19: Installing WireGuard - Secure VPN Access

WireGuard is a modern, fast, and secure VPN (Virtual Private Network) that lets you access your server and its services securely from anywhere. Once connected, you can access internal services, manage your server, and browse securely - all encrypted and protected!

For advanced features, API documentation, and technical details, see the official WireGuard documentation.

Why WireGuard?

• ✅ Secure access - Access your server and services securely from anywhere
• ✅ Easy to use - Web interface makes managing clients simple
• ✅ Fast and modern - Uses modern encryption (ChaCha20) for speed and security
• ✅ Mobile-friendly - QR codes for easy mobile device setup
• ✅ Multiple devices - Connect phones, laptops, tablets - all from one server
• ✅ Split tunneling - Only VPN traffic goes through VPN, rest uses normal internet
• ✅ Low overhead - Minimal impact on your internet speed

Prerequisites

• ✅ Docker running (from Chapter 3)
• ✅ Linux kernel 5.6+ - Most modern Linux distributions have this
• ✅ Optional: Traefik installed (from Chapter 4) for HTTPS access with a domain
• ✅ Optional: Subdomain (from Chapter 4.5), e.g., vpn.yourdomain.com
• ✅ Firewall access - Ability to open UDP port (default: 51820)

Note: WireGuard works great with Traefik and a domain name. Having a friendly URL like vpn.yourdomain.com makes it easy to access the web management interface.

Step 1: Start Infinity Tools

sudo infinity-tools

Step 2: Install WireGuard

1. Go to 📱 APPLICATIONS
2. Select WireGuard
3. Choose Install WireGuard

Using the Infinity Tools GUI

• Use ↑/↓ to move, Enter to select, Esc to go back
• Look for the turquoise cursor indicating the current selection
• Each screen shows a short description at the top explaining what's needed

Step 2.1: Network Configuration

You'll be asked to configure two networks:

VPN Network (Default: 10.13.13)

• What it is: The network used by WireGuard clients and Docker services
• What you get: Clients get IPs like 10.13.13.3, 10.13.13.4, etc.
• Default: 10.13.13 (usually fine to accept)
• Pick this if: You want the default setup (recommended)

Host Network (Default: 10.13.14)

• What it is: The network used for accessing host services (like Webmin, Apprise)
• What you get: Host services accessible at 10.13.14.1
• Default: 10.13.14 (usually fine to accept)
• Pick this if: You want the default setup (recommended)

💡 Tip: Unless you have a specific reason, accept the defaults (just press Enter).

Step 2.2: DNS Configuration

WireGuard will automatically detect your server's DNS settings. This ensures VPN clients use the same DNS as your server for consistency.

Usually, you can just accept the auto-detected DNS (press Enter).

Step 2.3: Choose SSL Mode

You'll see two options. Here's what each means:

• Traefik (optional)
  • What it is: Uses your domain name with a trusted HTTPS certificate from Let's Encrypt
  • What you need: A subdomain (e.g., vpn.yourdomain.com) pointing to your server (see Chapter 4.5)
  • What you get: Professional URL like https://vpn.yourdomain.com with trusted SSL
  • Pick this if: You want secure, easy access with a domain name
• Standalone (recommended)
  • What it is: Uses HTTPS with a self-signed certificate and direct port access
  • What you need: Just a free port (default: 8445)
  • What you get: URL like https://SERVER_IP:8445 with a warning you must accept once
  • Pick this if: You don't have a domain or prefer direct access (recommended)

Simple rule of thumb: Use Standalone for most cases. Use Traefik if you have a domain and want trusted SSL.

Step 2.4: VPN Port Configuration

You'll be asked for the UDP port for VPN connections:

• Default: 51820
• What it is: The port clients will connect to
• Important: You must open this port in your firewall!
• Pick this if: Default is fine (recommended)

Step 2.5: Server Endpoint

You'll be asked for your server's public IP address or domain name:

• What it is: How clients will find your server
• Examples: 123.45.67.89 or vpn.yourdomain.com
• Important: This must be accessible from the internet!

What Happens During Installation

• WireGuard kernel module is installed (if needed)
• WireGuard container is created
• Web management interface is set up
• Random password is generated for web UI
• Host network interface is created
• Network routing is configured
• Service starts and becomes accessible

Step 3: Open Firewall Port

⚠️ CRITICAL: You MUST open the VPN port in your firewall, or clients cannot connect!

Opening the Port

sudo ufw allow 51820/udp

Replace 51820 with your custom port if you chose a different one.

Why This Matters

• Without this, VPN clients cannot connect to your server
• The port must be UDP (not TCP)
• This is the ONLY port you need to open for VPN access

Step 4: Access WireGuard Web Interface

If Using Traefik

1. Wait 30-60 seconds for SSL certificate generation
2. Open https://vpn.yourdomain.com in your browser
3. You'll see the WireGuard login page

If Using Standalone

1. Open https://SERVER_IP:8445 in your browser
2. You'll see a security warning (normal for self-signed certificates)
3. Click "Advanced" → "Proceed to site" to continue
4. You'll see the WireGuard login page

Step 5: Login to Web Interface

⚠️ CRITICAL: During installation, a random password was generated and displayed. Save it immediately!

Default Credentials

• Username: admin
• Password: Randomly generated (shown during installation)

If You Lost the Password

You can retrieve it from:

cat /opt/speedbits/wireguard/web-password.txt

Login Steps

1. Enter username: admin
2. Enter the password shown during installation
3. Click "Login"
4. You'll see the WireGuard dashboard!

Step 6: Create Your First VPN Client

Now that you're logged in, let's create your first VPN client!

Adding a Client

1. Click "Add Client" or the "+" button
2. Enter a name for your device, e.g., "My Phone", "Laptop", "Work PC"
3. Configure settings (or use defaults):
   • Allowed IPs: Usually auto-filled (VPN network + Host network)
   • Use Server DNS: Usually enabled (recommended)
4. Click "Save" or "Create"
5. You'll see a QR code and download options!

What You'll Get

• 📱 QR Code - Scan with mobile devices
• 📄 Config File - Download for Windows/Linux
• 🔑 Client Details - IP address, public key, etc.

Step 7: Set Up WireGuard on Your Device

Windows

1. Install WireGuard from Microsoft Store
2. Open WireGuard app
3. Click "Add Tunnel" → "Import from file"
4. Select the downloaded .conf file
5. Click "Activate" to connect

Android/iOS/macOS

1. Install WireGuard app from Play Store/App Store
2. Open WireGuard app
3. Tap "+" → "Create from QR code"
4. Scan the QR code from the web interface
5. Tap "Activate" to connect

Linux

1. Install WireGuard: sudo apt install wireguard
2. Copy the .conf file to: /etc/wireguard/wg0.conf
3. Start WireGuard: sudo wg-quick up wg0
4. Enable auto-start: sudo systemctl enable wg-quick@wg0

Step 8: Understanding VPN Networks

WireGuard creates two networks for different purposes:

VPN Network (10.13.13.0/24)

This network is for WireGuard clients and Docker services:

• 📱 Your devices - Get IPs like 10.13.13.3, 10.13.13.4, etc.
• 🐳 Docker services - Accessible via their container names
• 🌐 Examples:
  • Vaultwarden: http://vaultwarden:80
  • WordPress: http://wordpress:80
  • Apprise: http://apprise:8000

Host Network (10.13.14.0/24)

This network is for accessing host services (services running directly on the server):

• 🖥️ Host services - Accessible at 10.13.14.1
• 🌐 Examples:
  • Webmin: https://10.13.14.1:8443
  • Apprise: http://10.13.14.1:8444
  • SSH: ssh user@10.13.14.1

What You Can Access via VPN

Docker Services (VPN Network)

• All your Infinity Tools applications
• Access via container names (e.g., http://vaultwarden:80)
• No need to expose ports publicly!

Host Services (Host Network)

• Webmin (if installed)
• Apprise (if installed)
• SSH access
• Any other services running on the host

Security Recommendations

• ✅ Open only VPN port - Close other public ports (Webmin, Apprise, etc.)
• ✅ Use strong password - The generated password is strong, keep it safe!
• ✅ Store password securely - Use a password manager (Vaultwarden recommended!)
• ✅ Limit client access - Only create clients for trusted devices
• ✅ Disable unused clients - Turn off clients you're not using
• ✅ Keep WireGuard updated - Re-run install script periodically for updates
• ⚠️ Protect web interface - The web UI manages all VPN clients - keep it secure!

Firewall Best Practices

After setting up WireGuard, you can close other public ports:

# Close Webmin public access (access via VPN instead)
sudo ufw delete allow 8443

# Close Apprise public access (access via VPN instead)
sudo ufw delete allow 8444

# Close WireGuard web UI public access (access via VPN instead)
sudo ufw delete allow 8445

Now access everything securely via VPN!

Troubleshooting

Can't Connect to VPN

• Check firewall: Make sure UDP port 51820 (or your custom port) is open
• Check server endpoint: Verify the IP/domain is correct and accessible
• Check client config: Make sure you're using the correct .conf file
• Check WireGuard status: Run docker logs wireguard to see errors

Can't Access Web Interface

• Traefik mode: Wait 30-60 seconds after installation for SSL certificate generation
• Standalone mode: Accept the self-signed certificate warning
• Check container: Run docker ps | grep wireguard to see if it's running
• Check logs: Run docker logs wireguard to see error messages

Can't Access Services via VPN

• Check VPN connection: Make sure WireGuard is connected on your device
• Check IP address: Verify you're using the correct IPs (10.13.13.x or 10.13.14.1)
• Check Allowed IPs: Make sure client config includes both VPN and Host networks
• Check routing: Verify network routing is configured correctly

Lost Web UI Password

• View saved password: cat /opt/speedbits/wireguard/web-password.txt
• If file doesn't exist, you'll need to reinstall WireGuard

Where to Find WireGuard After Install

• On the finish screen, Infinity Tools prints the web interface URL and password
• You can also see it in 📊 STATUS & HEALTH → STATUS
• Check the installation directory: /opt/speedbits/wireguard
• Password saved in: /opt/speedbits/wireguard/web-password.txt
• Client configs: /opt/speedbits/wireguard/data/ (managed via web UI)

Managing VPN Clients

Adding More Clients

Simply repeat Step 6 for each device you want to connect. Each device gets its own unique IP address.

Disabling Clients

In the web interface, you can disable clients without deleting them. This is useful if you temporarily don't want a device to connect.

Viewing Connection Stats

The web interface shows connection statistics for each client, including data transferred and connection time.

You're Ready!

WireGuard is now installed and ready to use! Remember:

• 🔥 Open the firewall port (UDP 51820) - critical for connections!
• 🔐 Save your web UI password securely
• 📱 Create clients via the web interface
• 🔒 Close other public ports and access everything via VPN
• 🌐 Use VPN network (10.13.13.x) for Docker services
• 🖥️ Use Host network (10.13.14.1) for host services

Next steps: Create your first client, set up WireGuard on your device, test the connection, and start accessing your services securely from anywhere!