Create your own VPN server with WireGuard in Docker

Captions
Hi everybody and welcome to The Digital Life. In this video I will show you how to easily create your own private VPN server with WireGuard running in a Docker container. This was highly requested from you guys, because I recently also did a video about how to install and configure WireGuard on an Ubuntu server, so if you haven't already checked out this video, please do so. In that video we had to create our own private and public keys and also created our static configuration files for the server and all clients, but when using the Docker image I'm using in this tutorial, this will be automatically created for you: the Docker container will create all private and public keys and also create static configuration files for the server and all your clients. It will also run a DNS server, so I think that is a pretty easy and much faster deployment method. So if you want to learn how to do that, keep watching.

But before we start with this tutorial, let me explain a few things you need to consider when running a VPN tunnel, because I think currently there's a lot of confusion on the internet about what a VPN does and what a VPN does not. If you're one of these guys hoping to increase your privacy, surf more securely on the internet or hide your identity, you probably will need to lower your expectations a bit, because all we do is create a secured tunnel from your client to your WireGuard server. That means whenever your client sends out any network packets, they get routed through that secure tunnel, and all these network packets are encrypted and no one in between can really inspect or track those packets. But you need to be aware that your internet breakout point will be at your WireGuard server, so whatever is sent out from there may still be unencrypted or may still be tracked by anyone. So it really comes down to where your WireGuard server is located and how secure that is. Although many VPN providers may tell you something different, a VPN tunnel is not a tool to increase your privacy and it's not a tool to surf more securely on the internet.

But I still think a VPN tunnel can make sense in a lot of cases, for instance if you want to access the internet through big public or shared networks like in hotels or public Wi-Fi networks, or if you want to easily gain access from anywhere to your local area network at home when your WireGuard server is running there, or if you want to avoid country blocking when your WireGuard server is running in a cloud environment in a different country. In these cases I also think it makes a lot more sense to run your own private VPN server than to just use a VPN service provider, because otherwise you would give a lot of control away and you put a lot of trust into that service provider, and you really never know how they are handling your data or how they are securing your data. So I think it makes more sense to create your own private VPN server, and using WireGuard in combination with a Docker container is a very easy approach to do that.

So let me share my screen with you guys and we will start right now. To do a short demonstration I have just created a new virtual machine and installed Ubuntu 20.05 LTS in the server version. You can also follow this tutorial with any other Ubuntu or Debian based Linux distro; it may also work on other ones as well, but that is not really tested or optimized by the creator of the Docker image.

OK, so if you have not installed Docker and Docker Compose already, let's do that. You can also skip this part if you already have Docker and Docker Compose installed. And don't worry, you don't need to remember all these commands or type them from this video; you can also have a look at the description of this video, I've put a link to my written blog article there. There I have written all steps we are doing in this tutorial and you can just copy and paste the commands I'm using in this guide.

So first let us install some prerequisites to be able to install Docker and Docker Compose, and we also need to add the docker.com repository to our package sources. After doing that we also need to do an update to refresh our package sources, and then we can install docker-ce, docker-ce-cli and the containerd engine. I will skip that part because that will take some time. If that is finished and Docker is installed successfully, we can now install Docker Compose. We simply just download a file and place that in our /usr/local/bin directory. Don't forget to make this file executable with this command here, and we can also add our current user to the docker group so we don't need to place a sudo command in front of any docker or docker-compose commands. If you have done that you need to re-log into your shell, or you can just simply type in newgrp docker and that will reload all the memberships of that group. To check that, let me just clear my screen, guys, and you should be able to execute this command: docker run hello-world. That should pull the Docker image from the Docker Hub and run this hello-world image. If you see a screen like this, "Hello from Docker", everything is working fine. You can also check if you have installed docker-compose correctly with this command here, docker-compose version, and you should see the Docker Compose version.

We can now create our Docker Compose configuration file that will manage our Docker container with WireGuard. To do that I will create a new folder in the /opt directory and I will call this wireguard-server. I will also change the permissions to the current Linux user I'm using, so that will make sure we have the correct permissions when we create the docker-compose file, and when the Docker container creates those configuration files and the private and public keys, you actually have the right permissions with your current user. So that is also very important. Let's step into this directory, so let's go to the wireguard-server directory, and we will now start creating our docker-compose file.

So let's just create a new file that is called docker-compose.yaml, and now that we have created this empty file we will use a template that uses the Docker image from the site linuxserver.io. If you haven't already checked out these guys, let me show you the home page. The guys from linuxserver.io maintain community images; they are a group of like-minded enthusiasts from across the world who build and maintain this collection of Docker images for the community. You can also check their images in the images section, and if you scroll down you can see what these guys are doing. I think they are doing incredible work, so that is really nice. If you haven't checked them out, please do so; I will also put a link to their homepage in the description below. If you scroll down you can also see a Docker image that is called linuxserver/wireguard, and if you click on that and go to the home page on the Docker Hub you will get directed to the official documentation of that image. That is really nice: you can see it's frequently updated and everything that is used in that Docker image is described there. You can also see how to use that with just a docker command, but I think it's much easier to use the docker-compose template. So you can just copy this here, put this in your docker-compose file in your directory and use this as a template; you need to customize a few things. So let me just copy that and place that in this file, and we can go over this step by step.

We are using a Docker Compose configuration file of schema version 2.1. We are creating a new service that is called wireguard from the image linuxserver/wireguard. These guys have already provisioned that image to the Docker Hub, so you don't need to clone any repository or build your images yourself, so that is very easy. We also set the container name to wireguard so we can easily access this container in the docker command, and we will also need to add two permissions. If you want to know what these permissions are really doing, you can also refer to the documentation on the docker.com home page, so let's check this. You can see NET_ADMIN performs various network related operations, so that is needed in order to manage the network, and we also add this option here, SYS_MODULE, that is load and unload kernel modules. That is very important because, as I said before, the WireGuard kernel module needs to be loaded on the host operating system, and because the Docker container is an isolated one, we need to add this permission manually so the Docker container will have the correct permission to load the WireGuard kernel module into your host operating system's kernel.

Next we have some environment variables that will set the configuration for our WireGuard server. Here the PUID and the PGID are set to 1000, and that can be different in your environment, so we should have a look at the linuxserver documentation. If you scroll down you can see a part like this: user and group identifiers. When using volumes, permission issues can arise between the host operating system and the container, and to avoid that we will set the user identifier and the group identifier to the ID of your current Linux user. So if you have created your folder, let me just exit this here, if you have created your folder, remember I have set the owner of this folder to my user christian, and my user christian has the identifier 1000, so that is okay, I will use 1000. If you have another user that has a different identifier, you should take this identifier and change this in the docker-compose configuration file. In my case 1000 is fine; it's also the default if you have just created one user and you're using that.

Next we need to set our time zone, so I can set this to Europe/London; I could also change that to Europe/Berlin probably. And then we will need to specify the server URL. These parameters are only needed when running WireGuard in server mode, and that is what we want to do here. You can also specify that here, so enter an IP address or DNS name, or you can set it to auto. When you do it with the auto setup, the Docker image will automatically try to determine your public IP address, so it will make a lookup to a web server and then check what your external public IP address is. Because I'm using that in my own local area network as a virtual machine test setup, I cannot use that, because the client I will connect needs to refer to the private IP address and not to the public one. So you need to really think of where your server is located and where your clients are located. Usually you should set this to auto when your clients are located in a different network and you want to access your WireGuard server with your public IP address at this point, but in my case I'm using a private IP address, so I'm typing in this here; this is the private IP address of my Ubuntu server. You could also change the server port: 51820 is the default port for WireGuard, but you can also customize it to anything else. And the next parameter, peers, will tell the Docker image or the Docker container how many client configurations we want to create. You can also set this to any other number, and the Docker container, when it first starts, will automatically create configuration files, private and public keys and a QR code for all these clients. In this case I'm just creating one peer; I will show you how to add a second or third peer afterwards. And if you want to use a DNS server you can also specify that here. If you set this to auto, the client configuration file will point at the DNS server running on your WireGuard server, because when you run this Docker image it also has a pre-configured and pre-installed DNS server running on it, and with setting this to auto the clients will use your DNS server that is running on your WireGuard Docker container. But you can also set this to any other IP address if you want to use a different DNS server. And you can also specify the internal subnet; I leave it like this because I don't have any different subnet with the same subnet mask, so that should be fine.

Then we need to set our configuration paths. When the WireGuard server is running for the first time, it will create the server configuration, the client configuration and the DNS server configuration in this folder, and you can also change these configuration files later or copy them and distribute them to your clients. In this case I will use the same folder I've just created, /opt/wireguard-server. You need to make sure the Docker container has the correct permissions to access this folder, so that should be fine. We also need to have a volume placed at the /lib/modules section; that is needed when you need to compile or run the kernel headers when your kernel is older than version 5.6, so it doesn't have the WireGuard kernel module already included in your host operating system's kernel. Then you will need to do that, but I will leave it like this. And you also need to expose this port here; that is the server port, and if you have customized that you need to change it here of course as well. And this one here, the sysctls, I just leave it like this; I think that is needed for the container and also for the client configuration to work properly. And you can also set this here, the restart; you can also set this to always, so if you have any issues and stop your container and you just do a reboot, it is enabled again. You can also set this to always if you want to do that. Let's save this and exit.

We can now start our Docker container with a simple command, docker-compose up; don't forget to add -d in order to make this Docker container run in the background, and just hit enter. If you haven't already pulled the WireGuard server image from linuxserver.io, this automatically downloads it from Docker Hub, and once this is finished it should start the WireGuard server. You can see the Docker container is now successfully started. You can also check this with docker-compose ps and you see it has one container that is up. If you now want to check your WireGuard server with the wg command, you will see this is not installed, because we are running that on the host operating system. If you want to use that command in order to check whether there is a client connected or what the status of your server is, you need to execute this wg command in your Docker container. To do that simply just type in docker exec -it, then you will need to use the name wireguard, that is the name of our Docker container, and then the command wg. If we execute this you can see it is now working: we have here the public key, the private key of course is hidden, and there's one peer that is automatically created because we have set the parameter peers to one.

And if we do an ls here in this folder you can also see there is a new folder created by the Docker container, and if we cd into that config folder and do an ls, you can see there's a wg0.conf, that is the configuration file of our WireGuard server. We also have the config files for CoreDNS, that is the DNS server running in that container. The peer1 folder contains all configuration files, private and public keys of our client, and also the server. We also have some templates for the configuration files, but we really don't need them. Let's just have a look at the wg0.conf file and you can see this is our server's configuration file, so this just looks like a usual WireGuard configuration file: you can see the private key, the public key, everything in here. If you check the permissions you can also see this configuration file has read and write permissions only for your user, so this is also securely stored on your computer and no one else than this user, the owner of this folder we have used, can access these files. You should also check that, because when you go to the server folder and do an ls here, you can see there is the private and the public key, so you need to store that in a secure way. The creators of linuxserver.io have also taken care of that, so that is very nice.

And we simply could just now connect any client. If you want to connect with a client to your WireGuard server, you simply just go to the peer1 folder, or we need to go to the config folder first, sorry, and if we do an ls you can see here is a peer1.png, that contains a QR code, I will show you later what this is, and also the peer1.conf file. We need to just use this config file and distribute that config file to any client and use that as our WireGuard configuration file. It also has the private and public keys; it also has all the configuration we have set. If we have a look at this file you can see it has already configured the endpoint to the IP address we have just used, it has set the DNS server, it has set the private IP address and the client public and private key, and it has also set the AllowedIPs to all. That means all traffic is automatically routed through the tunnel. If you would need to change that, so you only want to route specific traffic through the tunnel from your client, you would need to change this line here and change this to the networks you want to route through the tunnel.

OK guys, so let me just show a simple example of how to easily connect a client, because you can also connect many other operating systems or different clients. If you check the installation instructions on the wireguard.com homepage, you can see there's a client available for Windows, for macOS, for Linux, Android, iOS and other Linux distributions as well. So you just can refer to this here, install the client on your computer or wherever you want to install that, and just use the peer1.conf configuration file and distribute that to the client, and everything should be set up correctly. I have already created an Ubuntu client, that is in version 18.04. Let's just install WireGuard. To do that, just enter sudo apt install wireguard, and we also need the resolvconf package that is needed for the DNS command used in the wg-quick command. What we need to do now is copy the peer1.conf file of the server to the client. I just do that with scp, so I just copy the peer1.conf to the client and I just store this in my personal folder as peer1.conf, yes, and just enter the password. So it should be located on our client as well; if we do an ls here, here's our peer1.conf file. What we're going to do now is we just copy this, so I can also move this file because we don't need it in my personal folder again, and move this to the /etc/wireguard/wg0.conf file. We can now start the WireGuard client with the command wg-quick up wg0. Now the WireGuard client should be connected to the server. To check that just enter wg, with sudo permissions of course, and you can see the handshake is 40 seconds ago, so the client is now connected to our WireGuard server. We can also check this on the WireGuard server of course; we now need to execute the wg command in the Docker container of course, so just enter docker exec -it wireguard wg, and you can see we can also see here the peer is connected from the endpoint, that is the IP address of my client with that private IP address.

So if we want to add more than one client, for instance I just want to add my mobile phone also as a client to the WireGuard server, I need to increase the number of peers. If you want to do that you simply just go to the docker-compose file, edit this and just increase the peer number by one, or by the number of peers you just want to create, and just write this to the file. We now need to restart our Docker container, simply with up -d and enter --force-recreate. If we hit enter we are now recreating the WireGuard container and it should automatically add a second peer configuration file. If we cd into that config folder and do an ls you can see there is a peer2 folder created. And if you for instance want to add a mobile client, you can just go to the app store and download the WireGuard client, and then execute this command here: docker exec -it wireguard, so we're executing a command in the wireguard container, /app/show-peer and then the number of the peer you want to show the QR code for. I want to show the QR code for peer2, just hit enter, and you can see it now prints us a QR code. I can now grab my phone, open the WireGuard client and scan this QR code, and I have automatically created the tunnel interface and also added all the configuration. I can then just enable that and my mobile phone will automatically connect to the WireGuard server.

So I think that is pretty easy; I think that is just great what the guys from linuxserver.io have created. It is very easy, but you would need to have some knowledge of Docker and also Docker Compose. So if you want to learn more about Docker and Docker Compose and why this is just amazing, you can also have a look at my other two videos about Docker and also Docker Compose; I've put a link in the description below, check them out. I hope you liked this video and you could also learn something new, and if you want to learn more about Linux, Python, Docker, cloud, networking and all this stuff and you really want to become an IT professional, don't forget to subscribe to my channel. You can also leave me a comment or join my Discord server if you want to discuss that or if you want to get in touch with people who share the same interests as you. So thanks everybody for watching, enjoy the rest of your day, take care of yourself and I see you soon.
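As an added example (not the video's or linuxserver.io's own file), this is the docker-compose.yaml the walkthrough above builds, with every setting it discusses filled in and annotated; the 192.168.0.10 address, the 1000 IDs and the Europe/London zone are constructed placeholders you replace with your own values.

```yaml
# /opt/wireguard-server/docker-compose.yaml (constructed example; values are placeholders)
version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard     # name used in: docker exec -it wireguard wg
    cap_add:
      - NET_ADMIN                 # create wg0 and manage routes inside the container
      - SYS_MODULE                # load the wireguard kernel module into the host kernel
    environment:
      - PUID=1000                 # owner of /opt/wireguard-server: check with `id -u` on the host
      - PGID=1000                 # check with `id -g`
      - TZ=Europe/London
      # Lab setup from the video: clients sit on the same LAN, so the Endpoint written
      # into every peerN.conf must be the server's private address (placeholder below).
      # For clients coming in from the internet use SERVERURL=auto (the image looks up
      # the public IP) or a DNS name that resolves to it.
      - SERVERURL=192.168.0.10
      - SERVERPORT=51820          # keep in sync with the UDP port published under ports:
      - PEERS=1                   # raise this, then: docker-compose up -d --force-recreate
      - PEERDNS=auto              # peers use the CoreDNS in the container; or an IP of another resolver
      - INTERNAL_SUBNET=10.13.13.0 # tunnel subnet; change only if it collides with a LAN you reach
    volumes:
      - /opt/wireguard-server/config:/config   # wg0.conf, peerN/ keys, peerN.png QR codes, coredns/
      - /lib/modules:/lib/modules              # only needed on kernels older than 5.6 without the module
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped       # or "always", as discussed in the video
```

After the first start, confirm that config/wg0.conf and config/server/privatekey-server are readable only by the owning user before distributing any peerN.conf. To route only your home LAN through a client's tunnel rather than all traffic, edit the AllowedIPs line in that peer's generated conf before copying it to the client.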
Info
Channel: The Digital Life
Views: 45,578
Keywords: linux, python, cloud, networking, wireguard, docker, docker-compose, wireguard in docker, wireguard docker, vpn, vpn server, vpn wireguard, vpn docker
Id: GZRTnP4lyuo
Length: 24min 37sec (1477 seconds)
Published: Sun Jul 26 2020