VHostLoom/wireguard
Wesley R. Elsberry c609104708 Added more files/scripts for Wireguard usage, modified others. 2025-11-20 09:01:42 -05:00
README.md Edited Wireguard README.md 2025-11-20 08:46:15 -05:00
gen-wg-peer.sh Added more files/scripts for Wireguard usage, modified others. 2025-11-20 09:01:42 -05:00
wg0-client.conf.template Added more files/scripts for Wireguard usage, modified others. 2025-11-20 09:01:42 -05:00
wg0.conf.example Added Wireguard option for VPN 2025-11-20 08:40:23 -05:00

README.md

WireGuard Module for VHostLoom

This optional module adds a WireGuard VPN interface (wg0) so you can access private services (e.g., Stable Diffusion, Llamafile, Ollama, Forgejo SSH, etc.) securely over a VPN, without exposing them on the public Internet.

Overview

  • WireGuard listens on UDP 51820 on the WAN interface.
  • Clients connect to the server and receive an address in a VPN subnet (e.g., 10.20.0.0/24).
  • nftables rules restrict "private services" to be reachable only via the WireGuard interface (wg0), while public services (Traefik on 80/443) remain exposed on the WAN interface.

Setup

  1. Copy and edit WireGuard config

    sudo mkdir -p /etc/wireguard
    sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
    sudo chmod 600 /etc/wireguard/wg0.conf

    Generate keys:

    wg genkey | tee server.key | wg pubkey > server.pub
    wg genkey | tee client.key | wg pubkey > client.pub

    • Put the contents of server.key into PrivateKey under [Interface] in /etc/wireguard/wg0.conf.
    • Put the contents of client.pub into PublicKey under [Peer].

  2. Enable WireGuard

    sudo systemctl enable wg-quick@wg0
    sudo systemctl start wg-quick@wg0

    You should now see the interface:

    ip addr show wg0
    
  3. Configure firewall

    Use firewall/nftables-wireguard.conf.example as a starting point:

    sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf
    sudo nft -f /etc/nftables.conf
    sudo systemctl enable nftables
    

    Adjust:

    • wan_if to match your actual WAN interface (e.g., eno1).
    • wg_if to wg0 (default).
    • wg_tcp_ports set to match your private services (SSH, Stable Diffusion, etc.).
  4. Client configuration

    On your client (laptop, etc.), create a WireGuard config like:

    [Interface]
    Address    = 10.20.0.2/32
    PrivateKey = <CLIENT_PRIVATE_KEY>
    DNS        = 1.1.1.1
    
    [Peer]
    PublicKey  = <SERVER_PUBLIC_KEY>
    Endpoint   = your.domain.example:51820
    AllowedIPs = 10.20.0.0/24
    PersistentKeepalive = 25
    

    Bring it up with your WireGuard client (e.g., wg-quick up, or a GUI).

  5. Access private services

    Once the tunnel is up, you should be able to reach private services on the VHostLoom host by its VPN address:

    • http://10.20.0.1:7860 (Stable Diffusion)
    • http://10.20.0.1:8080 (Llamafile)
    • http://10.20.0.1:11434 (Ollama)
    • etc.

    Public services (e.g. https://cloud.example.com, https://git.example.com) remain available via their normal DNS names and the Traefik reverse proxy.
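The point of the firewall step above is that the private-service ports are accepted only when a packet arrives over wg0. As an added example (not the repository's firewall/nftables-wireguard.conf.example, whose contents are not shown here), the following shell function emits an nftables ruleset built around the three knobs the README names (wan_if, wg_if and the wg_tcp_ports set). The table name vhostloom, the "table ... / flush table ..." replace idiom and the decision to touch only the input hook (so any container forwarding rules managed elsewhere are left alone) are assumptions of this example, not of the project.

```shell
#!/usr/bin/env bash
# Added example: render an nftables ruleset in which private TCP ports are
# reachable only via the WireGuard interface, while Traefik (80/443) and the
# WireGuard port itself stay reachable on the WAN interface.
set -euo pipefail

# Arguments: WAN interface name, WireGuard interface name, comma-separated
# list of private TCP ports (e.g. "22, 7860, 8080, 11434").
render_ruleset() {
    local wan_if="$1" wg_if="$2" wg_tcp_ports="$3"
    cat <<EOF
#!/usr/sbin/nft -f

define wan_if = "${wan_if}"
define wg_if  = "${wg_if}"

# Declare, then flush, then redefine: re-running the file replaces the
# table atomically instead of appending duplicate rules.
table inet vhostloom
flush table inet vhostloom

table inet vhostloom {
    # Private services (SSH, Stable Diffusion, Llamafile, Ollama, ...)
    set wg_tcp_ports {
        type inet_service
        elements = { ${wg_tcp_ports} }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # The WireGuard handshake must be reachable from the Internet.
        iifname \$wan_if udp dport 51820 accept

        # Public services via Traefik.
        iifname \$wan_if tcp dport { 80, 443 } accept

        # Private services: only when the packet arrived over the tunnel.
        # The weak form "tcp dport @wg_tcp_ports accept" (no iifname match)
        # would expose these ports on the WAN interface as well.
        iifname \$wg_if tcp dport @wg_tcp_ports accept
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it. Requires nft(8);
# some nft versions need CAP_NET_ADMIN even for --check.
check_ruleset() {
    command -v nft >/dev/null || { echo "nft not installed; skipping check" >&2; return 0; }
    render_ruleset "$@" | nft -c -f -
}

# Example usage (values are illustrative):
#   render_ruleset eno1 wg0 '22, 7860, 8080, 11434' | sudo tee /etc/nftables.conf
#   check_ruleset  eno1 wg0 '22, 7860, 8080, 11434'
```

After writing the file, `sudo nft -f /etc/nftables.conf` and `sudo systemctl enable nftables` apply it as in step 3; confirm from the WAN side that a private port such as 7860 is closed while 443 still answers, and from a connected VPN client that 10.20.0.1:7860 answers.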
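Steps 1 and 4 above generate a client keypair and hand-write the client config, and step 1 mentions only the PublicKey half of the server-side [Peer] entry. As an added example (not the repository's gen-wg-peer.sh or wg0-client.conf.template, whose contents are not shown here), the script below produces both files for one named peer: the client's wg0.conf with the values from the README's template, and the matching [Peer] block to append to the server's /etc/wireguard/wg0.conf, where AllowedIPs must be the peer's single /32 so the server routes only that address to it. The subnet 10.20.0.0/24, the server address 10.20.0.1 and UDP 51820 come from the README; the output file names and the argument order are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: render a WireGuard client config and the matching
# server-side [Peer] block for one new peer. Assumed: VPN subnet
# 10.20.0.0/24, server at 10.20.0.1, WireGuard on UDP 51820.
set -euo pipefail

# Client-side wg0.conf. Arguments: client private key, server public key,
# client VPN address (e.g. 10.20.0.2), server endpoint host name.
render_client_conf() {
    local client_priv="$1" server_pub="$2" client_addr="$3" endpoint="$4"
    cat <<EOF
[Interface]
Address    = ${client_addr}/32
PrivateKey = ${client_priv}
DNS        = 1.1.1.1

[Peer]
PublicKey  = ${server_pub}
Endpoint   = ${endpoint}:51820
AllowedIPs = 10.20.0.0/24
PersistentKeepalive = 25
EOF
}

# Server-side [Peer] block to append to /etc/wireguard/wg0.conf. AllowedIPs
# is the peer's single /32: the server accepts and routes only that source
# address for this key.
render_server_peer() {
    local name="$1" client_pub="$2" client_addr="$3"
    cat <<EOF

# ${name}
[Peer]
PublicKey  = ${client_pub}
AllowedIPs = ${client_addr}/32
EOF
}

# Accept only host addresses inside 10.20.0.0/24, excluding the server's .1.
valid_client_addr() {
    case "$1" in
        10.20.0.1) return 1 ;;
        10.20.0.[2-9]|10.20.0.[1-9][0-9]|10.20.0.1[0-9][0-9]|10.20.0.2[0-4][0-9]|10.20.0.25[0-4]) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate the keypair and write both files. Needs wg(8).
# Usage: gen_peer <name> <client_addr> <endpoint_host> <server_pub_file> <out_dir>
gen_peer() {
    local name="$1" client_addr="$2" endpoint="$3" server_pub_file="$4" out_dir="$5"
    valid_client_addr "$client_addr" || { echo "bad client address: $client_addr" >&2; return 1; }
    command -v wg >/dev/null || { echo "wg(8) not installed" >&2; return 1; }
    # The client config embeds a private key: create it group/world-unreadable.
    umask 077
    mkdir -p "$out_dir"
    local client_priv client_pub
    client_priv="$(wg genkey)"
    client_pub="$(printf '%s' "$client_priv" | wg pubkey)"
    render_client_conf "$client_priv" "$(cat "$server_pub_file")" "$client_addr" "$endpoint" \
        > "${out_dir}/${name}.conf"
    render_server_peer "$name" "$client_pub" "$client_addr" \
        > "${out_dir}/${name}.server-peer.conf"
    echo "wrote ${out_dir}/${name}.conf and ${out_dir}/${name}.server-peer.conf"
}

# Runs only when called with all five arguments, e.g.:
#   ./gen-peer.sh laptop 10.20.0.2 your.domain.example /etc/wireguard/server.pub ./peers
if [ "$#" -ge 5 ]; then
    gen_peer "$@"
fi
```

Append the generated server-peer file to /etc/wireguard/wg0.conf and reload with `sudo systemctl restart wg-quick@wg0`; then bring up the client config as in step 4 and check `sudo wg show wg0` on the server for a recent handshake from the new peer.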

Coexistence with ZeroTier

If you prefer ZeroTier or want both:

  • Keep the ZeroTier interface and rules.
  • Treat wg0 and zt+ as equally trusted VPN ingress points.
  • Use a shared set (e.g. vpn_tcp_ports) for ports allowed from either VPN interface, and separate sets if you want to distinguish them.

This module is intentionally minimal; adapt the address ranges, ports, and routing rules to match your environment.