Skip to content

Deployment Overview of WireGuard UI on Server

Prerequisites and Basic Requirements

The deployment requires a Linux server with root privileges. The system must have Docker and Docker Compose installed to run the application containers. The following network ports must be accessible and configured in the firewall:

  • Port 22 (TCP) for SSH access.
  • Port 80 (TCP) for HTTP traffic and SSL certificate validation.
  • Port 443 (TCP) for HTTPS traffic.
  • Port 51820 (UDP) for WireGuard VPN traffic.
  • Port 3128 (TCP) for the Squid proxy service.

The server must have a valid domain name configured to resolve to the server's public IP address for the Nginx reverse proxy and SSL certificate generation.

File and Directory Structure

The application utilizes specific directories for data persistence, configuration, and logs. The following paths are created and managed during the deployment:

  • /data: Root directory for application data.
  • /data/wgui/: Storage location for WireGuard UI database and configuration files.
  • /root/wgui/: Directory containing the Docker Compose configuration file.
  • /data/nginx/: Directory for Nginx-related files.
  • /data/nginx/user_conf.d/: Directory containing custom Nginx server block configurations.
  • /etc/squid/: Location for the Squid proxy configuration file (squid.conf).
  • /etc/wireguard/: Mount point for WireGuard configuration files within the container.
  • /etc/letsencrypt/: Storage for SSL certificates managed by Certbot.

Application Installation Process

The application is deployed using Docker Compose. The primary configuration file is located at /root/wgui/compose.yml. This file defines two main services:

  1. WireGuard UI:

    • Image: ngoduykhanh/wireguard-ui:latest
    • Container Name: wireguard-ui
    • Network Mode: host
    • Capabilities: NET_ADMIN is added to allow network interface management.
    • Environment Variables: Includes settings for SENDGRID_API_KEY, EMAIL_FROM_ADDRESS, SESSION_SECRET, WGUI_USERNAME, WGUI_PASSWORD, WGUI_MTU, WGUI_DNS, and WGUI_ENDPOINT_ADDRESS.
    • Volumes: Mounts /data/wgui to /app/db and /etc/wireguard to /etc/wireguard.

  2. Nginx with Certbot:

    • Image: jonasal/nginx-certbot:latest
    • Network Mode: host
    • Environment Variables: Includes CERTBOT_EMAIL.
    • Environment File: Loads configuration from /data/nginx/nginx-certbot.env.
    • Volumes: Mounts nginx_secrets to /etc/letsencrypt and /data/nginx/user_conf.d to /etc/nginx/user_conf.d.

The deployment is initiated by executing the Docker Compose command within the /root/wgui directory.

Access Rights and Security

Firewall rules are configured to allow necessary traffic. The configuration supports both firewalld and ufw depending on the operating system.

For firewalld, the following rules are enabled in the public zone: - Port 51820/udp for WireGuard. - Port 80/tcp for HTTP. - Port 443/tcp for HTTPS. - Port 3128/tcp for Squid. - Masquerading is enabled for NAT. - Packet forwarding is enabled.

For ufw, the following rules are applied: - Allow ports 22, 80, 443, 51820, and 3128. - Default forward policy is set to ACCEPT. - Routing is allowed from the wg0 interface to the host's default interface. - The firewall is enabled.

Custom iptables rules are managed via a systemd service unit (wg-iptables.service) to handle NAT and forwarding for the WireGuard subnet 10.252.1.0/24.

Proxy Servers

Nginx acts as a reverse proxy for the WireGuard UI application. It listens on port 443 for HTTPS traffic and port 80 for HTTP (redirected or used for validation).

  • SSL Configuration: Nginx uses Let's Encrypt certificates stored in /etc/letsencrypt/live/. The configuration includes ssl_certificate, ssl_certificate_key, and ssl_trusted_certificate paths.
  • Proxy Settings: Requests to the root location / are proxied to http://localhost:5000, which is the internal port of the WireGuard UI container.
  • Headers: The proxy forwards X-Forwarded-Host, X-Forwarded-Server, X-Real-IP, and X-Forwarded-For headers to the backend application.
  • Domain: The server block is configured to respond to a specific domain name defined by the variables prefix, server_id, and zone.

Additionally, a Squid proxy service is installed and configured via /etc/squid/squid.conf, listening on port 3128.

Docker Containers and Their Deployment

The deployment relies on Docker Compose to orchestrate the containers. The compose.yml file is located at /root/wgui/compose.yml.

To start the services, the following command is executed: 

docker compose up -d
This command is run from the /root/wgui directory. The services are configured with restart: unless-stopped to ensure they automatically restart after a system reboot or crash.

Permission Settings

File and directory permissions are set during the deployment process to ensure security and proper access:

  • Directories /data, /data/wgui/, /root/wgui, /data/nginx/, and /data/nginx/user_conf.d are owned by root with mode 0640.
  • The Squid configuration file /etc/squid/squid.conf is owned by root with mode 0644.
  • The Docker Compose file /root/wgui/compose.yml is owned by root with mode 0644.
  • The Nginx configuration file in /data/nginx/user_conf.d/ is owned by root with mode 0644.
  • The Nginx environment file /data/nginx/nginx-certbot.env is owned by root with mode 0644.

Starting, Stopping, and Updating

The application services are managed via Docker Compose.

  • Start: To start the services, run docker compose up -d in the /root/wgui directory.
  • Stop: To stop the services, run docker compose down in the /root/wgui directory.
  • Update: To update the application to the latest version, pull the new images and restart the containers: 
    docker compose pull
docker compose up -d

The Squid proxy service is managed via systemd: - Start: systemctl start squid - Enable: systemctl enable squid

The custom iptables rules for WireGuard are managed via the wg-iptables systemd service: - Start: systemctl start wg-iptables - Stop: systemctl stop wg-iptables

question_mark
Is there anything I can help you with?
question_mark
AI Assistant ×