# WireGuard VPN + Traefik Reverse Proxy Setup

## Architecture

```
Internet → VPS → WireGuard tunnel → Home Server → Traefik → Containers
```

## Files Structure

```
wireguard/
├── vps/
│   ├── wg0.conf             # WireGuard config for VPS
│   ├── setup.sh             # Setup script for VPS
│   └── ports.sh             # Iptables update script for new ports
├── home/
│   ├── docker-compose.yml
│   ├── wireguard-config/
│   │   └── wg0.conf         # WireGuard config for home
│   ├── traefik/
│   │   ├── traefik.yml      # Traefik static config
│   │   └── dynamic.yml      # Traefik dynamic config
└── README.md
```

---

## Step 1: Setup VPS (Debian)

1. Copy the `vps/` folder to your VPS
2. Run the setup script:
   ```bash
   chmod +x setup.sh
   sudo ./setup.sh
   ```
3. The script will output your VPS keys. Save them:
   - **VPS Private Key** → put in `vps/wg0.conf`
   - **VPS Public Key** → put in `home/wireguard-config/wg0.conf`
4. Copy the updated `wg0.conf` to `/etc/wireguard/wg0.conf`
5. Wait for Step 2 to get the home public key before starting WireGuard

---

## Step 2: Setup Home Server (Arch)

1. Copy the `home/` folder to your home server
2. Generate WireGuard keys:
   ```bash
   wg genkey | tee privatekey | wg pubkey > publickey
   cat privatekey   # → put in home/wireguard-config/wg0.conf
   cat publickey    # → put in vps/wg0.conf on VPS
   ```
3. Edit `home/wireguard-config/wg0.conf`:
   - Replace `HOME_PRIVATE_KEY` with your private key
   - Replace `VPS_PUBLIC_KEY` with the VPS public key from Step 1
4. Start the containers:
   ```bash
   docker compose up -d
   ```

---

## Step 3: Finish VPS Setup

1. On VPS, edit `/etc/wireguard/wg0.conf`:
   - Replace `HOME_PUBLIC_KEY` with your home server's public key
2. Start WireGuard:
   ```bash
   sudo systemctl start wg-quick@wg0
   ```
3. Test the tunnel:
   ```bash
   ping 10.0.0.2
   ```

---

## Step 4: Point Your Domain to VPS

Create DNS A records pointing to your VPS IP:

```
exampledomain.com    → VPS_IP
*.exampledomain.com  → VPS_IP   (wildcard for subdomains)
```

---

## Step 5: Configure connections to your Containers

Add Traefik configurations to `dynamic.yml`. The file comes with a simple example:

```yaml
http:
  routers:
    example-app:  # Router name
      # Rules define the domain and/or subdomain you want to use
      rule: "Host(`exampledomain.com`) || Host(`subdomain.exampledomain.com`)"
      entryPoints:
        - web        # use HTTP
        - websecure  # use HTTPS
      service: example-app  # Must match a service name defined below
  services:
    example-app:  # Service name
      loadBalancer:
        servers:
          - url: "http://example-docker:80"  # Container name (Docker DNS) or IP, plus port, that Traefik forwards to
```

See `dynamic.yml` for a complete example and use it for configuration.

---

## Useful Commands

### VPS

```bash
# Check WireGuard status
sudo wg show

# View iptables rules
sudo iptables -t nat -L -n -v

# Restart WireGuard
sudo systemctl restart wg-quick@wg0
```

### Home Server

```bash
# View logs
docker compose logs -f

# Restart services
docker compose restart

# Check WireGuard status inside container
docker exec wireguard wg show
```

---

## Troubleshooting

### Tunnel not connecting

- Check both public keys are correct
- Ensure VPS firewall allows UDP 51820
- Check `PersistentKeepalive` is set (for NAT traversal)

### Traefik not getting certificates

- Ensure port 80 is forwarded through VPS
- Check DNS is pointing to VPS IP
- View Traefik logs: `docker compose logs traefik`

### Traffic not reaching home server

- Test tunnel: `ping 10.0.0.2` from VPS
- Check iptables: `sudo iptables -t nat -L PREROUTING -n -v`
- Ensure ip_forward is enabled: `cat /proc/sys/net/ipv4/ip_forward`
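---

### Added example: checking a rendered `wg0.conf` before starting the tunnel

Steps 1 to 3 swap three placeholders (`HOME_PRIVATE_KEY`, `VPS_PUBLIC_KEY`, `HOME_PUBLIC_KEY`) into two config files by hand, and a forgotten placeholder or a key pasted with a missing character is the most common reason "Tunnel not connecting" shows up later. The script below is an added example, not part of this repository: it checks a config for leftover placeholders, verifies that every `PrivateKey`/`PublicKey` value has the shape of a WireGuard key (32 bytes base64-encoded: 43 characters plus one `=`), and confirms `PersistentKeepalive` is set. The sample configs it writes are constructed for the demonstration; the key values are format-valid filler, and `10.0.0.1` as the VPS tunnel address is an assumption (the README only names `10.0.0.2` for the home side).

```shell
#!/bin/sh
# Added example, not part of the repository: sanity-check a rendered wg0.conf
# before `wg-quick up`. It verifies that the README placeholders were replaced,
# that every PrivateKey/PublicKey looks like a WireGuard key (43 base64 chars
# plus '='), and that PersistentKeepalive is set so a home server behind NAT
# keeps its mapping open.

WG_KEY_RE='^[A-Za-z0-9+/]{43}=$'

# check_wg_conf FILE: print each problem found; return 0 only if there are none
check_wg_conf() {
    file=$1
    rc=0
    if grep -Eq 'HOME_PRIVATE_KEY|VPS_PUBLIC_KEY|HOME_PUBLIC_KEY' "$file"; then
        echo "unreplaced key placeholder in $file"
        rc=1
    fi
    # Extract the value of every PrivateKey/PublicKey line, dropping trailing comments
    for key in $(sed -nE '/^[[:space:]]*(PrivateKey|PublicKey)[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*(#.*)?$//;p;}' "$file"); do
        if ! printf '%s\n' "$key" | grep -Eq "$WG_KEY_RE"; then
            echo "malformed key value: $key"
            rc=1
        fi
    done
    if ! grep -Eq '^[[:space:]]*PersistentKeepalive[[:space:]]*=[[:space:]]*[1-9][0-9]*' "$file"; then
        echo "PersistentKeepalive is not set"
        rc=1
    fi
    return $rc
}

# make_sample_confs: write a constructed good and bad config, print their directory.
# The keys are format-valid filler, not real keys; 10.0.0.1 for the VPS side is
# an assumption (the README only names 10.0.0.2 for the home side).
make_sample_confs() {
    dir=$(mktemp -d)
    key_a='0123456789abcdefghijklmnopqrstuvwxyzABCDEFG='
    key_b='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg='
    cat > "$dir/good.conf" <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $key_a

[Peer]
PublicKey = $key_b
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
EOF
    # Bad: placeholder never replaced, public key truncated, no keepalive
    cat > "$dir/bad.conf" <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = HOME_PRIVATE_KEY

[Peer]
PublicKey = ${key_b%???}
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.1/32
EOF
    echo "$dir"
}

# Usage on a real file:
#   check_wg_conf /etc/wireguard/wg0.conf && sudo systemctl start wg-quick@wg0
```

The shape check only catches paste errors; a key that is well-formed but belongs to the wrong side still fails the handshake, so if the script passes and the tunnel still does not come up, compare `wg show` on both ends to confirm each side lists the other's public key.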
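---

### Added example: detecting a stale tunnel from `wg show` output

The "Tunnel not connecting" checks above and `sudo wg show` under Useful Commands are manual; `wg show wg0 dump` gives the same data in a tab-separated, script-friendly form (one interface line, then one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as Unix seconds with 0 meaning never, rx bytes, tx bytes, keepalive). The function below is an added example, not part of this repository: it flags peers whose last handshake is older than a threshold, which is the symptom of a dead peer, a changed endpoint or a keepalive that is not doing its job. The dump text it runs on is constructed; the peer key strings are placeholder tokens, not real keys.

```shell
#!/bin/sh
# Added example, not part of the repository: report peers whose latest handshake
# is older than MAX_AGE seconds, from the output of `wg show wg0 dump`.

# stale_peers DUMP_TEXT NOW MAX_AGE
#   prints "<pubkey> <age-in-seconds|never>" for every stale peer;
#   returns 0 if all peers are fresh, 1 otherwise
stale_peers() {
    dump=$1; now=$2; max_age=$3
    printf '%s\n' "$dump" | awk -v now="$now" -v max="$max_age" -F'\t' '
        NR == 1 { next }                      # first line describes the interface itself
        NF < 8  { next }                      # anything else is not a peer line
        {
            hs = $5 + 0                       # latest-handshake, epoch seconds, 0 = never
            if (hs == 0)             { print $1, "never";   bad++ }
            else if (now - hs > max) { print $1, now - hs;  bad++ }
        }
        END { exit (bad > 0) ? 1 : 0 }'
}

# sample_dump: constructed `wg show wg0 dump` output with one healthy peer and
# one that has never completed a handshake (keys are placeholder tokens)
sample_dump() {
    printf 'VPS_PRIVATE_KEY\tVPS_PUBLIC_KEY\t51820\toff\n'
    printf 'PEER1_PUBKEY\t(none)\t198.51.100.7:41234\t10.0.0.2/32\t1699999950\t4096\t8192\t25\n'
    printf 'PEER2_PUBKEY\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n'
}

# Usage on the VPS (180 s is a generous bound when PersistentKeepalive = 25):
#   stale_peers "$(sudo wg show wg0 dump)" "$(date +%s)" 180 || echo "tunnel degraded"
```

Run it from cron or a monitoring agent on the VPS and alert on a non-zero exit; a handshake older than a few minutes while the home server is up almost always means UDP 51820 is blocked or the home side's `Endpoint`/keepalive changed.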
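---

### Added example: generating the VPS port-forwarding rules

`ports.sh` is described above as the iptables update script for new ports, and "Traffic not reaching home server" has you inspect the `PREROUTING` chain and `ip_forward`, but the README never shows what those rules look like. The script below is an added example, not the repository's `ports.sh`: it validates the requested ports and prints the rule set that hands only those TCP ports to the home server over the tunnel, leaving every other port closed on the VPS. It prints rather than applies the commands so you can review them first. Assumed names: public interface `eth0`, tunnel interface `wg0`, home peer `10.0.0.2` (the address the README pings); override them via environment variables.

```shell
#!/bin/sh
# Added example, not the repository's ports.sh: emit the iptables commands that
# DNAT selected TCP ports on the VPS to the home server across wg0. The
# interface names and the home address are assumptions, overridable by env.

PUB_IF=${PUB_IF:-eth0}
WG_IF=${WG_IF:-wg0}
HOME_ADDR=${HOME_ADDR:-10.0.0.2}

# is_port N: return 0 if N is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules PORT...: print the commands; print nothing and return 1 if any
# port is invalid, so a typo cannot open a wrong port
forward_rules() {
    for p in "$@"; do
        is_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
    for p in "$@"; do
        # Rewrite the destination of inbound connections to the home peer
        echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $p -j DNAT --to-destination $HOME_ADDR:$p"
        # Allow only that port to cross from the public interface into the tunnel
        echo "iptables -A FORWARD -i $PUB_IF -o $WG_IF -p tcp --dport $p -d $HOME_ADDR -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # Return traffic for established flows, and source NAT so replies come back via the VPS
    echo "iptables -A FORWARD -i $WG_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $HOME_ADDR -j MASQUERADE"
}

# Usage: review, then apply
#   forward_rules 80 443
#   forward_rules 80 443 | sudo sh
```

Two caveats when applying this for real: `-A` appends, so running it twice duplicates rules (flush the chains or test with `iptables -C` first), and the `MASQUERADE` rule means Traefik sees the VPS tunnel address rather than the real client IP in its access logs; keeping the client address requires routing the home server's default route back through the tunnel instead, which this example does not do.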