
19: Installing WireGuard - VPN Infrastructure

WireGuard is a modern, fast, secure VPN (Virtual Private Network) protocol using ChaCha20 encryption and Curve25519 key exchange. It lets you access your server and its services securely from anywhere: once connected, you can reach internal services, manage your server, and browse securely, all encrypted and protected. This installation uses WG-Easy (WireGuard-UI) for web-based client management, providing a user-friendly interface for VPN administration while maintaining WireGuard's performance and security benefits.

For protocol specifications, advanced features, configuration, and technical documentation, see the official WireGuard documentation.

Why WireGuard?

  • Secure access - Access your server and services securely from anywhere
  • Easy to use - Web interface makes managing clients simple
  • Fast and modern - Uses modern encryption (ChaCha20) for speed and security
  • Mobile-friendly - QR codes for easy mobile device setup
  • Multiple devices - Connect phones, laptops, tablets - all from one server
  • Split tunneling - Only VPN traffic goes through VPN, rest uses normal internet
  • Low overhead - Minimal impact on your internet speed

Prerequisites

  • Docker installed (Chapter 3)
  • Docker Compose (Chapter 3)
  • Linux kernel 5.6+ - WireGuard kernel module support (most modern Linux distributions have this)
  • Optional: Traefik installed (Chapter 4) for HTTPS access with a domain and Let's Encrypt
  • Optional: Subdomain configured (Chapter 4.5), e.g., vpn.yourdomain.com
  • Firewall access - Ability to open UDP port

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → WireGuard → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install

# With domain (Traefik mode)
export WG_DOMAIN="vpn.example.com"
export WG_USE_TRAEFIK="true"
sudo -E bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install

# Custom networks
export VPN_NETWORK_BASE="192.168.100"
export HOST_NETWORK_BASE="192.168.101"
export WG_VPN_PORT="51820"
sudo -E bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install

Architecture

Containers

  • wireguard - WG-Easy (WireGuard-UI) container (ngoduykhanh/wireguard-ui:latest)
  • wireguard-https - Nginx SSL proxy (standalone HTTPS mode only)

Network Architecture

  • VPN Network: Default 10.13.13.0/24 (configurable)
    • WireGuard server: 10.13.13.1
    • Admin client: 10.13.13.2
    • Client IPs: 10.13.13.3+ (auto-assigned)
  • Host Network: Default 10.13.14.0/24 (configurable)
    • Host services IP: 10.13.14.1
    • Accessible via VPN for host service access

Data Persistence

  • Data: /opt/speedbits/wireguard/data/ (WG-Easy database, client configs)
  • Configs: /opt/speedbits/wireguard/wg_confs/ (WireGuard config files)
  • SSL: /opt/speedbits/wireguard/ssl/ (standalone mode certificates)
  • Password: /opt/speedbits/wireguard/web-password.txt

Host Integration

  • Kernel Module: WireGuard kernel module loaded on host
  • Systemd Service: wireguard-host-network.service for host network persistence
  • Network Interface: wg-host dummy interface for host network
  • iptables Rules: NAT and forwarding rules for VPN ↔ Host network

Deployment Modes

Traefik Mode

Uses Traefik for SSL termination and domain routing:

  • Automatic Let's Encrypt certificate provisioning
  • Domain-based access: https://vpn.example.com
  • Security headers configured
  • Requires: Traefik running, DNS A record configured

Standalone Mode (Default)

Direct access with HTTPS (self-signed):

  • HTTPS: https://SERVER_IP:8445 (self-signed cert via nginx proxy)
  • Default web UI port: 8445 (configurable)
  • VPN port: 51820 UDP (configurable)
  • No domain required

Installation Process

Configuration Steps

  1. Network Configuration: VPN network base (default: 10.13.13) and Host network base (default: 10.13.14)
  2. DNS Configuration: Auto-detected from server's /etc/resolv.conf
  3. SSL Mode Selection: Choose Traefik or Standalone
  4. VPN Port: UDP port for VPN connections (default: 51820)
  5. Server Endpoint: Public IP or domain name for client connections
  6. Kernel Module: WireGuard kernel module installed and loaded
  7. Systemd Service: Host network service created and enabled

    What Gets Created

    • Directory: /opt/speedbits/wireguard
    • Containers: wireguard, wireguard-https (standalone mode)
    • Docker Compose: /opt/speedbits/wireguard/docker-compose.yml
    • Systemd Service: /etc/systemd/system/wireguard-host-network.service
    • Host Scripts: host-network-setup.sh, host-network-cleanup.sh

    Note: WireGuard works great with Traefik and a domain name. Having a friendly URL like vpn.yourdomain.com makes it easy to access the web management interface.

    Step 1: Start Infinity Tools

    sudo infinity-tools

    Step 2: Install WireGuard

    1. Go to 📱 APPLICATIONS
    2. Select WireGuard
    3. Choose Install WireGuard

    Using the Infinity Tools GUI

    • Use ↑/↓ to move, Enter to select, Esc to go back
    • Look for the turquoise cursor indicating the current selection
    • Each screen shows a short description at the top explaining what's needed

    Access Methods

    Traefik Mode

    https://vpn.example.com

    Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

    Standalone Mode

    https://SERVER_IP:8445

    Accept self-signed certificate warning (Advanced → Proceed).

    Authentication

    Web UI Credentials

    • Username: admin (fixed)
    • Password: Randomly generated (20 characters)
    • Storage: /opt/speedbits/wireguard/web-password.txt
    • Hash: bcrypt hash stored in container environment

    VPN Client Authentication

    • Each client gets a unique public/private key pair
    • The server validates the client's public key
    • No username/password required for the VPN connection
    • Keys are generated with a cryptographically secure generator

    Step 2.1: Network Configuration

    You'll be asked to configure two networks:

    VPN Network (Default: 10.13.13)

    • What it is: The network used by WireGuard clients and Docker services
    • What you get: Clients get IPs like 10.13.13.3, 10.13.13.4, etc. (the server is 10.13.13.1)
    • Default: 10.13.13 (usually fine to accept)
    • Pick this if: You want the default setup (recommended)

    Host Network (Default: 10.13.14)

    • What it is: The network used for accessing host services (like Webmin, Apprise)
    • What you get: Host services accessible at 10.13.14.1
    • Default: 10.13.14 (usually fine to accept)
    • Pick this if: You want the default setup (recommended)

    💡 Tip: Unless you have a specific reason, accept the defaults (just press Enter).

    Step 2.2: DNS Configuration

    WireGuard will automatically detect your server's DNS settings. This ensures VPN clients use the same DNS as your server for consistency.

    Usually, you can just accept the auto-detected DNS (press Enter).

    Step 2.3: Choose SSL Mode

    You'll see two options. Here's what each means:

    • Traefik (optional)
      • What it is: Uses your domain name with a trusted HTTPS certificate from Let's Encrypt
      • What you need: A subdomain (e.g., vpn.yourdomain.com) pointing to your server (see Chapter 4.5)
      • What you get: Professional URL like https://vpn.yourdomain.com with trusted SSL
      • Pick this if: You want secure, easy access with a domain name
    • Standalone (recommended)
      • What it is: Uses HTTPS with a self-signed certificate and direct port access
      • What you need: Just a free port (default: 8445)
      • What you get: URL like https://SERVER_IP:8445 with a warning you must accept once
      • Pick this if: You don't have a domain or prefer direct access (recommended)

    Simple rule of thumb: Use Standalone for most cases. Use Traefik if you have a domain and want trusted SSL.

    Step 2.4: VPN Port Configuration

    You'll be asked for the UDP port for VPN connections:

    • Default: 51820
    • What it is: The port clients will connect to
    • Important: You must open this port in your firewall!
    • Pick this if: Default is fine (recommended)

    Step 2.5: Server Endpoint

    You'll be asked for your server's public IP address or domain name:

    • What it is: How clients will find your server
    • Examples: 123.45.67.89 or vpn.yourdomain.com
    • Important: This must be accessible from the internet!

    What Happens During Installation

    • WireGuard kernel module is installed (if needed)
    • WireGuard container is created
    • Web management interface is set up
    • Random password is generated for web UI
    • Host network interface is created
    • Network routing is configured
    • Service starts and becomes accessible

    Step 3: Open Firewall Port

    ⚠️ CRITICAL: You MUST open the VPN port in your firewall, or clients cannot connect!

    Opening the Port

    sudo ufw allow 51820/udp

    Replace 51820 with your custom port if you chose a different one.

    Why This Matters

    • Without this, VPN clients cannot connect to your server
    • The port must be UDP (not TCP)
    • This is the ONLY port you need to open for VPN access

    Step 4: Access WireGuard Web Interface

    If Using Traefik

    1. Wait 30-60 seconds for SSL certificate generation
    2. Open https://vpn.yourdomain.com in your browser
    3. You'll see the WireGuard login page

    If Using Standalone

    1. Open https://SERVER_IP:8445 in your browser
    2. You'll see a security warning (normal for self-signed certificates)
    3. Click "Advanced" → "Proceed to site" to continue
    4. You'll see the WireGuard login page

    Step 5: Login to Web Interface

    ⚠️ CRITICAL: During installation, a random password was generated and displayed. Save it immediately!

    Default Credentials

    • Username: admin
    • Password: Randomly generated (shown during installation)

    If You Lost the Password

    You can retrieve it from:

    cat /opt/speedbits/wireguard/web-password.txt

    Login Steps

    1. Enter username: admin
    2. Enter the password shown during installation
    3. Click "Login"
    4. You'll see the WireGuard dashboard!

    Step 6: Create Your First VPN Client

    Now that you're logged in, let's create your first VPN client!

    Adding a Client

    1. Click "Add Client" or the "+" button
    2. Enter a name for your device, e.g., "My Phone", "Laptop", "Work PC"
    3. Configure settings (or use defaults):
      • Allowed IPs: Usually auto-filled (VPN network + Host network)
      • Use Server DNS: Usually enabled (recommended)
    4. Click "Save" or "Create"
    5. You'll see a QR code and download options!

    What You'll Get

    • 📱 QR Code - Scan with mobile devices
    • 📄 Config File - Download for Windows/Linux
    • 🔑 Client Details - IP address, public key, etc.

    Step 7: Set Up WireGuard on Your Device

    Windows

    1. Install WireGuard from Microsoft Store
    2. Open WireGuard app
    3. Click "Add Tunnel" → "Import from file"
    4. Select the downloaded .conf file
    5. Click "Activate" to connect

    Android/iOS

    1. Install WireGuard app from Play Store/App Store
    2. Open WireGuard app
    3. Tap "+" → "Create from QR code"
    4. Scan the QR code from the web interface
    5. Tap "Activate" to connect

    Linux

    1. Install WireGuard: sudo apt install wireguard
    2. Copy the .conf file to: /etc/wireguard/wg0.conf
    3. Start WireGuard: sudo wg-quick up wg0
    4. Enable auto-start: sudo systemctl enable wg-quick@wg0

    Step 8: Understanding VPN Networks

    WireGuard creates two networks for different purposes:

    VPN Network (10.13.13.0/24)

    This network is for WireGuard clients and Docker services:

    • 📱 Your devices - Get IPs like 10.13.13.3, 10.13.13.4, etc.
    • 🐳 Docker services - Accessible via their container names
    • 🌐 Examples:
      • Vaultwarden: http://vaultwarden:80
      • WordPress: http://wordpress:80
      • Apprise: http://apprise:8000

    Host Network (10.13.14.0/24)

    This network is for accessing host services (services running directly on the server):

      • 🖥️ Host services - Accessible at 10.13.14.1
      • 🌐 Examples:
        • Webmin: https://10.13.14.1:8443
        • Apprise: http://10.13.14.1:8444
        • SSH: ssh user@10.13.14.1
      • Interface: wg-host dummy interface
      • Routing: NAT and forwarding rules configured

      What You Can Access via VPN

      Docker Services (VPN Network)

      • All your Infinity Tools applications
      • Access via container names (e.g., http://vaultwarden:80)
      • No need to expose ports publicly!

      Host Services (Host Network)

      • Webmin (if installed)
      • Apprise (if installed)
      • SSH access
      • Any other services running on the host

      iptables Rules

      # NAT for VPN → Host network
      iptables -t nat -A POSTROUTING -s 10.13.13.0/24 -d 10.13.14.0/24 -j MASQUERADE
      
      # Forwarding rules
      iptables -A FORWARD -s 10.13.13.0/24 -d 10.13.14.0/24 -j ACCEPT
      iptables -A FORWARD -s 10.13.14.0/24 -d 10.13.13.0/24 -j ACCEPT

      Environment Variables

      WireGuard Container

      • WGUI_USERNAME - Web UI username (default: admin)
      • WGUI_PASSWORD - Web UI password (randomly generated)
      • WGUI_SERVER_INTERFACE_ADDRESSES - Server IP/CIDR (e.g., 10.13.13.1/24)
      • WGUI_SERVER_LISTEN_PORT - VPN UDP port (default: 51820)
      • WGUI_DEFAULT_CLIENT_ALLOWED_IPS - Default allowed IPs for clients
      • WGUI_DEFAULT_CLIENT_USE_SERVER_DNS - Use server DNS (default: true)
      • WGUI_MANAGE_START - Auto-start WireGuard (default: true)
      • WGUI_MANAGE_RESTART - Auto-restart WireGuard (default: true)
      • SESSION_SECRET - Session encryption key (randomly generated)

      Client Management

      Web UI Features

      • Add/remove clients via web interface
      • Generate QR codes for mobile devices
      • Download .conf files for desktop clients
      • Enable/disable clients individually
      • View connection statistics
      • Monitor traffic usage

      Client Configuration

      Clients are created via the web UI. Each client gets:

      • Unique public/private key pair
      • Auto-assigned IP address
      • Pre-configured AllowedIPs (VPN + Host networks)
      • Server endpoint and public key

      Security Configuration

      Encryption

      • Cipher: ChaCha20 (symmetric encryption)
      • Key Exchange: Curve25519 (elliptic curve)
      • Hash: BLAKE2s
      • Handshake: Noise protocol framework

      Access Security

      • Traefik mode uses Let's Encrypt SSL (production-ready)
      • ✅ Standalone HTTPS uses self-signed certificates (acceptable for internal use)
      • ✅ Security headers configured (X-Frame-Options, CSP, etc.)
      • Random password generation (20 characters)
      • Unique keys per client

      Container Security

      • Requires NET_ADMIN and SYS_MODULE capabilities
      • IP forwarding enabled
      • Kernel module access for WireGuard
      • Host network access for routing

      Firewall Configuration

      Required Ports

      • UDP 51820 (or custom VPN port) - VPN connections (MUST be open)
      • TCP 8445 (standalone mode) - Web UI (optional, can be closed after VPN setup)
      • TCP 443 (Traefik mode) - Web UI via Traefik

      Security Recommendations

      • Open only the VPN port - Close other public ports (Webmin, Apprise, web UI)
      • Use a strong password - The generated password is strong, keep it safe!
      • Store the password securely - Use a password manager (Vaultwarden recommended!)
      • Limit client access - Only create clients for trusted devices
      • Disable unused clients - Turn off clients you're not using
      • Keep WireGuard updated - Re-run the install script periodically for updates
      • ⚠️ Protect the web interface - The web UI manages all VPN clients - keep it secure!

      Firewall Best Practices

      After setting up WireGuard, you can close the other public ports:

      # Open VPN port (REQUIRED)
      sudo ufw allow 51820/udp
      
      # Close other public ports (access via VPN instead)
      sudo ufw delete allow 8443  # Webmin
      sudo ufw delete allow 8444  # Apprise
      sudo ufw delete allow 8445  # WireGuard web UI

      Now access everything securely via VPN!
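To check that a server actually matches the rule set above, the following Python audit parses `sudo ufw status` output and reports the VPN UDP port if it is missing and the Webmin, Apprise and web UI ports if they are still public, emitting the same `ufw` commands the guide uses. It is an added example, not part of Infinity Tools; the ufw output it runs on is constructed, and the `(v6)` rows and the `ALLOW IN` form of `ufw status verbose` are assumed formats.

```python
import re

# Ports the guide says to close once they are reachable through the VPN (port -> service).
VPN_ONLY_PORTS = {8443: "Webmin", 8444: "Apprise", 8445: "WireGuard web UI (standalone mode)"}
# One `ufw status` row: "8443/tcp  ALLOW  Anywhere", "8445  ALLOW  Anywhere", "22/tcp (v6)  ALLOW ..."
UFW_RULE = re.compile(r"^(\d+)(?:/(tcp|udp))?(?:\s+\(v6\))?\s+ALLOW(?:\s+IN)?\s+")

def parse_ufw_status(text):
    """Return {(port, proto)} for every ALLOW rule in `ufw status` output.
    proto is 'tcp', 'udp', or 'any' when the rule was added without a protocol."""
    allowed = set()
    for line in text.splitlines():
        m = UFW_RULE.match(line)
        if m:
            allowed.add((int(m.group(1)), m.group(2) or "any"))
    return allowed

def audit_firewall(text, vpn_port=51820, traefik=False):
    """Compare the live ufw rule set with the guide's recommendations.
    Returns (findings, fix_commands). Fix commands carry the exact rule spec,
    because `ufw delete` only matches a rule as it was added (8445 vs 8445/tcp)."""
    allowed = parse_ufw_status(text)
    findings, fixes = [], []

    def open_spec(port, proto):  # rule spec as ufw needs it for delete, or None if closed
        if (port, proto) in allowed:
            return f"{port}/{proto}"
        return str(port) if (port, "any") in allowed else None

    if open_spec(vpn_port, "udp") is None:
        findings.append(f"CRITICAL: UDP {vpn_port} is not allowed; VPN clients cannot connect")
        fixes.append(f"sudo ufw allow {vpn_port}/udp")
    if (vpn_port, "tcp") in allowed:
        findings.append(f"INFO: TCP {vpn_port} is open but WireGuard only uses UDP")
    if traefik and open_spec(443, "tcp") is None:
        findings.append("WARN: TCP 443 is not allowed; the Traefik-mode web UI is unreachable")
    for port, service in VPN_ONLY_PORTS.items():
        spec = open_spec(port, "tcp")
        if spec:
            findings.append(f"WARN: {service} on TCP {port} is still public; reach it via the VPN instead")
            fixes.append(f"sudo ufw delete allow {spec}")
    return findings, fixes

# Constructed `sudo ufw status` output: VPN port not opened yet, Webmin and web UI still public.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
8445                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8443/tcp (v6)              ALLOW       Anywhere (v6)
"""

if __name__ == "__main__":
    findings, fixes = audit_firewall(SAMPLE_UFW_STATUS)
    print("\n".join(findings + fixes))
```

Feed it real output with `audit_firewall(subprocess.run(["sudo", "ufw", "status"], capture_output=True, text=True).stdout)`; the returned commands are printed for review, never executed by the script.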

      Systemd Service

      Host Network Service

      Service: wireguard-host-network.service

      • Creates wg-host dummy interface
      • Configures host network IP (10.13.14.1)
      • Sets up routing and iptables rules
      • Persists across reboots

      Service Management

      # Check status
      systemctl status wireguard-host-network.service
      
      # Restart service
      sudo systemctl restart wireguard-host-network.service
      
      # View logs
      journalctl -u wireguard-host-network.service

      Troubleshooting

      Can't Connect to VPN

      • Check firewall: Make sure UDP port 51820 (or your custom port) is open: sudo ufw status | grep 51820
      • Check server endpoint: Verify the IP/domain is correct and accessible
      • Check client config: Make sure you're using the correct .conf file (AllowedIPs, endpoint, keys)
      • Check WireGuard logs: Run docker logs wireguard to see errors
      • Test UDP connectivity: nc -u -v SERVER_IP 51820

      Host Network Issues

      • Check systemd service: systemctl status wireguard-host-network.service
      • Verify interface: ip addr show wg-host
      • Check routing: ip route show | grep 10.13.14
      • Verify iptables rules: iptables -t nat -L -n -v

      Can't Access Web Interface

      • Traefik mode: Wait 30-60 seconds after installation for SSL certificate generation
      • Standalone mode: Accept the self-signed certificate warning
      • Check container: Run docker ps | grep wireguard to see if it's running
      • Check logs: Run docker logs wireguard to see error messages
      • Test API: curl -u admin:PASSWORD http://localhost:5000/api/sessions

      Can't Access Services via VPN

      • Check VPN connection: Make sure WireGuard is connected on your device
      • Check IP address: Verify you're using the correct IPs (10.13.13.x or 10.13.14.1)
      • Check Allowed IPs: Make sure client config includes both VPN and Host networks
      • Check routing: Verify network routing is configured correctly
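The client-side checks above (AllowedIPs covering both networks, the endpoint and port from Step 2.5, valid keys) can be run offline against a .conf file before it is copied to a device. The Python validator below is an added example, not part of Infinity Tools or WG-Easy; it assumes the /24 networks the installer derives from VPN_NETWORK_BASE and HOST_NETWORK_BASE, and the sample config and its key are constructed placeholders.

```python
import base64, binascii, ipaddress
def parse_wg_conf(text):
    """Parse the INI-style WireGuard config into {section: {key: value}}."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def is_wg_key(value):  # WireGuard keys are 32 raw bytes, base64-encoded (44 chars)
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def validate_client_conf(text, vpn_base="10.13.13", host_base="10.13.14", vpn_port=51820):
    """Return a list of problems; an empty list means the config looks sane."""
    conf, problems = parse_wg_conf(text), []
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    # The same two /24 networks the installer derives from the network bases.
    vpn_net, host_net = (ipaddress.ip_network(f"{b}.0/24") for b in (vpn_base, host_base))
    # Keys: a truncated or hand-edited key means the handshake never completes.
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if not is_wg_key(conf.get(section, {}).get(key, "")):
            problems.append(f"{section}.{key} is not a valid 32-byte key")
    # Address: the client must sit inside the VPN network (server is .1, clients .3+).
    try:
        addr = ipaddress.ip_interface(iface.get("Address", "")).ip
        if addr not in vpn_net:
            problems.append(f"Address {addr} is outside VPN network {vpn_net}")
    except ValueError:
        problems.append("Interface.Address missing or malformed")
    # AllowedIPs: both networks must be routed, or host services are unreachable.
    allowed = []
    for item in filter(None, (s.strip() for s in peer.get("AllowedIPs", "").split(","))):
        try:
            allowed.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            problems.append(f"AllowedIPs entry {item!r} is malformed")
    for name, net in (("VPN", vpn_net), ("Host", host_net)):
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            problems.append(f"AllowedIPs does not route the {name} network {net}")
    # Endpoint: host:port, where the port is the UDP port opened in the firewall.
    host, sep, port = peer.get("Endpoint", "").rpartition(":")
    if not (sep and host and port.isdigit()):
        problems.append("Endpoint is not host:port")
    elif int(port) != vpn_port:
        problems.append(f"Endpoint port {port} differs from VPN port {vpn_port}")
    return problems

# Constructed sample in the shape WG-Easy exports; the key is placeholder bytes, not a real key.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_CONF = f"""[Interface]
PrivateKey = {FAKE_KEY}
Address = 10.13.13.3/24
DNS = 10.13.13.1
[Peer]
PublicKey = {FAKE_KEY}
AllowedIPs = 10.13.13.0/24, 10.13.14.0/24
Endpoint = vpn.example.com:51820
"""
```

`validate_client_conf(SAMPLE_CONF)` returns `[]`; drop the Host network from AllowedIPs or change the endpoint port and it names the exact problem, which is usually faster than reading `docker logs wireguard`.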

      Lost Web UI Password

      • View saved password: cat /opt/speedbits/wireguard/web-password.txt
      • If the file doesn't exist, you'll need to reinstall WireGuard

      Where to Find WireGuard After Install

      • On the finish screen, Infinity Tools prints the web interface URL and password
      • You can also see it in 📊 STATUS & HEALTH → STATUS
      • Check the installation directory: /opt/speedbits/wireguard
      • Password saved in: /opt/speedbits/wireguard/web-password.txt
      • Client configs: /opt/speedbits/wireguard/data/ (managed via web UI)

      Production Considerations

      • Access Method: Use Traefik mode for production (trusted SSL)
      • Firewall: Open only the VPN port, close other public ports
      • Password Management: Store the web UI password securely
      • Client Management: Regularly review and disable unused clients
      • Monitoring: Monitor VPN connections and traffic
      • Backup: Back up client configurations and keys
      • Updates: Re-run the install script periodically for updates

      Managing VPN Clients

      Adding More Clients

      Simply repeat Step 6 for each device you want to connect. Each device gets its own unique IP address.

      Disabling Clients

      In the web interface, you can disable clients without deleting them. This is useful if you temporarily don't want a device to connect.

      Viewing Connection Stats

      The web interface shows connection statistics for each client, including data transferred and connection time.

      You're Ready!

      WireGuard is now installed and ready to use! Remember:

      • 🔥 Open the firewall port (UDP 51820) - critical for connections!
      • 🔐 Save your web UI password securely
      • 📱 Create a client for each device you want to connect
      • 🔒 Open only the VPN port (UDP 51820) publicly
      • Close other public ports (Webmin, Apprise, etc.) and access everything via VPN
      • 🌐 Use the VPN network (10.13.13.x) for Docker services
      • 🖥️ Use the Host network (10.13.14.1) for host services

      Integration with Infinity Tools

      WireGuard complements Infinity Tools by providing:

      • Secure remote access to all Infinity Tools applications
      • Access to Docker services without exposing ports publicly
      • Access to host services (Webmin, Apprise) securely
      • Centralized VPN management via the web interface

      Recommended setup:

      • Open only the VPN port (UDP 51820) publicly
      • Close other public ports (Webmin, Apprise, etc.)
      • Access all services via VPN

      Advanced Configuration

      Custom Networks

      Configure custom network ranges:

      export VPN_NETWORK_BASE="192.168.100"
      export HOST_NETWORK_BASE="192.168.101"
      sudo -E bash setup-wireguard.sh --install

      Custom VPN Port

      export WG_VPN_PORT="51821"
      sudo -E bash setup-wireguard.sh --install

      Custom DNS

      export VPN_DNS="8.8.8.8,8.8.4.4"
      sudo -E bash setup-wireguard.sh --install

      Client Configuration Export

      Via Web UI

      • Download .conf file for desktop clients
      • Scan QR code for mobile clients
      • View client details (IP, public key, etc.)

      Via Command Line

      # View admin client config
      sudo bash setup-wireguard.sh --show-config
      
      # Client configs stored in
      ls /opt/speedbits/wireguard/data/peer_*/peer.conf

      Next Steps

      WireGuard is now operational. Use it to:

      • Create VPN clients for all your devices
      • Access Infinity Tools applications securely
      • Access host services without exposing ports
      • Manage clients via the web interface
      • Monitor VPN connections and traffic

      Next steps: Create your first client, set up WireGuard on your device, test the connection, and start accessing your services securely from anywhere!

      For advanced features, protocol specifications, and development guides, refer to the official WireGuard documentation.