Helps to setup multi-way site-to-site and manage client configs. Works well for single site too.
-
check for ip conflicts, right now clients start getting assigned with a x.x.x.1 address which is the same as for the site server
-
ipv6 subnets
- each site has to have unique private address space ideally from 192.168.0.0/16 range
- VPN uses 172.16.0.0/16 network
- each site gets a /24 segment assigned, from 172.16.0.0/16 range
- clients get an address at each site, and couple of useful predefined configs:
- local only
- local only, pihole dns
- redirect-all, vpn dns
- redirect-all, pihole dns
Setup has 2 main steps:
- deploy and configure wireguard-manager on local server using docker compose
- configure routing (enable packet forwarding, adjust firewall, add static routes on router)
- (optional) Configure remote sites (create user, setup sshd, configure routing, deploy config)
version: '3'
services:
wireguard:
image: lukasz-karolewski/wireguard-manager
volumes:
- /etc/wireguard:/config
ports:
- "80:80"
- "443:443"
# pihole:
You can configure Ubuntu to reload the WireGuard service whenever the wg0.conf configuration file gets updated by creating a systemd service that monitors the file for changes.
Here are the steps to create the systemd service:
-
Create a new file named /etc/systemd/system/wireguard-reload.service with the following contents:
[Unit] Description=Reload WireGuard when wg0.conf changes [Service] Type=oneshot ExecStart=/bin/systemctl reload wg-quick@wg0.service [Install] WantedBy=multi-user.targetThis service will reload the wg-quick@wg0.service service whenever the wg0.conf file changes.
-
Create a new file named /etc/systemd/system/wireguard-reload.path with the following contents:
[Unit] Description=Watch /etc/wireguard/wg0.conf for changes [Path] PathModified=/etc/wireguard/wg0.conf [Install] WantedBy=multi-user.targetThis file defines a path unit that monitors the wg0.conf file for changes.
-
Reload the systemd daemon to pick up the new service and path units:
sudo systemctl daemon-reload -
Start the path unit to begin monitoring the wg0.conf file:
sudo systemctl start wireguard-reload.pathThis will start the path unit and begin monitoring the wg0.conf file for changes.
-
Enable the path unit to start automatically at boot:
sudo systemctl enable wireguard-reload.path
This will enable the path unit to start automatically at boot time.
That's it! Now whenever the wg0.conf file changes, the WireGuard service will be reloaded automatically.
This is done by creating dedicated user, ssh keys to remote sites and allowing that user to scp new wg config
- Create a new user account:
sudo adduser <username>
- Switch to the new user account:
su - <username>
- Generate an SSH key pair:
ssh-keygen -t rsa
- Copy the public key to the server:
ssh-copy-id <username>@<server>
- Test the SSH connection:
ssh <username>@<server>
- Edit the
/etc/ssh/sshd_configfile:
sudo nano /etc/ssh/sshd_config
- Add the following lines to the end of the file:
Match User <username>
ForceCommand scp /etc/wireguard/wg0.conf
-
Save and close the file.
-
Restart the SSH service:
sudo systemctl restart sshd
Now the user can SSH into the server without a password and can only use SCP to overwrite /etc/wireguard/wg0.conf.
lukasz-karolewski: update all scripts to use username wgmanager
GitHub Copilot: To update all scripts to use the username wgmanager, you can use the following command in the terminal:
find /path/to/scripts -type f -exec sed -i 's/<old_username>/wgmanager/g' {} +
Replace /path/to/scripts with the path to the directory containing your scripts, and <old_username> with the current username that you want to replace.
This command will find all files in the specified directory and its subdirectories, and replace all occurrences of <old_username> with wgmanager. The changes will be made in-place, so make sure to back up your files before running this command.
sql lite db is stored in prod.db file
https://github.com/vx3r/wg-gen-web https://github.com/jamescun/wg-api