mash-playbook/docs/services/wg-easy.md

3.9 KiB

WireGuard Easy

WireGuard Easy is the easiest way to run WireGuard VPN + Web-based Admin UI.

Another more powerful alternative for a self-hosted WireGuard VPN server is Firezone. WireGuard Easy is easier, lighter and more compatible with various ARM devices.

Dependencies

This service requires the following other services:

  • a Traefik reverse-proxy server
  • a modern Linux kernel which supports WireGuard

Configuration

To enable this service, add the following configuration to your vars.yml file and re-run the installation process:

########################################################################
#                                                                      #
# wg-easy                                                              #
#                                                                      #
########################################################################

wg_easy_enabled: true

wg_easy_hostname: mash.example.com

wg_easy_path_prefix: /wg-easy

wg_easy_environment_variables_additional_variable_wg_host: mash.example.com

# Put a strong password below, generated with `pwgen -s 64 1` or in another way
wg_easy_environment_variables_additional_variable_password: ''

# The default WireGuard port is 51820.
# Uncomment and change the lines below to use another one.
#
# The port that wg-easy advertises for WireGuard connectivity in profile files.
# wg_easy_environment_variables_additional_variable_wg_port: 51820
#
# The port that is actually published from the container.
# wg_easy_container_wireguard_bind_port: 51820

# The default DNS is 1.1.1.1.
# Uncomment and change the line below to use another one.
# wg_easy_environment_variables_additional_variable_wg_default_dns: 1.1.1.1

########################################################################
#                                                                      #
# /wg-easy                                                             #
#                                                                      #
########################################################################

URL

In the example configuration above, we configure the service to be hosted at https://mash.example.com/wg-easy.

You can remove the wg_easy_path_prefix variable definition, to make it default to /, so that the service is served at https://mash.example.com/.

Networking

In addition to ports 80 and 443 exposed by the Traefik reverse-proxy, the following ports will be exposed by the WireGuard containers on all network interfaces:

  • 51820 over UDP, controlled by wg_easy_environment_variables_additional_variable_wg_port and wg_easy_container_wireguard_bind_port - used for Wireguard connections

Docker automatically opens these ports in the server's firewall, so you likely don't need to do anything. If you use another firewall in front of the server, you may need to adjust it.

Additional configuration

For additional configuration options, see the upstream documentation's Options section.

You can inject additional environment variables with this additional configuration:

wg_easy_environment_variables_additional_variables: |
  WG_DEFAULT_ADDRESS: 10.6.0.x
  WG_MTU: 1420  

Usage

After installation, you can go to the WireGuard Easy URL, as defined in wg_easy_hostname and wg_easy_path_prefix.

You can authenticate with the password set in wg_easy_environment_variables_additional_variable_password.

You can then create various Clients and import the configuration for them onto your devices - either by downloading a file or by scanning a QR code.

  • AdGuard Home - A network-wide DNS software for blocking ads & tracking