{{tag>linux docker wireguard openvpn}}
======Private LAN VPN Access======
The scope here concerns use of VPN (Virtual Private Network) to gain secure access from the public network to a local private network.  It relates to private secure access and use from the public network.  It does not consider public VPNs setup for public use.

There have been considered 3 different levels of access as described by the applications used:
  *Wireguard - A VPN server
  *Tailscale
  *Headscale
  *OpenVPN (Old)

These applications and their scope are described further below.

=====Wireguard=====
I previously successfully setup [[https://wiki.kptree.net/doku.php?id=linux_router:wireguard|KPTree wireguard]] on my router.  This was installed on "bare metal" as was the nftable based router firewall. I later installed Bind9 DNS and Kea DHCP programs in Docker containers.  I always run Docker in a VM to prevent Docker's packet filtering from affecting the bare metal firewall rules.  Until recently I did not move Wireguard to a Docker container as I did not have the need or time.

Using Docker [[https://github.com/linuxserver/docker-wireguard|wireguard]] from linuxserver.io is much easier than the manual "bare-metal" setup on my router.  The docker setup is below:
++++docker-compose.yml|
<code yaml>---
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Perth
      - SERVERURL=kptree.net #optional
      - SERVERPORT=51820 #optional
      - PEERS=2 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS=all #optional
      - LOG_CONFS=true #optional
    volumes:
      - ./config:/config
      #- /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped</code>
++++

The Wireguard container [[https://github.com/linuxserver/docker-wireguard#server-mode|Server Mode]] documentation give some key points on usage:
  *Variables ''SERVERURL'', ''SERVERPORT'', ''INTERNAL_SUBNET'', ''PEERDNS'', ''INTERFACE, ALLOWEDIPS'' and ''PERSISTENTKEEPALIVE_PEERS'' are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
  *To add more peers/clients later on, you increment the ''PEERS'' environment variable or add more elements to the list and recreate the container.
  *To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: ''docker exec -it wireguard /app/show-peer 1 4 5'' or ''docker exec -it wireguard /app/show-peer myPC myPhone myTablet'' (Keep in mind that the QR codes are also stored as PNGs in the config folder).
====References=====
  *[[https://hub.docker.com/r/headscale/headscale/tags|Wireguard]]
  * xdeb.org [[https://xdeb.org/post/2019/09/26/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/|Setting up a server firewall with nftables that support WireGuard VPN]]
  * [[https://engineerworkshop.com/blog/how-to-set-up-a-wireguard-vpn-server-on-ubuntu-linux/|How To Set Up a WireGuard VPN Server on Ubuntu Linux]]
  * [[https://github.com/pirate/wireguard-docs|Some Unofficial WireGuard Documentation]]
  * [[https://securityespresso.org/tutorials/2019/03/22/vpn-server-using-wireguard-on-ubuntu/|How to setup your own VPN server using WireGuard on Ubuntu]]
  * [[https://wiki.archlinux.org/index.php/WireGuard|Archlinux Wireguard]]
  * [[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/|Wireguard VPN: Typical Setup]]
  * [[https://try.popho.be/vpn.html|OpenVPN FAQ]]
  * [[https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#insert-replace-or-delete-iptables-rules|A Tutorial for Controlling Network Traffic with iptables]]
  * [[https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/|How To Set Up WireGuard Firewall Rules in Linux]]
  * [[https://serversideup.net/courses/gain-flexibility-and-increase-privacy-with-wireguard-vpn/|Gain flexibility & increase privacy with WireGuard VPN]]

=====Tailscale=====
See Headscale.
====Reference====
  *[[https://tailscale.com/|Tailscale]]:
    *[[https://tailscale.com/kb/1017/install|Tailscale quickstart]]
    *[[https://tailscale.com/kb/1282/docker|Using Tailscale with Docker]]
    *[[https://github.com/tailscale-dev|github Tailscale Community]]
      *[[https://github.com/tailscale-dev/docker-guide-code-examples|tailscale-dev / docker-guide-code-examples]]
=====Headscale=====
For my use case Headscale was too complicated to setup.  I am also concerned about the effort to maintain.  So I have decided not to use at this time.

https://github.com/juanfont/headscale/releases
====Reference====
  *[[https://headscale.net/stable/|headscale]]
    *[[https://headscale.net/0.23.0/setup/install/container/|Running headscale in a container]]
  *[[https://github.com/juanfont/headscale/releases|github headscale]]
  *[[https://github.com/JamesTurland/JimsGarage/tree/main/Headscale2|JimsGarage Headscale2]]
  *[[https://hub.docker.com/r/headscale/headscale/tags|Dockerhub headscale]]
----

<- docker_notes:docker-dhcp|Back ^ docker_notes:index|Start page ^ docker_notes:fileshare|Next ->