I used the userspace implementation of Wireguard in Go via Docker using the "masipcat/wireguard-go" docker image/container (https://github.com/masipcat/wireguard-go-docker and https://hub.docker.com/r/masipcat/wireguard-go).
I had some difficulties - check my remarks below. Make sure you store the private key in a file and start wg with that key so it doesn't change on every reboot (part of the tutorial in the link).
Precondition: I had QVPN installed (not sure if this is required to get IP forwarding enabled).
Edit: A few more posts down I wrote my steps down in detail - viewtopic.php?f=50&t=155840&p=758548#p758548
My wg0.conf - please note that I had to update the iptables rules and add another one to make it work. Choose your subnet. Often 10.0.0.0/24 is used. I chose a different one to avoid conflicts. The 172.0.20.0/24 below is an example.
Code (server wg0.conf):
[Interface]
Address = 172.0.20.1/32
PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -A FORWARD -i %i -j ACCEPT && iptables -t nat -A POSTROUTING -s 172.0.20.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT && iptables -t nat -D POSTROUTING -s 172.0.20.0/24 -o eth0 -j MASQUERADE
ListenPort = YOUR_PORT #choose your own, default is 51820
PrivateKey = SERVER_PRIVATEKEY
[Peer]
# Client1
PublicKey = CLIENT1_PUBLICKEY
AllowedIPs = 172.0.20.2/32
[Peer]
# Client2
PublicKey = CLIENT2_PUBLICKEY
AllowedIPs = 172.0.20.3/32
Code (client1 config):
[Interface]
Address = 172.0.20.2/32
PrivateKey = CLIENT1_PRIVATEKEY
DNS = 1.1.1.1 # cloudflare dns
[Peer]
PublicKey = SERVER_PUBLICKEY
AllowedIPs = 0.0.0.0/0 # means route ALL traffic through the VPN. Choose your subnets if only some subnets shall be routed. E.g. 192.168.0.0/24 or multiple ones
Endpoint = WG_SERVER_IP:51820
Starting the container
Bringing up wireguard, I used the docker-compose from masipcat with a few changes: I activated privileged=true and removed sysctl as port forwarding is already active on my QNAP. I started the application using docker-compose up (-d later on to make it run in the background) from the command line. I haven't tried the "create application" button in container station yet. As this is only one container, I would prefer docker, but I cannot use "cap_add" in the container-station interface to my knowledge:
Code (docker-compose.yml):
version: '3.3'
services:
  wireguard:
    image: masipcat/wireguard-go:latest
    cap_add:
      - NET_ADMIN
    # sysctls:
    #   - net.ipv4.ip_forward=1
    volumes:
      - /dev/net/tun:/dev/net/tun
      - YOUR_NAS_WIREGUARD_FOLDER:/etc/wireguard
    environment:
      - WG_COLOR_MODE=always
      - LOG_LEVEL=info
    ports:
      - YOUR_PORT:YOUR_PORT/udp
    # Uncomment the following line when 'AllowedIPs' is '0.0.0.0/0'
    privileged: true
    restart: always
Please note that I didn't do any long-term test. I still have OpenVPN running in parallel to have a fallback (seems to work). I only tested the setup for a few hours, but it worked. Probably somebody is able to bring it a step further.
Issue: official clients show the VPN connection as active while the handshake was failing
Remark: ssh into docker and check "wg show all" if there is a successful handshake (you can also show "latest-handshakes" only). If there is no handshake, keys will most likely be mixed up.
Issue: handshake didn't work
Remark: server public key was different from the one I noted down. Check the keys three times. After updating, all was smooth.
Issue: internet and network access didn't work in the beginning
Remark: Had to add the following rule to PostUp and accordingly to PostDown (see conf above): iptables -A FORWARD -i %i -j ACCEPT to make it work ("%i" will translate into the interface wg created, normally wg0).
Issue: Bringing the container down didn't remove the iptables routes, leading to multiple similar rules when starting the container up
Remark: If you ssh into the container and use wg-quick down, the rules are removed. I filed a bug for this issue.
>>> This issue is solved using the container-station GUI - see next reply
Issue: TUN device suddenly was found to be a directory in QNAP
Remark: don't know the cause - reboot helped
>>> Seems to work now when using the container-station GUI. To be tested further
I hope this helps some users and I didn't make any mistakes. Best regards!
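The remark about clients reporting "active" while the handshake fails is worth automating: the `latest-handshakes` column is what actually tells you whether a tunnel works. The following is an added example, not code from the post or from the masipcat/wireguard-go project. It parses the tab-separated records printed by `wg show <iface> dump` (interface line first, one line per peer afterwards) and classifies each peer as ok, stale or never. The sample dump, its timestamps and the CLIENT3 peer are constructed; the script name `wgstatus.py` is an assumption.

```python
# Added example (not code from the original post or from masipcat/wireguard-go):
# parse the tab-separated output of "wg show <iface> dump" and flag peers that never
# completed a handshake or whose last handshake is old. The sample dump below is
# constructed and reuses the placeholder key names from the post.
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order printed by "wg show <iface> dump":
#   interface line: private-key, public-key, listen-port, fwmark
#   peer lines:     public-key, preshared-key, endpoint, allowed-ips,
#                   latest-handshake (unix seconds, 0 = never), rx-bytes, tx-bytes,
#                   persistent-keepalive
# The first line contains the interface's PRIVATE key: never paste a raw dump into a forum post.

SAMPLE_NOW = 1_700_000_000      # constructed "current time" so the example is deterministic
SAMPLE_DUMP = "\n".join([       # constructed sample, placeholder keys as in the post
    "SERVER_PRIVATEKEY\tSERVER_PUBLICKEY\t51820\toff",
    "CLIENT1_PUBLICKEY\t(none)\t203.0.113.10:41022\t172.0.20.2/32\t1699999950\t15320\t22400\toff",
    "CLIENT2_PUBLICKEY\t(none)\t(none)\t172.0.20.3/32\t0\t0\t0\toff",
    "CLIENT3_PUBLICKEY\t(none)\t198.51.100.7:51820\t172.0.20.4/32\t1699990000\t0\t1480\toff",
])


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> Tuple[Dict[str, str], List[Peer]]:
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    if not lines or len(lines[0].split("\t")) != 4:
        raise ValueError("first line must be the 4-field interface record")
    _priv, pub, port, fwmark = lines[0].split("\t")   # private key deliberately dropped
    iface = {"public_key": pub, "listen_port": port, "fwmark": fwmark}
    peers: List[Peer] = []
    for ln in lines[1:]:
        f = ln.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer record: {ln!r}")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return iface, peers


def classify_peers(peers: List[Peer], now: int, stale_after: int = 180) -> Dict[str, str]:
    """Map public key -> 'ok' | 'stale' | 'never'.

    WireGuard re-handshakes roughly every two minutes while traffic flows, so a
    handshake older than stale_after on a peer that is moving data points at a
    tunnel that silently stopped working (the client GUI may still say "active").
    An idle peer keeps its old timestamp, so 'stale' is a hint, not proof.
    """
    status: Dict[str, str] = {}
    for p in peers:
        if p.latest_handshake == 0:
            status[p.public_key] = "never"   # keys mixed up, wrong Endpoint, or UDP port unreachable
        elif now - p.latest_handshake > stale_after:
            status[p.public_key] = "stale"
        else:
            status[p.public_key] = "ok"
    return status


def report(dump: str, now: Optional[int] = None) -> List[str]:
    now = int(time.time()) if now is None else now
    iface, peers = parse_wg_dump(dump)
    status = classify_peers(peers, now)
    out = [f"interface pubkey {iface['public_key']} listening on udp/{iface['listen_port']}"]
    for p in peers:
        age = "never" if p.latest_handshake == 0 else f"{now - p.latest_handshake}s ago"
        out.append(f"{status[p.public_key]:5} {p.public_key} {p.allowed_ips} "
                   f"endpoint={p.endpoint} handshake={age} rx={p.rx_bytes} tx={p.tx_bytes}")
    return out


if __name__ == "__main__":
    # Assumed live usage inside the container:  wg show wg0 dump | python3 wgstatus.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(report(data, SAMPLE_NOW if data is SAMPLE_DUMP else None)))
```

With the constructed sample, CLIENT1 is ok (handshake 50 s ago), CLIENT2 is never (no endpoint seen, nothing received: the textbook key mix-up or blocked UDP port), and CLIENT3 is stale (the server has sent bytes but received none). Run without input it prints the sample; piped from `wg show wg0 dump` it reports the live peers.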