w0rng / amnezia-wg-easy

The easiest way to run WireGuard VPN + Web-based Admin UI.
Other
137 stars 18 forks source link

AmnewziaWG Easy

You have found the easiest way to install & manage WireGuard on any Linux host!

Features

Requirements

Installation

1. Install Docker

If you haven't installed Docker yet, install it by running:

curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
exit

And log in again.

2. Run AmneziaWG Easy

To automatically install & run wg-easy, simply run:

  docker run -d \
  --name=amnezia-wg-easy \
  -e LANG=en \
  -e WG_HOST=<🚨YOUR_SERVER_IP> \
  -e PASSWORD_HASH=<🚨YOUR_ADMIN_PASSWORD_HASH> \
  -e PORT=51821 \
  -e WG_PORT=51820 \
  -v ~/.amnezia-wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --device=/dev/net/tun:/dev/net/tun \
  --restart unless-stopped \
  ghcr.io/w0rng/amnezia-wg-easy

💡 Replace YOUR_SERVER_IP with your WAN IP, or a Dynamic DNS hostname.

💡 Replace YOUR_ADMIN_PASSWORD_HASH with a bcrypt password hash to log in on the Web UI. See How_to_generate_an_bcrypt_hash.md for know how generate the hash.

The Web UI will now be available on http://0.0.0.0:51821.

The Prometheus metrics will now be available on http://0.0.0.0:51821/metrics. Grafana dashboard 21733

💡 Your configuration files will be saved in ~/.amnezia-wg-easy

Options

These options can be configured by setting environment variables using -e KEY="VALUE" in the docker run command.

Env Default Example Description
PORT 51821 6789 TCP port for Web UI.
WEBUI_HOST 0.0.0.0 localhost IP address web UI binds to.
PASSWORD_HASH - $2y$05$Ci... When set, requires a password when logging in to the Web UI. See How to generate an bcrypt hash.md for know how generate the hash.
WG_HOST - vpn.myserver.com The public hostname of your VPN server.
WG_DEVICE eth0 ens6f0 Ethernet device the wireguard traffic should be forwarded through.
WG_PORT 51820 12345 The public UDP port of your VPN server. WireGuard will listen on that (othwise default) inside the Docker container.
WG_CONFIG_PORT 51820 12345 The UDP port used on Home Assistant Plugin
WG_MTU null 1420 The MTU the clients will use. Server uses default WG MTU.
WG_PERSISTENT_KEEPALIVE 0 25 Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive.
WG_DEFAULT_ADDRESS 10.8.0.x 10.6.0.x Clients IP address range.
WG_DEFAULT_DNS 1.1.1.1 8.8.8.8, 8.8.4.4 DNS server clients will use. If set to blank value, clients will not use any DNS.
WG_ALLOWED_IPS 0.0.0.0/0, ::/0 192.168.15.0/24, 10.0.1.0/24 Allowed IPs clients will use.
WG_PRE_UP ... - See config.js for the default value.
WG_POST_UP ... iptables ... See config.js for the default value.
WG_PRE_DOWN ... - See config.js for the default value.
WG_POST_DOWN ... iptables ... See config.js for the default value.
WG_ENABLE_EXPIRES_TIME false true Enable expire time for clients
LANG en de Web UI language (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi).
UI_TRAFFIC_STATS false true Enable detailed RX / TX client stats in Web UI
UI_CHART_TYPE 0 1 UI_CHART_TYPE=0 # Charts disabled, UI_CHART_TYPE=1 # Line chart, UI_CHART_TYPE=2 # Area chart, UI_CHART_TYPE=3 # Bar chart
DICEBEAR_TYPE false bottts see dicebear types
USE_GRAVATAR false true Use or not GRAVATAR service
WG_ENABLE_ONE_TIME_LINKS false true Enable display and generation of short one time download links (expire after 5 minutes)
MAX_AGE 0 1440 The maximum age of Web UI sessions in minutes. 0 means that the session will exist until the browser is closed.
UI_ENABLE_SORT_CLIENTS false true Enable UI sort clients by name
ENABLE_PROMETHEUS_METRICS false true Enable Prometheus metrics http://0.0.0.0:51821/metrics and http://0.0.0.0:51821/metrics/json
PROMETHEUS_METRICS_PASSWORD - $2y$05$Ci... If set, Basic Auth is required when requesting metrics. See How to generate an bcrypt hash.md for know how generate the hash.
JC random 5 Junk packet count — number of packets with random data that are sent before the start of the session.
JMIN 50 25 Junk packet minimum size — minimum packet size for Junk packet. That is, all randomly generated packets will have a size no smaller than Jmin.
JMAX 1000 250 Junk packet maximum size — maximum size for Junk packets.
S1 random 75 Init packet junk size — the size of random data that will be added to the init packet, the size of which is initially fixed.
S2 random 75 Response packet junk size — the size of random data that will be added to the response packet, the size of which is initially fixed.
H1 random 1234567891 Init packet magic header — the header of the first byte of the handshake. Must be < uint_max.
H2 random 1234567892 Response packet magic header — header of the first byte of the handshake response. Must be < uint_max.
H3 random 1234567893 Underload packet magic header — UnderLoad packet header. Must be < uint_max.
H4 random 1234567894 Transport packet magic header — header of the packet of the data packet. Must be < uint_max.

If you change WG_PORT, make sure to also change the exposed port.

Updating

To update to the latest version, simply run:

docker stop amnezia-wg-easy
docker rm amnezia-wg-easy
docker pull ghcr.io/w0rng/amnezia-wg-easy

And then run the docker run -d \ ... command above again.

Thanks

Based on wg-easy by Emile Nijssen.
Use integrations with AmneziaWg from amnezia-wg-easy by Viktor Yudov.