Edited Wireguard README.md
This commit is contained in:
parent
a4e7d10389
commit
3abe20c14b
|
|
@ -21,3 +21,86 @@ securely over a VPN, without exposing them on the public Internet.
|
||||||
sudo mkdir -p /etc/wireguard
|
sudo mkdir -p /etc/wireguard
|
||||||
sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
|
sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
|
||||||
sudo chmod 600 /etc/wireguard/wg0.conf
|
sudo chmod 600 /etc/wireguard/wg0.conf
|
||||||
|
|
||||||
|
Generate keys:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
wg genkey | tee server.key | wg pubkey > server.pub
|
||||||
|
wg genkey | tee client.key | wg pubkey > client.pub
|
||||||
|
```
|
||||||
|
|
||||||
|
* Put `server.key` into `PrivateKey` for `[Interface]`.
|
||||||
|
* Put `client.pub` into `PublicKey` for `[Peer]`.
|
||||||
|
|
||||||
|
2. **Enable WireGuard**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo systemctl enable wg-quick@wg0
|
||||||
|
sudo systemctl start wg-quick@wg0
|
||||||
|
```
|
||||||
|
|
||||||
|
You should now see the interface:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ip addr show wg0
|
||||||
|
```
|
||||||
|
|
||||||
|
3. **Configure firewall**
|
||||||
|
|
||||||
|
Use `firewall/nftables-wireguard.conf.example` as a starting point:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf
|
||||||
|
sudo nft -f /etc/nftables.conf
|
||||||
|
sudo systemctl enable nftables
|
||||||
|
```
|
||||||
|
|
||||||
|
Adjust:
|
||||||
|
|
||||||
|
* `wan_if` to match your actual WAN interface (e.g., `eno1`).
|
||||||
|
* `wg_if` to `wg0` (default).
|
||||||
|
* `wg_tcp_ports` set to match your private services (SSH, Stable Diffusion, etc.).
|
||||||
|
|
||||||
|
4. **Client configuration**
|
||||||
|
|
||||||
|
On your client (laptop, etc.), create a WireGuard config like:
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[Interface]
|
||||||
|
Address = 10.20.0.2/32
|
||||||
|
PrivateKey = <CLIENT_PRIVATE_KEY>
|
||||||
|
DNS = 1.1.1.1
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = <SERVER_PUBLIC_KEY>
|
||||||
|
Endpoint = your.domain.example:51820
|
||||||
|
AllowedIPs = 10.20.0.0/24
|
||||||
|
PersistentKeepalive = 25
|
||||||
|
```
|
||||||
|
|
||||||
|
Bring it up with your WireGuard client (e.g., `wg-quick up`, or a GUI).
|
||||||
|
|
||||||
|
5. **Access private services**
|
||||||
|
|
||||||
|
Once the tunnel is up, you should be able to reach private services on the
|
||||||
|
VHostLoom host by its VPN address:
|
||||||
|
|
||||||
|
* `http://10.20.0.1:7860` (Stable Diffusion)
|
||||||
|
* `http://10.20.0.1:8080` (Llamafile)
|
||||||
|
* `http://10.20.0.1:11434` (Ollama)
|
||||||
|
* etc.
|
||||||
|
|
||||||
|
Public services (e.g. `https://cloud.example.com`, `https://git.example.com`)
|
||||||
|
remain available via their normal DNS names and the Traefik reverse proxy.
|
||||||
|
|
||||||
|
## Coexistence with ZeroTier
|
||||||
|
|
||||||
|
If you prefer ZeroTier or want both:
|
||||||
|
|
||||||
|
* Keep the ZeroTier interface and rules.
|
||||||
|
* Treat `wg0` and `zt+` as equally trusted VPN ingress points.
|
||||||
|
* Use a shared set (e.g. `vpn_tcp_ports`) for ports allowed from either VPN
|
||||||
|
interface, and separate sets if you want to distinguish them.
|
||||||
|
|
||||||
|
This module is intentionally minimal; adapt the address ranges, ports, and
|
||||||
|
routing rules to match your environment.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue