Help setting up a selfhosted VPN at home
from NaiP@lemmy.world to selfhosted@lemmy.world on 16 Aug 23:15
https://lemmy.world/post/34564410

Hello there,

Just want to preface that this is for selfhosted purposes, I may be routing my network in other way later.

I wanted to be able to set up a WireGuard Docker container with gluetun such that I can connect multiple devices to it at home, in order to minimize my “five device limit” with Mullvad. I have the following docker compose:

  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun-wireguard
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=#
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=#
      - WIREGUARD_ADDRESSES=#
      - SERVER_CITIES=#setup#setup
      # Timezone for accurate log times
      - TZ=#
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=24h
    ports:
      - 51820:51820/udp
  wireguard-server:
    image: linuxserver/wireguard
    container_name: wireguard-server
    network_mode: service:gluetun # << important
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERPORT=51820
      - PEERS=iphone
      - PEERDNS=auto
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    restart: unless-stopped

Whenever I try connecting to it by iphone, which is my first attempt for the peer, it doesn’t quite work out. The packets are received by the container, and querying cloudflare as such works:

$ sudo docker exec -it wireguard-server ping -c 3 1.1.1.1

Is there any obvious error I’ve made?

If I’m making the XY Problem, please let me know. If there is a more apt community, please let me know.

#selfhosted


LazerDickMcCheese@sh.itjust.works on 16 Aug 23:31

Gluetun is a great example of “I changed nothing and it suddenly works”. I’ve had to set up this exact docker container several times, and it usually takes me a week of retries until it chooses to work. I wish I had better advice for you

thirdBreakfast@lemmy.world on 17 Aug 00:30

Is there a reason not to use Tailscale for this?

chonkyninja@lemmy.world on 17 Aug 03:50
NaiP@lemmy.world on 17 Aug 09:29

I wanted to do it with pure wireguard. I like the headscale idea though. Might give that a shot.

abimelechbeutelbilch@fulda.social on 17 Aug 15:36

@thirdBreakfast @NaiP Is there a reason not to use plain #wireguard because it's so simple? 🤷🏻‍♂️

0_o7@lemmy.dbzer0.com on 17 Aug 16:39

We still haven’t heard your solution to the OP's problem, if that’s so simple?

abimelechbeutelbilch@fulda.social on 17 Aug 16:50

@0_o7 @NaiP

I use https://github.com/linuxserver/docker-wireguard and followed the "Usage" to install and start my personal #wireguard #VPN server(s) - at #homelab and on my cloud servers at German datacenter provider #Hetzner #hetznercloud

This took me only some minutes to have a running VPN for my mobile devices and laptops for everyone in the family.

Important: to reach my VPN at home a #portforwarding from ISP router to my homelab linux server is needed.
WireGuard does authenticate devices - not users! So you need a config for each device!

chihuamaranian@tech.lgbt on 18 Aug 05:46

@abimelechbeutelbilch

I have wireguard on my router and it has completely replaced tailscale.

My mobile device is always connected to my homelab now. I have access to my private tools, and pihole adblocking on top of that.

I still have to figure out how to set up my homelab containers to use a VPN proxy for egress traffic, so I'm liking and boosting your post to come back to it later when tackling that project.

@0_o7 @NaiP

abimelechbeutelbilch@fulda.social on 18 Aug 14:12

@chihuamaranian

Do you only want your #homelab #containers to use a #wireguard #vpn, or everything from your homelab computer(s)?

First you need a wireguard server "outside" to tunnel your traffic to. I have WG on some cloud servers at German datacenter provider #Hetzner , so I can start/stop a VPN easily like this:

wg-quick "$1" ~/dev/wg/hetzner-"$2".conf

with first argument = down/up
and second argument = shortname for my VPN server = location at #hetznercloud

@0_o7 @NaiP

chihuamaranian@tech.lgbt on 18 Aug 22:31

@abimelechbeutelbilch

@0_o7 @NaiP

I am mostly considering how to get my torrents running through the VPN at the moment.

I have nordvpn in a container, and I am upgrading to a better provider.

However, their tools don't work in docker (they all depend on systemd, which isn't present in container space) so I need to get an openvpn configuration going that uses them.

Once my primary use case is configured, I would like to experiment with using it for other traffic, too.

cinimodev@masto.ctms.me on 19 Aug 01:54

@abimelechbeutelbilch @0_o7 @NaiP Oh I've been looking for an easier-to-set-up wireguard! I have been reluctantly using Tailscale since PiVPN dev had to take a step back. Tailscale is just too much other stuff. I just need to be an IP on my LAN, I don't need all the other stuff.

abimelechbeutelbilch@fulda.social on 19 Aug 05:58

@cinimodev @0_o7 @NaiP What can be easier than editing a #yaml file and doing a #docker compose up -d 🤷🏻‍♂️

non_burglar@lemmy.world on 23 Aug 17:28

Besides being easy, there is no advantage to tailscale for this case, and I would add that lots of us don’t want to depend on an external resource just to road warrior back home.

Tinkerer@lemmy.ca on 17 Aug 00:45

I’ve just set up headscale in docker and it worked right away. It’s even faster than when I was using tailscale. It was very easy to set up and I’ve been using it for about a month with no issues. Doesn’t really help but I haven’t used gluetun myself.

MysteriousSophon21@lemmy.world on 19 Aug 11:38

Headscale has been my go-to for the past 6 months - it’s so reliable that I use it to connect to my self-hosted audiobookshelf server from anywhere using the soundleaf app on my iphone and it never drops connection even on spotty mobile data.

undefined@lemmy.hogru.ch on 17 Aug 00:52

Is doing this in Docker necessary? I like containerization too but a VPN server seems a little intense — why not install it directly?

NaiP@lemmy.world on 17 Aug 09:31

I prefer docker because I can plop it in elsewhere if needed.

frongt@lemmy.zip on 17 Aug 01:22

I don’t think you want two VPN services, I think you want one VPN service and plain network routing. Use the VPN server as the local gateway, and the VPN server routes that traffic up the tunnel.

NaiP@lemmy.world on 17 Aug 09:30

How does one do this? Is there an article I could read up on?

chaospatterns@lemmy.world on 17 Aug 18:58

I use a variant of this: github.com/linuxserver/docker-wireguard

You don’t need two different containers for this. They’re going to either fight each other for control over the networking tables or run wireguard in wireguard

ZummiGummi@lemmy.nz on 17 Aug 03:40

Have you confirmed that port forwarding to gluetun is working?

illusionist@lemmy.zip on 17 Aug 10:07

The network_mode: service: gluetun looks off to me but I can’t check.

Does each one their own?

NaiP@lemmy.world on 17 Aug 12:38

Not sure what you mean here, but I am quite sure I need to set the network mode like that to route the network through the VPN.

illusionist@lemmy.zip on 17 Aug 12:44

You’re right, sorry! I checked it github.com/…/connect-a-container-to-gluetun.md#ex…

rearview@lemmy.zip on 17 Aug 19:19

If you have the WireGuard config from Mullvad already, just edit your wg.conf files on client devices to route all traffic via the Mullvad servers. Basically replace all the values of the [Peer] block with Mullvad values.

If you can share your Mullvad wg config file and your wireguard-server config file here, we can sort this out together

Edit: actually since your only goal is to increase the Mullvad device limits, why not just use Mullvad-provided confs directly in your client WireGuard apps? Should be straightforward to do
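The [Peer] swap described in the answer above, as an added example that is not code from the post, from gluetun, linuxserver/docker-wireguard or Mullvad. It parses a wg-quick config, replaces the [Peer] block with the provider's, and then checks that the result is really a full tunnel: both default routes in AllowedIPs, a tunnel-side DNS entry, and keys that decode to 32 bytes. Two caveats a practitioner would want are built in: the provider's server only completes a handshake with the device key it has registered, so the PrivateKey in [Interface] has to be the one belonging to the provider-issued config, and the provider's DNS is carried over because a home resolver is unreachable once every packet goes up the provider tunnel. Function names, the sample configs, addresses and keys are constructed placeholders (the keys are base64 of repeated bytes, not key material).

```python
# Added example for this thread: not code from the post, gluetun,
# linuxserver/docker-wireguard or Mullvad. Configs, addresses and keys
# below are constructed placeholders.
import base64
import ipaddress

def parse_wg_conf(text):
    """Parse wg-quick INI syntax into [(section, {key: value}), ...]; a list, because a config may hold several [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; keys are base64, never '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"malformed WireGuard config line: {raw!r}")
    return sections

def render_wg_conf(sections):
    """Serialize sections back into wg-quick syntax."""
    lines = []
    for name, kv in sections:
        lines.append(f"[{name}]")
        lines.extend(f"{k} = {v}" for k, v in kv.items())
        lines.append("")
    return "\n".join(lines)

def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def full_tunnel_findings(text):
    """Reasons this config would NOT send all traffic through its peer; [] means full tunnel."""
    sections = parse_wg_conf(text)
    ifaces = [kv for n, kv in sections if n == "Interface"]
    peers = [kv for n, kv in sections if n == "Peer"]
    if len(ifaces) != 1 or len(peers) != 1:
        return ["expected exactly one [Interface] and one [Peer] section"]
    iface, peer = ifaces[0], peers[0]
    allowed = {ipaddress.ip_network(n.strip(), strict=False)
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()}
    checks = [
        (is_wg_key(iface.get("PrivateKey", "")), "[Interface] PrivateKey is not a 32-byte key"),
        ("DNS" in iface, "[Interface] DNS missing: resolver queries would leave the tunnel"),
        (is_wg_key(peer.get("PublicKey", "")), "[Peer] PublicKey is not a 32-byte key"),
        (":" in peer.get("Endpoint", ""), "[Peer] Endpoint must be host:port"),
        (ipaddress.ip_network("0.0.0.0/0") in allowed, "AllowedIPs lacks 0.0.0.0/0: IPv4 would bypass the tunnel"),
        (ipaddress.ip_network("::/0") in allowed, "AllowedIPs lacks ::/0: IPv6 would bypass the tunnel"),
    ]
    return [msg for ok, msg in checks if not ok]

def swap_peer(client_conf, provider_conf):
    """Keep the client's [Interface] (its PrivateKey must be the key the provider registered),
    replace its [Peer] with the provider's, and carry over the provider's DNS."""
    provider = parse_wg_conf(provider_conf)
    provider_iface = next((kv for n, kv in provider if n == "Interface"), {})
    provider_peers = [(n, kv) for n, kv in provider if n == "Peer"]
    if len(provider_peers) != 1:
        raise ValueError("provider config must contain exactly one [Peer]")
    merged = []
    for name, kv in parse_wg_conf(client_conf):
        if name == "Peer":
            continue  # the old home-server peer is dropped
        if name == "Interface" and "DNS" in provider_iface:
            kv = {**kv, "DNS": provider_iface["DNS"]}  # home resolver is unreachable via the provider tunnel
        merged.append((name, kv))
    return render_wg_conf(merged + provider_peers)

# Constructed placeholder keys: repeated bytes, not real key material.
FAKE_PRIV = base64.b64encode(bytes([1]) * 32).decode()
FAKE_HOME_PUB = base64.b64encode(bytes([2]) * 32).decode()
FAKE_PROVIDER_PUB = base64.b64encode(bytes([3]) * 32).decode()

HOME_CLIENT_CONF = f"""
[Interface]
PrivateKey = {FAKE_PRIV}
Address = 10.13.13.2/32
DNS = 10.13.13.1

[Peer]
PublicKey = {FAKE_HOME_PUB}
Endpoint = home.example.net:51820
AllowedIPs = 10.13.13.0/24   # split tunnel: only the home subnet
"""

PROVIDER_CONF = f"""
[Interface]
PrivateKey = {FAKE_PRIV}
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = {FAKE_PROVIDER_PUB}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""
```

`full_tunnel_findings(HOME_CLIENT_CONF)` reports the split-tunnel AllowedIPs, while the config returned by `swap_peer(HOME_CLIENT_CONF, PROVIDER_CONF)` passes clean. The check is deliberately strict about `::/0`: a phone with IPv6 connectivity and only `0.0.0.0/0` in AllowedIPs sends its IPv6 traffic outside the tunnel, which is exactly the leak a "route everything" config is meant to prevent.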

LemmyPlay@lemmings.world on 18 Aug 01:20

I’m trying to do something similar. I am using Wireguard to VPN to my home network. Then I want to route all home internet traffic through one Mullvad instance. How would I do this? So far all my attempts have failed, I was trying to set routes but I don’t have an expert understanding of both VPN settings in regards to Linux networking.