I just used the variables to make it workable. All traffic is routed to the server, you need to add WG_ALLOWED_IPS to only route specific networks to the VPN and to browse the web locally.
Please tell me which variables are important to add to the server manager UI.
In ../systemd/user/wg-easy-app.service the line --env-file=%S/state/environment adds the environment file variables, they should be persistent AFAIK.
WEBUI_HOST defines the web UI binding, it didn’t work using localhost so I’d keep the default. Wrong URLs are filtered by traefik anyway. PASSWORD and WG_HOST are already implemented in the web UI.
As regards WG_DEVICE, I don’t think we need to change the network device in the container…
The WG_PORT and WG_DEFAULT_ADDRESS variables could also be interesting to have more instances on one node but I’d put it to advanced settings in the UI. Same for WG_DEFAULT_DNS. WG_ALLOWED_IPS seems really important as it sets the VPN client routes.
A language selector would be nice…
The UI_TRAFFIC_STATS are already implemented and set to true. This way the traffic transferred in total is shown.
Thanks for the work!!
I installed Wg-Easy from your repo.
Unfortunately it is not starting.
Error log below:
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] Started Podman wg-easy-app.service.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.594Z Server Listening on http://0.0.0.0:51821
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.596Z WireGuard Loading configuration...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.603Z WireGuard Configuration loaded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.604Z WireGuard Config saving...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.605Z WireGuard Config saved.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick down wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Error: Command failed: wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link add wg0 type wireguard
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] wg setconf wg0 /dev/fd/63
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip -4 address add 10.8.0.1/24 dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link set mtu 1420 up dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Perhaps iptables or your kernel needs to be upgraded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link delete dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at ChildProcess.exithandler (node:child_process:422:12)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at ChildProcess.emit (node:events:517:28)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at maybeClose (node:internal/child_process:1098:16)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at ChildProcess._handle.onexit (node:internal/child_process:303:5) {
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] code: 3,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] killed: false,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] signal: null,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] cmd: 'wg-quick up wg0'
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] }
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Main process exited, code=exited, status=1/FAILURE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy2] 16052c52ee8aa8431de654c0933be1f9d70f9904235e28f43e614599e407ea17
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Failed with result 'exit-code'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Scheduled restart job, restart counter is at 15.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopping Podman wg-easy.service...
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Removed slice cgroup user-libpod_pod_ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67.slice.
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Start request repeated too quickly.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Failed with result 'start-limit-hit'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Failed to start Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Dependency failed for Podman wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Job wg-easy-app.service/start failed with result 'dependency'.
The errors above disappeared by running at the command line:
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
I’m not sure if all 3 commands are needed. I will check this and let you know.
After the installation I was not able to open the WG-Easy Web UI.
The Firewall setting at the cluster shows 51821 UDP.
I guess for the WG-Easy Web UI it should be TCP.
IIRC I didn’t need them during testing… Which distro are you using for NS8?
I need to recheck…
Thanks in advance!
It should be reachable under the hostname/FQDN you set in the app settings like https://wg-easy.domain.tld
The WireGuard VPN uses port 51820 UDP so the firewall should open that port.
The wg-easy container publishes port 51821 TCP for the web UI.
If you need to use another WireGuard VPN port than the default 51820/udp you can define something like WG_PORT=23232 but you’d need to open the right firewall port manually.
I’m going to add the port to the UI so it’s changeable if already in use.
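As an added example (not code from the thread or from the wg-easy project), the script below ties together the two points discussed above: the environment file in the KEY=VALUE form that `--env-file` reads (WG_ALLOWED_IPS for split tunnelling, a non-default WG_PORT), and the ports that file implies, namely WG_PORT/udp at the firewall for the tunnel and 51821/tcp as published by the container for the web UI. The hostname, subnets and file path are constructed placeholders; the functions take the file path as an argument so they can be tried against a scratch file.

```shell
#!/bin/sh
# Added example, not part of the thread or the wg-easy project.
# Values such as vpn.example.com and the subnets are constructed.

# Write an environment file in the KEY=VALUE form that
# `podman run --env-file` reads.
write_wg_env() {
    envfile="$1"
    cat > "$envfile" <<'EOF'
# Public endpoint the clients connect to (constructed placeholder)
WG_HOST=vpn.example.com
# Non-default listening port: this one must be opened at the firewall by hand
WG_PORT=23232
# Split tunnel: only the VPN subnet and one LAN subnet go through the VPN,
# everything else (web browsing) stays on the client's local uplink
WG_ALLOWED_IPS=10.8.0.0/24,192.168.1.0/24
WG_DEFAULT_DNS=192.168.1.1
UI_TRAFFIC_STATS=true
EOF
}

# Print the UDP port WireGuard listens on; wg-easy uses 51820 when
# WG_PORT is not set.
wg_listen_port() {
    port=$(sed -n 's/^WG_PORT=//p' "$1")
    echo "${port:-51820}"
}

# Check that every entry of WG_ALLOWED_IPS is a dotted quad with a prefix
# length, so a typo is caught before the container is restarted.
allowed_ips_ok() {
    list=$(sed -n 's/^WG_ALLOWED_IPS=//p' "$1")
    [ -n "$list" ] || return 1
    old_ifs=$IFS; IFS=','
    for cidr in $list; do
        case "$cidr" in
            *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Print the ports the env file implies: the tunnel port (open it at the
# firewall, UDP) and the web UI port the container publishes (TCP).
required_ports() {
    echo "$(wg_listen_port "$1")/udp"
    echo "51821/tcp"
}
```

Running `write_wg_env /tmp/wg.env && required_ports /tmp/wg.env` prints `23232/udp` and `51821/tcp`; dropping the WG_PORT line makes the first entry fall back to `51820/udp`.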
What if I want to close off ALL services to be accessed from the outside world, and ONLY provide availability to users that are connected through the VPN? This goes for all modules/apps.
In future I’m going to provide updated releases in Software Center.
Thanks guys. As regards RH-based distros, they don’t autoload iptable_nat anymore as for example Debian still does. So the solution for now is manually adding it as explained by @LayLow to make it persistent.
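The three modprobe commands posted earlier only last until the next reboot; the usual way to make them persistent on a systemd host is a file under /etc/modules-load.d. The script below is an added example (not from the thread or the wg-easy project) that writes that file and then reports, against a /proc/modules-style listing, which of the three modules are still missing. The directory and the module listing are passed as arguments, so the check can be exercised against a constructed listing instead of the live system; the wrapper at the end shows the live-host call.

```shell
#!/bin/sh
# Added example, not part of the thread or the wg-easy project.

WG_EASY_MODULES="ip_tables iptable_filter iptable_nat"

# Write one module name per line, the format systemd-modules-load reads
# from /etc/modules-load.d/*.conf. The destination directory is an
# argument; on a real host it would be /etc/modules-load.d.
write_modules_conf() {
    dir="$1"
    mkdir -p "$dir"
    {
        echo "# iptables modules wg-easy needs for its MASQUERADE rule"
        for m in $WG_EASY_MODULES; do echo "$m"; done
    } > "$dir/wg-easy.conf"
}

# Print the modules listed in a modules-load.d file that do not appear in
# the given /proc/modules-style listing (first column is the module name).
missing_modules() {
    conf="$1"; proc_modules="$2"
    grep -v '^#' "$conf" | while read -r m; do
        [ -n "$m" ] || continue
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$proc_modules" \
            || echo "$m"
    done
}

# Convenience wrapper for the live host: prints nothing when all three
# modules are loaded.
check_live_host() {
    missing_modules /etc/modules-load.d/wg-easy.conf /proc/modules
}
```

After `write_modules_conf /etc/modules-load.d` (as root) and a reboot, `check_live_host` should print nothing; if it prints `iptable_nat`, the `can't initialize iptables table 'nat'` error from the log above is what the container will hit next.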
The iptables command runs in the provided container where nft is not available. I think I need to change/extend the container and add nft as proposed here. I’ll give it a try…