# WireGuard image with built-in API server wgrest

- Run:

  ```sh
  wget -qO- https://github.com/Delave-las-Kure/wireguard/archive/refs/heads/main.tar.gz | tar xvz -C /home && \
    mv /home/wireguard-main /home/wireguard
  ```

  Then go to the directory:

  ```sh
  cd /home/wireguard
  ```

- Fill the `.env` file:

  ```sh
  SUPPORT_EMAIL= # Optional
  DOMAIN=        # Server domain. For example: vpnserver.com
  TZ=            # Server timezone. For example: Europe/London
  ```

  The REST API will be available at `wgrest.${DOMAIN}`. The WireGuard endpoint will be `wireguard.${DOMAIN}`.

- Fill the `secrets/api-key` file. This key will be used as the bearer token for the REST API.

- Run the docker containers:

  ```sh
  docker-compose up -d
  ```
`docker-compose.yml`:

```yaml
version: "3.9"
services:
  wireguard:
    image: fieron/wireguard:latest
    container_name: wireguard
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      PUID: 1000
      PGID: 1000
      TZ: ${TZ}
      PEERS: 1 # optional
      SERVERURL: wireguard.${DOMAIN} # optional
      SERVERPORT: 51820 # optional
      PEERDNS: auto # optional
      VIRTUAL_HOST: wgrest.${DOMAIN}
      VIRTUAL_PORT: 8000
      LETSENCRYPT_HOST: wgrest.${DOMAIN}
      API_KEY_FILE: /run/secrets/api-key
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
      - ./wgrest:/etc/wgrest
    ports:
      - 8000:8000
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - net
    secrets:
      - api-key
  nginx-proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nginx-proxy
    restart: always
    environment:
      DHPARAM_GENERATION: 0
    volumes:
      - ./nginx/html:/usr/share/nginx/html
      - ./nginx/vhost:/etc/nginx/vhost.d
      - ./nginx/certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - net
    ports:
      - 80:80
      - 443:443
  letsencrypt:
    image: nginxproxy/acme-companion:latest
    container_name: nginx-proxy-acme
    restart: always
    environment:
      DEFAULT_EMAIL: ${SUPPORT_EMAIL}
    volumes_from:
      - nginx-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./nginx/acme:/etc/acme.sh
    depends_on:
      - nginx-proxy
    networks:
      - net
networks:
  net:
secrets:
  api-key:
    file: ./secrets/api-key
```
The following conditions must be met for a seamless migration:

- The domains of the old and new server must match.
- The new server must have a clean wgrest, i.e. without peers.

In manual migration mode you must:

- Copy the `config` and `wgrest` folders from the old server to the new one.
- Run the docker containers.
- Deploy a new clean WireGuard server to which you will migrate peers.
- Forward the domain of the old server to the new one. Since domain forwarding does not happen immediately, you can set the new server's `apiUrl` value to an IP address: `http://<IP>/v1`.
- Send a request to the router `/migration` (see the OpenAPI spec of the VPN BFF / VPN orchestrator) with the following parameters:

  ```jsonc
  // The ids of the new and old server may be the same
  {
    "fromServerId": 1,         // Old server id
    "toServerId": 2,           // New server id
    "replacePrivateKey": true  // Overwrite the private key of the new server with the old one
  }
  ```

Note:

- The new server must be clean, with no peers.
- The new server will not work until the domain has been forwarded to it.
- The domains of the old and new server must match. Otherwise, peers already created on the old server will not work.
- The private keys of the old and new server must be the same. Otherwise the public keys of the old server's peers will not be valid, i.e. the peers will not work.
- Use `SaveConfig = true` in `wg0.conf`.
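The conditions above are easy to get wrong by hand, so here is a pre-flight check as an added example (it is not part of this image, wgrest, or the VPN orchestrator). It parses the old and new server's `wg0.conf` and reports every condition that would make the `/migration` request fail; the sample configs and key values are constructed placeholders.

```python
"""Pre-flight check for the manual migration steps above (added example, not
part of this image or of wgrest). It parses the old and new server's wg0.conf
(constructed samples below; key values are placeholders) and verifies the
conditions listed in the README before the /migration request is sent."""

OLD_CONF = """[Interface]
PrivateKey = OLD_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.13.13.2/32
"""
NEW_CONF = """[Interface]
PrivateKey = NEW_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
SaveConfig = true
"""


def parse_wg_conf(text):
    """Return ([Interface] settings as a dict, number of [Peer] sections)."""
    interface, peers, section = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "[Interface]":
            section = "interface"
        elif line == "[Peer]":
            section, peers = "peer", peers + 1
        elif "=" in line and section == "interface":
            key, value = (s.strip() for s in line.split("=", 1))
            interface[key] = value
    return interface, peers


def migration_preflight(old_conf, new_conf, old_domain, new_domain, replace_key):
    """Return the violated conditions; an empty list means the migration may run."""
    old_iface, _ = parse_wg_conf(old_conf)
    new_iface, new_peers = parse_wg_conf(new_conf)
    problems = []
    if old_domain != new_domain:
        problems.append("domains differ: peers created on the old server will not work")
    if new_peers:
        problems.append(f"new server is not clean: {new_peers} peer(s) already configured")
    if not replace_key and old_iface.get("PrivateKey") != new_iface.get("PrivateKey"):
        problems.append("private keys differ and replacePrivateKey is false")
    if old_iface.get("SaveConfig", "").lower() != "true":
        problems.append("SaveConfig = true is missing from the old server's wg0.conf")
    return problems
```

Run it against the real `config/wg_confs/wg0.conf` of both servers before sending the migration request; with `replacePrivateKey: true` the key mismatch is tolerated, otherwise it is reported.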