NS8-wg-easy App (WireGuard VPN)

Hello,

please test wg-easy for NS8:

EDIT:

Usable environment variables: GitHub - wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI.

For now you can manage them in the environment file by running

runagent -m wg-easy1 nano environment

and restarting the service:

runagent -m wg-easy1 systemctl --user restart wg-easy

I just used the variables to make it workable. All traffic is routed to the server, you need to add WG_ALLOWED_IPS to only route specific networks to the VPN and to browse the web locally.
Please tell me which variables are important to add to the server manager UI.

Please also check the license (non-commercial) that unfortunately I noticed too late.

Wow Markuz, thank you for this…

I noticed that the Env variables you mentioned have not been defined in your module.

from my understanding ths far, these migh tnot be persistent, you might need to actually define them in the module itself…

you can just take the most important ones and pre-define those, the rest could be added with subsequent updates, if members reuire them.

image760×346 17.6 KB

image747×172 6.87 KB

image772×147 4.72 KB

i think these are the most important ones.

the rest maybe very secondary.

in these above, there are those you can have pr-defined with defaults.

Thanks for your feedback.

In ../systemd/user/wg-easy-app.service the line --env-file=%S/state/environment adds the environment file variables, they should be persistent AFAIK.

WEBUI_HOST defines the web UI binding, it didn’t work using localhost so I’d keep the default. Wrong URLs are filtered by traefik anyway.
PASSWORD and WG_HOST are already implemented in the web UI.
As regards WG_DEVICE, I don’t think we need to change the network device in the container…
The WG_PORT and WG_DEFAULT_ADDRESS variables could also be interesting to have more instances on one node but I’d put it to advanced settings in the UI. Same for WG_DEFAULT_DNS.
WG_ALLOWED_IP seems really important as it sets the VPN client routes.
A language selector would be nice…
The UI_TRAFFIC_STATS are already implemented and set to true. This way the traffic transferred in total is shown.

Thanks for the work !!
I installed Wg-Easy from you repo.
Unfortunately it is not starting.
Error log below:

2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] Started Podman  wg-easy-app.service.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.594Z Server Listening on http://0.0.0.0:51821
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.596Z WireGuard Loading configuration...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.603Z WireGuard Configuration loaded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.604Z WireGuard Config saving...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.605Z WireGuard Config saved.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick down wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Error: Command failed: wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link add wg0 type wireguard
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] wg setconf wg0 /dev/fd/63
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip -4 address add 10.8.0.1/24 dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link set mtu 1420 up dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Perhaps iptables or your kernel needs to be upgraded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link delete dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at ChildProcess.exithandler (node:child_process:422:12)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at ChildProcess.emit (node:events:517:28)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at maybeClose (node:internal/child_process:1098:16)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at ChildProcess._handle.onexit (node:internal/child_process:303:5) {
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   code: 3,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   killed: false,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   signal: null,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   cmd: 'wg-quick up wg0'
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] }
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Main process exited, code=exited, status=1/FAILURE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy2] 16052c52ee8aa8431de654c0933be1f9d70f9904235e28f43e614599e407ea17
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Failed with result 'exit-code'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Scheduled restart job, restart counter is at 15.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman  wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopping Podman wg-easy.service...
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Removed slice cgroup user-libpod_pod_ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67.slice.
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Start request repeated too quickly.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Failed with result 'start-limit-hit'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Failed to start Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Dependency failed for Podman  wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Job wg-easy-app.service/start failed with result 'dependency'.

The errors above disappeared by running at the command line:

1. modprobe ip_tables
2. modprobe iptable_filter
3. modprobe iptable_nat

I’m not sure if all 3 commands are needed. I will check this and let you know.

After the installation i was not able to open the WG-Easy Web UI.
The Firewall setting at the cluster shows 51821 UDP.
I guess for the WG-Easy Web UI it should be TCP.

Again Thanks for your work.

Thanks for testing!

IIRC I didn’t need them during testing…which distro are you using for NS8?
I need to recheck…

Thanks in advance!

It should be reachable under the hostname/FQDN you set in the app settings like https://wg-easy.domain.tld

The WireGuard VPN uses port 51820 UDP so the firewall should open that port.
The wg-easy container publishes port 51821 TCP for the web UI.

If you need to use another wireguard vpn port than the default 51820/udp you can define something like WG_PORT=23232 but you’d need to open the right firewall port manually.
I’m going to add the port to the UI so it’s changeable if already in use.

Same here.

This is the only command I used that got the issues resolved. Using Rocky 9.4

HTH

I did a fresh install of nethserver 8 on Rocky 9.4.
Added your repo and installed WG-Easy.

Configured
settings.wg-easy_fqdn,
settings.wghost,
settings.password.

Left settings.lets_encrypt disabled, settings.http_to_https disabled.

After Saving, cluster UI shows wg-easy-app inactive, disabled and wg-easy failed, inactive, disabled.

Then on command line modprobe iptable_nat (thanks LayLow)

Saving settings in wg-easy → settings again.
The UI shows:
wg-easy-app active, disabled
wg-easy active, enabled

The wg-easy UI is accessible !

Hope that helps.

A word of caution, the kernel module (iptable_nat) is not loaded permanently. After a reboot, it must be loaded manually again. (cc @mrmarkuz )

What would be the best/most efficient way to load the module at boot time using /etc/modules.d or /etc/modules or /etc/modules.conf etc.

using rc.local is not my desired route for I consider that as a last resort when all other methods fail.

edit:

For now I simply created /etc/modules-load.d/iptable_nat.conf with 1 line only

iptable_nat

Now the module loads automatically at boot time. However, I d agree with @davidep on:

It would be nice without those modules. Wireguard is already installed by NS8, and iptables could be replaced by nft with equivalent commands.

as a reference

@mrmarkuz , what to do best pls?

image1642×378 31.8 KB

ps. The update button leads to:

Hi all,

What if I want to close off ALL services to be accessed from the outside world, and ONLY provide availability to users that are connected through the VPN? This goes for all modules/apps.

TIA

For now you can do the following to get the new image:

runagent -m wg-easy1 bash -c "systemctl --user stop wg-easy && podman rmi wg-easy && systemctl --user start wg-easy"

In future I’m going to provide updated releases in Software Center.

Thanks guys. As regards RH-based distros, they don’t autoload iptable_nat anymore as for example Debian still does. So the solution for now is manually adding it as explained by @LayLow to make it persistent.

The iptables command runs in the provided container where nft is not available. I think I need to change/extend the container and add nft as proposed here. I’ll give it a try…

I must say, the VPN simply works. Tried Android, MAC, Windows, Google Chromecast, Firestick

@mrmarkuz could it be there needs additional performance finetuning to be done?

Without wg-easy vpn active I have a throughput of 300/300Mbps, and with wg-easy vpn active I only get around 20/20Mpbs performance, a HUGE difference.

I can confirm about 20/20Mbps over Wireguard VPN using different devices.

Currently wireguard is configured to send all traffic to the vpn, this can be changed by the WG_ALLOWED_IPS env variable.
It seems changing the MTU can increase performance a lot, see also https://www.reddit.com/r/WireGuard/comments/153jgzw/wireguard_slows_1gbps_internet_down_to_30mbps/

Here are some perfomance tuning hints, we need to test them:

A little bit off topic, but see here: How do I prevent the administration page from being accessible from the Internet?

I guess you have to add the Wireguard network to the relevant files.

Thanks, I tried that already, ranging from 1300 up to 1500 in small steps. If at all a change, it is for the worst.

The difference with normal non VPN performance is so huge, it must be something obvious. Unfortunately I’n not a VPN/WG expert