How to configure WireGuard VPN server on CasaOS
Introduction
This article explains how to configure a WireGuard VPN server on a ZimaBoard running CasaOS.
WireGuard is a performant alternative to OpenVPN that aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache.
ZimaBoard is a small, silent computer comparable to a Raspberry Pi, but faster and with an x86 CPU. It can run both Windows and Linux-based operating systems and has quite rich interfaces, making it a good option for a home NAS and VPN. CasaOS runs on top of Debian and provides an easy way to install and manage Docker images.
The built-in App Store in CasaOS doesn’t come with a WireGuard Docker image out of the box, but the image can be installed manually.
Install WireGuard Docker Image on CasaOS
The first step in configuring WireGuard VPN is to install the docker-wireguard image on CasaOS using Self-Deploying-Applications, as described here: Self-Deploying-Applications | ZimaBoard Docs.
Prepare docker-cli script
CasaOS can automatically generate Docker application configuration from a docker-cli command with arguments. First prepare such a command and update arguments as documented on the docker-wireguard GitHub page:
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Amsterdam \
  -e SERVERURL=<YOUR_HOME_PUBLIC_IP_OR_DNS_ADDRESS> `#optional` \
  -e SERVERPORT=51820 `#optional` \
  -e PEERS=laptop,myiphone,myandroid `#list of clients` \
  -e PEERDNS=auto `#optional` \
  -e INTERNAL_SUBNET=10.13.13.0 `#optional` \
  -e ALLOWEDIPS=0.0.0.0/0 `#optional` \
  -e LOG_CONFS=true `#optional` \
  -p 51820:51820/udp \
  -v /path/to/appdata/config:/config \
  -v /lib/modules:/lib/modules \
  --restart unless-stopped \
  lscr.io/linuxserver/wireguard:latest
Note that SERVERURL is the public IP address of your home network. You can check it by searching for it on Google or here: What Is My IP? Shows Your Public IP Address – IPv4 – IPv6.
The last section shows how you can use Dynamic DNS to avoid putting a fixed public IP in the settings.
For each client name that you specify in the PEERS argument (myiphone, mylaptop, etc.), a QR code is generated automatically later in this process. You will need it to configure your VPN clients.
Create a new application on CasaOS
Open the CasaOS App Store and click on Custom Install in the top right corner:
Click on the Import button in the top right corner and paste the docker-cli script you prepared in the first step:
Once you click Submit, you will see that all settings of the Docker container are configured automatically based on your docker-cli command arguments. Check the values and hit Install:
Navigate to the private and public keys and QR codes
To connect a WireGuard client to your VPN server you need a key or a QR code, which is generated during installation for each peer listed in the PEERS environment argument. You can download the official client applications here: Installation – WireGuard. For simplicity, launch the “Files” application on CasaOS and navigate to the WireGuard app settings folder. If you used the default arguments, it should be here: /DATA/AppData/wireguard/config
If your config folder is empty, you probably didn’t provide any client names in the PEERS argument list of your docker command earlier.
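The check below is an added example, not part of the original article or the docker-wireguard project. It confirms that every name passed in PEERS produced a peer_<name> folder containing a .conf and a QR .png, and flags .conf files (which hold the peer's private key) that are readable by group or others. The file layout inside each folder and the function name check_peers are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the peer folders generated by the WireGuard container.
# Assumption: one "peer_<name>" folder per PEERS entry, each holding a
# .conf file (contains the peer's private key) and a .png QR image.

# check_peers CONFIG_DIR "name1,name2,..."
# Prints one line per finding; returns 1 if anything was found, else 0.
check_peers() {
    config_dir=$1; rc=0
    old_ifs=$IFS; IFS=,
    for name in $2; do
        IFS=$old_ifs
        dir="$config_dir/peer_$name"
        if [ ! -d "$dir" ]; then
            echo "MISSING $name: no $dir (is the name in -e PEERS?)"
            rc=1; continue
        fi
        for ext in conf png; do
            if [ -z "$(find "$dir" -type f -name "*.$ext")" ]; then
                echo "INCOMPLETE $name: no .$ext file in $dir"
                rc=1
            fi
        done
        # Anyone who can read the .conf can connect as this peer.
        loose=$(find "$dir" -type f -name '*.conf' \( -perm -040 -o -perm -004 \))
        if [ -n "$loose" ]; then
            echo "PERMS $name: $loose is readable by group or others"
            rc=1
        fi
    done
    IFS=$old_ifs
    return "$rc"
}

# Constructed sample tree (placeholder files, no real keys) so this runs offline.
demo() {
    d=$(mktemp -d)
    mkdir "$d/peer_laptop" "$d/peer_myiphone"
    for p in laptop myiphone; do
        : > "$d/peer_$p/peer_$p.conf"; : > "$d/peer_$p/peer_$p.png"
    done
    chmod 600 "$d/peer_laptop/peer_laptop.conf"
    chmod 644 "$d/peer_myiphone/peer_myiphone.conf"
    check_peers "$d" "laptop,myiphone,myandroid" || echo "-> fix the findings above"
    rm -rf "$d"
}
demo
```

On CasaOS with the default arguments, call it as check_peers /DATA/AppData/wireguard/config laptop,myiphone,myandroid.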
Configure Port Forwarding on your home router
UDP packets sent over the internet by your VPN client (mobile device) cannot reach the VPN server on your local home network unless your home router forwards incoming traffic on a port to the ZimaBoard’s WireGuard VPN server port.
Assign a fixed IP to your ZimaBoard in your local network
Every time a new device connects to your home network, the DHCP server built into your modem/router allocates it a random IP address. To make port forwarding work, you first need to ensure that your modem/router gives out the same IP address every time the ZimaBoard connects. How this is done differs per router model, but typically you can find a list of currently connected devices and click on a Fix IP option. It is also called DHCP Binding.
On most router admin pages currently connected devices are displayed:
Clicking on the CasaOS device will probably show the following option:
Now that the VPN server always has the same IP address, you can safely configure port forwarding. Look in the settings of your modem/router; it should be under Port Forwarding IPv4. Start and End port define the range of ports on which encrypted UDP traffic will be received from the outside world. Mapping port is the port number on the VPN server inside your network. LAN Host is the fixed IP address of your ZimaBoard:
Install and configure WireGuard VPN Client on mobile
Install a WireGuard VPN client on your mobile phone using one of the links in the official documentation: https://www.wireguard.com/install/.
Launch the app, click on the + icon in the top right corner and choose “Create from QR code”; this should be straightforward. Use the QR code you located in Files on CasaOS earlier in the process.
Dynamic DNS
These days home public IP addresses tend to stay the same for a very long time, and in theory you could just use your current home public IP address in the arguments of the docker-cli command above. But to make it work reliably, I recommend checking out dynamic DNS solutions like Duck DNS (www.duckdns.org), DynDNS, or NOIP.
If you configure Dynamic DNS correctly, every time your router/modem gets a new public IP address from your internet provider, it will update the third-party service, such as DuckDNS, which will right away start to point to the correct IP address.
Thank you!
thanks!
I have a problem following the instructions… the container is not generating the folder “peer_myiphone” inside the config folder.
Do you know what can be happening?
thanks!
Hi, probably because you missed the -e PEERS argument in the docker command. There you list each client that you want to allow connection to your vpn server.
I also have a problem where the config folder is empty. Is there a step between the install and QR code creation that I’m missing? Or do I put a QR code image there that will work?
Did you set the argument correctly, as shown in the Prepare docker-cli script section of this article: -e PEERS=laptop,myiphone,myandroid `#list of clients` \
Official documentation also mentions how to create new qr codes for your peers, see the “Server Mode” paragraph here: https://github.com/linuxserver/docker-wireguard
How do you add additional peers at a later time?