EZ Wireguard | all in one
YAML
volumes:
etc_wireguard:
services:
wg-easy:
environment:
# Change Language:
# (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi, ja, si)
- LANG=en
# ⚠️ Required:
# Change this to your host's public address
- WG_HOST=raspberrypi.local
# Optional:
# - PASSWORD_HASH=$$2y$$10$$hBCoykrB95WSzuV4fafBzOHWKu9sbyVa34GJr8VV5R/pIelfEMYyG # (needs double $$, hash of 'foobar123'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
# - PORT=51821
# - WG_PORT=51820
# - WG_CONFIG_PORT=92820
# - WG_DEFAULT_ADDRESS=10.8.0.x
# - WG_DEFAULT_DNS=1.1.1.1
# - WG_MTU=1420
# - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
# - WG_PERSISTENT_KEEPALIVE=25
# - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
# - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
# - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
# - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
# - UI_TRAFFIC_STATS=true
# - UI_CHART_TYPE=0 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
# - WG_ENABLE_ONE_TIME_LINKS=true
# - UI_ENABLE_SORT_CLIENTS=true
# - WG_ENABLE_EXPIRES_TIME=true
# - ENABLE_PROMETHEUS_METRICS=false
# - PROMETHEUS_METRICS_PASSWORD=$$2a$$12$$vkvKpeEAHD78gasyawIod.1leBMKg8sBwKW.pQyNsq78bXV3INf2G # (needs double $$, hash of 'prometheus_password'; see "How_to_generate_an_bcrypt_hash.md" for generate the hash)
image: ghcr.io/wg-easy/wg-easy
container_name: wg-easy
volumes:
- etc_wireguard:/etc/wireguard
ports:
- "51820:51820/udp"
- "51821:51821/tcp"
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
# - NET_RAW # ⚠️ Uncomment if using Podman
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
wg-password
wg-password
(wgpw) is a script that generates bcrypt password hashes for use with wg-easy
, enhancing security by requiring passwords.
Features
- Generate bcrypt password hashes.
- Easily integrate with
wg-easy
to enforce password requirements.
Usage with Docker
To generate a bcrypt password hash using docker, run the following command :
Bash
If a password is not provided, the tool will prompt you for one :
docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD'
PASSWORD_HASH='$2b$12$coPqCsPtcFO.Ab99xylBNOW4.Iu7OOA2/ZIboHN6/oyxca3MWo7fW' // literally YOUR_PASSWORD
Bash
docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw
Enter your password: // hidden prompt, type in your password
PASSWORD_HASH='$2b$12$coPqCsPtcFO.Ab99xylBNOW4.Iu7OOA2/ZIboHN6/oyxca3MWo7fW'
Important : make sure to enclose your password in single quotes when you run docker run
command :
Bash
$ echo $2b$12$coPqCsPtcF <-- not correct
b2
$ echo "$2b$12$coPqCsPtcF" <-- not correct
b2
$ echo '$2b$12$coPqCsPtcF' <-- correct
$2b$12$coPqCsPtcF
Important : Please note: don't wrap the generated hash password in single quotes when you use docker-compose.yml
. Instead, replace each $
symbol with two $$
symbols. For example:
This hash is for the password 'foobar123', obtained using the command docker run ghcr.io/wg-easy/wg-easy wgpw 'foobar123'
and then inserted an additional $
before each existing $
symbol.
Wireguard VPN With GUI
docker-compose.yml
YAML
---
version: "3.7"
services:
wireguard:
image: lscr.io/linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
# - SERVERURL=wireguard.kafana.dev #optional
- SERVERPORT=51820 #optional
- PEERS=1 #optional
- PEERDNS=auto #optional
- INTERNAL_SUBNET=10.13.13.0 #optional
- ALLOWEDIPS=0.0.0.0/0 #optional
- LOG_CONFS=true #optional
volumes:
- ./config:/config
- /lib/modules:/lib/modules
ports:
- 51820:51820/udp
- 0.0.0.0:5002:5000
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
wg:
# build: .
image: ngoduykhanh/wireguard-ui:latest
container_name: wgui
cap_add:
- NET_ADMIN
network_mode: service:wireguard
environment:
- SENDGRID_API_KEY
- EMAIL_FROM_ADDRESS
- EMAIL_FROM_NAME
- SESSION_SECRET
- SMTP_HOSTNAME=postal.kafana.dev
- SMTP_PORT=2525
- SMTP_USERNAME=kafana
- SMTP_PASSWORD=some-password
- SMTP_AUTH_TYPE=LOGIN # PLAIN, LOGIN, NONE
- [email protected]
- [email protected]
- WGUI_USERNAME=username
- WGUI_PASSWORD=password
- WG_CONF_TEMPLATE
logging:
driver: json-file
options:
max-size: 50m
volumes:
- ./config:/app/db
- ./config:/etc/wireguard
Links: