veerendra2/wireguard-traefik-authelia

WireGuard + Traefik + Authelia

Docker Compose stack to deploy a WireGuard VPN server (wg-easy), Traefik as a reverse proxy to access the wg-easy UI, and Authelia for authentication.

[Logos: WireGuard, Traefik, Authelia, Watchtower]

Deployment Guide

Preparation

  1. Ensure Docker and the Docker Compose plugin are installed.

  2. Download the latest version of the source code from the release page:

    RELEASE=0.0.1
    curl -L -o wireguard-traefik-authelia-${RELEASE}.zip https://github.com/veerendra2/wireguard-traefik-authelia/archive/refs/tags/v${RELEASE}.zip
    unzip wireguard-traefik-authelia-${RELEASE}.zip
    cd wireguard-traefik-authelia-${RELEASE}
  3. Generate a password hash for each Authelia user (Authelia stores only the hash, never the password itself):

    docker run --rm authelia/authelia:latest \
       authelia crypto hash generate argon2 \
       --password 'YOUR_PASSWORD'
  4. Update the Authelia users configuration in ./config/users_database.yml, pasting the complete hash string printed in the previous step (including its leading $argon2id$ prefix) as the password value:

    users:
      your-user-name:
        disabled: false
        displayname: "Your Display Name"
        password: "<generated-password-hash>"
        email: "root@localhost"
  5. Open the following ports on your server: 80 and 443 for Traefik, 51820 for WireGuard itself, and 22 for SSH access to the host:

    • 80 (TCP)
    • 443 (TCP)
    • 22 (TCP)
    • 51820 (UDP)
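
The following pre-deployment lint for the users_database.yml from step 4 is an added example and is not part of the repository. It assumes the flat file layout shown in step 4 (no full YAML parser), treats 64 MiB of memory and 3 iterations as a locally chosen minimum for argon2id (Authelia's own defaults may differ), and constructs its sample file inline. The function names check_argon2_hash and check_users_db are this example's own.

```sh
#!/bin/sh
# Added example, not part of the veerendra2/wireguard-traefik-authelia repo:
# lint config/users_database.yml before deploying so that a placeholder,
# plaintext password or weak argon2 hash never reaches a public Authelia.

# check_argon2_hash PHC
# Succeeds only for an argon2id hash in PHC string format whose memory cost
# and iteration count meet an assumed local minimum (64 MiB, 3 passes).
check_argon2_hash() {
  phc=$1
  case "$phc" in
    '$argon2id$v=19$m='*',t='*',p='*'$'*'$'*) ;;
    *) echo "not an argon2id PHC hash: $phc" >&2; return 1 ;;
  esac
  params=$(printf '%s' "$phc" | cut -d '$' -f 4)          # e.g. m=65536,t=3,p=4
  m=$(printf '%s' "$params" | sed -n 's/.*m=\([0-9]*\).*/\1/p')
  t=$(printf '%s' "$params" | sed -n 's/.*t=\([0-9]*\).*/\1/p')
  [ -n "$m" ] && [ -n "$t" ] || { echo "malformed parameters: $params" >&2; return 1; }
  [ "$m" -ge 65536 ] || { echo "memory cost too low: m=$m KiB" >&2; return 1; }
  [ "$t" -ge 3 ] || { echo "too few iterations: t=$t" >&2; return 1; }
  return 0
}

# check_users_db FILE
# Pulls every "password:" value out of the flat users_database.yml layout the
# guide uses and checks each one. The exit status is the number of users that
# failed, so 0 means the file is safe to deploy.
check_users_db() {
  bad=0
  while IFS= read -r line; do
    value=$(printf '%s\n' "$line" |
      sed -n 's/^[[:space:]]*password:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p')
    [ -n "$value" ] || continue
    check_argon2_hash "$value" || bad=$((bad + 1))
  done < "$1"
  return "$bad"
}

# Constructed sample: alice's hash is well-formed (salt and hash bytes are
# dummy base64), bob still carries the placeholder from step 4 of the guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
users:
  alice:
    disabled: false
    displayname: "Alice"
    password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"
    email: "alice@localhost"
  bob:
    disabled: false
    displayname: "Bob"
    password: "<generated-password-hash>"
    email: "bob@localhost"
EOF

failed=0
check_users_db "$sample" || failed=$?
rm -f "$sample"
if [ "$failed" -eq 0 ]; then
  echo "users_database.yml: all password hashes look sane"
else
  echo "users_database.yml: $failed user(s) still need a real argon2id hash" >&2
fi
```

Run it against the real file with `check_users_db ./config/users_database.yml` after sourcing the script; the per-user reasons go to stderr, so the check can also sit in a CI job or a pre-commit hook that keeps an unhashed credential from ever being committed.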

Deploying the Stack

This setup has been tested with DuckDNS and Cloudflare. It should work with other DNS providers given the corresponding configuration.

DuckDNS

  1. Log in to DuckDNS and retrieve your token.

  2. Create a subdomain and add your server's IP address.

  3. Export the required environment variables and start the Docker stack:

    export MY_PROVIDER="duckdns"
    export MY_DOMAIN="YOUR_SUB_DOMAIN.duckdns.org"
    export DUCKDNS_TOKEN="MY_DUCKDNS_TOKEN"
    
    docker compose up -d

Cloudflare

  1. Log in to Cloudflare and navigate to your domain.

  2. Click on "DNS" and add the following subdomains as "A" records, pointing to your server's IP address:

    • wg.<YOUR_SUB_DOMAIN>
    • auth.<YOUR_SUB_DOMAIN>
    • <YOUR_SUB_DOMAIN>

    For example, if <YOUR_SUB_DOMAIN> is xyz, the three A records are wg.xyz, auth.xyz and xyz, each pointing to your server's IP address.

    Note: Leave the Cloudflare proxy disabled ("DNS only", grey cloud) on these records so that the hostnames resolve directly to your server; Cloudflare's HTTP proxy would sit in front of Traefik and cannot carry WireGuard's UDP traffic.

  3. To generate a Cloudflare API token:

    • Go to "Profile" → "API Token" → Click "Create Token".
    • Scroll down and click "Get started" under "Custom token".
    • Assign only the permissions the DNS challenge needs (for Cloudflare that is Zone:Read and DNS:Edit, scoped to the specific zone) rather than a broad account-wide token.

  4. Export the required environment variables and start the Docker stack:

    export MY_PROVIDER="cloudflare"
    export MY_DOMAIN="YOUR_SUB_DOMAIN.YOUR_DOMAIN_NAME.com"
    export CLOUDFLARE_DNS_API_TOKEN="MY_CLOUDFLARE_TOKEN"
    
    docker compose up -d
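
For the export-then-`docker compose up -d` step of both the DuckDNS and Cloudflare paths, here is an added pre-flight check (example code, not the project's own). It relies only on the variable names used in this guide (MY_PROVIDER, MY_DOMAIN, DUCKDNS_TOKEN, CLOUDFLARE_DNS_API_TOKEN) and on the placeholder strings the guide uses; the function names preflight and preflight_env are this example's own.

```sh
#!/bin/sh
# Added example, not part of the veerendra2/wireguard-traefik-authelia repo:
# pre-flight check to run just before `docker compose up -d`. It refuses to
# proceed while MY_PROVIDER, MY_DOMAIN or the provider token is unset, still
# holds a placeholder copied from this guide, or does not match the provider.

# preflight PROVIDER DOMAIN TOKEN
# Pure function over its arguments (easy to test); returns 0 when deployment
# can proceed and prints one reason per failure to stderr otherwise.
preflight() {
  provider=$1 domain=$2 token=$3
  case "$domain" in
    ''|*YOUR_SUB_DOMAIN*|*YOUR_DOMAIN_NAME*)
      echo "MY_DOMAIN is empty or still a README placeholder: '$domain'" >&2; return 1 ;;
  esac
  case "$token" in
    ''|MY_DUCKDNS_TOKEN|MY_CLOUDFLARE_TOKEN)
      echo "provider token is empty or still the README placeholder" >&2; return 1 ;;
  esac
  case "$provider" in
    duckdns)
      case "$domain" in
        *.duckdns.org) ;;
        *) echo "with duckdns, MY_DOMAIN must end in .duckdns.org: '$domain'" >&2; return 1 ;;
      esac ;;
    cloudflare)
      case "$domain" in
        *.*) ;;
        *) echo "with cloudflare, MY_DOMAIN must be a full hostname: '$domain'" >&2; return 1 ;;
      esac ;;
    *)
      echo "MY_PROVIDER must be duckdns or cloudflare: '$provider'" >&2; return 1 ;;
  esac
  return 0
}

# preflight_env: feed preflight the variables the guide tells you to export,
# picking the token variable that belongs to the chosen provider so that a
# token exported for the wrong provider is noticed too.
preflight_env() {
  case "${MY_PROVIDER:-}" in
    duckdns)    tok=${DUCKDNS_TOKEN:-} ;;
    cloudflare) tok=${CLOUDFLARE_DNS_API_TOKEN:-} ;;
    *)          tok= ;;
  esac
  preflight "${MY_PROVIDER:-}" "${MY_DOMAIN:-}" "$tok"
}

if preflight_env; then
  echo "pre-flight OK: run 'docker compose up -d'"
else
  echo "pre-flight FAILED: fix the exports above, then retry" >&2
fi
```

Running the script in the same shell session where the exports were made (`. ./preflight.sh`, or simply pasting it) reports the first problem it finds; a `preflight_env && docker compose up -d` one-liner makes the check the gate for the actual deployment.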

Post-Deployment Setup

  1. Once the stack is running, visit wg.${MY_DOMAIN}; Traefik redirects you to the Authelia login page. Log in with the user you added in the preparation steps and register.

  2. After logging in, click "ADD" to set up OTP authentication.

  3. Authelia writes its identity-verification e-mail to a file instead of sending it. Retrieve the initial 2FA code from config/notification.txt:

    cat config/notification.txt

    Example Output:

    Date: 2024-07-21 14:55:11 UTC
    Recipient: Test User <[email protected]>
    Subject: Confirm your identity
    
    To confirm your identity, use the following code: TXQAT55T
    
  4. Register the OTP in your preferred authenticator app.

  5. Log in to the wg-easy UI, create your client configurations, and verify VPN connectivity (for example, by checking your public IP on whoer.net from a connected client).