In ../systemd/user/wg-easy-app.service the line --env-file=%S/state/environment adds the environment file variables; they should be persistent AFAIK.
WEBUI_HOST defines the web UI binding; it didn’t work using localhost, so I’d keep the default. Wrong URLs are filtered by traefik anyway. PASSWORD and WG_HOST are already implemented in the web UI.
As regards WG_DEVICE, I don’t think we need to change the network device in the container…
The WG_PORT and WG_DEFAULT_ADDRESS variables could also be interesting to have more instances on one node but I’d put it to advanced settings in the UI. Same for WG_DEFAULT_DNS. WG_ALLOWED_IP seems really important as it sets the VPN client routes.
A language selector would be nice…
The UI_TRAFFIC_STATS are already implemented and set to true. This way the traffic transferred in total is shown.
Thanks for the work!!
I installed Wg-Easy from your repo.
Unfortunately it is not starting.
Error log below:
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] Started Podman wg-easy-app.service.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.594Z Server Listening on http://0.0.0.0:51821
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.596Z WireGuard Loading configuration...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.603Z WireGuard Configuration loaded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.604Z WireGuard Config saving...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.605Z WireGuard Config saved.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick down wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Error: Command failed: wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link add wg0 type wireguard
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] wg setconf wg0 /dev/fd/63
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip -4 address add 10.8.0.1/24 dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link set mtu 1420 up dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Perhaps iptables or your kernel needs to be upgraded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link delete dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at ChildProcess.exithandler (node:child_process:422:12)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at ChildProcess.emit (node:events:517:28)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at maybeClose (node:internal/child_process:1098:16)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] at ChildProcess._handle.onexit (node:internal/child_process:303:5) {
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] code: 3,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] killed: false,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] signal: null,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] cmd: 'wg-quick up wg0'
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] }
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Main process exited, code=exited, status=1/FAILURE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy2] 16052c52ee8aa8431de654c0933be1f9d70f9904235e28f43e614599e407ea17
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Failed with result 'exit-code'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Scheduled restart job, restart counter is at 15.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopping Podman wg-easy.service...
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Removed slice cgroup user-libpod_pod_ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67.slice.
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Start request repeated too quickly.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Failed with result 'start-limit-hit'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Failed to start Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Dependency failed for Podman wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Job wg-easy-app.service/start failed with result 'dependency'.
The errors above disappeared by running at the command line:
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
I’m not sure if all 3 commands are needed. I will check this and let you know.
After the installation I was not able to open the WG-Easy Web UI.
The Firewall setting at the cluster shows 51821 UDP.
I guess for the WG-Easy Web UI it should be TCP.
IIRC I didn’t need them during testing… which distro are you using for NS8?
I need to recheck…
Thanks in advance!
It should be reachable under the hostname/FQDN you set in the app settings like https://wg-easy.domain.tld
The WireGuard VPN uses port 51820 UDP so the firewall should open that port.
The wg-easy container publishes port 51821 TCP for the web UI.
If you need to use another WireGuard VPN port than the default 51820/udp, you can define something like WG_PORT=23232, but you’d need to open the right firewall port manually.
I’m going to add the port to the UI so it’s changeable if already in use.
What if I want to close off ALL services to be accessed from the outside world, and ONLY provide availability to users that are connected through the VPN? This goes for all modules/apps.
In future I’m going to provide updated releases in Software Center.
Thanks guys. As regards RH-based distros, they don’t autoload iptable_nat anymore as for example Debian still does. So the solution for now is manually adding it as explained by @LayLow to make it persistent.
The iptables command runs in the provided container where nft is not available. I think I need to change/extend the container and add nft as proposed here. I’ll give it a try…
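As an added example (not code from the wg-easy module, NS8, or anyone in this thread), the following POSIX shell script does the fix discussed above in a checkable way: it reads `lsmod`, decides which of the modules behind the container's legacy `iptables -t nat ... -j MASQUERADE` call are missing, loads them, writes a /etc/modules-load.d drop-in so they are back after a reboot, and then verifies that the nat table can actually be opened. The drop-in file name wg-easy-iptables.conf is my choice, and the `lsmod` excerpt at the bottom is constructed, not captured from a real host; run it with --apply as root on the NS8 node to make the change.

```shell
#!/bin/sh
# Added example: make the netfilter modules needed by wg-easy's iptables call
# present now and after reboot. Not part of the wg-easy module or NS8.
set -eu

# Modules behind `iptables -t nat -A POSTROUTING ... -j MASQUERADE` with the
# legacy iptables backend. iptable_nat pulls ip_tables in as a dependency;
# listing all three matches the modprobe commands from the thread.
REQUIRED_MODULES="ip_tables iptable_filter iptable_nat"

# missing_modules LSMOD_OUTPUT: print the required modules absent from the listing.
missing_modules() {
    lsmod_out="$1"
    missing=""
    for mod in $REQUIRED_MODULES; do
        # lsmod lines start with the module name followed by whitespace
        if ! printf '%s\n' "$lsmod_out" | grep -Eq "^${mod}[[:space:]]"; then
            missing="${missing:+$missing }$mod"
        fi
    done
    printf '%s' "$missing"
}

# modules_load_conf MODULE...: render the modules-load.d drop-in, one module per line.
modules_load_conf() {
    printf '# Loaded at boot for the wg-easy container (legacy iptables nat table)\n'
    printf '%s\n' "$@"
}

# ensure_nat_table: the real run on a host (needs root). Loads whatever is
# missing, persists the full list, and fails loudly if the nat table still
# cannot be opened, i.e. the exact error wg-quick hit in the journal above.
ensure_nat_table() {
    missing="$(missing_modules "$(lsmod)")"
    if [ -n "$missing" ]; then
        # word splitting on $missing is intended: one modprobe call, several modules
        modprobe $missing
        modules_load_conf $REQUIRED_MODULES > /etc/modules-load.d/wg-easy-iptables.conf
    fi
    iptables -t nat -L -n > /dev/null
}

# Constructed lsmod excerpt: filter table modules present, nat module missing.
SAMPLE_LSMOD='Module                  Size  Used by
iptable_filter         16384  1
ip_tables              28672  1 iptable_filter
wireguard             102400  0'

if [ "${1:-}" = "--apply" ]; then
    ensure_nat_table
else
    echo "Missing in sample lsmod: $(missing_modules "$SAMPLE_LSMOD")"
fi
```

Without --apply the script only evaluates the constructed sample and prints `iptable_nat`, which is the module the thread identified; on a Debian host where the module autoloads, missing_modules returns nothing and the drop-in is never written. The alternative the maintainer mentions, shipping nft inside the container, removes the dependency on these legacy modules altogether.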
add iptable_nat to /etc/modules-load.d/iptable_nat.conf
modprobe iptable_nat
lsmod | grep iptable_nat
install wg-easy module via software center
add ‘MTU = 1420’ to /etc/wireguard/wg0.conf (default of wireguard)
→ testing commands:
ip a show wg0 to show values of the wg0 adapter
ip link set dev wg0 mtu 1500 to set the various MTU values to test
ip -4 route show table all to look at all the routes (IPv4)
----> speedtest
With this I tried setting various MTU values with ip link set and the wg0 config file. Using Mac, Android WG clients and this device with built-in WG client.
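Added example for the MTU experiments above (not from the thread, the wg-easy project or NS8): instead of trying values by hand, derive the tunnel MTU the way wg-quick does (MTU of the uplink minus 80 bytes of encapsulation overhead, which is where the 1420 default comes from), compute the matching don't-fragment ping size, and read a device's current MTU out of `ip link show` text. The `ip link show` excerpt is constructed, eth0 is an assumed uplink name, and probe_mtu needs a live host with a reachable peer address inside the tunnel.

```shell
#!/bin/sh
# Added example: derive and probe the WireGuard tunnel MTU. Not part of the
# wg-easy module; values are computed from constructed sample input.
set -eu

# wg-quick sets the tunnel MTU to the MTU of the route towards the peer minus
# 80 bytes (worst-case overhead: IPv6 header 40 + UDP 8 + WireGuard 32).
# A 1500-byte Ethernet uplink therefore gives the 1420 seen in the thread.
WG_OVERHEAD=80

# wg_mtu UPLINK_MTU: tunnel MTU to put into `MTU = ...` in wg0.conf.
wg_mtu() {
    echo $(( $1 - WG_OVERHEAD ))
}

# ping_payload_for_mtu MTU: largest ICMP payload that fits an IPv4 packet of
# that size without fragmentation (20 bytes IPv4 header + 8 bytes ICMP header).
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# link_mtu "IP LINK OUTPUT" DEV: extract the mtu field of DEV from `ip link show` text.
link_mtu() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $2 == dev { for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# probe_mtu DEV PEER_IP MTU: live check on a host. Sends one don't-fragment
# ping sized for MTU through DEV; exit status 0 means the size fits the path,
# "message too long" / no reply means the tunnel MTU is still too high.
probe_mtu() {
    ping -c 1 -W 2 -M do -I "$1" -s "$(ping_payload_for_mtu "$3")" "$2" > /dev/null 2>&1
}

# Constructed `ip link show` excerpt (not captured from a real host).
SAMPLE_IP_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none'

uplink="$(link_mtu "$SAMPLE_IP_LINK" eth0)"
tunnel="$(wg_mtu "$uplink")"
echo "uplink MTU $uplink -> tunnel MTU $tunnel -> test with: ping -M do -s $(ping_payload_for_mtu "$tunnel") -I wg0 <peer>"
```

On a host, replace the sample with `link_mtu "$(ip link show)" eth0`; a PPPoE uplink of 1492 yields a tunnel MTU of 1412, so 1420 in wg0.conf would be too large there. Walk probe_mtu downwards (1420, 1412, 1400, ...) against a client's tunnel address until it succeeds, then put that value into the `MTU = ...` line, and remember that `ip link set dev wg0 mtu` alone is lost the next time the interface is brought up.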
Isn’t wg0 the wireguard device from Nethserver default installation ?
If I do wg show the output is:
interface: wg0
public key: xyz
private key: (hidden)
listening port: 55820
My downloaded config from wg-easy shows a peer port of 51820.
I thought the wg-easy “module” is somewhat of a container (even if it’s not shown with podman ps -a)?
If so, changing the MTU in /etc/wireguard/wg0.conf would do nothing, because this is not the interface for wg-easy connections.
My guess, changing the MTU for wg-easy has something to do with: