Hi, so I've been working on this for a week but I'm not really happy with the solutions I find, as they seem to be done by individuals who rely heavily on AI. I got wg-easy going and can remotely connect, which is great, but I'd love to be able to route any internet traffic to and from the WireGuard clients through another server while filtering my local on-site services. I feel that if I can crack this I don't need to rely on Tailscale. The end goal is to have no reliance on Tailscale, as I am preparing for the eventual enshittification.

  • LetchLemon@lemmy.blahaj.zoneOP

    Here is the compose file and the PostUp hook I'm working on.

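    services:
      gluetun:
        image: qmcgaw/gluetun:v3
        hostname: gluetun
        restart: always
        networks:
          wg:
            ipv4_address: 192.168.1.10
        # No ports are published here on purpose: 51720/udp and 51821/tcp are
        # wg-easy's listeners (published on that service below). Publishing the
        # same host ports from both services fails at start-up with
        # "port is already allocated".
        cap_add:
          - NET_ADMIN
        devices:
          - /dev/net/tun:/dev/net/tun
        environment:
          - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
          - VPN_TYPE=${VPN_TYPE}
          - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
          - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
          - SERVER_CITIES=${SERVER_CITIES}
          # NOTE(review): confirm gluetun actually reads ALLOWED_IPS; an
          # unrecognised variable is silently ignored rather than rejected.
          - ALLOWED_IPS=0.0.0.0/1
          - FIREWALL_OUTBOUND_SUBNETS=${OUTBOUND_SUBNET}  # change to appropriate subnet
          - DNS_ADDRESS=${DNS}
    #      - HEALTH_TARGET_ADDRESS=cloudflare.com:80
    #      - HEALTH_VPN_DURATION_INITIAL=120s

      wg-easy:
        image: ghcr.io/wg-easy/wg-easy:15
        container_name: wg-easy
        restart: unless-stopped
        environment:
          - INSECURE=true  # INITIAL SETUP NOT FOR PRODUCTION
        networks:
          wg:
            ipv4_address: 192.168.1.20
        volumes:
          - ./data:/etc/wireguard
          - /lib/modules:/lib/modules:ro
        # Quoted so no YAML parser can read a port mapping as a sexagesimal number.
        ports:
          - "51720:51720/udp"  # wireguard
          - "51821:51821/tcp"  # web ui
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        sysctls:
          - net.ipv4.ip_forward=1
          - net.ipv4.conf.all.src_valid_mark=1
          # The `wg` network below has enable_ipv6: false, so the three IPv6
          # settings have no effect until an IPv6 subnet is enabled there.
          - net.ipv6.conf.all.disable_ipv6=0
          - net.ipv6.conf.all.forwarding=1
          - net.ipv6.conf.default.forwarding=1

    networks:
      # Named `wg` to match the `networks:` references in both services above;
      # the previous name (`vpn`) left those references pointing at an
      # undefined network, which compose rejects.
      wg:
        driver: bridge
        enable_ipv6: false
        ipam:
          driver: default
          config:
            # NOTE(review): 192.168.1.0/24 is a very common home-LAN range. If the
            # host's LAN uses it too, routing between the bridge and the LAN is
            # ambiguous; a dedicated private range avoids that.
            - subnet: 192.168.1.0/24  # container ip / gateway
    #        - subnet: fdcc:ad94:bacf:61a3::/64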
    
    
    

    PostUp

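    # wg-easy PostUp hook: runs inside the wg-easy container once the tunnel is up.
    # Detect the bridge interface by wg-easy's static container IP (192.168.1.20 in
    # the compose file). Abort if it is not found so the tunnel never comes up
    # with a half-applied firewall/routing state (the bare `test` used before
    # did not stop the following commands from running). Dots in the pattern
    # are escaped so `.` matches a literal dot rather than any character.
    VPN=$(ip -o -4 addr show | awk '$4 ~ /^192\.168\.1\.20\// {print $2; exit}'); test -n "$VPN" || { echo "PostUp: no interface with 192.168.1.20 found" >&2; exit 1; };
    # Default-deny forwarding in both stacks and accept inbound WireGuard handshakes.
    # NOTE: with a DROP policy, explicit FORWARD ACCEPT rules for the tunnel
    # interface (plus a NAT rule for its egress) are still required before any
    # peer gets connectivity; none are added here yet.
    iptables -P FORWARD DROP;
    ip6tables -P FORWARD DROP;
    iptables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT;
    ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT;

    # Direct (non-VPN) subnets.
    # `ip route` takes the verb `add` (there is no -A flag) and `via` needs a
    # single next-hop address, not a prefix. The next hop used here is the
    # container's current default gateway, i.e. the host side of the bridge;
    # NOTE(review): confirm that is the intended path for 10.1.0.0/16.
    GW=$(ip -4 route show default | awk '{print $3; exit}'); test -n "$GW" || { echo "PostUp: no IPv4 default gateway" >&2; exit 1; };
    ip route add 10.1.0.0/16 via "$GW" dev "$VPN" table 200;
    # NOTE(review): nothing selects table 200 yet -- without an `ip rule ... lookup 200`
    # this route is inert. The former `ip -6 route` line was dropped: 10.1.0.0/16 is an
    # IPv4 prefix and the compose network has enable_ipv6: false, so there is no IPv6
    # next hop to route through; re-add it once an IPv6 subnet and prefix exist.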