this post was submitted on 15 Jun 2026
65 points (92.2% liked)

Selfhosted


Hi, so I've been working on this for a week but I'm not really happy with the solutions I find, as they seem to be done by individuals who rely heavily on AI. I got wireguard easy going and can remotely connect, which is great, but I'd love to be able to route any internet traffic to and from the wireguard clients through another server while filtering my local onsite services. Felt that if I can crack this I don't need to rely on tailscale. The end goal is to have no reliance on tailscale, as I am preparing for the eventual enshittification.

LetchLemon@lemmy.blahaj.zone 1 points 21 hours ago (last edited 21 hours ago)

Here is the compose and post-up I'm working on

services:
  gluetun:
    image: qmcgaw/gluetun:v3
    hostname: gluetun
    restart: always
    networks:
      wg:
        ipv4_address: 192.168.1.10
    # No ports here: the host ports are published on wg-easy below. Publishing the
    # same host port from two services fails at "docker compose up".
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
      - VPN_TYPE=${VPN_TYPE}
      - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SERVER_CITIES=${SERVER_CITIES}
      - ALLOWED_IPS=0.0.0.0/1
      - FIREWALL_OUTBOUND_SUBNETS=${OUTBOUND_SUBNET}  # change to the appropriate subnet
      - DNS_ADDRESS=${DNS}
#      - HEALTH_TARGET_ADDRESS=cloudflare.com:80
#      - HEALTH_VPN_DURATION_INITIAL=120s

  wg-easy:
    environment:
      - INSECURE=true # INITIAL SETUP, NOT FOR PRODUCTION
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped
    networks:
      wg:
        ipv4_address: 192.168.1.20
    volumes:
      - ./data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - 51720:51720/udp # wireguard
      - 51821:51821/tcp # web ui
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg:  # must match the name the services reference (the draft defined "vpn" here)
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 192.168.1.0/24 # container subnet; pick one that does not overlap the LAN
#        - subnet: fdcc:ad94:bacf:61a3::/64


Post up

# Detect the VPN bridge interface by wg-easy's container IP
VPN=$(ip -o -4 addr show | awk '$4 ~ /^192\.168\.1\.20\// {print $2; exit}'); test -n "$VPN";
iptables -P FORWARD DROP;
ip6tables -P FORWARD DROP;
iptables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT;
ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT;

# Direct subnets: "ip route" has no -A verb (it is "add"), and "via" takes a single
# gateway address, not a prefix. 192.168.1.1 assumes Docker's default gateway for the
# 192.168.1.0/24 bridge. Table 200 is only consulted once an "ip rule" points client
# traffic at it.
ip route add 10.1.0.0/16 via 192.168.1.1 dev "$VPN" table 200;
# No IPv6 route here: the compose network sets enable_ipv6: false, and an IPv6 route
# cannot carry an IPv4 prefix such as 10.1.0.0/16.
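As an added example for the compose file and PostUp draft above (this is not code from the post, from wg-easy or from gluetun), the script below does three things: it lints a compose file for host ports published by more than one service (the draft publishes 51720/udp and 51821 under both gluetun and wg-easy), it lints a PostUp script for the `ip route -A` and `via <prefix>` mistakes, and it generates a PostUp hook that keeps the FORWARD policy at DROP, allows only client-to-bridge traffic and its replies, and uses a policy-routing table so the LAN prefix goes to the host's bridge gateway while everything else goes to gluetun. The addresses are the thread's; the bridge gateway (192.168.1.1) and the client range (10.8.0.0/24, what wg-easy fills in for `{{ipv4Cidr}}`) are assumptions and can be overridden through the environment. Whether the gluetun container itself accepts and forwards traffic arriving from the bridge is a separate setting on the gluetun side and is not covered here.

```shell
#!/bin/sh
# Added example for the draft above (not code from the post, wg-easy or gluetun).
# Three pieces: a lint for duplicate host ports in a compose file, a lint for the
# PostUp draft's "ip route" mistakes, and a generator for a PostUp hook that sends
# WireGuard clients to the LAN directly and everything else via gluetun through a
# policy-routing table. Addresses are the thread's; the bridge gateway and the
# client range are assumptions (override them via the environment).

WGEASY_IP="${WGEASY_IP:-192.168.1.20}"    # wg-easy's static address on the compose bridge
GLUETUN_IP="${GLUETUN_IP:-192.168.1.10}"  # gluetun's static address, used as VPN egress
BRIDGE_GW="${BRIDGE_GW:-192.168.1.1}"     # assumed: Docker's gateway is the subnet's first address
LAN_CIDR="${LAN_CIDR:-10.1.0.0/16}"       # "direct" subnet that must bypass the VPN
WG_CIDR="${WG_CIDR:-10.8.0.0/24}"         # assumed client range (wg-easy's {{ipv4Cidr}})
WG_PORT="${WG_PORT:-51720}"               # listen port (wg-easy's {{port}})
WG_IF="${WG_IF:-wg0}"                     # WireGuard interface inside the wg-easy container
TABLE="${TABLE:-200}"                     # policy-routing table for client traffic

# Reports host ports published by more than one service in the compose file on
# stdin; "docker compose up" refuses such a file with "port is already allocated".
dup_host_ports() {
  awk '
    /^[ \t]*-[ \t]*"?[0-9]+:[0-9]+/ {
      p = $2; gsub(/"/, "", p)
      split(p, a, ":")
      key = a[1] "/" ((p ~ /\/udp/) ? "udp" : "tcp")   # compose defaults to tcp
      seen[key]++
    }
    END { for (k in seen) if (seen[k] > 1) print k }
  ' | sort
}

# Flags the draft's mistakes in a PostUp script read from stdin.
check_postup() {
  awk '
    /ip (-6 )?route -A/ { print "line " NR ": ip route has no -A verb; use add" }
    /via [0-9.]+\/[0-9]+/ { print "line " NR ": via takes one gateway address, not a prefix" }
    /ip -6 route .*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\// { print "line " NR ": IPv6 route with an IPv4 prefix" }
  '
}

# Prints the PostUp hook. FORWARD stays DROP; only client -> bridge and the replies
# are allowed. Table $TABLE holds the LAN route via the host's bridge gateway and a
# default route via gluetun; the ip rule makes client traffic consult that table.
postup_script() {
  printf '%s\n' \
    "VPN=\$(ip -o -4 addr show to $WGEASY_IP | awk '{print \$2; exit}'); test -n \"\$VPN\";" \
    "iptables -P FORWARD DROP;" \
    "ip6tables -P FORWARD DROP;" \
    "iptables -A INPUT -p udp -m udp --dport $WG_PORT -j ACCEPT;" \
    "ip6tables -A INPUT -p udp -m udp --dport $WG_PORT -j ACCEPT;" \
    "iptables -A FORWARD -i $WG_IF -o \"\$VPN\" -j ACCEPT;" \
    "iptables -A FORWARD -i \"\$VPN\" -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;" \
    "iptables -t nat -A POSTROUTING -s $WG_CIDR -o \"\$VPN\" -j MASQUERADE;" \
    "ip route add $LAN_CIDR via $BRIDGE_GW dev \"\$VPN\" table $TABLE;" \
    "ip route add default via $GLUETUN_IP dev \"\$VPN\" table $TABLE;" \
    "ip rule add from $WG_CIDR lookup $TABLE;"
}

# Constructed excerpt of the draft compose file (only the port lines matter here).
SAMPLE_COMPOSE='services:
  gluetun:
    ports:
      - 51720:51720/udp # wireguard ui
      - 51821:51821 # wireguard tunnel
  wg-easy:
    ports:
      - 51720:51720/udp #wireguard
      - 51821:51821/tcp #web ui
'

# Usage: POSTUP_DEMO=1 sh postup-tools.sh         (prints the hook to paste into wg-easy)
#        dup_host_ports < docker-compose.yml ; check_postup < postup.sh
if [ -n "${POSTUP_DEMO:-}" ]; then
  postup_script
fi
```

Running `dup_host_ports` over the constructed excerpt reports `51720/udp` and `51821/tcp`; running `check_postup` over the two `ip route -A ... via 192.168.1.0/24` lines of the draft reports five findings, while the generated hook reports none.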