Select Page
VPN

WireGuard VPN on Zimaboard CasaOS

Read Article
zimaboard on a desk

by Nariman Aga-Tagiyev

Nov 11, 2022

Comments (6)

How to configure WireGuard VPN server on CasaOS

Introduction

This article will provide instructions about Configuring WireGuard VPN on ZimaBoard CasaOS.

WireGuard is an performant alternative for OpenVPN which aims to be fastersimpler, leaner, and more useful than IPsec, while avoiding the massive headache.

ZimaBoard is a small silent computer comparible to Raspberry PI, but faster and with x86 cpu. It can run both Windows, Linux based operating systemes and has quite reach interfaces making it a good option for home NAS and VPN. CasaOS runs on top of an Debian OS and provides an easy way to install and manage Docker images.

Built in App Store in the CasaOS doesn’t come with a WireGuard docker image out of the box, but it’s possible to manually install this image.

Zimaboard single board microserver

Install WireGuard Docker Image on CasaOS

First step to configure WireGuard VPN is to install the docker-wireguard image on the CasaOS using Self-Deploying-Applications as described here: Self-Deploying-Applications | ZimaBoard Docs.

Prepare docker-cli script

CasaOS can automatically generate Docker application configuration from a docker-cli command with arguments. First prepare such a command and update arguments as documented on the docker-wireguard GitHub page:

docker run -d \
--name=wireguard \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Amsterdam \
-e SERVERURL=<YOUR_HOME_PUBLIC_IP_OR_DNS_ADDRESS> `#optional` \
-e SERVERPORT=51820 `#optional` \
-e PEERS=laptop,myiphone,myandroid `#list of clients` \
-e PEERDNS=auto `#optional` \
-e INTERNAL_SUBNET=10.13.13.0 `#optional` \
-e ALLOWEDIPS=0.0.0.0/0 `#optional` \
-e LOG_CONFS=true `#optional` \
-p 51820:51820/udp \
-v /path/to/appdata/config:/config \
-v /lib/modules:/lib/modules \
--restart unless-stopped \
lscr.io/linuxserver/wireguard:latest

Note that SERVERURL is the public IP address of your home network. You can check it by searching for it on Google or here: What Is My IP? Shows Your Public IP Address – IPv4 – IPv6.

Last chapter will show how you can use DynamicDNS to avoid providing fix public IP in settings.

For each client name that you specify in the PEERS argument (myiphone, mylaptop etc..), a QR code will be generated automatically further in this process. You will need it to configure your VPN clients. 

Create a new application on CasaOS

Open CasaOS App Store and click on Custom Install on the top right corner:

CasaOS App Store
CasaOS Custom Install Docker Image

Click on the Import button on top right corner and paste your docker-cli script you prepared in the first step:

CasaOS Import Docker cli script

Once you click submit you will see that all settings of the docker container are configured automatically based on your docker-cli command arguments. Check the values and hit Install:

CasaOS WireGuard Settings

Navigate the private and public keys with QR Codes

In order to connect one of WireGuard clients to your VPN server you will need a key or a QR code that is generated during installation per PEER (one of the environment arguments). You can download official client applications here: Installation – WireGuard. For simplicity, launch the “Files” application on the CasaOS and navigate to the WireGuard app settings folder. If you used default arguments then it should be here: /DATA/AppData/wireguard/config

If your config folder is empty, you probably didn’t provide any client names in the PEERS argument list of your docker command earlier.

CasaOS files application
CasaOS WireGuard peer config files

Configure Port Forwarding on your home router

Internet traffic (UDP packages) that is redirected from your VPN client (mobile device) cannot reach your VPN Server on your local home network unless you forward incoming traffic to a port on your home router to the Zimaboard’s WireGuard VPN Server port.

Assign a fix IP to your Zimaboard in your local network

Everytime a new device is connected to your home network, a random IP address is allocated to it by the DHCP Server built in your modem/router. In order make port forwarding work, first you need to ensure that your modem/router gives out same IP address everytime Zimaboard computer is connected. It is achieved differently in each router model, but typically you can find a list of currently connected devices and click on Fix IP option. It is also called DHCP Binding.

On most router admin pages currently connected devices are displayed:

Clicking on the CasaOS device probably will show following option:

Now since the VPN server always has same IP address, you can safely configure port forwarding. Look into settings on your modem/router. It should be under Port Forwarding IPv4. Start and End port is the range of ports on which encrypted UDP traffic will be received from outside world. Mapping port is the port number on the VPN server inside your network. LAN Host is the fixed IP Address of your Zimaboard:

Install and configure WireGuard VPN Client on mobile

Install a WireGuard VPN client on your mobile phone using one of links on the official documentation: https://www.wireguard.com/install/.

Launch the app, click on + icon on top right corner and choose “Create from QR code” – should be straight forward. Use the QR Code you located in the Files on CasaOS earlier in the process.

Dynamic DNS

These days home public IP addresses tend to be the same for very long time and in theory you could just use your current home public IP address in the arguments of docker-cli command above. But to make it work always I recommend to check out dynamic dns solutions like Duck DNS (www.duckdns.org), DynDNS, NOIP.

If you configure Dynamic DNS right, every time your router/modem gets a new public DNS from your internet provider, it will udpate the third party service like DuckDNS which will right away start to point to the correct IP address.

About the Author

Nariman Aga-Tagiyev

Related Posts

No Results Found

The page you requested could not be found. Try refining your search, or use the navigation above to locate the post.

Comments

6 Comments

  1. Ace
    Ace on August 12, 2023 at 2:53 am

    Thank yoi!

    Reply
  2. r
    r on October 12, 2023 at 7:06 pm

    thanks!
    I have a problem foLLowing the instructions… the container is not generating the folder “peer_myiphone” inside the config folder.
    Do you know what can be happening?
    thanks!

    Reply
    • Nariman
      Nariman on October 30, 2023 at 9:44 am

      Hi, probably because you missed the -e PEERS argument in the docker command. There you list each client that you want to allow connection to your vpn server.

      Reply
  3. z
    z on November 9, 2023 at 7:27 pm

    I also have a problem where the config folder is empty. is there a step between the install and QR Codes creation that I’m missing? or do I put a qr code image there that will work?

    Reply
    • Nariman
      Nariman on November 21, 2023 at 4:35 pm

      Did you set correctly the argument as following in the Prepare docker-cli script section of this article: -e PEERS=laptop,myiphone,myandroid `#list of clients` \
      Official documentation also mentions how to create new qr codes for your peers, see the “Server Mode” paragraph here: https://github.com/linuxserver/docker-wireguard

      Reply
  4. Kevin
    Kevin on February 5, 2024 at 9:31 pm

    How do you add addional peers at a later time?

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *