docker-socket-proxy VS wireguard-ui

I just found this the other day. You might be interested I haven't done myself yet https://github.com/Tecnativa/docker-socket-proxy

I think you could provide access to the socket using a "docker-socket-proxy" container. It allows other containers to access the docker socket, you can even control which actions are allowed and which are not. You can use a bridge network for the communication to the socket-proxy container, so the socket-proxy container does not need to map/expose any ports. In the other container you need to set the "DOCKER_HOST" env variable accordingly, e.g. "DOCKER_HOST=tcp://mydockersockerproxycontainer:2375". https://github.com/Tecnativa/docker-socket-proxy

I use the container docker socket proxy

There are Docker socket proxys (like docker-socket-proxy 😉) that are made exactly for this. You can pass only read access to the socket and even restrict what resources can be read.

So far I have Traefik set up and tested (along with some security lockdowns https://github.com/Tecnativa/docker-socket-proxy). This is working well: I can manually create containers, get a cert, dynamic hostnames, etc.

May be not necessarily: https://github.com/Tecnativa/docker-socket-proxy

Many of you might already be familiar with Tecnativa's docker-socket-proxy which says:

version: "3.7" services: traefik: image: traefik:v2.6 command: # Entrypoints configuration - --entrypoints.web.address=:80 # Docker provider configuration - --providers.docker=true # Makes sure that services have to explicitly direct Traefik to expose them - --providers.docker.exposedbydefault=false # Use the secure docker socket proxy - --providers.docker.endpoint=tcp://socket_proxy:2375 # Default docker network to use for connections to all containers - --providers.docker.network=traefik_public # Logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. - --log.level=info ports: - 80:80 networks: - traefik_public - socket_proxy restart: unless-stopped depends_on: - socket_proxy # https://github.com/traefik/whoami whoami: image: traefik/whoami:v1.7.1 labels: # Explicitly instruct Traefik to expose this service - traefik.enable=true # Router configuration ## Listen to the `web` entrypoint - traefik.http.routers.whoami_route.entrypoints=web ## Rule based on the Host of the request - traefik.http.routers.whoami_route.rule=Host(`whoami.karvounis.tutorial`) - traefik.http.routers.whoami_route.service=whoami_service # Service configuration ## 80 is the port that the whoami container is listening to - traefik.http.services.whoami_service.loadbalancer.server.port=80 networks: - traefik_public # https://github.com/Tecnativa/docker-socket-proxy # Security-enhanced proxy for the Docker Socket socket_proxy: image: tecnativa/docker-socket-proxy:latest restart: unless-stopped environment: NETWORKS: 1 SERVICES: 1 CONTAINERS: 1 TASKS: 1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro networks: - socket_proxy networks: traefik_public: external: true socket_proxy: external: true

# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui) # Please don't modify it manually, otherwise your change might get replaced. [Interface] Address = 10.25.0.1/24,2001:db8:abcd:AA10::1/60 ListenPort = 51820 PrivateKey = MTU = 1420 PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT PostUp = iptables -t nat -A POSTROUTING -s 10.25.0.0/24 -o eth0 -j MASQUERADE PostUp = iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT PostDown = Table = auto [Peer] PublicKey = PresharedKey = AllowedIPs = 10.25.0.2/32,192.168.32.0/24,192.168.56.0/24,2001:db8:abcd:aa11::/64 # AllowedIPs are for site to site connection [Peer] PublicKey = PresharedKey = AllowedIPs = 10.25.0.3/32,10.0.0.0/16,2001:db8:abcd:aa12::/64 [Peer] PublicKey = PresharedKey = AllowedIPs = 10.25.0.4/32,2001:db8:abcd:aa13::/64 [Peer] PublicKey = PresharedKey = AllowedIPs = 10.25.0.5/32,2001:db8:abcd:aa14::/64 [Peer] PublicKey = PresharedKey = AllowedIPs = 10.25.0.6/32,2001:db8:abcd:aa15::/64

My previous experience was using this wireguard-ui container, super easy to create clients, and spits out a config file and/or QR code. Couldn't be any easier and removes all of the mumbo jumbo from the client's hands. And how that I'm looking at that package again I think I could potentially map it to the router's API, assuming there is one available for the VPN configs.

Wireguard log Uname info: Linux wireguard 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 GNU/Linux 2023-08-13 22:01:40 **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. **** 2023-08-13 22:01:41 **** Server mode is selected **** 2023-08-13 22:01:41 **** PersistentKeepalive will be set for: all **** 2023-08-13 22:01:42 **** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of 78.72.85.114 **** 2023-08-13 22:01:42 **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container **** 2023-08-13 22:01:42 **** Internal subnet is set to 10.13.13.0 **** 2023-08-13 22:01:42 **** AllowedIPs for peers 0.0.0.0/0 **** 2023-08-13 22:01:42 **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. **** 2023-08-13 22:01:42 **** Server mode is selected **** 2023-08-13 22:01:42 **** No changes to parameters. Existing configs are used. **** 2023-08-13 22:01:42 [custom-init] No custom files found, skipping... 2023-08-13 22:01:46 .:53 2023-08-13 22:01:46 CoreDNS-1.10.1 2023-08-13 22:01:46 linux/amd64, go1.20.7, 2023-08-13 22:01:47 [#] ip link add wg0 type wireguard 2023-08-13 22:01:47 [#] wg setconf wg0 /dev/fd/63 2023-08-13 22:01:47 [#] ip -4 address add 10.13.13.1 dev wg0 2023-08-13 22:01:47 [#] ip link set mtu 1420 up dev wg0 2023-08-13 22:01:47 [#] ip -4 route add 10.13.13.5/32 dev wg0 2023-08-13 22:01:47 [#] ip -4 route add 10.13.13.4/32 dev wg0 2023-08-13 22:01:47 [#] ip -4 route add 10.13.13.3/32 dev wg0 2023-08-13 22:01:47 [#] ip -4 route add 10.13.13.2/32 dev wg0 2023-08-13 22:01:47 [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE 2023-08-13 22:01:47 [ls.io-init] done. wireguard ui logs 2023-08-13 21:50:03 ⇨ http server started on [::]:5000 2023-08-13 22:01:20 [#] ip link delete dev wg0 2023-08-13 22:01:21 [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE 2023-08-13 22:01:27 [#] ip link add wg0 type wireguard 2023-08-13 22:01:27 [#] wg setconf wg0 /dev/fd/63 2023-08-13 22:01:27 [#] ip -4 address add 10.252.1.0/24 dev wg0 2023-08-13 22:01:27 [#] ip link set mtu 1450 up dev wg0 2023-08-13 22:01:27 [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE 2023-08-13 22:01:29 Wireguard UI 2023-08-13 22:01:29 App Version : dev 2023-08-13 22:01:29 Git Commit : b55543f 2023-08-13 22:01:29 Git Ref : N/A 2023-08-13 22:01:29 Build Time : 08-13-2023 20:01:29 2023-08-13 22:01:29 Git Repo : https://github.com/ngoduykhanh/wireguard-ui 2023-08-13 22:01:29 Authentication : true 2023-08-13 22:01:29 Bind address : 0.0.0.0:5000 2023-08-13 22:01:29 Email from : 2023-08-13 22:01:29 Email from name : WireGuard UI 2023-08-13 22:01:29 Custom wg.conf : 2023-08-13 22:01:29 Base path : / 2023-08-13 22:01:29 ⇨ http server started on [::]:5000

you can always setup wireguard on your vps. its not that hard, this article by digital ocean article is quite thorough. That article has a lot on information so it looks harder than it actually is. You could also use something like this to help set things up faster. ive used that ui before but dont actively host it, only when i need to add peers. If you do actively host the ui make sure you dont expose it to the internet. Not because there is some security issue just because its imo not best practice. You can also use hamachi or any of the other hamachi like services

Maybe this, https://github.com/ngoduykhanh/wireguard-ui

I have 2 VPS servers running Debian 11. I have installed Wireguard, and Wureguard UI I can connect those two sites, but there is no traffic going between them. I want to create Site to site tunnel. And than later I Will also want to create Client VPN so I can use it on my laptop when needed. but currently I am not able to get any traffic between those 2 VPS servers.

A couple of days ago I stumbled upon this awesome project (https://github.com/ngoduykhanh/wireguard-ui). I immediately tried to get it running in order to access my local home network from the outside.

# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui)

Hello, i am running wireguard in a container on a raspberry4 with the docker-compose.yml from linuxserver. I'd like now to use a gui but I am stuck with the docker-compose example from ngoduykhanh / wireguard-ui

Personally, I’ve stopped using pi VPN quite a while ago. I’ve only used there console interface. Don’t know if there’s a official GUI by now. But there are a few gui alternatives available. I’ve been using this: https://github.com/ngoduykhanh/wireguard-ui