May 4, 2024

Create your own VPN server with WireGuard in Docker



Published June 15, 2023, 12:20 p.m. by Jerald Waisoki


In this video, I will show you how to easily create your own private VPN server with WireGuard running in a Docker container. I will walk you step by step through the installation, configuration, and how to add clients to your VPN server. #wireguard #vpn #docker

DOCS: https://github.com/christianlempa/videos/tree/main/wireguard-docker

Follow me:

TWITTER: https://twitter.com/christianlempa

INSTAGRAM: https://instagram.com/christianlempa

DISCORD: https://discord.com/invite/bz2SN7d

GITHUB: https://github.com/christianlempa

PATREON: https://www.patreon.com/christianlempa

MY EQUIPMENT: https://kit.co/christianlempa

Timestamps:

00:00 Introduction
01:00 What you need to consider when using a VPN tunnel
03:10 Prerequisites, install Docker & docker-compose
05:33 Create our WireGuard container
14:47 Start the WireGuard container and inspect config files
19:00 How to connect clients to the WireGuard server
21:43 Add more clients and mobile phones via QR code
23:30 Summary


Hi everybody and welcome to The Digital Life. In this video I will show you how to easily create your own private VPN server with WireGuard running in a Docker container. This was highly requested from you guys, because I recently also did a video about how to install and configure WireGuard on an Ubuntu server, so if you haven't already checked out this video, please do so.

In that video we had to create our own private and public keys and also created our static configuration files for the server and all clients. But when using the Docker image I'm using in this tutorial, this will be automatically created for you: the Docker container will create all private and public keys and also create static configuration files for the server and all your clients. It will also run a DNS server, so I think that is a pretty easy and much faster deployment method. So if you want to learn how to do that, keep watching.

But before we start with this tutorial, let me explain a few things you need to consider when running a VPN tunnel, because I think currently there's a lot of confusion on the internet about what a VPN does and what a VPN does not. If you're one of these guys hoping to increase your privacy, surf more securely on the internet or hide your identity, you will probably need to lower your expectations a bit, because all we do is create a secured tunnel from your client to your WireGuard server. That means whenever your client sends out any network packets, they get routed through that secure tunnel, and all these network packets are encrypted and no one in between can really inspect or track those packets. But you need to be aware that your internet breakout point will be at your WireGuard server, so whatever is sent out from there may still be unencrypted or may still be tracked by anyone. So it really comes down to where your WireGuard server is located and how secure that is. Although many VPN providers may tell you something different, a VPN tunnel is not a tool to increase your privacy, and it's not a tool to surf more securely on the internet.

But I still think a VPN tunnel can make sense in a lot of cases, for instance if you want to access the internet through big public or shared networks like in hotels or public Wi-Fi networks, or if you want to easily gain access from anywhere to your local area network at home when your WireGuard server is running there, or if you want to avoid country blocking when your WireGuard server is running in a cloud environment in a different country. In these cases I also think it makes a lot more sense to run your own private VPN server than to just use a VPN service provider, because otherwise you would give a lot of control away and you put a lot of trust into that service provider, and you really never know how they are handling your data or how they are securing your data. So I think it makes more sense to create your own private VPN server, and using WireGuard in combination with a Docker container is a very easy approach to do that. So let me share my screen with you guys and we will start right now.

To do a short demonstration I have just created a new virtual machine and installed Ubuntu 20.05 LTS in the server version. You can also follow this tutorial with any other Ubuntu or Debian based Linux distro. It may also work on other ones as well, but that is not really tested or optimized by the creator of the Docker image.

OK, so if you have not installed Docker and docker-compose already, let's do that. You can also skip this part if you already have Docker and docker-compose installed. And don't worry, you don't need to remember all these commands or type them from this video; you can also have a look at the description of this video. I've put a link to my written blog article there, where I have written down all the steps we are doing in this tutorial, and you can just copy and paste the commands I'm using in this guide.

So first let us install some prerequisites to be able to install Docker and docker-compose, and we also need to add the docker.com repository to our package sources. After doing that we also need to do an update to update our package sources, and then we can install docker-ce, docker-ce-cli and the containerd engine. I will skip that part because that will take some time.

If that is finished and Docker is installed successfully, we can now install docker-compose. We simply just download a file and place that in our /usr/local/bin directory. Don't forget to make this file executable with this command here. We can also add our current user to the docker group, so we don't need to place a sudo command in front of any docker or docker-compose commands. If you have done that, you need to re-log into your shell, or you can just simply type in newgrp docker and that will reload all the memberships of that group. To check that, let me just clear my screen, guys, and you should be able to execute this command: docker run hello-world. That should pull the Docker image from Docker Hub and run this hello-world image. If you see a screen like this, "Hello from Docker", everything is working fine. You can also check if you have installed docker-compose correctly with this command here, docker-compose version, and you should see the docker-compose version.

We can now create our docker-compose configuration file that will manage our Docker container with WireGuard. To do that I will create a new folder in the /opt directory and I will call this wireguard-server. I will also change the permission to the current Linux user I'm using, so that will make sure we have the correct permissions when we create the docker-compose file, and if the Docker container also creates those configuration files and the private and public keys, you actually have the right permissions on your current user. So that is also very important.

Let's step into this directory, so let's go to the wireguard-server directory, and we will now start creating our docker-compose file. So let's just create a new file that is called docker-compose.yaml. When we create this empty file, we will now use a Docker image, or a template for this, that will use the Docker image from the site linuxserver.io. If you haven't already checked out these guys, let me show you the home page. The guys from linuxserver.io maintain community images; they are a group of people from across the world who build and maintain this collection of Docker images for the community. You can also check their images in the images section, and if you scroll down you can see what these guys are doing. I think they are doing incredible work, so that is really nice; if you haven't checked them out, please do so. I will also put a link to their homepage in the description below.

If you scroll down you can also see a Docker image that is called linuxserver/wireguard, and if you click on that and go to the home page on Docker Hub, you will get directed to the official documentation of that image. That is really nice: you can see it's frequently updated, and everything is described that is used in that Docker image. You can also see how to use that with just a docker command, but I think it's much easier to use the docker-compose template. So you can just copy this here and put this in your docker-compose file in your directory and use this as a template; you need to customize a few things. So let me just copy that and place that in this file, and we can go over this step by step.

So we are using a docker-compose configuration file from the schema version 2.1. We are creating a new service that is called wireguard from the image linuxserver/wireguard. These guys have already provisioned that image to Docker Hub, so you don't need to clone any repository or build your images yourself; that is very easy. We also set the container name to wireguard, so we can easily access this container in the docker command, and we will also need to add two permissions. If you want to know what these permissions are really doing, you can also refer to the documentation on the docker.com home page. So let's check this: you can see NET_ADMIN performs various network related operations, so that is needed in order to manage the network, and we also add this option here, SYS_MODULE, to load and unload kernel modules. That is very important because, as I said before, the WireGuard kernel module needs to be loaded on the host operating system, and because the Docker container is an isolated one, we need to add this permission manually, so the Docker container will have the correct permission to load the WireGuard kernel module into your host operating system's kernel.

Next we have some environment variables that will set the configuration for our WireGuard server. So here the PUID and the PGID are set to 1000, and that can be different in your environment, so we should have a look at the linuxserver documentation. If you scroll down you can see a part like this, "User / Group Identifiers": when using volumes, permission issues can arise between the host operating system and the container, and to avoid that we will set the user identifier and the group identifier to the ID of your current Linux user. So if you have created your folder (let me just exit this here), if you have created your folder, remember I have set the owner of this folder to my user christian. My user christian has the identifier 1000, and that is okay, so I will use 1000. If you have another user that has a different identifier, you should add this identifier and change this in the docker-compose configuration file. In my case 1000 is fine; it's also the default if you have just created one user and you're using that.

Next we need to set our time zone, so I can set this to Europe/London; I could also change that to Europe/Berlin probably. And then we will need to specify the SERVERURL. These parameters are only needed when running WireGuard in server mode, and that is what we want to do here. You can also specify that here: enter an IP address or DNS name, or you can set it to auto. When you do it with the auto setup, the Docker image will automatically try to determine your public IP address, so it will make a lookup to a web server and then check what your external public IP address is. Because I'm using that in my own local area network as a virtual machine test setup, I cannot use that, because the client I will connect needs to refer to the private IP address and not to the public one. So you really need to think of where your server is located and where your clients are located. Usually you should set this to auto when your clients are located in a different network and you want to access your WireGuard server with your public IP address at this point. But in my case I'm using a private IP address, so I'm typing in this here; this is the private IP address of my Ubuntu server.

You could also change the SERVERPORT. 51820 is the default port for WireGuard, but you can also customize it to anything else. The next parameter, PEERS, will tell the Docker image or the Docker container how many client configurations we want to create. You can also set this to any other number, and the Docker container, when it first starts, will automatically create configuration files, private and public keys and a QR code for all these clients. In this case I'm just creating one peer; I will show you how to add a second or third peer afterwards.

If you want to use a DNS server, you can also specify that here. If you set this to auto, the client configuration file will point at the DNS server running on your WireGuard server. When you run this Docker image, it also has a pre-configured and pre-installed DNS server running on it, and with setting this to auto the clients will use your DNS server that is running on your WireGuard Docker container. But you can also set this to any other IP address if you want to use a different DNS server. And you can also specify the internal subnet. I leave it like this because I don't have any different subnet with the same subnet mask, so that should be fine.

And then we need to set our configuration paths. When the WireGuard server is running for the first time, it will create the server configuration, the client configuration and the DNS server configuration in this folder, and you can also change these configuration files later or copy them and distribute them to your clients. In this case I will use the same folder I've just created, /opt/wireguard-server. You need to make sure the Docker container has the correct permissions to access this folder, so that should be fine. We also need to have a volume placed to the /lib/modules section; that is needed when you need to compile or run the kernel headers when your kernel is older than version 5.6, so it doesn't have the WireGuard kernel modules already included in your host operating system's kernel. Then you will need to do that, but I will leave it like this. You also need to expose this port here; if you have customized that, you need to change it here of course as well. And this one here, the sysctls, I just leave it like this; I think that is needed for the container and also for the client configuration to work properly. You can also set this here, the restart: you can also set this to always if you have any issues and stop your container and you just do a reboot to enable it again; you can also set this to always if you want to do that.

Let's save this and exit. We can now start our Docker container with a simple command, docker-compose up. Don't forget to place a -d in order to make this Docker container run in the background, and just hit enter. If you haven't already pulled the WireGuard server image from linuxserver.io, this automatically downloads it from Docker Hub, and once this is finished it should start the WireGuard server. You can see the Docker container is now successfully started. You can also check this with docker-compose ps, and you see it has one container that is up.

If you now want to check your WireGuard server with the wg command, you will see this is not installed, because we are running that on the host operating system. If you want to use that command in order to check whether there is a client connected or what the status of your server is, you need to execute this wg command in your Docker container. To do that, simply just type in docker exec -it, then you will need to use the name wireguard, that is the name of our Docker container, and then the command wg. If we execute this you can see it is now working: we have here the public key (the private key of course is hidden), and there's one peer that is automatically created because we have set the parameter PEERS to one.

If we do an ls here in this folder, you can also see there is a new folder created by the Docker container, and if we cd into that config folder and do an ls, you can see there's a wg0.conf, that is the configuration file of our WireGuard server, and we also have the config files for CoreDNS, that is the DNS server running in that container. The peer1 folder contains all configuration files, private and public keys of our client and also the server. We also have some templates for the configuration files, but we really don't need them. Let's just have a look at the wg0.conf file, and you can see this is our server's configuration file. This just looks like a usual WireGuard configuration file: you can see the private key, the public key, everything in here. If you check the permissions, you can also see this configuration file has read and write permissions for your user, so this is also securely stored on your computer, and no one else than this user or the owner of this folder we have used can access these files. You should also check that, because when you go to the server folder and do an ls here, you can see there is a private and a public key, so you need to store that in a secure way. The creators of linuxserver.io have also taken care of that, so that is very nice.

We simply could just now connect any client. If you want to connect with a client to your WireGuard server, you simply just go to the peer1 folder, or we need to go to the config folder first, sorry, and if we do an ls you can see here is a peer1.png, that contains a QR code, I will show you later what this is, and also the peer1.conf file. We need to just use this config file and distribute that config file to any client and use that as our WireGuard configuration file. It also has the private and public keys; it also has all the configuration we have set. So if we have a look at this file, you can see it already has configured the endpoint to the public IP address we have just used, and it has set the DNS server, it has set the private IP address and the client public and private key. It also has set the allowed IP addresses to all, so that means all traffic is automatically routed through the tunnel. If you would need to change that, so you only want to route specific traffic through the tunnel from your client, you would need to change this line here and change this to the networks you want to route through the tunnel.

Okay guys, so let me just show a simple example of how to easily connect a client, because you can also connect many other operating systems or different clients. If you check the installation instructions on the wireguard.com homepage, you can see there's a client available for Windows, for macOS, for Linux, Android, iOS and other Linux distributions as well, so you can just refer to this here, install the client on your computer or wherever you want to install that, and just use the peer1.conf configuration file and distribute that to the client, and everything should be set up correctly.

I have already created an Ubuntu client, that is in version 18.04. Let's just install WireGuard; to do that just enter sudo apt install wireguard, and we also need the resolvconf package, that is needed for the DNS command used in the wg-quick command. So what we now need to do is copy the peer1.conf file of the server to the client. I just do that with scp, so I just copy the peer1.conf to the client and I just store this in my personal folder as peer1.conf. Yes, and just enter the password, so it should be located on our client as well. If we do an ls here, here's our peer1.conf file, and what we're going to do now is we just copy this. I can also move this file, because we don't need it in my personal folder again, and move this to the /etc/wireguard/wg0.conf file. We can now start the WireGuard client with the command wg-quick up wg0. Now the WireGuard client should be connected to the server. To check that, just enter wg, with sudo permissions of course, and you can see the handshake is 40 seconds ago, so the client is now connected to our WireGuard server. We can also check this on the WireGuard server of course; we now need to execute the wg command in the Docker container, so just enter docker exec -it wireguard wg, and you can see we can also see here the peer is connected from the endpoint IP; that is the IP address of my client with that private IP address.

If we want to add more than one client, for instance I just want to add my mobile phone also as a client to the WireGuard server, I need to increase the number of peers. If you want to do that, you simply just go to the docker-compose file, edit this and just increase the peer number by one or by the number of peers you want to create, and just write this to the file. We now need to restart our Docker container simply with up -d and enter --force-recreate. If we hit enter we are now recreating the WireGuard container, and it should automatically add a second peer configuration file. If we cd into that config folder and do an ls, you can see there is a peer2 folder created. If you for instance want to add a mobile client, you can just go to the app store and download the WireGuard client, and then execute this command here: docker exec -it wireguard, so we're executing a command in the wireguard container, /app/show-peer and then the number of the peer you want to show the QR code for. So I want to show the QR code for peer2; just hit enter and you can see it now prints us a QR code. I can now grab my phone, open the WireGuard client and scan this QR code, and I have automatically created the tunnel interface and also added all the configuration. I can then just enable that and my mobile phone will automatically connect to the WireGuard server.

So I think that is pretty easy. I think that is just great what the guys from linuxserver.io have created. It is very easy, but you would need to have some knowledge of Docker and also docker-compose, so if you want to learn more about Docker and docker-compose and why this is just amazing, you can also have a look at my other two videos about Docker and also docker-compose; I've put the links in the description below. Check them out. I hope you liked this video and you could also learn something new, and if you want to learn more about Linux, Python, Docker, cloud, networking and all this stuff, and you really want to become an IT professional, don't forget to subscribe to my channel. You can also leave me a comment or join my Discord server if you want to discuss that or if you want to get in touch with people who share the same interests as you. So thanks everybody for watching, enjoy the rest of your day, take care of yourself and I see you soon.
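As an added example that is not part of the video or of the linuxserver.io project, this shell script writes the docker-compose.yml the video walks through (following the linuxserver/wireguard template the video copies) and covers two things the video only mentions: narrowing AllowedIPs in a generated peer config so that only specific networks go through the tunnel, and checking that nothing in the config tree, which holds private keys, is readable by other users. Assumptions: the PEERDNS, INTERNAL_SUBNET and sysctls values are the image's documented defaults, the sample peer1.conf and its keys are constructed placeholders, and GNU sed/find are available.

```shell
#!/usr/bin/env bash
# Added example, not from the video: generate the docker-compose.yml the video
# walks through, then post-process the peer config the container generates.
set -eu

# Write docker-compose.yml for linuxserver/wireguard into DIR.
# Args: DIR PUID PGID TZ SERVERURL PEERS. SERVERURL=auto makes the container
# look up the host's public IP; use a private IP for a LAN-only test setup.
write_compose() {
  local dir="$1" puid="$2" pgid="$3" tz="$4" serverurl="$5" peers="$6"
  mkdir -p "$dir"
  cat > "$dir/docker-compose.yml" <<EOF
version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN    # network-related operations inside the container
      - SYS_MODULE   # load the wireguard kernel module on the host
    environment:
      - PUID=$puid
      - PGID=$pgid
      - TZ=$tz
      - SERVERURL=$serverurl
      - SERVERPORT=51820
      - PEERS=$peers
      - PEERDNS=auto              # clients use the CoreDNS in the container
      - INTERNAL_SUBNET=10.13.13.0
    volumes:
      - $dir/config:/config
      - /lib/modules:/lib/modules   # only needed on kernels older than 5.6
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
EOF
}

# Constructed stand-in for config/peer1/peer1.conf (keys are placeholders).
write_sample_peer_conf() {
  cat > "$1" <<'EOF'
[Interface]
Address = 10.13.13.2
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
DNS = 10.13.13.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
Endpoint = 192.168.1.50:51820
AllowedIPs = 0.0.0.0/0
EOF
  chmod 600 "$1"
}

# Turn the full-tunnel client config (AllowedIPs = 0.0.0.0/0) into a split
# tunnel: only NETS (comma-separated CIDRs) are routed through WireGuard.
split_tunnel() {
  local conf="$1" nets="$2"
  sed -i "s|^AllowedIPs *=.*|AllowedIPs = $nets|" "$conf"
  grep '^AllowedIPs' "$conf"
}

# Private keys live in the config tree: fail if any file there is readable
# by group or others. Returns 0 when permissions are tight.
check_key_perms() {
  [ -z "$(find "$1" -type f -perm /044)" ]
}
```

Run check_key_perms against /opt/wireguard-server/config after the first docker-compose up, and apply split_tunnel to a copy of peer1.conf before distributing it if the client should only reach the home LAN through the tunnel.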
