From 3abe20c14b3d14bc5600589cfe81fd8d219ee1eb Mon Sep 17 00:00:00 2001 From: "Wesley R. Elsberry" Date: Thu, 20 Nov 2025 08:46:15 -0500 Subject: [PATCH] Edited Wireguard README.md --- wireguard/README.md | 83 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/wireguard/README.md b/wireguard/README.md index 53f7313..225ec1f 100644 --- a/wireguard/README.md +++ b/wireguard/README.md 
@@ -21,3 +21,86 @@ securely over a VPN, without exposing them on the public Internet. sudo mkdir -p /etc/wireguard sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf sudo chmod 600 /etc/wireguard/wg0.conf + +Generate keys: + +```bash +wg genkey | tee server.key | wg pubkey > server.pub +wg genkey | tee client.key | wg pubkey > client.pub +``` + +* Put `server.key` into `PrivateKey` for `[Interface]`. +* Put `client.pub` into `PublicKey` for `[Peer]`. + +2. **Enable WireGuard** + + ```bash + sudo systemctl enable wg-quick@wg0 + sudo systemctl start wg-quick@wg0 + ``` + + You should now see the interface: + + ```bash + ip addr show wg0 + ``` + +3. **Configure firewall** + + Use `firewall/nftables-wireguard.conf.example` as a starting point: + + ```bash + sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf + sudo nft -f /etc/nftables.conf + sudo systemctl enable nftables + ``` + + Adjust: + + * `wan_if` to match your actual WAN interface (e.g., `eno1`). + * `wg_if` to `wg0` (default). + * `wg_tcp_ports` set to match your private services (SSH, Stable Diffusion, etc.). + +4. **Client configuration** + + On your client (laptop, etc.), create a WireGuard config like: + + ```ini + [Interface] + Address = 10.20.0.2/32 + PrivateKey = + DNS = 1.1.1.1 + + [Peer] + PublicKey = + Endpoint = your.domain.example:51820 + AllowedIPs = 10.20.0.0/24 + PersistentKeepalive = 25 + ``` + + Bring it up with your WireGuard client (e.g., `wg-quick up`, or a GUI). + +5. **Access private services** + + Once the tunnel is up, you should be able to reach private services on the + VHostLoom host by its VPN address: + + * `http://10.20.0.1:7860` (Stable Diffusion) + * `http://10.20.0.1:8080` (Llamafile) + * `http://10.20.0.1:11434` (Ollama) + * etc. + + Public services (e.g. `https://cloud.example.com`, `https://git.example.com`) + remain available via their normal DNS names and the Traefik reverse proxy. 
+ +## Coexistence with ZeroTier + +If you prefer ZeroTier or want both: + +* Keep the ZeroTier interface and rules. +* Treat `wg0` and `zt+` as equally trusted VPN ingress points. +* Use a shared set (e.g. `vpn_tcp_ports`) for ports allowed from either VPN + interface, and separate sets if you want to distinguish them. + +This module is intentionally minimal; adapt the address ranges, ports, and +routing rules to match your environment.
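Review bot: the new "Generate keys:" block (`wg genkey | tee server.key | wg pubkey > server.pub` and the client equivalent) creates the private-key files with the invoking user's default umask, so `server.key` and `client.key` are normally world-readable; wrap the commands in `umask 077` (e.g. `(umask 077; wg genkey | tee server.key | wg pubkey > server.pub)`) or generate them inside `/etc/wireguard`, where the `chmod 600` from the preceding step applies, and say so in the README. Three smaller points in the same hunk: that block sits unindented between step 1 and `2. **Enable WireGuard**`, which breaks the numbered list in Markdown, so indent it under step 1 like the other sub-blocks. In step 3, `sudo nft -f /etc/nftables.conf` is applied before the "Adjust:" list that tells the reader to set `wan_if`, so an admin working over SSH who follows the steps in order loads a ruleset with the wrong WAN interface and can lock themselves out; move the adjustments ahead of `nft -f`, run `sudo nft -c -f /etc/nftables.conf` as a syntax check first, and note that the `cp` overwrites any existing `/etc/nftables.conf`. In step 4 the client template leaves `PrivateKey =` and `PublicKey =` empty without stating which generated file goes where; mirror the server-side bullets ("`client.key` into `PrivateKey`, `server.pub` into `PublicKey`") and mention that the server's `[Peer]` entry must carry `AllowedIPs = 10.20.0.2/32` for this client, since without it the handshake completes but the server discards the client's traffic under cryptokey routing.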