently I did not move Wireguard to a Docker container as I did not have the need or time.
  
 +Using Docker [[https://github.com/linuxserver/docker-wireguard|wireguard]] from linuxserver.io is much easier than the manual "bare-metal" setup on my router.  The docker setup is below:
 +++++docker-compose.yml|
 +<code yaml>---
 +services:
 +  wireguard:
 +    image: lscr.io/linuxserver/wireguard:latest
 +    container_name: wireguard
 +    cap_add:
 +      - NET_ADMIN
 +      - SYS_MODULE #optional
 +    environment:
 +      - PUID=1000
 +      - PGID=1000
 +      - TZ=Australia/Perth
 +      - SERVERURL=kptree.net #optional
 +      - SERVERPORT=51820 #optional
 +      - PEERS=2 #optional
 +      - PEERDNS=auto #optional
 +      - INTERNAL_SUBNET=10.13.13.0 #optional
 +      - ALLOWEDIPS=0.0.0.0/0 #optional
 +      - PERSISTENTKEEPALIVE_PEERS=all #optional
 +      - LOG_CONFS=true #optional
 +    volumes:
 +      - ./config:/config
 +      #- /lib/modules:/lib/modules #optional
 +    ports:
 +      - 51820:51820/udp
 +    sysctls:
 +      - net.ipv4.conf.all.src_valid_mark=1
 +    restart: unless-stopped</code>
 +++++
 +
 +The Wireguard container [[https://github.com/linuxserver/docker-wireguard#server-mode|Server Mode]] documentation give some key points on usage:
 +  *Variables ''SERVERURL'', ''SERVERPORT'', ''INTERNAL_SUBNET'', ''PEERDNS'', ''INTERFACE, ALLOWEDIPS'' and ''PERSISTENTKEEPALIVE_PEERS'' are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
 +  *To add more peers/clients later on, you increment the ''PEERS'' environment variable or add more elements to the list and recreate the container.
 +  *To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: ''docker exec -it wireguard /app/show-peer 1 4 5'' or ''docker exec -it wireguard /app/show-peer myPC myPhone myTablet'' (Keep in mind that the QR codes are also stored as PNGs in the config folder).
 ====References===== ====References=====
   *[[https://hub.docker.com/r/headscale/headscale/tags|Wireguard]]   *[[https://hub.docker.com/r/headscale/headscale/tags|Wireguard]]
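Review bot: the added docker-compose.yml grants the container more than it needs and leaks peer keys into the log. ''SYS_MODULE'' is only useful together with the ''/lib/modules'' mount, and that mount is commented out; on a kernel that ships WireGuard (5.6 and later) the module is already present, so the ''- SYS_MODULE #optional'' line should go too, since that capability lets the container load modules into the VM kernel. ''LOG_CONFS=true'' writes the peer QR codes, which encode the whole peer conf including its private key, into the container log, where anyone who can run ''docker logs'' (and any log shipper attached to the VM) picks them up; set it to ''false'' and hand out the PNGs from ''./config'' or the ''/app/show-peer'' output quoted in the bullets instead. ''ALLOWEDIPS=0.0.0.0/0'' makes every peer a full-tunnel client routing all IPv4 through the router; if the intent is only to reach the home LAN from outside, narrowing it to the LAN and ''INTERNAL_SUBNET'' ranges is worth a sentence either way. Two smaller things: the bullet quoting the Server Mode docs has ''INTERFACE, ALLOWEDIPS'' inside one pair of quotes where each variable should get its own, and the References entry under Wireguard links to the headscale Docker Hub tags page rather than to anything WireGuard-related (the linuxserver image or repo would fit).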
Line 28: Line 64:
  
 =====Tailscale===== =====Tailscale=====
 +See Headscale.
 ====Reference==== ====Reference====
   *[[https://tailscale.com/|Tailscale]]:   *[[https://tailscale.com/|Tailscale]]:
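Review bot: "See Headscale." sends the reader to a section that only records that Headscale was dropped, so the Tailscale section now says nothing about Tailscale itself. State here whether the hosted Tailscale service was tried or ruled out, and on what grounds, rather than deferring to a section about a different product.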
Line 36: Line 72:
       *[[https://github.com/tailscale-dev/docker-guide-code-examples|tailscale-dev / docker-guide-code-examples]]       *[[https://github.com/tailscale-dev/docker-guide-code-examples|tailscale-dev / docker-guide-code-examples]]
 =====Headscale===== =====Headscale=====
 +For my use case Headscale was too complicated to setup.  I am also concerned about the effort to maintain.  So I have decided not to use at this time.
  
 https://github.com/juanfont/headscale/releases https://github.com/juanfont/headscale/releases
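Review bot: the added Headscale paragraph records the decision but not the reasons a later reader would need to revisit it; name which parts of the setup were too complicated and what the maintenance concern is, since "too complicated to setup" gives no way to judge whether a later release changes that. Grammar: "setup" is the noun and "set up" the verb, and "decided not to use at this time" needs an object ("not to use it"). The bare releases URL below the paragraph is also the only link on the page not in the [[url|label]] style used everywhere else.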