Published June 15, 2023, 12:20 p.m. by Jerald Waisoki
In this video, I will show you how to easily create your own private VPN server with WireGuard running in a Docker container. I will walk you step by step through the installation, configuration, and how to add clients to your VPN server. #wireguard #vpn #docker
DOCS: https://github.com/christianlempa/videos/tree/main/wireguard-docker
01:00 What you need to consider when using a vpn tunnel
03:10 Prerequisites, install docker & docker-compose
14:47 Start the wireguard container and inspect config files
19:00 How to connect clients to the wireguard server
21:43 Add more clients and mobile phones via QR code
Hi everybody and welcome to The Digital Life. In this video I will show you how to easily create your own private VPN server with WireGuard running in a Docker container. This was highly requested from you guys, because I recently also did a video about how to install and configure WireGuard on an Ubuntu server, so if you haven't already checked out this video, please do so. In that video we had to create our own private and public keys and also create our static configuration files for the server and all clients. But when using the Docker image I'm using in this tutorial, this will be automatically created for you: the Docker container will create all private and public keys and also create static configuration files for the server and all your clients. It will also run a DNS server, so I think that is a pretty easy and much faster deployment method. So if you want to learn how to do that, keep watching.
But before we start with this tutorial, let me explain a few things you need to consider when running a VPN tunnel, because I think currently there's a lot of confusion on the internet about what a VPN does and what a VPN does not. If you're one of these guys hoping to increase your privacy, surf more securely on the internet or hide your identity, you probably will need to lower your expectations a bit, because all we do is create a secured tunnel from your client to your WireGuard server. That means whenever your client sends out any network packets, they get routed through that secure tunnel, and all these network packets are encrypted, and no one in between can really inspect or track those packets. But you need to be aware that your internet breakout point will be at your WireGuard server, so whatever is sent out from there may still be unencrypted or may still be tracked by anyone. So it really comes down to where your WireGuard server is located and how secure that is. Although many VPN providers may tell you something different, a VPN tunnel is not a tool to increase your privacy, and it's not a tool to surf more securely on the internet.

But I still think a VPN tunnel can make sense in a lot of cases, for instance if you want to access the internet through big public or shared networks like in hotels or public Wi-Fi networks, or if you want to easily gain access from anywhere to your local area network at home when your WireGuard server is running there, or if you want to avoid country blocking when your WireGuard server is running in a cloud environment in a different country. In these cases I also think it makes a lot more sense to run your own private VPN server than to just use a VPN service provider, because otherwise you would give a lot of control away and you put a lot of trust into that service provider, and you really never know how they are handling your data or how they are securing your data. So I think it makes more sense to create your own private VPN server, and using WireGuard in combination with a Docker container is a very easy approach to do that. So let me share my screen with you guys and we will start right now.
To do a short demonstration I have just created a new virtual machine and installed Ubuntu 20.05 LTS in the server version. You can also follow this tutorial with any other Ubuntu or Debian based Linux distro. It may also work on other ones as well, but that is not really tested or optimized by the creator of the Docker image. OK, so if you have not installed Docker and docker-compose already, let's do that. You can also skip this part if you already have Docker and docker-compose installed. And don't worry, you don't need to remember all these commands or type them from this video; you can also have a look at the description of this video. I've put a link to my written blog article there, where I have written down all the steps we are doing in this tutorial, and you can just copy and paste the commands I'm using in this guide.
So first let us install some prerequisites to be able to install Docker and docker-compose, and we also need to add the docker.com repository to our package sources. After doing that we also need to do an update to update our package sources, and then we can install docker-ce, docker-ce-cli and containerd. I will skip that part because that will take some time. If that is finished and Docker is installed successfully, we can now install docker-compose: we simply just download a file and place that in our /usr/local/bin directory. Don't forget to make this file executable with this command here. We can also add our current user to the docker group, so we don't need to place a sudo command in front of any docker or docker-compose commands. If you have done that, you need to re-log into your shell, or you can just simply type in newgrp docker and that will reload all the memberships of that group. To check that, let me just clear my screen, guys, and you should be able to execute this command: docker run hello-world. That should pull the Docker image from Docker Hub and run this hello-world image. If you see a screen like this, "Hello from Docker", everything is working fine. You can also check if you have installed docker-compose correctly with this command here, docker-compose version, and you should see the docker-compose version. We can now create our docker-compose configuration file that will manage our Docker container
with WireGuard. To do that I will create a new folder in the /opt directory, and I will call this wireguard-server. I will also change the permissions to the current Linux user I'm using, so that will make sure we have the correct permissions when we create the docker-compose file, and when the Docker container also creates those configuration files and the private and public keys, you actually have the right permissions with your current user. So that is also very important. Let's step into this directory, so let's go to the wireguard-server directory, and we will now start creating our docker-compose file. So let's just create a new file that is called docker-compose.yaml, and when we have created this empty file we will now use a docker-compose template that uses the Docker image from the site linuxserver.io. If you haven't already checked out these guys, let me show you the home page: the guys from linuxserver.io maintain community images, and they are a group of people from across the world who build and maintain this collection of Docker images for the community. You can also check their images in the images section, and if you scroll down you can see what these guys are doing. I think they are doing incredible work, so that is really nice; if you haven't checked them out, please do so. I will also put a link to their homepage in the description below. If you scroll down you can also see a Docker image that is called linuxserver/wireguard, and if you click on that and go to the home page on Docker Hub, you will get directed to the official documentation of that image. That is really nice: you can see it's frequently updated, and everything that is used in that Docker image is described there. You can also see how to use that with just a docker command, but I think it's much easier to use the docker-compose template. You can just copy this here and put it in your docker-compose file in your directory and use this as a template; you need to customize a few things. So let me just copy that and place that in this file, and we can go over this step by step.
We are using a docker-compose configuration file with version 2.1. We are creating a new service that is called wireguard from the image linuxserver/wireguard. These guys already have provisioned that image to Docker Hub, so you don't need to clone any repository or build your images yourself; that is very easy. We also set the container name to wireguard so we can easily access this container in the docker command. And we will also need to add two permissions; if you want to know what these permissions are really doing, you can also refer to the documentation on the docker.com home page. So let's check this: you can see NET_ADMIN performs various network-related operations, so that is needed in order to manage the network, and we also add this option here, SYS_MODULE, load and unload kernel modules. That is very important because, as I said before, the WireGuard kernel module needs to be loaded on the host operating system, and because the Docker container is an isolated one, we need to add this permission manually so the Docker container will have the correct permission to load the WireGuard kernel module into your host operating system's kernel.

Next we have some environment variables that will set the configuration for our WireGuard server. So this here, the PUID and the PGID, is set to 1000, and that can be different in your environment, so we should have a look at the linuxserver documentation. If you scroll down you can see a part like this, "User / Group Identifiers": when using volumes, permission issues can arise between the host operating system and the container, and to avoid that we will set the user identifier and the group identifier to the ID of your current Linux user. So if you have created your folder, let me just exit this here. If you have created your folder, remember I have set the owner of this folder to my user christian. My user christian has the identifier 1000, and that is okay, so I will use 1000. If you have another user that has a different identifier, you should take this identifier and change this in the docker-compose configuration file. In my case 1000 is fine; it's also the default if you have just created one user and you're using that.
Next we need to set our time zone, so I can set this to Europe/London; I could also change that to Europe/Berlin, probably. And then we will need to specify the server URL. These parameters are only needed when running WireGuard in server mode, and that is what we want to do here. You can also specify that here: enter an IP address or DNS name, or you can set it to auto. When you do it with the auto setup, the Docker image will automatically try to determine your public IP address, so it will make a lookup to a web server and then check what your external public IP address is. Because I'm using that in my own local area network as a virtual machine test setup, I cannot use that, because the client I will connect needs to refer to the private IP address and not to the public one. So you need to really think of where your server is located and where your clients are located. Usually you should set this to auto when your clients are located in a different network and you want to access your WireGuard server with your public IP address at this point. But in my case I'm using a private IP address, so I'm typing in this here; this is the private IP address of my Ubuntu server. You could also change the server port: 51820 is the default port for WireGuard, but you can also customize it to anything else. And the next parameter, peers, will tell the Docker image or the Docker container how many client configurations we want to create. You can also set this to any other number, and the Docker container, when it first starts, will automatically create configuration files, private and public keys and a QR code for all these clients. In this case I'm just creating one peer; I will show you how to add a second or third peer afterwards. And if you want to use a DNS server, you can also specify that here. If you set this to auto, the client configuration file will point at the DNS server running on your WireGuard server: when you run this Docker image, it also has a pre-configured and pre-installed DNS server running on it, and with setting this to auto the clients will use your DNS server that is running on your WireGuard Docker container. But you can also set this to any other IP address if you want to use a different DNS server. And you can also specify the internal subnet. I leave it like this because I don't have any different subnet with the same subnet mask, so that should be fine.
And then we need to set our configuration paths. When the WireGuard server is running for the first time it will create the server configuration, the client configuration and the DNS server configuration in this folder, and you can also change these configuration files later, or copy them and distribute them to your clients. In this case I will use the same folder I've just created, /opt/wireguard-server. You need to make sure the Docker container has the correct permissions to access this folder, so that should be fine. We also need to have a volume placed to the /lib/modules section; that is needed when you need to compile or run the kernel headers when your kernel is older than version 5.6, so it doesn't have the WireGuard kernel module already included in your host operating system's kernel. Then you will need to do that, but I will leave it like this. And you also need to expose this port here, so that is the port; if you have customized that, you need to change it here as well, of course. And this one here, the sysctls, I just leave it like this; I think that is needed for the container and also for the client configuration to work properly. And you can also set this here, the restart: you can also set this to always if you have any issues and stop your container and you just do a reboot to enable it again; you can also set this to always if you want to do that. Let's save this and exit. We can now start our Docker container with a simple command, docker-compose up; don't forget to add -d in order to make this Docker container run in the background,
and just hit enter. If you haven't already pulled the WireGuard server image from linuxserver.io, this is automatically downloading it from Docker Hub, and once this is finished it should start the WireGuard server. You can see the Docker container is now successfully started. You can also check this with docker-compose ps, and you see it has one container that is up. If you now want to check your WireGuard server with the wg command, you will see this is not installed, because we are running that on the host operating system. If you want to use that command in order to check whether there is a client connected, or what the status of your server is, you need to execute this wg command in your Docker container. To do that simply just type in docker exec -it, then you will need to use the name wireguard, that is the name of our Docker container, and then the command wg. If we execute this you can see it is now working: we have here the public key, the private key is of course hidden, and there's one peer that is automatically created because we have set the parameter peers to one. And if we do an ls here in this folder you can also see there is a new folder created by the Docker container, and if we cd into that config folder and do an ls, you can see there's a wg0.conf, that is the configuration file of our WireGuard server, and we also have the config files for the CoreDNS, that is the DNS server running in that container. The peer1 folder contains all configuration files, private and public keys of our client, and also the server. We also have some templates for the configuration files, but we really don't need them. Let's just have a look at the wg0.conf file, and you can see this is our server's configuration file. This just looks like a usual WireGuard configuration file; you can see the private key, the public key, everything in here. If you check the permissions, you can also see this configuration file has read and write permissions for your user, so this is also securely stored on your computer, and no one else than this user or the owner of this folder we have used can access these files. You should also check that, because when you go to the server folder and do an ls here, you can see there is a private and a public key, so you need to store that in a secure way. The creators of linuxserver.io have also taken care of that.
So that is very nice, and we simply could just now connect any client. If you want to connect with a client to your WireGuard server, you simply just go to the peer1 folder, or we need to go to the config folder first, sorry, and if we do an ls you can see here is a peer1.png; that contains a QR code, I will show you later what this is. And also the peer1.conf file. We need to just use this config file and distribute that config file to any client and use that as our WireGuard configuration file. It also has the private and public keys, and it also has all the configuration we have set. So if we have a look at this file, you can see it already has configured the endpoint to the public IP address we have just used, and it has set the DNS server, it has set the private IP address and the client public and private key, and it also has set the AllowedIPs to all. That means all traffic is automatically routed through the tunnel. If you would need to change that, so you only want to route specific traffic through the tunnel from your client, you would need to change this line here and change this to the networks you want to route through the tunnel.
Okay guys, so let me just show a simple example of how to easily connect a client, because you can also connect many other operating systems or different clients. If you check the installation instructions on the wireguard.com homepage, you can see there's a client available for Windows, for macOS, for Linux, Android, iOS and other Linux distributions as well. You can just refer to this here, install the client on your computer or wherever you want to install that, and just use the peer1.conf configuration file and distribute that to the client, and everything should be set up correctly. I have already created an Ubuntu client, that is in version 18.04. Let's just install WireGuard; to do that just enter sudo apt install wireguard, and we also need the resolvconf package that is needed for the DNS command used in the wg-quick command. So what we need to do is we now need to copy the peer1.conf file of the server to the client. I just do that with scp, so I just copy the peer1.conf to the client and I just store this in my personal folder as peer1.conf. Yes, and just enter the password, so it should be located on our client as well. If we do an ls here, here's our peer1.conf file, and what we're going to do now is we just copy this; so I can also move this file, because we don't need it in my personal folder again, and move this to the /etc/wireguard/wg0.conf file. We can now start the WireGuard client with the command wg-quick up wg0. Now the WireGuard client should be connected to the server; to check that just enter wg, with sudo permissions of course, and you can see the handshake is 40 seconds ago, so the client is now connected to our WireGuard server. We can also check this on the WireGuard server, of course; we now need to execute the wg command in the Docker container, of course, so just enter docker exec -it wireguard wg, and you can see we can also see here the peer is connected from the endpoint, that is the IP address of my client
with that private IP address. So if we want to add more than one client, for instance I just want to add my mobile phone also as a client to the WireGuard server, I need to increase the number of peers. If you want to do that, you simply just go to the docker-compose file, edit this and just increase the peer number by one, or by the number of peers you just want to create, and just write this to the file. We now need to restart our Docker container, simply with up -d and --force-recreate. If we hit enter we are now recreating the WireGuard container, and it should automatically add a second peer configuration file. So if we cd into that config folder and do an ls, you can see there is a peer2 folder created. And if you for instance want to add a mobile client, you can just go to the app store and download the WireGuard client, and then execute this command here: docker exec -it wireguard /app/show-peer, so we're executing a command in the WireGuard container, /app/show-peer, and then the number of the peer you want to show the QR code for. So I want to show the QR code for peer2; just hit enter and you can see it now prints us a QR code. So I can now grab my phone, open the WireGuard client and scan this QR code, and it has automatically created the tunnel interface and also added all the configuration. I can then just enable that and my mobile phone will automatically connect to the WireGuard server. So I think that is pretty easy; I think that is just great what the guys from linuxserver.io have created.
It is very easy, but you would need to have some knowledge of Docker and also docker-compose. So if you want to learn more about Docker and docker-compose and why this is just amazing, you can also have a look at my other two videos about Docker and also docker-compose; I've put a link in the description below, check them out. I hope you liked this video and you could also learn something new, and if you want to learn more about Linux, Python, Docker, cloud, networking and all this stuff, and you really want to become an IT professional, don't forget to subscribe to my channel. You can also leave me a comment or join my Discord server if you want to discuss that or if you want to get in touch with people who share the same interests as you. So thanks everybody for watching, enjoy the rest of your day, take care of yourself and I see you soon.
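Two checks the video leaves to the viewer, as an added example; this is not code from the video, the linked blog article or the linuxserver/wireguard image. It assumes the directory layout shown in the video (a config folder holding wg0.conf, a server folder and peerN/peerN.conf), the image's default 10.13.13.0/24 internal subnet (an assumption; the video keeps the template default without naming it), and a constructed peer1.conf with placeholder keys as sample input. It verifies that nothing under the config folder is readable by other users, which the video checks by eye, and performs the split-tunnel change the video describes: narrowing AllowedIPs from 0.0.0.0/0 to the VPN subnet plus the home LAN.

```bash
#!/bin/sh
# Added example, not from the video or the linuxserver/wireguard image.
# Audits the config directory the container writes (the video's
# /opt/wireguard-server/config is assumed) for key files readable by other
# users, and derives a split-tunnel copy of a peer config by narrowing
# AllowedIPs instead of routing everything (0.0.0.0/0) through the tunnel.
set -eu

# Constructed sample of a peer config in the shape the image generates.
# Keys are placeholders, not real keys; 10.13.13.0/24 is the image's default
# internal subnet (assumption: the video keeps the template default).
SAMPLE_PEER_CONF='[Interface]
Address = 10.13.13.2
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 192.168.1.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
'

# Print the AllowedIPs value of a WireGuard config (first occurrence).
allowed_ips() {
  sed -n 's/^AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when the config sends all traffic (a default route) through the tunnel.
is_full_tunnel() {
  case "$(allowed_ips "$1")" in
    *0.0.0.0/0*|*::/0*) return 0 ;;
    *) return 1 ;;
  esac
}

# List regular files under the config dir that group or others can read,
# write or execute. Every *.conf and privatekey-* file holds key material,
# so the expected output is empty.
world_readable_files() {
  find "$1" -type f -perm /077
}

# Fail (status 1) and name the offenders if any file is too open.
check_conf_perms() {
  bad=$(world_readable_files "$1")
  if [ -n "$bad" ]; then
    printf 'files readable by other users:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Write a split-tunnel copy of a peer config: identical except that
# AllowedIPs is replaced by the given comma-separated list. Keep the VPN
# subnet in the list, or the client loses the DNS server on 10.13.13.1.
make_split_tunnel() {
  src=$1; dst=$2; nets=$3
  sed "s|^AllowedIPs[[:space:]]*=.*|AllowedIPs = ${nets}|" "$src" > "$dst"
  chmod 600 "$dst"
}

# Usage: sh wg-peer-audit.sh /opt/wireguard-server/config
# Fails on loose permissions, then reports which peers are full-tunnel.
if [ $# -gt 0 ]; then
  check_conf_perms "$1"
  for conf in "$1"/peer*/peer*.conf; do
    [ -f "$conf" ] || continue
    if is_full_tunnel "$conf"; then
      echo "$conf: full tunnel"
    else
      echo "$conf: split tunnel ($(allowed_ips "$conf"))"
    fi
  done
fi
```

Run it against the config folder after the container has started once; a non-empty permissions report means a private key is readable by every local account, which is exactly what the PUID/PGID setting in the compose file is meant to prevent. The split-tunnel copy is what you hand to a client that should only reach the home LAN through the tunnel while the rest of its traffic leaves locally.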
© 2CUTURL. All Rights Reserved.