WireGuard
Official WireGuard documentation
- Reverse proxy manager (Caddy, Nginx, Traefik)
- You can do initial set up without reverse proxy by uncommenting code (see notes in yaml file)
- WARNING: Setting up without a reverse proxy poses security risks!
- Container manager (e.g., Docker or Portainer)
- Go to App Center on UGOS and install Docker. Alternatively, you can install Portainer or other container management software.
- Create folders on NAS
- Go to Files app and navigate to docker folder
- Create a folder and name it wg-easy
- Create two subfolders within wg-easy and name them: wireguard and modules
- Docker installation
- Open Docker app
- On the left hand side, click Project and click Create button
-
- In the name field enter: wg-easy
- In the compose configuration field, paste the following yaml file
- Click Deploy button
- Portainer installation
- Login to Portainer
- On the left hand side, click Home then Live connect
- On the left hand side, click Stacks
- Click + Add stack button
- In the name field enter: wg-easy
- In the compose configuration field, paste the following yaml file
- Click Deploy the stack button
Change router settings (Disclaimer: Every router has slightly different settings. These instructions are specific to my AT&T router: AT&T BGW320-500)
- Login to router
- Click Firewall tab, NAT/Gaming tab, then Custom Services button. Add the following information to add WireGuard as a custom service. Global Port Range and Base Host Port should both be 51820. Protocol should be UDP. Name can be anything you want. Click Add button.
-
- Click Return to NAT/Gaming button. Select custom service you just created. Needed by Device field should be the name of your NAS.
-
- Click Add button. Router setup is complete!
- Optional (RECOMMENDED): Set up a reverse proxy. I used Nginx and with a free DuckDNS domain to test this out. Please see Nginx set up guide for tutorial on how to install and use Nginx.
- WARNING: Setting up without a reverse proxy poses security risks!
- Go to WireGuard web UI at [NAS IP]:51821 or domain name
- To find NAS IP, go to Control Panel -> Network -> Network connection. If IP is not static, click Edit and change to static.
- Note: If you did not set up a reverse proxy and did not uncomment the environment code in the yaml file, you will not be able to login
- Follow set up instructions. For host name, click the Suggest button and choose [Public Router IP] - IPv4 - Public. To find your public router IP, go to https://whatismyipaddress.com.
-
- Download WireGuard app on mobile device from app store
- On computer, go to WireGuard web UI at [NAS IP]:51821 or domain name and login
- To find NAS IP, go to Control Panel -> Network -> Network connection. If IP is not static, click Edit and change to static.
- Click New button and name connection
- Click on QR code button to generate QR code
- On mobile phone, click + icon in the upper right hand corner. Click Create from QR code. Allow phone to scan QR code to complete setup.
- After creating the connection, you can click on the connection and Edit to change On-demand activation. If you turn Cellular on, the VPN will automatically connect if your phone switches to cellular data. You can also do the same for your home Wi-Fi network if you turn Wi-Fi on and select Except these SSIDs and enter the name of your home Wi-Fi network.
- Client set up is complete!
- Download WireGuard app on desktop
- On computer, go to WireGuard web UI at [NAS IP]:51821 or domain name and login
- To find NAS IP, go to Control Panel -> Network -> Network connection. If IP is not static, click Edit and change to static.
- Click New button and name connection
- Click on Download button to download configuration file
- Open WireGuard on computer and click Import tunnel(s) from file button. Find file and click Import button
- After creating the connection, you can click on the connection and Edit to change On-demand activation. If you turn Wi-Fi on and select Except these SSIDs and enter the name of your home Wi-Fi network, the VPN will automatically connect if your computer switches to Wi-Fi that is not on your home network.
-
- Client set up is complete!
This was the error I received after updating UGOS, Docker app, or restarting the NAS:
modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.12.30+
ip6tables v1.8.11 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Solution (Credit to u/killbeagle on Reddit):
- On UGOS, go to Control Panel -> Terminal -> Enable SSH. Click Apply button.
-
- On desktop, open Terminal (Mac) or Command Prompt (Windows) and type the following command
ssh [admin account name]@[NAS IP] -p22and hit Enter/Return button on your keyboard.- Example:
ssh administrator@192.168.1.1 -p22
- Example:
- You be prompted to enter the password for the admin account for your NAS. Type the password in and hit Enter/Return button on your keyboard. Note: You will not see anything being typed on screen.
- Type the following command
sudo su -and hit Enter/Return button on your keyboard. You will be prompted again for your password. - Type the following command
sudo modprobe wireguardand hit Enter/Return button on your keyboard. - Type the following command
sudo nano /etc/modules-load.d/modules.confand hit Enter/Return button on your keyboard. This will open the config file. Go to the bottom of the file and add linewireguard. On your keyboard, press Ctrl + X to exit and save. You can close Terminal or Command Prompt.- Alternatively, you can use the following command:
echo "wireguard" | sudo tee -a /etc/modules
- Alternatively, you can use the following command:
- On UGOS, disable SSH (see step 1)
- Restart container in Docker on UGOS or in Portainer
