WireGuard server for YunoHost
Read the whole thread carefully; some limitations are present.
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
- WireGuard’s Linux package with its standard features
- WireGuard UI, an unofficial management web app used to configure the server and create client credentials.
This WireGuard package can be installed through:
Required parameters are:
- path: leave it to / (for the time being, the web UI can only be installed at the root of the domain)
- admin: one of YunoHost’s users
After installation, open your browser to WireGuard’s page. You can configure the server, and manage clients whose credentials can be downloaded or read as a QR code.
During the installation, WireGuard installs its own kernel module. A manual reboot of the server may be needed.
Client software can be found on the installation page of WireGuard’s website. Mobile clients are available on the Play Store, F-Droid, and the App Store.
WireGuard can be configured via the non-official web UI. Avoid editing the configuration files from the command line, though.
If you are behind a modem or an ISP box, open WireGuard’s port in its firewall. The port number can be found in the Listen Port field, under the WireGuard Server menu. Do not alter it; it has been assigned by your YunoHost server.
If you want to allow Internet connections through the server (the usual use case for a VPN), follow the routing instructions below:
Routing instructions for server
Enable IP forwarding for IPv4 and IPv6:
```
sudo nano /etc/sysctl.conf
# Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Save and quit (CTRL+O, CTRL+X), then reload the settings
sudo sysctl -p
```
Copy the following commands into the WireGuard Server menu, and replace eth0 with the interface connected to the Internet. If you do not know it, check the command
Save and apply the configuration to restart the server after setting up the commands.
Post Up Script
```
iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Post Down Script
```
iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```
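As an added example (not code from the wireguard_ynh package or from wireguard-ui), the shell functions below build the Post Up script above for a chosen WAN interface, derive the matching Post Down script from it, and check that the pair is symmetric before it is pasted into the WireGuard Server menu; the interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of wireguard_ynh or wireguard-ui: generate the
# Post Up script for a given WAN interface and derive the Post Down script
# from it, so every rule appended on "up" is deleted on "down". Interface
# names ("eth0") are assumptions; "%i" stays literal because wg-quick
# substitutes the tunnel interface name at run time.

# Print the Post Up script for the WAN interface given as $1.
wg_post_up() {
    wan="$1"
    for fw in iptables ip6tables; do
        printf '%s -A FORWARD -i %%i -j ACCEPT; ' "$fw"
        printf '%s -A FORWARD -o %%i -j ACCEPT; ' "$fw"
        printf '%s -t nat -A POSTROUTING -o %s -j MASQUERADE; ' "$fw" "$wan"
    done | sed 's/; $//'
}

# Derive the Post Down script: identical rules with -A (append) replaced by
# -D (delete), so the firewall returns to its pre-tunnel state. Hand-edited
# pairs that drift apart leave FORWARD/MASQUERADE rules behind after the
# tunnel stops.
wg_post_down() {
    wg_post_up "$1" | sed 's/ -A / -D /g'
}

# Succeed only if every rule in the up script ($1) has a matching delete in
# the down script ($2), ignoring order. Run this before pasting the scripts
# into the WireGuard Server menu.
wg_scripts_symmetric() {
    up=$(printf '%s' "$1" | tr ';' '\n' | sed 's/^ *//; s/ -A / -X /' | sort)
    down=$(printf '%s' "$2" | tr ';' '\n' | sed 's/^ *//; s/ -D / -X /' | sort)
    [ -n "$up" ] && [ "$up" = "$down" ]
}

# True when the kernel forwards packets for both address families, i.e. the
# sysctl step above took effect (reads /proc, so it only works on the host).
wg_forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] &&
    [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding 2>/dev/null)" = 1 ]
}
```

Running `wg_scripts_symmetric "$(wg_post_up eth0)" "<your Post Down script>"` on the host flags a down script that no longer mirrors the up script, which is the usual cause of forwarding rules surviving a tunnel restart.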
- Official documentation: Quick Start - WireGuard
YunoHost specific features
- Are LDAP and HTTP auth supported? No, use YunoHost permissions panel to allow users to access the web UI.
- Can the app be used by multiple users? Yes, any user allowed to access the web UI will be able to alter the VPN settings and access the clients’ credentials.
The web UI can only be installed at the root of a domain.
- I have opened an issue in the upstream app about it.
Only one network interface, wg0, can be created with this app.
- I will investigate the possibility to have the app installed multiple times, one instance per interface. Or maybe the web UI could handle multiple interfaces.
- Report a bug: Issues · YunoHost-Apps/wireguard_ynh · GitHub
- App website: https://www.wireguard.com
- Upstream app repository: https://www.wireguard.com/repositories
- Upstream web UI repository: GitHub - ngoduykhanh/wireguard-ui: Wireguard web interface
- YunoHost website: https://yunohost.org/
Feel free to post about it in this thread or on GitHub (preferred). Remember to add your logs and error messages to help me help you help us all.