Share my wireguard+udp2raw+docker practice #531

jearton opened this issue Jun 7, 2024 · 1 comment

jearton commented Jun 7, 2024

Network Topology


Software Environment

  • Docker Compose
  • udp2raw
  • ngoduykhanh/wireguard-ui (used for centralized management of the wireguard configuration)

Step1: Run udp2raw server On My HK Debian VPS

  • Assume Public IP: 30.30.30.30
  • Run udp2raw_server; the remote port points to the ListenPort in the wireguard configuration, let's assume 32884
services:
  udp2raw_server:
    image: jearton1024/udp2raw:latest
    container_name: udp2raw_server
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
    environment:
      - LISTEN_PORT=4096  # just for health check
    command: >
      -s
      -l0.0.0.0:4096
      -r127.0.0.1:32884
      -k "your_password"
      --raw-mode faketcp
      --fix-gro
      -a

Step2: Run udp2raw client and wireguard On My Home Ubuntu Device

  • Lan IP: 192.168.10.151
  • Prepare a DDNS name to reach your home router; assume it is myddns.xxx.team
services:
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    restart: unless-stopped
    depends_on:
      udp2raw_client_hk:
        condition: service_healthy
    networks:
      - backend
    cap_add:
      - NET_ADMIN
    ports:
      - "5000:5000"       # Management UI Port
      - "51886:51820/udp" # Wireguard Endpoint Port
    environment:
      - SESSION_SECRET=*******
      - SMTP_HOSTNAME=smtphz.qiye.163.com
      - SMTP_PORT=465
      - [email protected]
      - SMTP_PASSWORD=*******
      - SMTP_AUTH_TYPE=LOGIN
      - SMTP_ENCRYPTION=SSL
      - SMTP_HELO=vpn.xxx.team
      - [email protected]
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin  # default credentials; change them, the UI is published on port 5000
      - WGUI_ENDPOINT_ADDRESS=myddns.xxx.team:51886
      - WGUI_DNS=  # leave it blank
      - WGUI_MTU=1420
      - WGUI_PERSISTENT_KEEPALIVE=25
      - WGUI_LOG_LEVEL=INFO
      - WGUI_SERVER_INTERFACE_ADDRESSES=10.10.8.0/24
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -t nat -A POSTROUTING -s 10.10.8.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -t nat -D POSTROUTING -s 10.10.8.0/24 -o eth0 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT;
      - WGUI_DEFAULT_CLIENT_ALLOWED_IPS=10.10.8.0/24,192.168.10.0/24
      - WGUI_DEFAULT_CLIENT_USE_SERVER_DNS=false
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    volumes:
      - /home/ubuntu/apps/wireguard/db:/app/db
      - /home/ubuntu/apps/wireguard/config:/etc/wireguard
    logging:
      driver: json-file
      options:
        max-size: 5m
        
  udp2raw_client_hk:
    image: jearton1024/udp2raw:latest
    container_name: udp2raw_client_hk
    restart: unless-stopped
    networks:
      - backend
    cap_add:
      - NET_ADMIN
    environment:
      - LISTEN_PORT=51820 # just for health check
    command: >
      -c
      -l0.0.0.0:51820
      -r30.30.30.30:4096
      -k "your_password"
      --raw-mode faketcp
      --fix-gro
      -a

networks:
  backend:
    external: true  # create it first: docker network create backend

Port mapping from 51886 on home router to 51886 on this device.


Open the WireGuard UI in a browser, add a new client, and leave the peer endpoint blank; it will be set later.


Then Apply Config


Download the client configuration and open it, add ListenPort, and reduce MTU to 1300.

[Interface]
Address = 10.10.8.3/32
PrivateKey = *****
ListenPort = 32884
MTU = 1300

[Peer]
PublicKey = XSOxHjIDcTCRe4SbO18eD4mjiqD/9upUaq4s7kej9ig=
PresharedKey = *****
AllowedIPs = 10.10.8.0/24
Endpoint = myddns.xxx.team:51886
PersistentKeepalive = 25

Step3: Run wireguard On My HK Debian VPS

  • Assume Public IP: 30.30.30.30
  • Write the wireguard client configuration to /etc/wireguard/myteam.conf and bring the wireguard client up
modprobe wireguard \
  && apt install -y wireguard-tools \
  && cd /etc/wireguard \
  && vi myteam.conf

# paste the client configuration downloaded from WireGuard UI in Step2 (with ListenPort = 32884 and MTU = 1300 added) into myteam.conf

wg-quick up myteam

Step4: Set wireguard peer endpoint On My Home Ubuntu Device

On My Home Ubuntu Device, edit the client, set the peer endpoint to point at the udp2raw_client, then Save and Apply Config



Note: wireguard on udp2raw client side must start up after wireguard on udp2raw server side.

Step5: Verification

SSH into my HK Debian VPS, then ping the wireguard network gateway 10.10.8.0

ssh [email protected]

ping 10.10.8.0

Find the allowed MTU upper limit

ssh [email protected]

ping -M do -s 1270 10.10.8.0

Check the Status page on WireGuard UI

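Added example (not part of the original issue or of the udp2raw / wireguard-ui projects): a shell script that turns the Step5 verification into two repeatable checks. First, it parses `wg show wg0 dump` on the home side and confirms that the peer's endpoint still points at the udp2raw client host and that a handshake happened recently. WireGuard moves a peer's endpoint to the source address of the last authenticated packet it receives, so if the VPS ever reaches the home side directly, the endpoint can roam off the udp2raw path without anything visibly breaking; this check catches that. Second, it binary-searches the largest DF-flagged ping payload that passes through the tunnel (the `ping -M do -s` probe from Step5) and converts it to an MTU. Assumed, not taken from the page: interface name wg0, `wg` invoked through `docker exec wireguard-ui`, and the udp2raw container's IP supplied as EXPECTED_HOST (resolve it on the host, e.g. with `docker inspect`); the dump line in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example: post-deployment checks for the wireguard + udp2raw setup above.
# Assumptions (not from the issue): interface wg0, wg run via docker exec, and
# EXPECTED_HOST / PEER_PUBKEY supplied by the operator.

# Peer line fields of `wg show <iface> dump` (tab separated):
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# Args: dump-text  peer-public-key  expected-endpoint-host  max-handshake-age-s  now-epoch
# Returns 0 if the endpoint host matches and a handshake is recent, 1 otherwise,
# 2 if the peer is missing from the dump.
check_peer_endpoint() {
    local dump="$1" pubkey="$2" expected_host="$3" max_age="$4" now="$5"
    local line endpoint handshake host
    line=$(printf '%s\n' "$dump" | awk -F'\t' -v k="$pubkey" '$1 == k')
    if [ -z "$line" ]; then
        echo "peer $pubkey not found in dump"
        return 2
    fi
    endpoint=$(printf '%s\n' "$line" | cut -f3)
    handshake=$(printf '%s\n' "$line" | cut -f5)
    host=${endpoint%:*}   # drop ":port"; works for IPv4 and bracketed IPv6
    if [ "$host" != "$expected_host" ]; then
        echo "FAIL: endpoint is $endpoint, expected host $expected_host (roamed off udp2raw?)"
        return 1
    fi
    if [ "$handshake" -eq 0 ] || [ $((now - handshake)) -gt "$max_age" ]; then
        echo "FAIL: no handshake within ${max_age}s (tunnel down?)"
        return 1
    fi
    echo "OK: endpoint $endpoint, last handshake $((now - handshake))s ago"
    return 0
}

# Real probe: one ping with DF set; succeeds only if the payload fits the path MTU.
ping_df_probe() {
    ping -c 1 -W 2 -M do -s "$1" "${PROBE_TARGET:-10.10.8.0}" >/dev/null 2>&1
}

# Binary search for the largest size for which "$probe <size>" succeeds.
# Args: probe-function  low  high ; prints the size (0 if nothing in range passes).
find_max_payload() {
    local probe="$1" lo="$2" hi="$3" best=0 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# ICMP echo payload + 8-byte ICMP header + 20-byte IPv4 header = packet size = MTU.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Only touch the real system when asked to, so the file can be sourced for its functions.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_peer_endpoint "$(docker exec wireguard-ui wg show wg0 dump)" \
        "$PEER_PUBKEY" "$EXPECTED_HOST" 180 "$(date +%s)"
    p=$(find_max_payload ping_df_probe 1200 1400)
    echo "largest DF payload: $p bytes -> effective tunnel MTU $(payload_to_mtu "$p")"
fi
```

Run it as `RUN_CHECKS=1 PEER_PUBKEY=<vps peer key> EXPECTED_HOST=<udp2raw_client_hk ip> ./check.sh` on the home device. With the 1300-byte interface MTU from Step2, the probe should top out at a 1272-byte payload; a smaller result means the faketcp path is eating more than expected and MTU should be lowered further.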


jearton commented Jun 7, 2024

Cross-Region Remote Networking

