2026-03-11 22:18:38 -03:00

# WireGuard VPN + Traefik Reverse Proxy Setup
## Architecture
```
Internet → VPS → WireGuard tunnel → Home Server → Traefik → Containers
```
## Files Structure
```
wireguard/
├── vps/
│   ├── wg0.conf            # WireGuard config for VPS
│   ├── setup.sh            # Setup script for VPS
│   └── ports.sh            # Iptables update script for new ports
├── home/
│   ├── docker-compose.yml
│   ├── wireguard-config/
│   │   └── wg0.conf        # WireGuard config for home
│   └── traefik/
│       ├── traefik.yml     # Traefik static config
│       └── dynamic.yml     # Traefik dynamic config
└── README.md
```
---
## Step 1: Setup VPS (Debian)
1. Copy the `vps/` folder to your VPS
2. Run the setup script:
```bash
chmod +x setup.sh
sudo ./setup.sh
```
3. The script will output your VPS keys. Save them:
   - **VPS Private Key** → put in `vps/wg0.conf`
   - **VPS Public Key** → put in `home/wireguard-config/wg0.conf`
4. Copy the updated `wg0.conf` to `/etc/wireguard/wg0.conf`
5. Wait for Step 2 to get the home public key before starting WireGuard
---
## Step 2: Setup Home Server (Arch)
1. Copy the `home/` folder to your home server
2. Generate WireGuard keys:
```bash
wg genkey | tee privatekey | wg pubkey > publickey
cat privatekey # → put in home/wireguard-config/wg0.conf
cat publickey # → put in vps/wg0.conf on VPS
```
3. Edit `home/wireguard-config/wg0.conf`:
   - Replace `HOME_PRIVATE_KEY` with your private key
   - Replace `VPS_PUBLIC_KEY` with the VPS public key from Step 1
4. Start the containers:
```bash
docker compose up -d
```
---
## Step 3: Finish VPS Setup
1. On VPS, edit `/etc/wireguard/wg0.conf`:
   - Replace `HOME_PUBLIC_KEY` with your home server's public key
2. Start WireGuard:
```bash
sudo systemctl start wg-quick@wg0
```
3. Test the tunnel:
```bash
ping 10.0.0.2
```
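As an added example (not the repository's own files), here are the two `wg0.conf` files that Steps 1 to 3 fill in, with the VPS side carrying the iptables rules that forward ports 80 and 443 through the tunnel. It assumes the VPS uses 10.0.0.1 inside the tunnel, its public interface is `eth0`, and the placeholders are the ones the steps above name; how traffic arriving on the home server's wg0 reaches Traefik is left to `docker-compose.yml` and is not covered here.

```ini
# --- vps/wg0.conf  (installed as /etc/wireguard/wg0.conf on the VPS) ---
[Interface]
PrivateKey = VPS_PRIVATE_KEY
Address = 10.0.0.1/24            # assumed tunnel address for the VPS side
ListenPort = 51820               # must be allowed as UDP in the VPS firewall
# Forward only what Traefik needs (80/443) to the home server; everything else
# stays closed. MASQUERADE makes replies return through the tunnel, at the cost
# that Traefik sees 10.0.0.1 as the client address instead of the real one.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
PostUp   = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp   = iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.0.0.2 -m multiport --dports 80,443 -j ACCEPT
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp -d 10.0.0.2 -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
PublicKey = HOME_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32         # only the home server's tunnel address, nothing wider

# --- home/wireguard-config/wg0.conf (mounted into the wireguard container) ---
[Interface]
PrivateKey = HOME_PRIVATE_KEY
Address = 10.0.0.2/24            # the address `ping 10.0.0.2` from the VPS tests

[Peer]
PublicKey = VPS_PUBLIC_KEY
Endpoint = VPS_IP:51820
AllowedIPs = 10.0.0.1/32         # not 0.0.0.0/0: only tunnel traffic goes to the VPS, the home server keeps its own default route
PersistentKeepalive = 25         # keeps the NAT mapping open so the VPS can reach the home server
```

Running `sudo iptables -t nat -L PREROUTING -n -v` on the VPS after `wg-quick up` should show the DNAT rule with its packet counters rising as requests arrive.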
---
## Step 4: Point Your Domain to VPS
Create DNS A records pointing to your VPS IP:
```
exampledomain.com → VPS_IP
*.exampledomain.com → VPS_IP (wildcard for subdomains)
```
---
## Step 5: Configure connections to your Containers
Add your Traefik router and service definitions to `dynamic.yml`; the file ships with a simple example:
```yaml
http:
  routers:
    example-app:                # Router name
      # Rules define the domain and/or subdomain you want to use
      rule: "Host(`exampledomain.com`) || Host(`subdomain.exampledomain.com`)"
      entryPoints:
        - web                   # use HTTP
        - websecure             # use HTTPS
      service: example-app      # must match a service name defined below
  services:
    example-app:                # Service name
      loadBalancer:
        servers:
          - url: "http://example-docker:80"   # Docker container name (or IP) and port Traefik forwards to
```
See `dynamic.yml` for the complete example and use it as the starting point for your own configuration.
---
## Useful Commands
### VPS
```bash
# Check WireGuard status
sudo wg show
# View iptables rules
sudo iptables -t nat -L -n -v
# Restart WireGuard
sudo systemctl restart wg-quick@wg0
```
### Home Server
```bash
# View logs
docker compose logs -f
# Restart services
docker compose restart
# Check WireGuard status inside container
docker exec wireguard wg show
```
---
## Troubleshooting
### Tunnel not connecting
- Check both public keys are correct
- Ensure VPS firewall allows UDP 51820
- Check `PersistentKeepalive` is set (for NAT traversal)
### Traefik not getting certificates
- Ensure port 80 is forwarded through VPS
- Check DNS is pointing to VPS IP
- View Traefik logs: `docker compose logs traefik`
### Traffic not reaching home server
- Test tunnel: `ping 10.0.0.2` from VPS
- Check iptables: `sudo iptables -t nat -L PREROUTING -n -v`
- Ensure ip_forward is enabled: `cat /proc/sys/net/ipv4/ip_forward`