WireGuard + Traefik + Authelia

Docker Compose stack to deploy a WireGuard VPN server (wg-easy), Traefik as a reverse proxy to access the wg-easy UI, and Authelia for authentication.

                       

Deployment Guide

Preparation

1. Ensure Docker and Docker Compose plugin are installed.

2. Download the latest version of the source code from the release page:

   RELEASE=0.0.1
   curl -L -o wireguard-traefik-authelia-${RELEASE}.zip https://github.com/veerendra2/wireguard-traefik-authelia/archive/refs/tags/v${RELEASE}.zip
   unzip wireguard-traefik-authelia-${RELEASE}.zip
   cd wireguard-traefik-authelia-${RELEASE}

3. Generate a password hash for users in Authelia:

   docker run --rm authelia/authelia:latest \
      authelia crypto hash generate argon2 \
      --password 'YOUR_PASSWORD'

4. Update the Authelia users configuration in ./config/users_database.yml:

   users:
     your-user-name:
       disabled: false
       displayname: "Your Display Name"
       password: "<generated-password-hash>"
       email: "root@localhost"

5. Open the following ports on your server for the WireGuard stack:

   • 80 (TCP)
   • 443 (TCP)
   • 22 (TCP)
   • 51820 (UDP)

Deploying the Stack

This setup has been tested with DuckDNS and Cloudflare. It should work with other DNS providers with appropriate configurations.

DuckDNS

1. Log in to DuckDNS and retrieve your token.

2. Create below subdomains and add your server's IP address.

   • wg.<SUB_DOMAIN>
   • auth.<SUB_DOMAIN>
   • <SUB_DOMAIN>

   Example: If you pick your SUB_DOMAIN=my-wireguard-server, your domains look like:

   • wg.my-wireguard-server.duckdns.org
   • auth.my-wireguard-server.duckdns.org
   • my-wireguard-server.duckdns.org

   

3. Export the required environment variables and start the Docker stack:

   export MY_PROVIDER="duckdns"
   export MY_DOMAIN="<SUB_DOMAIN>.duckdns.org"
   export DUCKDNS_TOKEN="<MY_DUCKDNS_TOKEN>"
   
   docker compose up -d

Cloudflare

1. Log in to Cloudflare and navigate to your domain.

2. Click on "DNS" and add the following subdomains as "A" records, pointing to your server's IP address:

   • wg.<SUB_DOMAIN>
   • auth.<SUB_DOMAIN>
   • <SUB_DOMAIN>

   The created subdomains should look like the screenshot below.

   Example: If <SUB_DOMAIN> is xyz and your root domain is example.com, the DNS records should look like:

   • wg.xyz.example.com
   • auth.xyz.example.com
   • xyz.example.com

   

   Note: Ensure that Cloudflare proxy is disabled while adding these subdomains, as shown below:

   

3. To generate a Cloudflare API token:

   • Go to "Profile" → "API Token" → Click "Create Token".
   • Scroll down and click "Get started" under "Custom token".
   • Assign the necessary permissions.

   

4. Export the required environment variables and start the Docker stack:

   export MY_ROOT_DOMAIN="<MY_ROOT_DOMAIN>"
   export MY_PROVIDER="cloudflare"
   export MY_DOMAIN="<SUB_DOMAIN>.${MY_ROOT_DOMAIN}"
   export CLOUDFLARE_DNS_API_TOKEN="<MY_CLOUDFLARE_TOKEN>"
   
   docker compose up -d

Post-Deployment Setup

1. Once the stack is running, visit wg.<SUB_DOMAIN>.<MY_ROOT_DOMAIN> (for DuckDNS, it should be wg.<SUB_DOMAIN>.duckdns.org), log in, and register.

   

2. After logging in, click "ADD" to set up OTP authentication.

   

3. Retrieve the initial 2FA code from config/notification.txt.

   cat config/notification.txt

   Example Output:

   Date: 2024-07-21 14:55:11 UTC
   Recipient: Test User <authelia@authelia.com>
   Subject: Confirm your identity
   
   To confirm your identity, use the following code: TXQAT55T
   

4. Register the OTP in your preferred authenticator app.

   

5. Log in, configure your clients, and verify VPN connectivity via whoer.net.