WG Easy - open source, self hosted Wireguard server setup tool with a simple, intuitive web UI!

  • Published 31 May 2024
  • === Links ===
    Show Notes
    wiki.opensourceisawesome.com/...
    Get the AwesomeOpenSource Merchandise
    awesomeopensource.creator-spr...
    Support my Channel and ongoing efforts through Patreon:
    / awesomeopensource
    Buy Me a Coffee or Beer
    paypal.me/BrianMcGonagill?cou...
    === Timestamps ===
    00:00 Beginning
    00:08 Introduction to WG-Easy
    03:59 Donate to the WG-Easy dev to keep him working on the project
    06:04 Setup Our Server
    08:29 Create a Non-root User with sudo privileges
    === Contact ===
    Twitter: @mickintx
    Telegram: @MickInTx
    Mastodon: @MickInTx@fosstodon.org
    Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. For long term server usage, this is the way to go!
    www.ssdnodes.com/manage/aff.p...
    Get a $50.00 credit for Digital Ocean by signing up with this link:
    m.do.co/c/a6a61ae55242
    Use Hover as your Domain Name Registrar to get some great control over your domains / sub-domains:
    hover.com/SHPaiirr
    What does the money go to?
    To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
  • Science & Technology

COMMENTS • 113

  • @scubeedu2 3 months ago +1

    I've been using this for some time now and it is very solid. I set mine up to point the clients to my own self-hosted DNS and it works wonderful when connecting from places like airports or hotels; the tunnel is secured and private and I have the added bonus of blocking all the ad-ware nonsense while connected abroad.
    Thanks for the easy to follow video!

  • @HowToDoCrazyStuff00 3 months ago +4

    I was just about to start setup, and then this video showed up. Thanks!

  • @jim7smith 3 months ago +2

    Well done, Brian. You are getting much better at continuity in your videos. 😁😁

  • @joelfrojmowicz 3 months ago +2

    I just love your videos! Just keep 'em coming...
    Regards from Portugal.

  • @mightybing 3 months ago +8

    Personally, I prefer my VPN terminating on my OPNsense firewall rather than on internal networks but it does look nice.

    • @AwesomeOpenSource 3 months ago

      I think there's some Wireguard stuff for OPNSense nowadays.

  • @TheNuclearManx 3 months ago +1

    Nice video, I like this application as a way of securely connecting to my homelab. Just an extra tip to anyone thinking of doing this, I would recommend not having the Web UI publicly accessible, because if that gets compromised then your whole network is compromised. I would place much greater trust in the security of the VPN than the Web UI. It would probably be better to connect to the interface via the VPN connection (of course this then requires being connected to the VPN before you can add additional clients). If you are doing this on a VPS rather than your local network, I guess you could remove external access to the Web UI after you have your first client setup.

  • @ntecproducoes 1 month ago +1

    I really appreciate your work, keep up, regards from Brazil

  • @hdtrejo 3 months ago +1

    Well done sir and thank you!

  • @TooFreshForYa 1 month ago +1

    Thank you for the tutorial boss.

  • @iuhere 3 months ago +3

    is there two separate voices in narration or was that some tv/media playing in background at around 07:00 it was more clear to understand some one on a second track is saying "setup" and similarly before that with some other words.

    • @AwesomeOpenSource 3 months ago +1

      Yes, sorry. Not sure what happened, tried to remove as much as I could during post production.

    • @iuhere 3 months ago

      @AwesomeOpenSource it's fine, just wondering if I was okay or not. Thanks for confirming I am not insane. Good luck for future ones.

    • @gg-gn3re 3 months ago

      it's his voice playing twice at different points, like an echo almost

  • @edpozek 3 months ago +1

    @AwesomeOpenSource are the steps different for a home server VM running docker? I can't seem to get my client to connect to my host.

    • @AwesomeOpenSource 3 months ago +1

      You would need to port forward through your router if you run the server inside your home network. Ports 51820 and 51821 have to be forwarded to your host machine inside your network.

  • @dimitristsoutsouras2712 3 months ago +1

    Is there a way to create split / full tunnels from gui? In the cli creation of the server you can.

    • @AwesomeOpenSource 3 months ago +1

      No, this is really not meant for that. I'd say Tailscale / Headscale, Netmaker, or Netbird would be more what you want for those kinds of things in the GUI.

    • @dimitristsoutsouras2712 3 months ago

      @AwesomeOpenSource Ok thanks.

  • @m23605 1 month ago +1

    My wg-easy tunnels fail to work after being disconnected for some time. When that happens, I have to toggle the peer off and on (in the wg-easy web GUI) and the tunnel comes back up immediately. Has anyone figured out why this happens or if there's a way to periodically restart the peers automatically?

    • @AwesomeOpenSource 1 month ago

      In the config on the client, make sure there is a line about "persistent-keep-alive". Something like that. If not, just google it, and you'll see what to add, but that may help.

  • @gabscar1 1 month ago +2

    Thanks for the video. Unfortunately, I cannot change the port numbers. The listened port 51821 is hardcoded in the wg.conf file. I did a rebuild, but it didn't work. I have played with docker before. It's always a pain.

    • @AwesomeOpenSource 1 month ago

      In this section of the docker-compose.yml file,
      ports:
      - 51820:51820/udp
      - 51821:51821/tcp
      Change the left side port number to any open port on your host machine. Leave the right side as 51821 though. Then do
      docker-compose up -d
      again, and try the new port. This is the port for the web ui, but it should work.

    • @gabscar1 1 month ago

      @AwesomeOpenSource Thanks for your reply. I did all that stuff. The problem is that the wg0.conf file overwrites it. That file cannot be edited. This line is the problem: ListenPort = 51820.

    • @MagicMaschtRoom 28 days ago

      You are not alone.. I tried it too.. for hours 😵‍💫 with no success 💀

    • @gabscar1 28 days ago +1

      @MagicMaschtRoom Try headscale/tailscale instead.

  • @Virtualchronos 2 months ago +1

    How did you setup wireguard port (51820) behind nginx proxy manager ??? I'm stuck with it since hours and found no solution

    • @AwesomeOpenSource 2 months ago

      Didn't setup the port behind NPM. That has to have the port open to the server (port forwarded if behind a firewall). In my case I setup on Digital Ocean, so just allowed UDP traffic to the port in the cloud firewall. The web interface runs on 51821, so that one you need to setup on NPM.

    • @Virtualchronos 2 months ago

      @AwesomeOpenSource thanks for the answer. I feared that too. I did some research on my side and it seems that wireguard easy absolutely can't be behind NPM. That's sad but it seems that there's no solution about this. Headscale in opposition can 100% be used behind NPM.
      If you can, I would be very grateful for an updated tutorial about a full setup of headscale with a recent webui like admin ui or another one (new updates of headscale made your previous tutorial impossible to use and the webui is so old that 50% of it gives server error messages)

  • @thienluhoan 1 month ago +1

    When using the VPN over a LAN network, why can't I access SMB on Windows with a NetBIOS name?

    • @AwesomeOpenSource 1 month ago

      You need to make sure the VPN (if I'm understanding correctly) can resolve machines by hostname.

    • @thienluhoan 1 month ago

      @AwesomeOpenSource Right!! I think so too. But how can I check whether it can resolve hostnames?

  • @geogmz8277 3 months ago +1

    You said the connection is peer-to-peer after it has been established? as in Tailscale or Zerotier?

    • @AwesomeOpenSource 3 months ago +3

      Yes. The server acts as a configuration portal. It will provide configs to allow peer to peer communication on the Wireguard network. You can, of course, open the configs and modify them as you see fit though.

    • @geogmz8277 3 months ago

      @AwesomeOpenSource Interesting, I'll dig into it, thanks for the video.

  • @kristof9497 3 months ago +1

    thanks.

  • @shanewilliams2956 3 months ago

    So did not work for me... Not sure what I'm missing.. I have done the same steps, have wg-easy running, have NPM configured, can access the web UI, got my samsung s21 added on the wg-easy UI and in the wg app but it's not connecting in the web UI. I also disabled my ufw and tested again but still no luck... Also for me the QR code did not generate had to email myself the conf file to get it added in the app. Any suggestions? Update also tried changing the Ip addresses and the DNS of the added clients but still could not get working. When I activate the connection on my windows laptop it loses internet access however I'm on my phones hotspot.

    • @AwesomeOpenSource 3 months ago

      Sorry you're having so much trouble. Sometimes, depending on the OS, you need to restart networking for the internet to start working again. You can also add another environment variable to the docker-compose.yml file to open all traffic through the VPN. In fact, you can add several. Sorry, should add these to my show notes. Didn't mention this in the video.
      Set the IP addresses mask you want for your VPN
      - WG_DEFAULT_ADDRESS=10.8.0.x
      Set the DNS for your devices to use
      - WG_DEFAULT_DNS=1.1.1.1
      Set the MTU
      - WG_MTU=1420
      Set the allowed IPs (for all traffic to go through VPN set this to 0.0.0.0/0)
      - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
      Make sure the connection checks in to keep it alive
      - WG_PERSISTENT_KEEPALIVE=25

    • @shanewilliams2956 3 months ago

      Welp added what you suggested and still could not get it working. I rebooted the VM, recreated client, redownloaded conf file and still nothing... in the app it says its sending data but not receiving anything. This is on my phone again. UFW is disabled.
      WG_DEFAULT_ADDRESS=192.168.0.85
      WG_DEFAULT_DNS=192.168.0.167 (Pi-hole server)
      WG_MTU=1420
      WG_ALLOWED_IPS=192.168.0.0/24
      WG_PERSISTENT_KEEPALIVE=25
      @@AwesomeOpenSource
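
Added example, not part of the video, the comments, or the wg-easy project: a small Python check over the ports and environment values quoted in this thread, covering both the earlier tip to keep the web UI (51821/tcp) off public interfaces and the environment settings discussed just above. It assumes that a compose port entry with no host IP is published on every host interface, and that the x in WG_DEFAULT_ADDRESS is the per-client placeholder; the finding codes and the LOOPBACK_PORTS sample are made up for illustration.

```python
import ipaddress

WEB_UI_PORT = 51821  # container port of the web UI, as given in the thread


def parse_port(spec):
    """Parse compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO].
    Port ranges are not handled here."""
    mapping, _, proto = spec.strip().partition("/")
    parts = mapping.rsplit(":", 2)
    # With no HOST_IP, Docker publishes the port on every host interface.
    host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
    host_port = int(parts[-2]) if len(parts) >= 2 else None
    return host_ip, host_port, int(parts[-1]), (proto or "tcp").lower()


def split_list(value):
    """Split a comma-separated environment value into trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(ports, env):
    """Return (code, detail) findings; the codes are names made up for this example."""
    findings = []
    for spec in ports:
        host_ip, _, container, proto = parse_port(spec)
        addr = ipaddress.ip_address(host_ip)
        exposed = addr.is_unspecified or addr.is_global
        if container == WEB_UI_PORT and proto == "tcp" and exposed:
            findings.append(("web-ui-public", f"{spec} publishes the web UI on {host_ip}"))
    # Assumption: 'x' in WG_DEFAULT_ADDRESS is the per-client placeholder (10.8.0.x).
    template = env.get("WG_DEFAULT_ADDRESS")
    if template is not None and "x" not in template.lower():
        findings.append(("address-no-placeholder", f"{template} is a single address"))
    allowed = [ipaddress.ip_network(n, strict=False)
               for n in split_list(env.get("WG_ALLOWED_IPS", ""))]
    for dns in split_list(env.get("WG_DEFAULT_DNS", "")):
        # A resolver outside every allowed range is queried outside the tunnel.
        if allowed and not any(ipaddress.ip_address(dns) in net for net in allowed):
            findings.append(("dns-outside-tunnel", f"{dns} is not in WG_ALLOWED_IPS"))
    if int(env.get("WG_PERSISTENT_KEEPALIVE", "0")) == 0:
        findings.append(("no-keepalive", "no keepalive interval is set"))
    return findings


# Values copied from the thread above.
THREAD_PORTS = ["51820:51820/udp", "51821:51821/tcp"]
SUGGESTED_ENV = {
    "WG_DEFAULT_ADDRESS": "10.8.0.x",
    "WG_DEFAULT_DNS": "1.1.1.1",
    "WG_MTU": "1420",
    "WG_ALLOWED_IPS": "192.168.15.0/24, 10.0.1.0/24",
    "WG_PERSISTENT_KEEPALIVE": "25",
}
REPORTED_ENV = {
    "WG_DEFAULT_ADDRESS": "192.168.0.85",
    "WG_DEFAULT_DNS": "192.168.0.167",
    "WG_MTU": "1420",
    "WG_ALLOWED_IPS": "192.168.0.0/24",
    "WG_PERSISTENT_KEEPALIVE": "25",
}
# Constructed for comparison: web UI published on the host's loopback only.
LOOPBACK_PORTS = ["51820:51820/udp", "127.0.0.1:51821:51821/tcp"]

if __name__ == "__main__":
    cases = [("suggested", THREAD_PORTS, SUGGESTED_ENV),
             ("reported", THREAD_PORTS, REPORTED_ENV),
             ("loopback UI", LOOPBACK_PORTS, SUGGESTED_ENV)]
    for name, ports, env in cases:
        print(name)
        for code, detail in audit(ports, env):
            print(f"  {code}: {detail}")
```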

  • @christopherfitzgerald2296 3 months ago +1

    Love your content! I just tried running your Installation of Docker-CE and Docker Compose via a Simple Script on my Oracle Cloud free instance using their Ampere A1 ARM64 processor. I ran your script as the option for ARM64 / raspbian os thinking that may be the closest option. Unfortunately just about everything errored out during the install. Any ideas? Keep up the great content, I'm learning a TON!

    • @AwesomeOpenSource 3 months ago

      Hmmmm. Haven't thought of a non RPi arm setup yet. I'll have to see if I can get that added. Sorry it didn't work for you.

  • @gsgorveatt 3 months ago +1

    Love your videos. Is there a way of using wireguard and nginx proxy manager to host sites? I want to make sites on my home computer public but can't open ports due to double NAT. Is there a way of using wireguard with a VPS to make this happen? I'd like to use a domain I have as well. Want it to be similar to cloudflare tunnels but self hosted.

    • @AwesomeOpenSource 3 months ago +1

      Yes. Put the reverse proxy on the VPS, then use your Wireguard IP of the server in your home in the proxy host entry. As long as Wireguard is up and the machines can communicate it will work just like a LAN.

    • @gsgorveatt 3 months ago

      Amazing. I did what you said and it worked perfect. You should do a video on this. Super easy to setup. Completely replaces cloudflare tunnel especially if you use oracle free tier.

    • @AwesomeOpenSource 3 months ago

      @gsgorveatt glad it worked. I did one on this type setup using NetMaker last year. This makes it a bit easier as you only need the one VPS for sure.

    • @gsgorveatt 3 months ago

      Yes, I watched your netmaker video and because I was using oracle free tier had issues. @AwesomeOpenSource

  • @DJDashzn 2 months ago +1

    Hi Brian love the video. Just a question can this application be used as a subnet router.

    • @AwesomeOpenSource 2 months ago

      If you're asking if you could connect to a LAN through one node on that network, technically you can do that, but you'd have to modify the compose file, and be careful where you put the nodes outside of that LAN. WG Easy itself isn't designed for that as far as I can tell.

  • @Thebanday 1 month ago +1

    Can I create new users without giving them admin access, so they can only download their specific config file and not access others?

    • @AwesomeOpenSource 1 month ago +1

      I'd say Wg-Easy isn't really meant for that. I'd say maybe Netmaker, Netbird, or Headscale with Tailscale clients might be the route you want to go. I have videos on all of those solutions as well.

    • @Thebanday 1 month ago

      @AwesomeOpenSource Will check.. Thank you so much

  • @sidneyking11 3 months ago +3

    Instead of using a digital ocean server how could it be configured on a home server to vpn in to a home network? Do you have a past video on your docker script install? I like to learn about the other services installed like the proxy. Also could you explain what app to use to update a domain name when the home ip address changes? The video has some great insights. Thank you

    • @edpozek 3 months ago +1

      me too, I tried setting mine up from my home server and I just can't get my client to connect to the host VM.

    • @anagnale000 3 months ago

      From what I understand the point of this video is to show how to create a VPN tunnel from outside your home network to inside your home network without port forwarding. If your wireguard server is inside your network you would need to port forward your home router to the wireguard server on your network. This would negate any advantages of using wireguard in the first place.

    • @AwesomeOpenSource 3 months ago

      @anagnale000 said it correctly. The idea behind using something like this is 1. a VPN between your devices, but also to allow you to get back to the devices / services on your home network without having to open any ports on your home network. If you setup this part inside your network at home, you have to open ports for the traffic to get to the server, and now you're not really gaining much from that setup. If, however, you want to do it, you'll have to port forward ports 51820 and 51821 on your router to your server host running the WG-Easy docker setup.

    • @sidneyking11 3 months ago +1

      In that case it would be cheaper to use a VPN provider like NordVPN or Express VPN. Digital Ocean can get very expensive. Your response seems biased since Digital Ocean is your sponsor.

  • @vidhyadharlambade 3 months ago +1

    you saved my life ... that exactly i am looking for

  • @idriskautsar757 3 months ago +1

    do you recommend this for production infrastructure ?

    • @AwesomeOpenSource 3 months ago

      It depends on your use case really. Wireguard is Wireguard. The way you generate configurations is the only difference here. If you just need a flat (LAN-like) network where all machines can reach all other machines, this is great.

    • @idriskautsar757 2 months ago

      how if i want to use it to mikrotik ?

  • @andreaslink6682 3 months ago +1

    Hmm, this is really very(!) simple, but I totally miss setup for the overall network, as well as setting up, which networks should be routed. Does it by default only route 0.0.0.0/0? And what about IPv6? Which DNS is used here? So, I see this working pretty easy, but I also have quite some open questions. Would have been nice, if you could have shown the contents of the downloaded conf file to get an impression, what happened behind the scenes in there.
    Anyhow it is a nice video to start wg with, I really like your slow detailed videos, they are usually pretty good to reproduce :-).

    • @AwesomeOpenSource 2 months ago +1

      You can set 0.0.0.0/0 if you want to, but you can also just set the WG network. it's kind of up to you. You have to edit the configs manually for a lot of the more advanced stuff you might want though.

  • @mikedoth 3 months ago +1

    I'd love to see a video about ferrumgate please.

    • @AwesomeOpenSource 3 months ago +1

      Bookmarked the site so I can look into it more.

    • @mikedoth 3 months ago

      @AwesomeOpenSource not sure how it compares to netmaker but looks pretty good.

  • @darrenoleary5952 2 months ago +1

    Does this have to be done in Docker?

    • @AwesomeOpenSource 2 months ago

      It's the preferred way to install it, but I'm sure it can be setup natively as well.

  • @duduoson1306 3 months ago +1

    I never had any luck with this

    • @AwesomeOpenSource 3 months ago +1

      Sorry to hear that. With my instructions specifically, or just WG Easy in general?

    • @duduoson1306 3 months ago

      @AwesomeOpenSource with wg on opnsense and a second attempt with wg-easy. I might give it a third shot with your instructions, but my problem was that while clients and servers show that my tunnels are up, I don’t pass traffic, can’t ping, etc. Sounded like firewall rules but after hours messing with ufw or iptables I ended up going a different less performative routes like ipsec.

    • @Akrocker2007 3 months ago

      @duduoson1306 Same issue here but with PFSense. I have had luck with running the terminal version of WG on a pi but WG-easy has eluded me since I found out about it. Would love to get it to work because it's much easier to add clients than the latter. Post/DM if you figure it out.

  • @alexandrevikol1810 3 months ago +1

    Thank you for the great videos. If you are interested, can you do a comparison of object storage file systems ? I just tried juicefs with wasabi and i love it and i was wondering if there is something better. almost nobody talks about it. I save so much money with that.

    • @AwesomeOpenSource 3 months ago

      Let me learn more about them. I did setup a MinIO system to mess with, but didn't really grasp the benefit of it over just using an NFS share. So, I need to learn more.

    • @alexandrevikol1810 3 months ago +1

      @eOpenSource well if i was to compare juicefs to a nfs share from my novice point of view, i would say that visually it looks the same, you get a folder with files inside. But underneath that, with juicefs, every file is chunked and encrypted before they are sent to the cloud storage so they never gets the decryption keys even if cloud is compromised. You can also tell juicefs to store the encrypted chunks on the local disk and then sync the encrypted chunks with another software to whatever cloud. But yeah juicefs is a bit too much cpu intensive for small servers and also encryption is really slow with small files so i was kinda hoping to find better.

  • @user-lm8qn3xw8t 1 month ago +1

    Awesome video but can you do one with port forwarding like an easy port forwarding one with wireguard easy?
    TIA

    • @AwesomeOpenSource 1 month ago

      Do you mean to run the server inside your LAN, or to forward traffic to your services over WG-Easy?

  • @Common-man_life 3 months ago +1

    Hello sir, its awesome, could you please share how to configure IPV6 with this setup

    • @AwesomeOpenSource 3 months ago +1

      I apologize, I'm not an IPv6 expert thus far. But, you can find the info on their github README here github.com/burghardt/easy-wg-quick/blob/master/README.md#enabling-ipv6. Hope it helps.

    • @Common-man_life 3 months ago

      @AwesomeOpenSource Thank you so much, lets try..

  • @88EckoUnltd88 2 months ago +1

    would it be possible to update the script

  • @DavidM2002 3 months ago +2

    I must be missing something here but I used Tailscale to connect 3 NAS's and 3 Windows computer with nowhere near the complexity of this. It may be that I'm not using all of the features. I just need the various NAS's and PC's to share files and to access them from anywhere. Tailscale just works and is setup in minutes. Thanks for the video though; it's always nice to see what our options are. Really well explained.

    • @Unselfless 3 months ago +3

      1. Some people get nervous about letting another company have that level of access to their internal network. Much of this channel is how to self-host and not rely on someone else.
      2. Tailscale requires you to use a third-party SSO. That's a single point of failure that could make someone want to self-host instead

    • @AwesomeOpenSource 3 months ago +1

      100% what @unselfless said. It's about running your own server. Tailscale kind of owns all the setup. I'm 1 step down with a VPS. You could even go all the way self hosted like I do with Headscale and host it at home.

    • @DavidM2002 3 months ago +1

      @AwesomeOpenSource And my education continues. Many thanks to you both.

    • @AwesomeOpenSource 3 months ago

      @DavidM2002 not to worry. I learn new things on a daily basis. It’s what keeps all of this so interesting.

  • @jenishngl 3 months ago +2

    isn't there some echo around 6:20 kind of annoying

    • @AwesomeOpenSource 3 months ago +1

      Sorry, not sure what happened there. Tried to filter it as much as I could in post production.

  • @joelsulecio 3 months ago

    Second 🎉

  • @feo786 3 months ago +1

    I tried this the other day but had no luck. Difference with me is that I needed wg-easy installed without docker. I already have vanilla wireguard setup in a VM in Proxmox, so I just need to overlay a GUI on top of that without having to install Docker.

    • @gg-gn3re 3 months ago

      a lot of these that require docker are a quick way to know not to bother running the software. It's unfortunate so many do.

    • @AwesomeOpenSource 3 months ago

      The idea here is that this uses the Wireguard install on the server if it's already there I think. Docker is just a really thin virtualized machine that runs the software. The benefit is that it runs the same on any OS that supports Docker.

  • @knutabl 1 month ago +1

    Great video, but the chatter/video running in the background is really distracting - especially for those who are hearing impaired. Kind regards.

    • @AwesomeOpenSource 29 days ago +1

      Yeah, sorry. Not sure what happened there. I tried to remove it as much as I could. Some sort of weird feedback loop or something.

  • @mendozairis 3 months ago

    In my mind I can't help reading commands as wuhgee quick up lol

  • @infocus-media 3 months ago +1

    FIRST!!!!

  • @sachron3gmail 3 months ago +1

    will this able to add a client for site to site or point to site?

    • @AwesomeOpenSource 3 months ago +1

      You have to setup the Allowed IPs in the config file properly, and there's not really a way to do that through the UI on this setup. I'd say Tailscale / Headscale, Netmaker, or Netbird would be better for that setup.