I've been using this for some time now and it is very solid. I set mine up to point the clients to my own self-hosted DNS and it works wonderfully when connecting from places like airports or hotels; the tunnel is secured and private and I have the added bonus of blocking all the ad-ware nonsense while connected abroad. Thanks for the easy to follow video!
Nice video, I like this application as a way of securely connecting to my homelab. Just an extra tip to anyone thinking of doing this: I would recommend not having the Web UI publicly accessible, because if that gets compromised then your whole network is compromised. I would place much greater trust in the security of the VPN than the Web UI. It would probably be better to connect to the interface via the VPN connection (of course this then requires being connected to the VPN before you can add additional clients). If you are doing this on a VPS rather than your local network, I guess you could remove external access to the Web UI after you have your first client set up.
First off, BRILLIANT!!! I can't say enough how much I appreciate you talking through some of the commands, while I "understand" most of this stuff, I still get lost on commands most days. Second, I would really like to see you explain using the VPS as a way to access some self hosted things. I've been trying to set up a minecraft server for my daughter and her cousins/friends, but I get hung up on what to do with the IPtables in my VPS and after that how to set it up on my server side. Or even if you know of some walk through that could help me set it up.
@AwesomeOpenSource I would very much appreciate it. I'm stuck behind CGNAT and really the only easy way to punch through that is a VPN. Every rabbit hole I've gone down seems to come up empty. Your video was the closest I had come across so far. I'm not looking to do port forwarding in my router; I have a dedicated little computer that's running my Minecraft server.
Hi Brian, thanks for the video, it's very simple to understand. I got everything installed, but I don't have any traffic going through the VPN server. What can I do about it?
I must be missing something here, but I used Tailscale to connect 3 NASes and 3 Windows computers with nowhere near the complexity of this. It may be that I'm not using all of the features. I just need the various NASes and PCs to share files and to access them from anywhere. Tailscale just works and is set up in minutes. Thanks for the video though; it's always nice to see what our options are. Really well explained.
1. Some people get nervous about letting another company have that level of access to their internal network. Much of this channel is about how to self-host and not rely on someone else. 2. Tailscale requires you to use a third-party SSO. That's a single point of failure that could make someone want to self-host instead.
100% what @unselfless said. It's about running your own server. Tailscale kind of owns all the setup. I'm 1 step down with a VPS. You could even go all the way self hosted like I do with Headscale and host it at home.
Hi. Thanks again for the great tutorial. About the UDP port... I can't get nginx listening on the UDP port and I have to port forward UDP 51820 to the IP where the server is installed. The nginx stream entry also did not let the UDP port in. How did you solve that? Do we have to open that port on the router? (Using OpenWrt.) Thanks for the suggestion.
If you're using NGinX Proxy Manager, it won't do UDP. For UDP you need to use a different proxy, or forward ports. In my case I set up the server on a Digital Ocean droplet, so no need for forwarding ports.
A great share, thanks. The thing I love the most in comparison with OpenVPN CE is the UI, even though, unlike Access Server, clients cannot connect and download profiles by themselves. I just followed the tutorial carefully and unfortunately my droplets became unreachable, whether over SSH or via any domain record pointing at them. Any help? Now walking through the hell of many forums (Stack Overflow, Reddit and so on) but still cannot find the right solution.
Wireguard can be a bit tricky. If you enable the connection, it will connect you directly to other peers, but it will limit you to those "AllowedIPs" addresses. So you can open that up in the client config by making the allowed IPs something like 0.0.0.0/0, which is all addresses. Additionally, you may need to add a line for DNS and then add a DNS provider IP address like 1.1.1.1 or 8.8.8.8, etc., so that websites will resolve properly.
Hi, thanks for the video. I've set up WireGuard on my VPS. I have ping between all my laptops, but the outgoing IP is that of my router. I'd like the outgoing IP to be that of my VPS. How can I do it?
I am running into an issue with this install. When I go to the domain I specified in the compose file I get a message saying "Congratulations! You've successfully started the Nginx Proxy Manager. If you're seeing this site then you're trying to access a host that isn't set up yet. Log in to the Admin panel to get started." How do I access this control panel? I am trying to run this on Ubuntu 24.04 on a GCP VPS.
Did you setup a reverse proxy for the domain, or an A Record to point the domain to the public IP of your host machine? It sounds like you're using NGinX Proxy Manager, but it doesn't find a matching domain setup to proxy it through.
Are there two separate voices in the narration, or was that some TV/media playing in the background? At around 07:00 it was more clear to understand: someone on a second track is saying "setup", and similarly before that with some other words.
Instead of using a Digital Ocean server, how could it be configured on a home server to VPN into a home network? Do you have a past video on your Docker script install? I'd like to learn about the other services installed, like the proxy. Also, could you explain what app to use to update a domain name when the home IP address changes? The video has some great insights. Thank you.
From what I understand the point of this video is to show how to create a VPN tunnel from outside your home network to inside your home network without port forwarding. If your wireguard server is inside your network you would need to port forward your home router to the wireguard server on your network. This would negate any advantages of using wireguard in the first place.
@anagnale000 said it correctly. The idea behind using something like this is 1. a VPN between your devices, but also to allow you to get back to the devices / services on your home network without having to open any ports on your home network. If you setup this part inside your network at home, you have to open ports for the traffic to get to the server, and now you're not really gaining much from that setup. If, however, you want to do it, you'll have to port forward ports 51820 and 51821 on your router to your server host running the WG-Easy docker setup.
In that case it would be cheaper to use a VPN provider like NordVPN or ExpressVPN. Digital Ocean can get very expensive. Your response seems biased, as if Digital Ocean is your sponsor.
Hmm, this is really very(!) simple, but I totally miss setup for the overall network, as well as setting up, which networks should be routed. Does it by default only route 0.0.0.0/0? And what about IPv6? Which DNS is used here? So, I see this working pretty easy, but I also have quite some open questions. Would have been nice, if you could have shown the contents of the downloaded conf file to get an impression, what happened behind the scenes in there. Anyhow it is a nice video to start wg with, I really like your slow detailed videos, they are usually pretty good to reproduce :-).
You can set 0.0.0.0/0 if you want to, but you can also just set the WG network. It's kind of up to you. You have to edit the configs manually for a lot of the more advanced stuff you might want, though.
Thanks for the video. Unfortunately, I cannot change the port numbers. The listened port 51821 is hardcoded in the wg.conf file. I did a rebuild, but it didn't work. I have played with docker before. It's always a pain.
In this section of the docker-compose.yml file:
ports:
  - 51820:51820/udp
  - 51821:51821/tcp
change the left side port number to any open port on your host machine. Leave the right side as 51821 though. Then do docker-compose up -d again, and try the new port. This is the port for the web UI, but it should work.
@AwesomeOpenSource Thanks for your reply. I did all that stuff. The problem is that the wg0.conf file overwrites it. That file cannot be edited. This line is the problem: ListenPort = 51820.
I don't know who maintains it. The github page is active though. You can post a question to their discussion page on Github github.com/wg-easy/wg-easy/discussions
You would need to port forward through your router if you run the server inside your home network. Ports 51820 and 51821 have to be forwarded to your host machine inside your network.
I followed along and everything seems to be working as it should; my endpoints and phones are connecting OK. However, there are no traffic stats and I cannot access anything. Is there anything I'm missing?
My wg-easy tunnels fail to work after being disconnected for some time. When that happens, I have to toggle the peer off and on (in the wg-easy web GUI) and the tunnel comes back up immediately. Has anyone figured out why this happens or if there's a way to periodically restart the peers automatically?
In the config on the client, make sure there is a line about "persistent-keep-alive". Something like that. If not, just google it, and you'll see what to add, but that may help.
Once they are installed, they'll each be running on certain ports. You can see which one is using which port by using the docker ps command. When you see the output, look for the port on the left side of the arrow, and that's the port it's running on. Now navigate to your VPS IP address on that port.
Love your content! I just tried running your Installation of Docker-CE and Docker Compose via a Simple Script on my Oracle Cloud free instance using their Ampere A1 ARM64 processor. I ran your script as the option for ARM64 / raspbian os thinking that may be the closest option. Unfortunately just about everything errored out during the install. Any ideas? Keep up the great content, I'm learning a TON!
@AwesomeOpenSource With WG on OPNsense and a second attempt with wg-easy. I might give it a third shot with your instructions, but my problem was that while clients and servers show that my tunnels are up, I don't pass traffic, can't ping, etc. Sounded like firewall rules, but after hours messing with ufw or iptables I ended up going a different, less performative route like IPsec.
@duduoson1306 Same issue here but with pfSense. I have had luck with running the terminal version of WG on a Pi, but WG-Easy has eluded me since I found out about it. Would love to get it to work because it's much easier to add clients than the latter. Post/DM if you figure it out.
I apologize, I'm not an IPv6 expert thus far. But, you can find the info on their github README here github.com/burghardt/easy-wg-quick/blob/master/README.md#enabling-ipv6. Hope it helps.
If you're asking if you could connect to a LAN through one node on that network, technically you can do that, but you'd have to modify the compose file, and be careful where you put the nodes outside of that LAN. WG Easy itself isn't designed for that as far as I can tell.
Thank you for the great videos. If you are interested, can you do a comparison of object storage file systems? I just tried JuiceFS with Wasabi and I love it, and I was wondering if there is something better. Almost nobody talks about it. I save so much money with that.
Let me learn more about them. I did set up a MinIO system to mess with, but didn't really grasp the benefit of it over just using an NFS share. So, I need to learn more.
@eOpenSource Well, if I were to compare JuiceFS to an NFS share from my novice point of view, I would say that visually it looks the same: you get a folder with files inside. But underneath that, with JuiceFS, every file is chunked and encrypted before it is sent to the cloud storage, so they never get the decryption keys even if the cloud is compromised. You can also tell JuiceFS to store the encrypted chunks on the local disk and then sync the encrypted chunks with other software to whatever cloud. But yeah, JuiceFS is a bit too CPU intensive for small servers and also encryption is really slow with small files, so I was kinda hoping to find something better.
Didn't set up the port behind NPM. That has to have the port open to the server (port forwarded if behind a firewall). In my case I set up on Digital Ocean, so I just allowed UDP traffic to the port in the cloud firewall. The web interface runs on 51821, so that one you need to set up on NPM.
@AwesomeOpenSource Thanks for the answer. I feared that too. I did some research on my side and it seems that WireGuard Easy absolutely can't be behind NPM. That's sad, but it seems that there's no solution about this. Headscale, in contrast, can 100% be used behind NPM. If you can, I would be very grateful for an updated tutorial about a full setup of Headscale with a recent web UI like admin UI or another one (new updates of Headscale made your previous tutorial impossible to use, and the web UI is so old that 50% of it results in server error messages).
I'd say Wg-Easy isn't really meant for that. I'd say maybe Netmaker, Netbird, or Headscale with Tailscale clients might be the route you want to go. I have videos on all of those solutions as well.
It depends on your use case really. Wireguard is Wireguard. The way you generate configurations is the only difference here. If you just need a flat (LAN-like) network where all machines can reach all other machines, this is great.
Yes. The server acts as a configuration portal. It will provide configs to allow peer to peer communication on the Wireguard network. You can, of course, open the configs and modify them as you see fit though.
No, this is really not meant for that. I'd say Tailscale / Headscale, Netmaker, or Netbird would be more what you want for those kinds of things in the GUI.
Love your videos. Is there a way of using WireGuard and Nginx Proxy Manager to host sites? I want to make sites on my home computer public but can't open ports due to double NAT. Is there a way of using WireGuard with a VPS to make this happen? I'd like to use a domain I have as well. Want it to be similar to Cloudflare Tunnels but self hosted.
Yes. Put the reverse proxy on the VPS, then use your Wireguard IP of the server in your home in the proxy host entry. As long as Wireguard is up and the machines can communicate it will work just like a LAN.
Amazing. I did what you said and it worked perfectly. You should do a video on this. Super easy to set up. Completely replaces Cloudflare Tunnel, especially if you use Oracle free tier.
I tried this the other day but had no luck. Difference with me is that I needed wg-easy installed without docker. I already have vanilla wireguard setup in a VM in Proxmox, so I just need to overlay a GUI on top of that without having to install Docker.
The idea here is that this uses the Wireguard install on the server if it's already there I think. Docker is just a really thin virtualized machine that runs the software. The benefit is that it runs the same on any OS that supports Docker.
So, did not work for me... Not sure what I'm missing. I have done the same steps, have wg-easy running, have NPM configured, can access the web UI, got my Samsung S21 added in the wg-easy UI and in the WG app, but it's not connecting in the web UI. I also disabled my ufw and tested again but still no luck... Also for me the QR code did not generate; had to email myself the conf file to get it added in the app. Any suggestions? Update: also tried changing the IP addresses and the DNS of the added clients but still could not get it working. When I activate the connection on my Windows laptop it loses internet access; however, I'm on my phone's hotspot.
Sorry you're having so much trouble. Sometimes, depending on the OS, you need to restart networking for the internet to start working again. You can also add another environment variable to the docker-compose.yml file to open all traffic through the VPN. In fact, you can add several. Sorry, should add these to my show notes. Didn't mention this in the video.
Set the IP address mask you want for your VPN - WG_DEFAULT_ADDRESS=10.8.0.x
Set the DNS for your devices to use - WG_DEFAULT_DNS=1.1.1.1
Set the MTU - WG_MTU=1420
Set the allowed IPs (for all traffic to go through the VPN set this to 0.0.0.0/0) - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
Make sure the connection checks in to keep it alive - WG_PERSISTENT_KEEPALIVE=25
Welp, added what you suggested and still could not get it working. I rebooted the VM, recreated the client, redownloaded the conf file and still nothing... in the app it says it's sending data but not receiving anything. This is on my phone again. UFW is disabled.
WG_DEFAULT_ADDRESS=192.168.0.85
WG_DEFAULT_DNS=192.168.0.167 (Pi-hole server)
WG_MTU=1420
WG_ALLOWED_IPS=192.168.0.0/24
WG_PERSISTENT_KEEPALIVE=25
@AwesomeOpenSource
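Several replies above (the one on AllowedIPs and DNS, the one on keepalive, and the list of WG_* variables) boil down to what ends up in the client .conf file that WG-Easy hands out, which one commenter asked to see. The following is an added example, not code from the video or the wg-easy project: a small audit script that parses a constructed wg-quick style client config (placeholder keys, made-up endpoint) and reports whether it is a full tunnel, whether IPv6 is routed, whether the DNS resolver is actually reachable through the tunnel, and whether keepalive is set.

```python
import ipaddress

# Constructed sample client config modelled on the wg-quick format WG-Easy exports.
# Key values and the endpoint are placeholders, not real key material or hosts.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = vpn.example.com:51820
"""

# Split-tunnel variant: only the WG network is routed, DNS points outside it,
# and there is no keepalive (the failure modes discussed in the thread).
SPLIT_CONF = FULL_TUNNEL_CONF.replace("0.0.0.0/0, ::/0", "10.8.0.0/24") \
                             .replace("PersistentKeepalive = 25\n", "")


def parse_wg_conf(text):
    """Parse the INI-like wg-quick format; [Peer] may repeat, so peers go in a list."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            if line.strip("[]").lower() == "interface":
                current = interface
            else:
                current = {}
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def audit(text):
    """Answer the thread's questions: what is routed, where DNS goes, keepalive."""
    iface, peers = parse_wg_conf(text)
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for p in peers for n in p.get("allowedips", "").split(",") if n.strip()]
    dns = [ipaddress.ip_address(d.strip())
           for d in iface.get("dns", "").split(",") if d.strip()]

    def covered(ip):                              # is this address routed via the tunnel?
        return any(ip.version == net.version and ip in net for net in allowed)

    return {
        "full_tunnel": any(net.prefixlen == 0 for net in allowed),   # 0.0.0.0/0 or ::/0
        "ipv6_routed": any(net.version == 6 for net in allowed),
        "dns_set": bool(dns),
        # a resolver outside AllowedIPs is queried off the tunnel, in the clear
        "dns_via_tunnel": bool(dns) and all(covered(ip) for ip in dns),
        "keepalive": any("persistentkeepalive" in p for p in peers),
    }
```

Run audit() on the .conf downloaded from the WG-Easy UI to see at a glance whether "all traffic" really goes through the VPN and whether the DNS server you set will be reached inside it.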
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-BRLB4wRL4cM.html 192.168.10.17 - Where did you get it from? How do I open nginx on my server? I installed it according to your script.
That is the IP address of the host machine (where I have docker running). The host will then forward the traffic to the container based on the port I entered next (that's the port on the left side of the port mapping back in the docker compose file). I hope that helps.
You have to set up the Allowed IPs in the config file properly, and there's not really a way to do that through the UI on this setup. I'd say Tailscale / Headscale, Netmaker, or Netbird would be better for that setup.