Wireguard

Information

WireGuard is a VPN protocol and software that is newer and far less complex than OpenVPN, which gives it a smaller attack surface. Beyond the security purposes of a VPN, such as when [[ Torrent|torrenting ]], being behind a CG-NAT (as with [[ Starlink ]]) creates a need for a tunnel that provides a port-forwarded public IP address when self-hosting. This creates a unique set of requirements:

  1. The VPN must provide both port forwarding and a static IP, and the port forwarding must allow low ports (such as 80 and 443). This runs counter to the usual security posture, so many VPN providers do not offer these features. Currently OVPN is used.
  2. The VPN must be run so that only specific outgoing traffic is routed through it, not all outgoing traffic. This keeps local traffic local, which is especially important for [[ Jellyfin ]], where speed and latency become problematic.
  3. Incoming traffic, however, needs to be routable to any container. The final solution is therefore to run WireGuard as a container while the host OS traffic runs normally. Containers whose outgoing traffic should go through the VPN are given `network_mode: service:wireguard`, and their ports are published on the WireGuard container instead; since they share its network namespace, those containers route their traffic through the WireGuard container. [[ NginX Proxy Manager ]] is also attached in this way: because the WireGuard connection has a static public IP address, the reverse proxy can be used as usual, targeting the containers' internal IPs.

Docker Compose Script

```yaml
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Adelaide
    volumes:
      - /docker/wireguard/config:/config
      - /docker/wireguard/lib/modules:/lib/modules
    # Ports of the containers attached with network_mode: service:wireguard
    # are published here, because they share this container's network namespace.
    ports:
      - 8080:8080
      - 8112:8112
      - 81:81
      - 80:80
      - 443:443
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```

wg0.conf

```conf
[Interface]
PrivateKey = {Provided Private Key}
Address = {Provided Address}
DNS = {Provided DNS}
# Route the private (RFC 1918) ranges via the container's default gateway so LAN traffic
# bypasses the tunnel, then reject everything else that does not leave via the WireGuard
# interface or carry its fwmark (kill switch).
PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE; ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE; iptables -I OUTPUT -d $HOMENET -j ACCEPT; iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# Tear down exactly what PostUp added; the HOMENET ranges must match the ones above.
PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route delete $HOMENET; ip route delete $HOMENET2; ip route delete $HOMENET3; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT

[Peer]
PublicKey = {Provided Public Key}
AllowedIPs = 0.0.0.0/0
Endpoint = {Provided Endpoint}
```
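The PostUp/PreDown pair only leaves the container in a clean state if PreDown removes exactly what PostUp installed; a mistyped HOMENET range leaves a stale route and an orphaned ACCEPT rule behind after the tunnel goes down, and a missing REJECT rule means a tunnel outage leaks traffic out of the container's normal interface. The following is an added example, not code from this note or from the linuxserver image: a small Python linter that parses a wg0.conf, expands the HOMENET-style shell variables in the hooks, and checks that routes and iptables rules are symmetric, that the fwmark kill-switch rule is present, and that the peer is a full tunnel (AllowedIPs = 0.0.0.0/0). The embedded conf is a constructed sample mirroring the one above, with placeholder keys and the placeholder endpoint vpn.example.invalid.

```python
"""Lint a split-tunnel WireGuard wg0.conf for asymmetric PostUp/PreDown hooks.

Added example, not code from the original note. It checks that every route and
iptables rule installed in PostUp is torn down in PreDown, that the fwmark
kill-switch REJECT rule is present, and that the peer routes all traffic
(AllowedIPs = 0.0.0.0/0) so the ACCEPT exceptions are the only tunnel bypass.
"""
import re

ROUTE_RE = re.compile(r"ip route (add|del|delete) (\S+)")
RULE_RE = re.compile(r"iptables -(A|I|D) (.*)")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"([A-Za-z_]\w*)=(.*)")


def parse_wg_conf(text):
    """INI-style parse; every key maps to a list because PostUp/PreDown may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {}).setdefault(key.strip(), []).append(value.strip())
    return sections


def hook_commands(hook):
    """Split a hook on ';' and expand literal NAME=value assignments into later commands.

    $(...) substitutions such as $DROUTE's value are left as text; only destinations matter here.
    """
    env, cmds = {}, []
    for part in (p.strip() for p in hook.split(";")):
        if not part:
            continue
        assign = ASSIGN_RE.fullmatch(part)
        if assign:
            env[assign.group(1)] = assign.group(2)
            continue
        expanded = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), part)
        cmds.append(" ".join(expanded.split()))
    return cmds


def lint(conf_text):
    """Return human-readable findings; an empty list means the hooks are consistent."""
    conf = parse_wg_conf(conf_text)
    iface = conf.get("Interface", {})
    post = [c for h in iface.get("PostUp", []) for c in hook_commands(h)]
    pre = [c for h in iface.get("PreDown", []) for c in hook_commands(h)]

    def routes(cmds, verbs):
        return {m.group(2) for c in cmds if (m := ROUTE_RE.match(c)) and m.group(1) in verbs}

    def rules(cmds, flags):
        return {m.group(2) for c in cmds if (m := RULE_RE.match(c)) and m.group(1) in flags}

    up_r, down_r = routes(post, {"add"}), routes(pre, {"del", "delete"})
    up_t, down_t = rules(post, {"A", "I"}), rules(pre, {"D"})
    findings = [f"route {n} added in PostUp but not deleted in PreDown" for n in sorted(up_r - down_r)]
    findings += [f"route {n} deleted in PreDown but never added in PostUp" for n in sorted(down_r - up_r)]
    findings += [f"iptables rule '{r}' added in PostUp but not deleted in PreDown" for r in sorted(up_t - down_t)]
    findings += [f"iptables rule '{r}' deleted in PreDown but never added in PostUp" for r in sorted(down_t - up_t)]
    # Kill switch: anything not leaving via %i and not carrying WireGuard's fwmark must be rejected.
    if not any("! -o %i" in r and "--mark" in r and r.endswith("-j REJECT") for r in up_t):
        findings.append("no fwmark kill-switch REJECT rule in PostUp")
    if not any("0.0.0.0/0" in a for a in conf.get("Peer", {}).get("AllowedIPs", [])):
        findings.append("peer AllowedIPs does not include 0.0.0.0/0, so the hooks are not a full-tunnel exception list")
    return findings


# Constructed sample mirroring the note's wg0.conf; keys and endpoint are placeholders.
_UP = ("DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; "
       "HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE; "
       "ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE; "
       "iptables -I OUTPUT -d $HOMENET -j ACCEPT; iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; "
       "iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark "
       "$(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT")


def sample_conf(homenet3_down="172.16.0.0/12"):
    """Build the sample; pass a different homenet3_down to reproduce a PostUp/PreDown mismatch."""
    down = (f"HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3={homenet3_down}; "
            "ip route delete $HOMENET; ip route delete $HOMENET2; ip route delete $HOMENET3; "
            "iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype "
            "! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; "
            "iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT")
    return (f"[Interface]\nPrivateKey = PLACEHOLDER_PRIVATE_KEY\nAddress = 10.2.0.2/32\n"
            f"DNS = 10.2.0.1\nPostUp = {_UP}\nPreDown = {down}\n\n[Peer]\n"
            "PublicKey = PLACEHOLDER_PUBLIC_KEY\nAllowedIPs = 0.0.0.0/0\n"
            "Endpoint = vpn.example.invalid:51820\n")


if __name__ == "__main__":
    for label, conf in (("consistent", sample_conf()), ("mismatched", sample_conf("172.18.0.0/12"))):
        print(label, "->", lint(conf) or ["OK"])
```

Point `lint()` at the real file (`lint(open("/docker/wireguard/config/wg0.conf").read())`) before creating the container; a mismatched third range produces four findings (one stale route, one orphaned ACCEPT rule, and their never-added counterparts), while a consistent file produces none.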

Setup

  1. Add the above to your docker compose file.
  2. Run sudo nano /docker/wireguard/config/wg0.conf and paste the conf file above, replacing each {Provided x} with the values from your VPN provider.
  3. Create your docker container.

[Type:: Seedling]
