Using wg-easy for Wireguard VPN

How to install wg-easy for a Wireguard VPN


Wireguard is a VPN protocol that creates a secure connection between your device and the internet. It's designed to be easy to use, fast, and secure. Wireguard uses public key cryptography to encrypt and authenticate all network traffic passing through it.

The easiest way to install Wireguard and start using it for secure internet traffic is wg-easy. This open source tool provides a web interface to create, delete, and monitor Wireguard clients and devices. Unfortunately, the web interface does not easily support HTTPS and the security of the web page overall is lacking. This guide will show you how to install and use wg-easy securely using forward SSH tunnels to access the web interface.

Installing wg-easy on Ubuntu or Debian

Update existing software

apt update
apt upgrade

Install docker

curl -sSL https://get.docker.com | sh
usermod -aG docker root

Generate wg-easy admin interface password hash

docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD'

Replace YOUR_PASSWORD with the password you want to use for the wg-easy web interface.

Download and execute the wg-easy docker container

docker run --detach --name wg-easy --env LANG=en \
--env WG_HOST=<IP_ADDRESS> --env WEBUI_HOST=0.0.0.0 \
--env PASSWORD_HASH='<PASSWORD_HASH>' \
--env WG_DEVICE=eth0 --env WG_DEFAULT_DNS=1.1.1.1 \
--env UI_TRAFFIC_STATS=true --env UI_CHART_TYPE=1 \
--env MAX_AGE=1440 --env ENABLE_PROMETHEUS_METRICS=false \
--env PORT=51821 --env WG_PORT=51820 \
--volume ~/.wg-easy:/etc/wireguard \
--publish 51820:51820/udp \
--publish 127.0.0.1:51821:51821/tcp \
--cap-add NET_ADMIN --cap-add SYS_MODULE \
--sysctl 'net.ipv4.conf.all.src_valid_mark=1' \
--sysctl 'net.ipv4.ip_forward=1' \
--restart unless-stopped ghcr.io/wg-easy/wg-easy

Replace IP_ADDRESS with the public IP address of your Ubuntu or Debian server. This is the IP address you will connect to for the VPN.

Replace PASSWORD_HASH with the bcrypt password hash you generated earlier.

Confirm the docker container started successfully

docker ps

The key security change in this configuration is the "127.0.0.1:51821:51821/tcp" port publishing. The wg-easy web interface will now listen only on 127.0.0.1 (localhost) instead of on 0.0.0.0 (all interfaces). This means the web interface only accepts connections that originate on the server itself. So...how can you access it?
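A quick way to verify that binding after the container starts is to inspect the host's TCP listeners. The following POSIX shell check is an added example, not part of the original guide or of the wg-easy project; it parses `ss -ltnH` output (assumed available on the server, it is part of iproute2) and reports whether every listener on the web UI port is on a loopback address. The two sample outputs are constructed so the check can be exercised without a live container.

```shell
#!/bin/sh
# Added example: confirm the wg-easy web UI (port 51821) is bound to a
# loopback address only. Feed it `ss -ltnH` output on stdin.

# Constructed `ss -ltnH` sample: UI published as 127.0.0.1:51821 (correct),
# sshd listening globally as usual.
SAMPLE_OK='LISTEN 0 4096 127.0.0.1:51821 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: UI published without the 127.0.0.1 prefix, so it is
# reachable on every IPv4 and IPv6 address of the host.
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:51821 0.0.0.0:*
LISTEN 0 4096 [::]:51821 [::]:*'

# ui_bound_locally PORT   (reads `ss -ltnH` lines from stdin)
# Exit status: 0 = every listener on PORT is loopback-only,
#              1 = at least one listener on PORT is non-loopback,
#              2 = nothing is listening on PORT at all.
ui_bound_locally() {
    port="$1"
    found=0
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        addr="${laddr%:*}"      # everything before the last ':'
        lport="${laddr##*:}"    # the port after the last ':'
        [ "$lport" = "$port" ] || continue
        found=1
        case "$addr" in
            127.*|'[::1]') ;;   # loopback: fine
            *) exposed=1 ;;     # 0.0.0.0, [::], *, or a real interface address
        esac
    done
    [ "$found" -eq 1 ] || return 2
    [ "$exposed" -eq 0 ] || return 1
    return 0
}

# Demonstration on the constructed samples. On the real server run:
#   ss -ltnH | ui_bound_locally 51821 && echo "web UI is loopback-only"
if printf '%s\n' "$SAMPLE_OK" | ui_bound_locally 51821; then
    echo "SAMPLE_OK: web UI listens on loopback only"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | ui_bound_locally 51821; then
    echo "SAMPLE_BAD: web UI is exposed beyond loopback (or not running)"
fi
```

If the check reports an exposed listener, re-run the `docker run` command above with the `127.0.0.1:` prefix on the `--publish` line for port 51821.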

Accessing wg-easy Admin Interface

We are going to use a forward SSH tunnel to access the locally hosted web interface.

SSH tunnel connection line

ssh -L 8080:127.0.0.1:51821 <username>@<host>

The -L argument will create a forward SSH tunnel. Any connections you make to port 8080 from your machine will be forwarded (and encrypted) through your SSH session and reach the 127.0.0.1:51821 endpoint on the machine you are connecting to. In this case, that endpoint is the wg-easy web interface. Try browsing to http://127.0.0.1:8080 on your machine and you will see the wg-easy web page. Using wg-easy this way will ensure the keys and passwords you send to it are encrypted without the hassle of setting up HTTPS connections or the danger of exposing admin interfaces to the public internet.

From here, you can create your first Wireguard user and use the generated QR code to add the config to your device. If you get an error from your Wireguard client when using the QR code, you can alternatively download the configuration file from wg-easy and import that file into your device.