chadgeary / cloudblock

Cloudblock deploys secure ad-blocking and VPN for all devices. Text and video guides included! 6 supported cloud providers, plus Ubuntu and Raspberry Pi. Cloudblock deploys Wireguard VPN, Pi-Hole DNS Ad-blocking, and DNS over HTTPS in a cloud provider - or locally - using Terraform and Ansible.
Apache License 2.0

Site-to-Site Wireguard? #65

Closed Dviros closed 2 years ago

Dviros commented 2 years ago

Hey Chad, thanks a lot for this brilliant project. I have a very niche issue: I'm currently struggling to set up a Site-to-Site VPN using Wireguard to my OPNsense. OPNsense runs a local Wireguard instance and I've set the cloud server as a peer, but I couldn't make the server connect back to the OPNsense instance.

Is it possible to run the wireguard docker with a client instance that would connect back?

Thanks again D

chadgeary commented 2 years ago

Hey @Dviros - thank you for your Azure MR; it has a couple of suggestions before approval.

RE: wireguard client

You are able to use the wireguard docker container as a wireguard client, but it will need several config changes. The cloudblock wireguard is set up as a server.

See this from the image maintainers:

Client Mode

Do not set the PEERS environment variable. Drop your client conf into the config folder as /config/wg0.conf and start the container.

If you get IPv6 related errors in the log and connection cannot be established, edit the AllowedIPs line in your peer/client wg0.conf to include only 0.0.0.0/0 and not ::/0; and restart the container.

For a cloudblock project, that would mean changing the ansible playbook section that sets up the wireguard container - ideally adding a second wireguard container (client). It would look something like this:

    - name: wireguard client directory
      file:
        path: /opt/wireguard_client
        state: directory

    # blockinfile (not file) is the module that accepts a block; create: yes
    # is needed because the file does not exist yet. The file holds a private
    # key, so keep it readable by the owner only.
    - name: wireguard client file
      blockinfile:
        path: /opt/wireguard_client/wg0.conf
        create: yes
        mode: "0600"
        block: |
          [Interface]
          Address = ...
          PrivateKey = ...
          ListenPort = 51820

          [Peer]
          PublicKey = ...
          PresharedKey = ...
          Endpoint = ...:51820
          AllowedIPs = ...

    # PEERS is deliberately not set: that is what switches the image into
    # client mode and makes it use /config/wg0.conf.
    - name: wireguard client container
      docker_container:
        name: wireguard_client
        capabilities:
          - NET_ADMIN
          - SYS_MODULE
        env:
          PUID: "1000"
          PGID: "1000"
          TZ: "Etc/UTC"
          SERVERURL: "auto"
          SERVERPORT: "51820"
          ALLOWEDIPS: "0.0.0.0/0"
          PEERDNS: "{{ docker_pihole }}"
          INTERNAL_SUBNET: "{{ wireguard_network }}"
        image: linuxserver/wireguard:latest
        networks:
          - name: cloudblock
            ipv4_address: "{{ docker_wireguard }}"
        # If the existing server container already publishes 51820/udp on this
        # host, the host-side port here must be a different one.
        ports:
          - "51820:51820/udp"
        sysctls:
          net.ipv4.conf.all.src_valid_mark: 1
        volumes:
          # docker bind-mount modes are ro/rw; "r" is not accepted
          - /opt/wireguard_client/wg0.conf:/config/wg0.conf:ro
        pull: yes
        restart_policy: "always"
        purge_networks: yes
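To fill in the elided wg0.conf above for a site-to-site link, here is an added example (not cloudblock's own code) that renders the client config and sanity-checks it against the two things that commonly break this setup: the `::/0` AllowedIPs entry the image maintainers warn about, and a missing PersistentKeepalive, without which the OPNsense side often cannot reach back through NAT. All key strings, addresses and the remote LAN are constructed placeholders.

```python
import ipaddress

# Constructed placeholder values (not real keys); substitute your own.
SAMPLE_KEYS = {"private_key": "<client-private-key>",
               "peer_public_key": "<opnsense-public-key>",
               "preshared_key": "<preshared-key>"}

def render_client_conf(address, endpoint, allowed_ips, keys, keepalive=25):
    """Client-mode wg0.conf: the client initiates, so no ListenPort is needed."""
    return "\n".join([
        "[Interface]",
        f"Address = {address}",
        f"PrivateKey = {keys['private_key']}",
        "",
        "[Peer]",
        f"PublicKey = {keys['peer_public_key']}",
        f"PresharedKey = {keys['preshared_key']}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        f"PersistentKeepalive = {keepalive}",  # keeps the NAT mapping open for return traffic
    ]) + "\n"

def parse_wg_conf(text):
    """Minimal INI-style parser that keeps repeated [Peer] sections (configparser would not)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        else:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def check_client_conf(text, remote_lan):
    """Return a list of problems for a site-to-site client config; empty means it looks sane."""
    problems, lan = [], ipaddress.ip_network(remote_lan)
    peers = [body for name, body in parse_wg_conf(text) if name == "Peer"]
    if not peers:
        return ["no [Peer] section"]
    for peer in peers:
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if any(n.version == 6 and n.prefixlen == 0 for n in nets):
            problems.append("AllowedIPs contains ::/0; drop it if the container logs IPv6 errors")
        if not any(n.version == lan.version and lan.subnet_of(n) for n in nets):
            problems.append(f"remote LAN {lan} is not covered by AllowedIPs, so it is never routed into the tunnel")
        if "Endpoint" not in peer:
            problems.append("peer has no Endpoint; a client must know where to connect")
        if "PersistentKeepalive" not in peer:
            problems.append("no PersistentKeepalive; the remote side may be unable to reach back through NAT")
    return problems
```

Write the rendered text to /opt/wireguard_client/wg0.conf (mode 0600) and run `check_client_conf` on it with your OPNsense LAN before starting the client container.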