# WireGuard Module for VHostLoom

This optional module adds a WireGuard VPN interface (`wg0`) so you can reach
private services (e.g., Stable Diffusion, Llamafile, Ollama, Forgejo SSH) over
an authenticated, encrypted tunnel instead of exposing them on the public
Internet.

## Overview

- WireGuard listens on `UDP 51820` on the WAN interface.
- Clients connect to the server and are assigned an address in a VPN subnet
  (e.g., `10.20.0.0/24`); the server itself is `10.20.0.1` in that subnet.
- nftables rules restrict "private services" so they are reachable **only** via
  the WireGuard interface (`wg0`), while public services (Traefik on 80/443)
  remain exposed on the WAN interface.

## Setup

1. **Copy and edit WireGuard config**

   ```bash
   sudo mkdir -p /etc/wireguard
   sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
   sudo chmod 600 /etc/wireguard/wg0.conf
   ```

   Generate keys. Set a restrictive `umask` first so the private keys are
   created `0600` rather than world-readable:

   ```bash
   umask 077
   wg genkey | tee server.key | wg pubkey > server.pub
   wg genkey | tee client.key | wg pubkey > client.pub
   ```

   * Put the contents of `server.key` into `PrivateKey` under `[Interface]`.
   * Put the contents of `client.pub` into `PublicKey` under `[Peer]`, with that
     peer's `AllowedIPs` set to the client's single VPN address (e.g.
     `10.20.0.2/32`). WireGuard only accepts packets authenticated with this
     key if their source address falls inside `AllowedIPs`.
   * `client.key` goes into the client config in step 4; delete it from the
     server once the client has it. The server never needs it.

2. **Enable WireGuard**

   ```bash
   sudo systemctl enable wg-quick@wg0
   sudo systemctl start wg-quick@wg0
   ```

   You should now see the interface:

   ```bash
   ip addr show wg0
   ```

   `sudo wg show wg0` lists the listening port and the configured peers; once a
   client has connected it also shows the latest handshake time.

3. **Configure firewall**

   Use `firewall/nftables-wireguard.conf.example` as a starting point. Note
   that the copy below overwrites any existing `/etc/nftables.conf`; merge by
   hand if the host already carries rules there.

   ```bash
   sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf
   sudo nft -f /etc/nftables.conf
   sudo systemctl enable nftables
   ```

   Adjust:

   * `wan_if` to match your actual WAN interface (e.g., `eno1`; `ip route get
     1.1.1.1` shows which interface carries the default route).
   * `wg_if` to `wg0` (default).
   * `wg_tcp_ports` to the ports of your private services (SSH, Stable
     Diffusion, etc.). A port missing from this set is unreachable over the
     VPN as well.

   `sudo nft -c -f /etc/nftables.conf` parses the file without loading it; run
   it after every edit. As defence in depth, bind the private services to the
   VPN address (`10.20.0.1`) rather than `0.0.0.0`, so they stay unreachable
   from the WAN even if the ruleset is ever flushed.

4. **Client configuration**

   On your client (laptop, etc.), create a WireGuard config like:

   ```ini
   [Interface]
   Address = 10.20.0.2/32
   PrivateKey = <CLIENT_PRIVATE_KEY>
   DNS = 1.1.1.1

   [Peer]
   PublicKey = <SERVER_PUBLIC_KEY>
   Endpoint = your.domain.example:51820
   AllowedIPs = 10.20.0.0/24
   PersistentKeepalive = 25
   ```

   `AllowedIPs = 10.20.0.0/24` makes this a split tunnel: only traffic for the
   VPN subnet goes through WireGuard; everything else, including queries to
   the `1.1.1.1` resolver that the `DNS` line makes wg-quick configure, uses
   the client's normal uplink. Drop the `DNS` line if you do not want the
   client's resolver changed. The file contains the client's private key, so
   transfer it over a secure channel.

   Bring it up with your WireGuard client (e.g., `wg-quick up`, or a GUI).

5. **Access private services**

   Once the tunnel is up, you should be able to reach private services on the
   VHostLoom host by its VPN address:

   * `http://10.20.0.1:7860` (Stable Diffusion)
   * `http://10.20.0.1:8080` (Llamafile)
   * `http://10.20.0.1:11434` (Ollama)
   * etc.

   Verify the other half of the policy as well: from a network outside the
   VPN, a connection to the same port on the host's public address (e.g.
   `curl -m 5 http://<public-ip>:7860`) must fail, either refused or timed
   out.

   Public services (e.g. `https://cloud.example.com`, `https://git.example.com`)
   remain available via their normal DNS names and the Traefik reverse proxy.
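The server side of steps 1 and 2 plus the client file of step 4, as one
provisioning script. This is an added example, not the module's
`wg0.conf.example` or any VHostLoom code. It assumes `wg` from wireguard-tools
is installed on the server; the subnet `10.20.0.0/24`, port `51820` and the
endpoint name `your.domain.example` are placeholders taken from the README's
examples, and the script name `wg-provision.sh` is assumed. What it shows
beyond the steps above is the asymmetry that trips people up: the server's
`[Peer]` gets the client's `/32`, the client's `[Peer]` gets the whole `/24`.

```shell
#!/bin/sh
# Added example (not part of the VHostLoom module): provisions the server
# side of the WireGuard setup and renders a matching client config.
set -eu

WG_PREFIX="10.20.0"                         # VPN subnet is ${WG_PREFIX}.0/24
WG_PORT=51820
WG_ENDPOINT="your.domain.example:$WG_PORT"  # assumed public DNS name

# Keys must never be group/world readable. The umask is set in a subshell so
# `tee` creates NAME.key as 0600 instead of relying on a later chmod.
gen_keypair() {                             # gen_keypair NAME -> NAME.key NAME.pub
  ( umask 077 && wg genkey | tee "$1.key" | wg pubkey > "$1.pub" )
}

# A WireGuard key is 32 random bytes in base64: 44 chars, 43 data + one '='.
# The last data char carries two zero padding bits (value divisible by 4), so
# a pasted file name, a truncated key or a hand-edited key is rejected here.
is_wg_key() {                               # is_wg_key KEY
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Server [Interface]: the server owns .1 of the VPN subnet and listens on WAN.
server_interface() {                        # server_interface SERVER_PRIVKEY
  printf '[Interface]\nAddress = %s.1/24\nListenPort = %s\nPrivateKey = %s\n' \
    "$WG_PREFIX" "$WG_PORT" "$1"
}

# Server [Peer]: AllowedIPs is this client's single /32. WireGuard uses it as
# the cryptokey routing table, i.e. the only source address accepted from
# packets authenticated with this key. A /24 here would let any client send
# packets as any other VPN address.
server_peer() {                             # server_peer CLIENT_PUBKEY HOST_OCTET
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' \
    "$1" "$WG_PREFIX" "$2"
}

# Client config: AllowedIPs is the whole VPN subnet, so only traffic for
# 10.20.0.0/24 enters the tunnel (split tunnel, as in the README). No DNS
# line: with this AllowedIPs a DNS setting would not use the tunnel anyway.
client_conf() {                             # client_conf CLIENT_PRIVKEY SERVER_PUBKEY HOST_OCTET
  printf '[Interface]\nAddress = %s.%s/32\nPrivateKey = %s\n\n' \
    "$WG_PREFIX" "$3" "$1"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s.0/24\nPersistentKeepalive = 25\n' \
    "$2" "$WG_ENDPOINT" "$WG_PREFIX"
}

# Full run on the server:  ./wg-provision.sh --provision laptop 2
# Writes ./wg0.conf (move it to /etc/wireguard/) and ./laptop.conf (hand it to
# the client over a secure channel: it contains the client's private key).
provision() {                               # provision CLIENT_NAME HOST_OCTET
  umask 077
  gen_keypair server
  gen_keypair "$1"
  is_wg_key "$(cat server.pub)"             # set -e aborts if a key looks wrong
  is_wg_key "$(cat "$1.pub")"
  { server_interface "$(cat server.key)"; server_peer "$(cat "$1.pub")" "$2"; } > wg0.conf
  client_conf "$(cat "$1.key")" "$(cat server.pub)" "$2" > "$1.conf"
  rm -f "$1.key"                            # the server never needs the client's private key
}

case "${1:-}" in
  --provision) provision "$2" "$3" ;;
esac
```

To add a second client later, run `gen_keypair` for it, append another
`server_peer` stanza with an unused host octet to `wg0.conf`, and reload with
`sudo systemctl restart wg-quick@wg0`; each client must have its own key pair
and its own `/32`, never a shared config.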

## Coexistence with ZeroTier

If you prefer ZeroTier or want both:

* Keep the ZeroTier interface and rules.
* Treat `wg0` and the ZeroTier interfaces (`zt*` in nftables syntax; `zt+` is
  the iptables spelling) as equally trusted VPN ingress points.
* Use a shared set (e.g. `vpn_tcp_ports`) for ports allowed from either VPN
  interface, and separate sets if you want to distinguish them.
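A ruleset implementing the policy from step 3 together with the shared set
described above. This is an added example, not the module's
`nftables-wireguard.conf.example`; the interface names, the port numbers in
the set and the log prefix are assumptions, and the page's `wg_tcp_ports`
variable is replaced by the named set `vpn_tcp_ports` so that both VPN
interfaces can share it.

```nft
#!/usr/sbin/nft -f
# Added example, not the module's own ruleset. Policy: WireGuard and Traefik
# on the WAN, private TCP ports only from VPN interfaces, everything else dropped.
flush ruleset

define wan_if = "eno1"     # adjust to your WAN interface
define wg_if  = "wg0"
define zt_if  = "zt*"      # ZeroTier; nftables wildcard is '*', iptables used '+'

table inet filter {
    # Ports reachable from either VPN interface. Add at runtime with
    #   nft add element inet filter vpn_tcp_ports { 2222 }
    set vpn_tcp_ports {
        type inet_service
        elements = { 22, 7860, 8080, 11434 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # keep ICMP working (PMTU discovery, IPv6 neighbour discovery)
        meta l4proto { icmp, ipv6-icmp } accept

        # WireGuard itself has to be reachable from the Internet
        iifname $wan_if udp dport 51820 accept

        # public services: Traefik only
        iifname $wan_if tcp dport { 80, 443 } accept

        # private services: only if the packet arrived over a VPN interface
        iifname $wg_if tcp dport @vpn_tcp_ports accept
        iifname $zt_if tcp dport @vpn_tcp_ports accept

        # everything else falls through to the drop policy; sample the drops
        limit rate 5/minute counter log prefix "nft-drop: "
    }

    chain forward {
        # The host does not route for VPN clients; matches the split-tunnel
        # client config (AllowedIPs = 10.20.0.0/24).
        type filter hook forward priority 0; policy drop;
    }
}
```

Two caveats when dropping this onto a real host. `flush ruleset` removes every
table, including ones installed by other tools (iptables-nft, Docker, fail2ban),
so check `nft list ruleset` first and merge if needed. And if a private service
runs in a container with a published port, its traffic is DNATed and traverses
the `forward` hook, not `input`, so the `input` rules above do not protect it;
publish such ports on `10.20.0.1` only, or filter them in `forward`.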

This module is intentionally minimal; adapt the address ranges, ports, and
routing rules to match your environment.