diff --git a/README.md b/README.md index be35cff..a9b272d 100644 --- a/README.md +++ b/README.md 
@@ -321,3 +321,190 @@ much more disk space. Also, Docker containers can be large. Consider sym-linking the Docker image directory to a larger disk. +## Secure Private Access (WireGuard Module) + +Some services in VHostLoom are **not public-facing** by design: + +* Stable Diffusion interfaces +* Llamafile demos & research endpoints +* Ollama/vLLM +* Internal dashboards +* Forgejo SSH +* Anything experimental or non-web + +To protect these services, VHostLoom supports an optional **WireGuard VPN module** that restricts private-service ports so they are reachable **only from authenticated VPN clients**, and *never* from the public Internet. + +WireGuard may be used instead of, or alongside, ZeroTier. + +--- + +### Why WireGuard? + +WireGuard is: + +* extremely fast (kernel-level cryptography) +* small and security-audited +* widely supported across platforms +* perfect for “private access only” services + +VHostLoom’s WireGuard module: + +* Exposes WireGuard only on WAN (`udp/51820`) +* Creates a private VPN subnet (`10.20.0.0/24`) +* Restricts critical ports to the WireGuard interface +* Leaves Traefik-managed public services untouched + +--- + +## Installing WireGuard + +Install on the server: + +```bash +sudo apt install wireguard wireguard-tools +``` + +Copy in the example config: + +```bash +sudo mkdir -p /etc/wireguard +sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf +sudo chmod 600 /etc/wireguard/wg0.conf +``` + +Generate server keypair: + +```bash +wg genkey | tee server.key | wg pubkey > server.pub +``` + +Add the server private key to: + +```ini +PrivateKey = +``` + +--- + +## Starting WireGuard + +```bash +sudo systemctl enable wg-quick@wg0 +sudo systemctl start wg-quick@wg0 +``` + +Verify: + +```bash +ip addr show wg0 +wg show +``` + +--- + +## Firewall Configuration + +Choose one: + +* **`firewall/nftables-wireguard.conf.example`** — basic WireGuard + Traefik + private-services setup +* **`firewall/nftables-wireguard-zt.conf.example`** — 
*combined* WireGuard + ZeroTier rules + +Install a firewall: + +```bash +sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf +sudo nft -f /etc/nftables.conf +sudo systemctl enable nftables +``` + +This: + +* Allows public web (80/443) +* Accepts WireGuard on WAN (UDP 51820) +* Allows private services (**only** via wg0) +* Default-denies everything else + +--- + +## Adding a New WireGuard Client + +Use the helper script: + +```bash +wireguard/gen-wg-peer.sh clientname +``` + +It will generate: + +* `clientname.key` +* `clientname.pub` +* `clientname.conf` (the client config) + +Add the peer entry to `/etc/wireguard/wg0.conf` **automatically**. + +Then send the generated `.conf` file to your device. + +--- + +## Client Template + +Clients use a simple config: + +```ini +[Interface] +PrivateKey = +Address = 10.20.0.X/32 +DNS = 1.1.1.1 + +[Peer] +PublicKey = +Endpoint = :51820 +AllowedIPs = 10.20.0.0/24 +PersistentKeepalive = 25 +``` + +Import into: + +* WireGuard app (iOS/Android) +* `wg-quick` +* Desktop clients + +--- + +## Coexisting with ZeroTier + +If you want both overlay networks: + +* ZeroTier mesh connections +* WireGuard direct VPN +* Shared access control for private ports + +Use: + +``` +firewall/nftables-wireguard-zt.conf.example +``` + +It grants private-port access to **either**: + +* WireGuard (`wg0`) +* ZeroTier (`zt*`) + +You can also restrict different services to different VPNs. + +--- + +## Summary + +WireGuard gives VHostLoom: + +* Strong isolation of private services +* Minimal attack surface +* Predictable firewalling +* Fast, encrypted access + +It integrates fully with the project’s model: + +* **Traefik/Authelia** for public-facing authenticated web +* **WireGuard** (and/or ZeroTier) for *non-web private services* +
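Review bot: The "Firewall Configuration" step lists what the example ruleset permits ("Allows public web (80/443)", "Accepts WireGuard on WAN (UDP 51820)", "Default-denies everything else") but never says whether administrative SSH on WAN survives, so a reader who runs `sudo nft -f /etc/nftables.conf` over SSH before `wg0` is up and verified can lock themselves out; state explicitly whether port 22 is accepted from WAN or only via `wg0`, and recommend applying the ruleset from a session that already has VPN or console access. In "Installing WireGuard", `wg genkey | tee server.key | wg pubkey > server.pub` writes the private key into the current directory with default file permissions; prepend `umask 077` and tell the reader to delete `server.key` once it has been pasted into `PrivateKey =`, and `wg show` under "Verify" needs `sudo` to read the interface state. In "Adding a New WireGuard Client", "Add the peer entry to `/etc/wireguard/wg0.conf` **automatically**." reads as an instruction to the user rather than a description of what `gen-wg-peer.sh` does; reword to "The script also appends the peer entry to `/etc/wireguard/wg0.conf`." if that is the behaviour. Heading levels are inconsistent: "### Why WireGuard?" sits under "## Secure Private Access (WireGuard Module)", but the following "## Installing WireGuard", "## Starting WireGuard", "## Firewall Configuration" and so on are H2 and therefore read as siblings of the module section rather than parts of it; use `###` throughout. Finally, this diff touches only README.md while the text relies on `wireguard/wg0.conf.example`, `wireguard/gen-wg-peer.sh` and the two `firewall/nftables-wireguard*.conf.example` files; confirm those ship in the same change.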