WireGuard - old-menu branch - PR 2 of 3

Paraphraser · Paraphraser · commit e0dfa3539f2f · 2021-07-13T11:17:35.000+10:00
Adds service definition from [IOTstack tutorial: Quick and Dirty WireGuard](https://gist.github.com/Paraphraser/f46014b8a27e3f878f07657d6db4490e) gist. Adds same `duck.sh` proposed in PR 1 of 3 in this PR group. Reduces the following IOTstack documents to stubs, referring to Wiki master branch versions: * Accessing-your-Device-from-the-internet.md * WireGuard.md
diff --git a/.templates/wireguard/service.yml b/.templates/wireguard/service.yml
@@ -1,24 +1,23 @@
-
   wireguard:
-    image: linuxserver/wireguard
     container_name: wireguard
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
+    image: ghcr.io/linuxserver/wireguard
+    restart: unless-stopped
     environment:
-      - PUID=1000
-      - PGID=1000
-      - TZ=Europe/Berlin
-      - SERVERURL=<enter yours>.duckdns.org #optional
-      - SERVERPORT=51820 #optional
-      - PEERS=1 #optional
-      - PEERDNS=auto #optional
-      - INTERNAL_SUBNET=100.64.0.0/24 #optional
-    volumes:
-      - ./services/wireguard/config:/config
-      - /lib/modules:/lib/modules
+    - PUID=1000
+    - PGID=1000
+    - TZ=Etc/UTC
+    - SERVERURL=your.dynamic.dns.name
+    - SERVERPORT=51820
+    - PEERS=laptop,phone,tablet
+    - PEERDNS=auto
+    - ALLOWEDIPS=0.0.0.0/0
     ports:
-      - 51820:51820/udp
+    - "51820:51820/udp"
+    volumes:
+    - ./volumes/wireguard:/config
+    - /lib/modules:/lib/modules:ro
+    cap_add:
+    - NET_ADMIN
+    - SYS_MODULE
     sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-    restart: unless-stopped
+    - net.ipv4.conf.all.src_valid_mark=1
diff --git a/docs/Accessing-your-Device-from-the-internet.md b/docs/Accessing-your-Device-from-the-internet.md
@@ -1,44 +1,3 @@
 # Accessing your device from the internet
-The challenge most of us face with remotely accessing your home network is that you don't have a static IP. From time to time the IP that your ISP assigns to you changes and it's difficult to keep up. Fortunately, there is a solution, a DynamicDNS. The section below shows you how to set up an easy to remember address that follows your public IP no matter when it changes.
 
-Secondly, how do you get into your home network? Your router has a firewall that is designed to keep the rest of the internet out of your network to protect you. Here we install a VPN and configure the firewall to only allow very secure VPN traffic in. 
-
-## DuckDNS
-If you want to have a dynamic DNS point to your Public IP I added a helper script.
-Register with duckdns.org and create a subdomain name. Then edit the `nano ~/IOTstack/duck/duck.sh` file and add your
-
-```bash
-DOMAINS="YOUR_DOMAINS"
-DUCKDNS_TOKEN="YOUR_DUCKDNS_TOKEN"
-```
-
-first test the script to make sure it works `sudo ~/IOTstack/duck/duck.sh` then `cat /var/log/duck.log`. If you get KO then something has gone wrong and you should check out your settings in the script. If you get an OK then you can do the next step. 
-
-Create a cron job by running the following command `crontab -e`
-
-You will be asked to use an editor option 1 for nano should be fine
-paste the following in the editor `*/5 * * * * sudo ~/IOTstack/duck/duck.sh >/dev/null 2>&1` then ctrl+s and ctrl+x to save
-
-Your Public IP should be updated every five minutes
-
-## PiVPN
-pimylifeup.com has an excellent tutorial on how to install [PiVPN](https://pimylifeup.com/raspberry-pi-vpn-server/)
-
-In point 17 and 18 they mention using noip for their dynamic DNS. Here you can use the DuckDNS address if you created one.
-
-Don't forget you need to open the port 1194 on your firewall. Most people won't be able to VPN from inside their network so download OpenVPN client for your mobile phone and try to connect over mobile data. ([More info.](https://en.wikipedia.org/wiki/Hairpinning))
-
-Once you activate your VPN (from your phone/laptop/work computer) you will effectively be on your home network and you can access your devices as if you were on the wifi at home.
-
-I personally use the VPN any time I'm on public wifi, all your traffic is secure.
-
-## Zerotier
-https://www.zerotier.com/
-
-Zerotier is an alternative to PiVPN that doesn't require port forwarding on your router. It does however require registering for their free tier service [here](https://my.zerotier.com/login). 
-
-Kevin Zhang has written a how to guide [here](https://iamkelv.in/blog/2017/06/zerotier.html). Just note that the install link is outdated and should be:
-```
-curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
-if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
-```
+This is the old-menu branch documentation. Please refer to [this page of the IOTstack Wiki](https://sensorsiot.github.io/IOTstack/Accessing-your-Device-from-the-internet.html).
diff --git a/docs/Containers/WireGuard.md b/docs/Containers/WireGuard.md
@@ -1,120 +1,3 @@
 # WireGuard
 
-WireGuard is a fast, modern, secure VPN tunnel. It can securely connect you to your home network, allowing you to access your home network's local services from anywhere. It can also secure your traffic when using public internet connections. 
-
-WARNING: These instructions require that you have privileges to configure your network's gateway. If you are not able to make changes to your network's firewall settings, then you will not be able to finish this setup. If you are able to make these changes, then proceed to the next steps.
-
-## Setup
-
-There are a few things to configure before starting up the WireGuard container. First, it may be necessary to set up a way to locate your home network from the internet. One way to achieve this, if you haven't done so yet, is to set up a DuckDNS account as described in the [Wiki](https://sensorsiot.github.io/IOTstack/Accessing-your-Device-from-the-internet.md) under the section DuckDNS. This address will be used in the following configuration. After configuring the service, it needs to be made accessible from outside the home network. Lastly, each device will need WireGuard installed and set up with the details of your WireGuard service. 
-
-## WireGuard Configuration 
-
-The [Custom services and overriding default settings for IOTstack](https://sensorsiot.github.io/IOTstack/Custom/) page describes how to use a `compose-override.yml` file to allow `./menu.sh` to automatically incorporate your custom configurations into the final `docker-compose.yml` file that is responsible for defining all service containers. 
-
-You will need to create the `compose-override.yml` before building your stack via `./menu.sh`. If you have already built your stack, you'll have to re-build it after creating `compose-override.yml`.
-
-Here is an example `compose-override.yml` file:
-```
-services:
-  wireguard:
-    environment:
-      - PUID=1000                                       
-      - PGID=1000                                     
-      - TZ=America/Los_Angeles                  
-      - SERVERURL=<Your-DuckDNS-account>.duckdns.org #optional 
-      - SERVERPORT=51820 #optional
-      - PEERS=3 #optional                       
-      - PEERDNS=auto #optional
-      - INTERNAL_SUBNET=100.64.0.0/24 #optional
-```
-
-The values you will probably want to change are `TZ` to your own timezone, `SERVERURL` to your own DuckDNS address and `PEERS` to set the number of devices you plan to connect to your VPN. If you also decide to edit the `SERVERPORT` value, you will also need to include a matching value in the `ports:` section as follows:
-
-```
-services:
-  wireguard:
-    environment:
-      - PUID=1000                                       
-      - PGID=1000                                     
-      - TZ=America/Los_Angeles                  
-      - SERVERURL=<Your-DuckDNS-account>.duckdns.org #optional 
-      - SERVERPORT=55555 #optional
-      - PEERS=3 #optional                       
-      - PEERDNS=auto #optional
-      - INTERNAL_SUBNET=100.64.0.0/24 #optional
-    ports:
-      - 55555:55555/udp
-```
-
-If you customize other containers, just make sure the file only says `services:` once at the beginning of the file. Once you are done, you can run `./menu.sh` to build your stack. Finally, check that your changes were successfully integrated by running:
-
-`$ cat docker-compose.yml`
-
-If everything looks good, you can run the following to start your container: `$ docker-compose up -d`
-
-## Network Configuration
-
-A typical home network will have a firewall configured that effectively blocks all incoming attempts to open a new connection with devices on the network. However, in order to use our VPN from outside of our home network (which is precisely the point of running the service!), we need to configure port fowarding to allow incoming connections to reach our device running IOTstack. This step of the configuration varies based on the specific gateway device for your network. Note that these instructions assume you have privileges to configure your gateway's firewall settings (see warning above). This section will include some tips, but if you are unsure how to do this, the best idea would be to search the web for "[YOUR DEVICE NAME] port forwarding configuration".
-
-NOTE: WireGuard uses UDP, not TCP. So make sure your port forwarding rules are for UDP only. 
-
-First, it's a good idea to check that WireGuard is at least accessible on the local network by using `nmap`:
-
-```
-$ sudo nmap -sU -p 51820 ip.of.IOTstack.device
-OR from the IOTstack device itself:
-$ sudo nmap -sU -p 51820 127.0.0.1
-
-PORT      STATE         SERVICE
-51820/udp open|filtered unknown
-MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
-```
-If your result looks similar, then WireGuard is up and running and you simply need to set up port forwarding. Notice again, that WireGuard uses UDP. 
-
-Many routers/gateways are configurable via a web interface, in which case you will only need the ip address of the device, as well as the account and password to access it. You should be able to find  your gateway's address with the following command:
-
-```
-$ ip route | grep default
-
-default via 192.168.1.1 dev eth0 proto dhcp metric 100
-```
-Then copy the ip to a browser window to configure. The login credentials may be physically printed on the device if you have never logged in or changed the default credentials. 
-
-Follow the instructions to configure UDP port forwarding for your network. Make sure that you configure only UDP port forwarding, only pointing specifically at your IOTstack device (by ip or hostname, whichever is more appropriate for your network configuration) and only for port 51820 (or whichever port you have configured for WireGuard). Remember that you are opening this port to the public internet, so be careful not to leave anything open that you're not using or point to the wrong device. Once you are finished, save your changes and test that the port is open from the internet, again using `nmap`:
-
-```
-$ sudo nmap -sU -p 51820 <your-duckdns-account>.duckdns.org
-
-PORT      STATE         SERVICE
-51820/udp open|filtered unknown
-MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
-```                                           
-If everything looks good, then the last step is to set up your devices to connect to your WireGuard service.
-
-## Device Setup
-
-Lastly, it's time to set up each device to connect to your VPN. You will need to install the WireGuard client on each device. This can be typically be done via each device's app store or package manager. For complete install instructions, see the [WireGuard Installation page](https://www.wireguard.com/install/).
-
-## QR Code Mobile Device Setup
-After the client is installed on your devices, each one needs its own WireGuard peer configuration. The easiest devices to set up are mobile devices, which can be done by using the QR codes that are automatically generated for each WireGuard PEER, as defined in the `docker-compose.yml` file. The QR codes are located in the following locations:
-
-```
-~/IOTstack/services/wireguard/config/peer1/peer1.png
-~/IOTstack/services/wireguard/config/peer2/peer2.png
-~/IOTstack/services/wireguard/config/peer3/peer3.png
-...
-```
-
-To copy the files from a Raspberry Pi onto another Linux machine for example, you can use the following command:
-
-```
-$ sudo scp pi@<Rpi-ip-address>:/home/pi/IOTstack/services/wireguard/config/peer1/peer1.png ~/peer1.png
-```
-(Hint: you can use the `scp -i` flag to specify an IdentityFile or better yet, `scp -F` flag if you have your device configured in `.ssh/config`)
-
-You can repeat this step for each peer's QR code `.png` file and then scan the QR codes in the mobile app on your devices. The devices should now be configured and able to connect to your VPN.
-
-## Setting Up Other Devices
-
-Setting up other devices is a bit more complicated. Refer to the [WireGuard Quick Start](https://www.wireguard.com/quickstart/) page or search for instructions specific to your OS. 
+This is the old-menu branch documentation. Please refer to [this page of the IOTstack Wiki](https://sensorsiot.github.io/IOTstack/Containers/WireGuard.html).
diff --git a/duck/duck.sh b/duck/duck.sh
@@ -1,6 +1,27 @@
-#!/bin/bash
-# Your comma-separated domains list
-DOMAINS="YOUR_DOMAINS"
+#!/usr/bin/env bash
+
+# Your DuckDNS domain (or comma-separated list of DuckDNS domains if you
+# have multiple domains associated with the same IP address).
+DOMAINS="YOURS.duckdns.org"
+
 # Your DuckDNS Token
 DUCKDNS_TOKEN="YOUR_DUCKDNS_TOKEN"
-curl -k -o /var/log/duck.log "https://www.duckdns.org/update?domains=${DOMAINS}&token=${DUCKDNS_TOKEN}&ip="
+
+# is this script running in the foreground or background?
+if [ "$(tty)" = "not a tty" ] ; then
+
+   # background! Assume launched by cron. Add a random delay to avoid
+   # every client contacting DuckDNS at exactly the same moment.
+   sleep $((RANDOM % 60))
+
+fi
+
+# mark the event in case this is being logged.
+echo "$(date "+%a, %d %b %Y %H:%M:%S %z") - updating DuckDNS"
+
+# Request duckdns to update your domain name with your public IP address
+curl --max-time 10 \
+   "https://www.duckdns.org/update?domains=${DOMAINS}&token=${DUCKDNS_TOKEN}&ip="
+
+# curl does not append newline so fix that
+echo ""
