Deployment Overview of WireGuard UI on Server

Prerequisites and Basic Requirements

The deployment requires a Linux-based server with root privileges. The system must have Docker and Docker Compose installed to run the application containers. Network connectivity must be available on the public interface to allow traffic from the internet.

The following specific requirements apply:

  • Operating System: Linux distribution with systemd support.

  • Privileges: Root access is required for container management, firewall configuration, and file system permissions.

  • Domain: A domain or subdomain pointing to the server IP is required for SSL certificate generation.

  • Ports: The server must allow inbound traffic on ports 80 (HTTP), 443 (HTTPS), 51820 (UDP for WireGuard), and 3128 (TCP for Squid proxy).

FQDN of the Final Panel

The application is accessible via the following Fully Qualified Domain Name (FQDN) format on the hostkey.in domain:

ui<Server ID>.hostkey.in:443

Where <Server ID> is the unique identifier assigned to the specific server instance during the setup process.

File and Directory Structure

The deployment creates the following directory structure to store configuration files, data, and logs:

  • /data: Main data directory.

  • /data/wgui/: Storage location for the WireGuard UI database and configuration files.

  • /root/wgui/: Location of the Docker Compose file (compose.yml).

  • /data/nginx/: Directory for Nginx configurations.

  • /data/nginx/user_conf.d/: Location of custom server block configuration files.

  • /etc/squid/: Storage for the Squid proxy configuration file (squid.conf).

  • /etc/wireguard/: Mount point for WireGuard configuration files.

  • /etc/letsencrypt/: Storage for SSL certificates and private keys managed by Certbot.

Application Installation Process

The application is deployed using Docker Compose. The process involves generating a Compose file and initializing the required containers.

The primary service utilizes the ngoduykhanh/wireguard-ui:latest image. The deployment script performs the following actions:

  • Creates necessary directories and sets ownership.

  • Deploys the wireguard-ui container with host network mode to manage the wg0 interface.

  • Deploys the nginx container using the jonasal/nginx-certbot:latest image to handle reverse proxy and SSL termination.

  • Starts the Squid proxy service via systemd.

  • Executes the docker compose up -d command in the /root/wgui directory to launch the services.

Access Rights and Security

Security is enforced through firewall rules and container capabilities. The firewall configuration allows specific traffic while blocking unauthorized access.

Firewall Rules:

  • UDP port 51820 is allowed for WireGuard traffic.

  • TCP port 80 is allowed for HTTP traffic and SSL certificate validation.

  • TCP port 443 is allowed for HTTPS traffic.

  • TCP port 22 is allowed for SSH access.

  • TCP port 3128 is allowed for the Squid proxy.

  • IP forwarding is enabled to route traffic between the WireGuard interface and the public interface.

  • Masquerading is enabled to perform Source NAT (SNAT) for traffic originating from the WireGuard subnet.
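The firewall list above, expressed as a shell script. This is an added example, not the deployment's own wg-iptables.service: it prints the iptables commands for the listed ports, the forwarding rules and the SNAT masquerade, and wraps them in a oneshot systemd unit. Assumptions not stated on the page: the public interface name and the WireGuard subnet are passed in by the caller (10.252.1.0/24 follows from the 10.252.1.1/24 interface address), return traffic is admitted through conntrack, and the INPUT chain defaults to DROP (the page only says unauthorized traffic is blocked).

```shell
#!/bin/sh
# Added example, not the deployment's own wg-iptables.service unit.
# Assumptions: public interface and WireGuard subnet are arguments,
# conntrack admits return traffic, INPUT default policy is DROP.

# Emit one iptables command per line. $3 is -A (add) or -D (delete), so the
# same list serves both ExecStart and ExecStop of the unit below.
# Port 3128 is reachable from the internet per the page, so the http_access
# rules in /etc/squid/squid.conf decide who may relay through the proxy.
wg_firewall_rules() {
  pub_if="$1"; wg_subnet="$2"; action="${3:--A}"
  cat <<EOF
iptables $action INPUT -i lo -j ACCEPT
iptables $action INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables $action INPUT -p udp --dport 51820 -j ACCEPT
iptables $action INPUT -p tcp --dport 22 -j ACCEPT
iptables $action INPUT -p tcp --dport 80 -j ACCEPT
iptables $action INPUT -p tcp --dport 443 -j ACCEPT
iptables $action INPUT -p tcp --dport 3128 -j ACCEPT
iptables $action FORWARD -i wg0 -o $pub_if -s $wg_subnet -j ACCEPT
iptables $action FORWARD -i $pub_if -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat $action POSTROUTING -s $wg_subnet -o $pub_if -j MASQUERADE
EOF
}

# Render a oneshot unit: enable forwarding, add the rules, then tighten the
# default policy; ExecStop reverses the order so the host is never left with
# a DROP policy and no ACCEPT rules.
wg_iptables_unit() {
  pub_if="$1"; wg_subnet="$2"
  printf '[Unit]\nDescription=WireGuard NAT and firewall rules\n'
  printf 'After=network-online.target\nWants=network-online.target\n\n'
  printf '[Service]\nType=oneshot\nRemainAfterExit=yes\n'
  printf 'ExecStart=/sbin/sysctl -w net.ipv4.ip_forward=1\n'
  wg_firewall_rules "$pub_if" "$wg_subnet" -A | sed 's|^|ExecStart=/sbin/|'
  printf 'ExecStart=/sbin/iptables -P INPUT DROP\n'
  printf 'ExecStop=/sbin/iptables -P INPUT ACCEPT\n'
  wg_firewall_rules "$pub_if" "$wg_subnet" -D | sed 's|^|ExecStop=/sbin/|'
  printf '\n[Install]\nWantedBy=multi-user.target\n'
}

# Usage on the server (as root; eth0 is an assumed interface name):
#   wg_iptables_unit eth0 10.252.1.0/24 > /etc/systemd/system/wg-iptables.service
#   systemctl daemon-reload && systemctl enable --now wg-iptables
```

Review the generated unit with `wg_iptables_unit eth0 10.252.1.0/24` before installing it; the delete lines must mirror the add lines exactly, otherwise `systemctl stop wg-iptables` leaves stale rules behind.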

Container Security:

  • The wireguard-ui container runs with the NET_ADMIN capability to manage network interfaces.

  • The container operates in host network mode to directly interact with the host's network stack.

Docker Containers and Their Deployment

The application consists of two main containers defined in the compose.yml file located at /root/wgui/compose.yml.

  1. wireguard-ui

    • Image: ngoduykhanh/wireguard-ui:latest

    • Restart Policy: unless-stopped

    • Network Mode: host

    • Capabilities: NET_ADMIN

    • Volume Mounts:

      • /data/wgui mounted to /app/db

      • /etc/wireguard mounted to /etc/wireguard

    • Environment Variables:

      • SENDGRID_API_KEY, EMAIL_FROM_ADDRESS, EMAIL_FROM_NAME: Configuration for email notifications.

      • SESSION_SECRET: Session encryption key.

      • WGUI_USERNAME and WGUI_PASSWORD: Administrative credentials.

      • WGUI_MTU: Set to 1400.

      • WGUI_MANAGE_START and WGUI_MANAGE_RESTART: Set to true.

      • WGUI_DNS: Set to 8.8.8.8.

      • WGUI_ENDPOINT_ADDRESS: Set to the host's public IP address.

      • WGUI_SERVER_INTERFACE_ADDRESSES: Set to 10.252.1.1/24.

  2. nginx

    • Image: jonasal/nginx-certbot:latest

    • Restart Policy: unless-stopped

    • Network Mode: host

    • Volume Mounts:

      • nginx_secrets (named volume) mounted to /etc/letsencrypt.

      • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d.

    • Environment:

      • CERTBOT_EMAIL: Set to [email protected].

      • Loads environment variables from /data/nginx/nginx-certbot.env.
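The installation process and the two service definitions above, as an added example that generates compose.yml from a few parameters. This is not the deployment script's own output. One choice of this example, not stated on the page: the secret values (WGUI_USERNAME, WGUI_PASSWORD, SESSION_SECRET, SENDGRID_API_KEY, and the EMAIL_FROM_* settings) are read from an assumed /data/wgui/wgui.env file with mode 0600 instead of being written into the world-readable compose file; Compose still exposes them to the container as environment variables, as the page describes. The container names and the public IP / Certbot address parameters are also assumptions.

```shell
#!/bin/sh
# Added example, not the deployment's own script. Assumptions: secrets come
# from /data/wgui/wgui.env (0600), the caller supplies the public IP and the
# Certbot contact address, and the container names are illustrative.

write_compose_file() {
  dir="$1"            # directory that will hold compose.yml (the page uses /root/wgui)
  public_ip="$2"      # host's public IP, becomes WGUI_ENDPOINT_ADDRESS
  certbot_email="$3"  # contact address handed to Certbot
  mkdir -p "$dir"
  cat > "$dir/compose.yml" <<EOF
services:
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
    # assumed path; holds WGUI_USERNAME, WGUI_PASSWORD, SESSION_SECRET,
    # SENDGRID_API_KEY, EMAIL_FROM_ADDRESS and EMAIL_FROM_NAME (mode 0600)
    env_file:
      - /data/wgui/wgui.env
    environment:
      - WGUI_MTU=1400
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_DNS=8.8.8.8
      - WGUI_ENDPOINT_ADDRESS=$public_ip
      - WGUI_SERVER_INTERFACE_ADDRESSES=10.252.1.1/24
    volumes:
      - /data/wgui:/app/db
      - /etc/wireguard:/etc/wireguard

  nginx:
    image: jonasal/nginx-certbot:latest
    container_name: nginx
    restart: unless-stopped
    network_mode: host
    env_file:
      - /data/nginx/nginx-certbot.env
    environment:
      - CERTBOT_EMAIL=$certbot_email
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:
EOF
  chmod 0644 "$dir/compose.yml"
}

# Returns 0 when none of the secret variables is written inline in the
# compose file, 1 otherwise. The compose file is 0644 per the page, so a
# password or session secret placed in it is readable by every local user.
check_no_inline_secrets() {
  if grep -Eq '^[[:space:]]*-[[:space:]]*(WGUI_PASSWORD|SESSION_SECRET|SENDGRID_API_KEY)=' "$1"; then
    return 1
  fi
  return 0
}

# Full flow from the installation section: write the file, validate it with
# Docker Compose, then start the services. Needs docker on the host.
deploy_wgui() {
  write_compose_file /root/wgui "$1" "$2"
  check_no_inline_secrets /root/wgui/compose.yml || { echo "secrets inlined, aborting" >&2; return 1; }
  cd /root/wgui && docker compose config -q && docker compose up -d
}

# Usage on the server (values are placeholders): deploy_wgui 203.0.113.10 admin@example.com
```

`docker compose config -q` parses the file and resolves the env_file before anything is started, so a missing /data/wgui/wgui.env or a YAML indentation slip is caught before `up -d` runs.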

Proxy Servers

Nginx acts as a reverse proxy and SSL terminator for the WireGuard UI application. It listens on port 443 for HTTPS traffic and handles SSL certificate management via Certbot.

Configuration Details:

  • Listen Port: 443 (TCP) for both IPv4 and IPv6.

  • Server Name: Configured to match the FQDN ui<Server ID>.hostkey.in.

  • SSL Certificates: Loaded from /etc/letsencrypt/live/<FQDN>/.

  • Proxy Target: All traffic to the root path / is proxied to http://localhost:5000.

  • Headers: X-Forwarded-Host, X-Forwarded-Server, X-Real-IP, and X-Forwarded-For headers are passed to the backend service.

A Squid proxy is also installed and configured at /etc/squid/squid.conf, listening on port 3128.
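The Nginx server block described above, written by an added shell function into the user_conf.d directory that the jonasal/nginx-certbot image scans. This is an example, not the deployment's own configuration file. The image reads the ssl_certificate and ssl_certificate_key paths under /etc/letsencrypt/live/<name>/ to decide which certificate to request, so those paths must use the FQDN from server_name. Assumptions not on the page: the file is named <FQDN>.conf, and ssl_protocols is pinned to TLS 1.2 and 1.3.

```shell
#!/bin/sh
# Added example, not the deployment's own file. Assumptions: file name
# <FQDN>.conf, TLS 1.2/1.3 only; everything else follows the page.

write_nginx_server_block() {
  dir="$1"   # on the server: /data/nginx/user_conf.d
  fqdn="$2"  # e.g. ui<Server ID>.hostkey.in
  mkdir -p "$dir"
  # quoted heredoc keeps the nginx $variables literal; sed fills in the FQDN
  sed "s/__FQDN__/$fqdn/g" > "$dir/$fqdn.conf" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name __FQDN__;

    # paths the nginx-certbot image uses to request and renew the certificate
    ssl_certificate         /etc/letsencrypt/live/__FQDN__/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/__FQDN__/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/__FQDN__/chain.pem;
    ssl_protocols           TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    }
}
EOF
  chmod 0644 "$dir/$fqdn.conf"
}

# Print the header names a server block forwards to the backend, one per
# line, so the set can be compared against what the application expects.
list_forwarded_headers() {
  awk '/proxy_set_header/ { print $2 }' "$1"
}

# Usage on the server: write_nginx_server_block /data/nginx/user_conf.d ui<Server ID>.hostkey.in
```

After writing the file, `docker compose exec nginx nginx -t` (run in /root/wgui) checks the syntax inside the container before a restart picks it up. Because the backend on port 5000 trusts X-Real-IP and X-Forwarded-For from this proxy, port 5000 should stay bound to localhost only, as the proxy_pass target above implies.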

Permission Settings

File and directory permissions are set to ensure proper access for the services and the root user:

  • Data Directories: /data, /data/wgui/, /data/nginx/, and /data/nginx/user_conf.d are owned by root:root with mode 0640.

  • Compose File: /root/wgui/compose.yml is owned by root:root with mode 0644.

  • Nginx Configuration: Custom configuration files in /data/nginx/user_conf.d/ are owned by root:root with mode 0644.

  • Squid Configuration: /etc/squid/squid.conf is owned by root:root with mode 0644.

  • Nginx Environment File: /data/nginx/nginx-certbot.env is owned by root:root with mode 0644.
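An audit of the ownership and modes listed above, as an added shell example (not part of the deployment script). Expected values are exactly the ones the page states; the script reports each path as OK, MISMATCH or MISSING and exits non-zero on any drift. It assumes GNU or BusyBox `stat -c`.

```shell
#!/bin/sh
# Added example, not part of the deployment script. Expected owner:group and
# mode values are the ones the page lists; stat -c is assumed to exist.

# check_perm PATH OWNER:GROUP MODE -> 0 if both match, 1 on mismatch, 2 if missing
check_perm() {
  path="$1"; want_owner="$2"; want_mode="$3"
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"
    return 2
  fi
  got_owner=$(stat -c '%U:%G' "$path")
  # normalise both sides to four octal digits so 644 and 0644 compare equal
  got_mode=$(printf '%04o' "0$(stat -c '%a' "$path")")
  want_mode=$(printf '%04o' "0$want_mode")
  if [ "$got_owner" = "$want_owner" ] && [ "$got_mode" = "$want_mode" ]; then
    echo "OK       $path $got_owner $got_mode"
    return 0
  fi
  echo "MISMATCH $path expected $want_owner $want_mode, found $got_owner $got_mode"
  return 1
}

# Walk the page's permission list; returns non-zero if any entry deviates.
audit_deployment_permissions() {
  rc=0
  while read -r p owner mode; do
    check_perm "$p" "$owner" "$mode" || rc=1
  done <<EOF
/data root:root 0640
/data/wgui root:root 0640
/data/nginx root:root 0640
/data/nginx/user_conf.d root:root 0640
/root/wgui/compose.yml root:root 0644
/etc/squid/squid.conf root:root 0644
/data/nginx/nginx-certbot.env root:root 0644
EOF
  # every custom server block under user_conf.d is expected to be root:root 0644
  for f in /data/nginx/user_conf.d/*.conf; do
    [ -e "$f" ] && { check_perm "$f" root:root 0644 || rc=1; }
  done
  return $rc
}

# Usage on the server (as root): audit_deployment_permissions
```

Running the audit from cron or after each update makes a silently loosened compose file or env file visible; a MISSING line for /data/nginx/nginx-certbot.env also explains why the nginx container fails to load its environment.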

Location of Configuration Files and Data

Key configuration files and data locations are as follows:

File or Directory     Purpose                          Path
Docker Compose File   Container orchestration          /root/wgui/compose.yml
WireGuard Data        Database and configurations      /data/wgui/
Nginx Configs         Custom server blocks             /data/nginx/user_conf.d/
Squid Config          Proxy configuration              /etc/squid/squid.conf
SSL Certificates      Let's Encrypt certificates       /etc/letsencrypt/
WireGuard Configs     Interface configurations         /etc/wireguard/
Nginx Env             Nginx environment variables      /data/nginx/nginx-certbot.env
Iptables Service      Network NAT and firewall rules   /etc/systemd/system/wg-iptables.service

Available Ports for Connection

The following ports are configured and open for incoming traffic:

  • 22 (TCP): SSH access for system administration.

  • 80 (TCP): HTTP traffic, primarily for SSL certificate validation.

  • 443 (TCP): HTTPS traffic for the WireGuard UI panel.

  • 51820 (UDP): WireGuard VPN traffic.

  • 3128 (TCP): Squid proxy service.

Starting, Stopping, and Updating

Services are managed via Docker Compose and systemd.

To manage the application containers, use the following commands in the /root/wgui directory:

  • Start/Restart Services:

    cd /root/wgui
    docker compose up -d
    

  • Stop Services:

    cd /root/wgui
    docker compose down
    

  • Update Containers: To pull the latest images and restart services:

    cd /root/wgui
    docker compose pull
    docker compose up -d
    

The Squid proxy service is managed via systemd:

  • Start: systemctl start squid

  • Stop: systemctl stop squid

  • Enable on Boot: systemctl enable squid

Network routing and NAT rules are managed by the custom wg-iptables.service unit and can be controlled via:

  • Start: systemctl start wg-iptables

  • Stop: systemctl stop wg-iptables
