WireGuard Easy, or wg-easy, is a convenient way to set up WireGuard on your local and remote machines. It makes VPN setup a breeze.
Kalle Tolonen
June 23, 2024
Last updated on Aug. 5, 2024
Let's just use the Docker container. I made a handy vpn script for bash:
vpn() {
  local server_ip=$1
  local password_hash=$2
  if [ -z "$server_ip" ] || [ -z "$password_hash" ]; then
    # bcrypt hashes contain '$', so the hash must be single-quoted on the command line
    echo "Usage: vpn <YOUR_SERVER_IP> '<YOUR_ADMIN_PASSWORD_HASH>'"
    return 1
  fi
  echo "Setting up wg-easy with the following details:"
  echo "Server IP: $server_ip"
  echo "Password Hash: $password_hash"
  # WG_HOST is the public address clients connect to; PASSWORD_HASH is the bcrypt hash of the web UI admin password.
  # PORT is the web UI (TCP), WG_PORT the WireGuard listener (UDP); config and keys persist in ~/.wg-easy on the host.
  # NET_ADMIN/SYS_MODULE and the two sysctls let the container create the wg interface and forward client traffic.
  docker run -d \
    --name=wg-easy \
    -e LANG=en \
    -e WG_HOST="$server_ip" \
    -e PASSWORD_HASH="$password_hash" \
    -e PORT=51821 \
    -e WG_PORT=51820 \
    -v ~/.wg-easy:/etc/wireguard \
    -p 51820:51820/udp \
    -p 51821:51821/tcp \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_MODULE \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl="net.ipv4.ip_forward=1" \
    --restart unless-stopped \
    ghcr.io/wg-easy/wg-easy
  echo "wg-easy setup complete."
}
Save that at the end of your .bashrc file. It's a dotfile in your home directory; you should be able to edit it with:
cd
nano .bashrc
Then source it:
cd
source .bashrc
After that you should be able to start the container with (single-quote the hash: bcrypt hashes contain $ characters that the shell would otherwise expand):
vpn server.ip.goes.here 'your_hashed_pwd_goes_here'
You can generate a random admin password with pwgen:
sudo apt update
sudo apt install -y pwgen
pwgen 20 20
This will generate 20 passwords of 20 characters each; pick one. Note that wg-easy does not take the password itself: PASSWORD_HASH must be the bcrypt hash of it, which the image can produce for you with docker run ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD'.
Connect to the remote console by SSH port forwarding:
ssh -L 51821:localhost:51821 user@server
After that, you should have the UI available in your browser at http://localhost:51821. There you can generate clients, so do that for each machine you need and copy the .conf file it generates.
Then, on your local machine, install WireGuard and use the config file provided by the UI:
sudo apt update
sudo apt install -y wireguard
sudo cp my_conf.conf /etc/wireguard/wg0.conf
Next, and finally, make sure that file is readable by root only (it holds the client's private key) and start the service:
sudo wg-quick up wg0
Please note that you'll need to use the VPN IPs for your SSH connections too, if you're connecting from one WireGuard client to another.
If you need to access the client from a public network, i.e. the client is actually a web server, you should allow for that: with a full-tunnel config, replies to traffic arriving on its public IP would otherwise be sent into the tunnel. Here's a handy script for that:
sudo cat /etc/wireguard/apply-routes.sh
#!/bin/bash
# Run as root after the tunnel is up (for example from a PostUp line in wg0.conf).
# Public IP of the web server
PUBLIC_IP=<the_client_server's_public_ip>
# Default gateway (typically your router's IP) and its interface (e.g., eth0),
# taken from the first default route only
DEFAULT_GATEWAY=$(ip route | grep default | head -n1 | awk '{print $3}')
INTERFACE=$(ip route | grep default | head -n1 | awk '{print $5}')
# Policy rule: packets sourced from the public IP use the main table (which keeps
# the normal default route) instead of the tunnel table wg-quick sets up
ip rule add from "$PUBLIC_IP" table main
# Only add a default route to main if it has none; normally it already does,
# and a plain "ip route add" would then fail with "File exists"
ip route show table main default | grep -q . || \
  ip route add default via "$DEFAULT_GATEWAY" dev "$INTERFACE" table main
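As an added example (not code from this post or from the wg-easy project), a small Python checker to run over a client .conf before copying it into /etc/wireguard: it parses the file, checks that the keys decode to 32 bytes, reports the tunnel address you'll need for SSH between clients, and flags a full-tunnel AllowedIPs, which is exactly the case where the route bypass above is needed. The sample config and its placeholder keys are constructed, not real key material.

```python
import base64
import ipaddress
# Constructed sample shaped like the client .conf the wg-easy UI exports; keys are placeholder 32-byte values.
FAKE_KEY = base64.b64encode(bytes(32)).decode()
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {FAKE_KEY}
Address = 10.8.0.2/24
[Peer]
PublicKey = {FAKE_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: value}), ...] (configparser rejects repeated [Peer] sections)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
        elif line:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def is_wg_key(value):
    """WireGuard keys are base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_conf(text):
    """Summarise a client .conf: tunnel IPs, full-tunnel flag (a /0 in AllowedIPs) and problems found."""
    sections = parse_wg_conf(text)
    iface = next((kv for name, kv in sections if name == "Interface"), {})
    peers = [kv for name, kv in sections if name == "Peer"]
    problems = [] if peers else ["no [Peer] section"]
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    vpn_ips = [str(ipaddress.ip_interface(a.strip()).ip) for a in iface.get("Address", "").split(",") if a.strip()]
    full_tunnel = False
    for peer in peers:
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append("Peer.PublicKey is not a 32-byte base64 key")
        nets = [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        full_tunnel |= any(n.prefixlen == 0 for n in nets)
    return {"vpn_ips": vpn_ips, "full_tunnel": full_tunnel, "problems": problems}
```

Call check_conf(open("my_conf.conf").read()) on the file the UI gave you; an empty problems list and the expected vpn_ips are what you want to see before wg-quick up.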