feat: add WireGuard VPN stack #33

Merged

gortium merged 15 commits from feat/wireguard-vpn into master 2026-05-09 00:13:37 +00:00

Conversation 0 Commits 15 Files Changed 4 +86 -109

Hermes commented 2026-05-04 22:49:21 +00:00

Collaborator

Copy Link

Summary

Add WireGuard VPN server to the infrastructure using wg-easy for fast, secure VPN access.

Changes

Compose submodule update

• New vpn/ stack with wg-easy WireGuard server
• UDP port 51820 for WireGuard protocol
• Web UI on port 51821 for peer management
• NAS-backed persistence at /mnt/HoardingCow_docker_data/WireGuard

NixOS configuration

• Added vpn entry to services.dockerStacks with shared containers.env
• Opened UDP port 51820 in firewall for WireGuard protocol

Deployment Steps (after merge)

# 1. Add WG_PASSWORD to containers.env
agenix -e secrets/containers.env.age
# Add: WG_PASSWORD=your_secure_password_here

# 2. Create external network
docker network create vpn_net

# 3. Rebuild NixOS config
sudo nixos-rebuild switch --flake .#lazyworkhorse

Access

• VPN endpoint: vpn.lazyworkhorse.net:51820 (UDP)
• Web UI: http://lazyworkhorse.net:51821 (password protected)
• Client config: Download from Web UI, import into any WireGuard client

Related

• Depends on compose PR: gortium/compose#16

## Summary Add WireGuard VPN server to the infrastructure using wg-easy for fast, secure VPN access. ## Changes ### Compose submodule update - New `vpn/` stack with wg-easy WireGuard server - UDP port 51820 for WireGuard protocol - Web UI on port 51821 for peer management - NAS-backed persistence at /mnt/HoardingCow_docker_data/WireGuard ### NixOS configuration - Added `vpn` entry to `services.dockerStacks` with shared containers.env - Opened UDP port 51820 in firewall for WireGuard protocol ## Deployment Steps (after merge) ```bash # 1. Add WG_PASSWORD to containers.env agenix -e secrets/containers.env.age # Add: WG_PASSWORD=your_secure_password_here # 2. Create external network docker network create vpn_net # 3. Rebuild NixOS config sudo nixos-rebuild switch --flake .#lazyworkhorse ``` ## Access - **VPN endpoint:** vpn.lazyworkhorse.net:51820 (UDP) - **Web UI:** http://lazyworkhorse.net:51821 (password protected) - **Client config:** Download from Web UI, import into any WireGuard client ## Related - Depends on compose PR: https://code.lazyworkhorse.net/gortium/compose/pulls/16

Hermes added 1 commit 2026-05-04 22:49:22 +00:00

feat: add WireGuard VPN stack ... 1673a56439

- Add vpn stack to services.dockerStacks
- Open UDP port 51820 for WireGuard protocol
- Update compose submodule to include vpn stack

Hermes added 1 commit 2026-05-05 01:17:24 +00:00

fix: load iptables kernel modules for WireGuard NAT ... 48245518a1

wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.

Hermes added 1 commit 2026-05-05 01:18:16 +00:00

chore: update compose submodule to linuxserver/wireguard 7d0b72a513

Hermes added 1 commit 2026-05-05 01:21:22 +00:00

chore: update compose submodule to wireguard-vpn 92bcf1cc04

Hermes added 1 commit 2026-05-05 01:21:36 +00:00

chore: update compose submodule to wireguard-vpn (fix ref) a42b2ff65d

Hermes added 1 commit 2026-05-05 01:43:45 +00:00

chore: move Hermes Dockerfile to compose repo, add WireGuard tools ... e0068260cb

- Move Dockerfile.full from infra/docker/hermes to compose/ai/Dockerfile
- Add wireguard-tools and openresolv to Hermes image
- Remove stray docker/hermes directory from infra

Hermes added 1 commit 2026-05-05 01:48:27 +00:00

chore: update compose submodule for Hermes NET_ADMIN + WireGuard Dockerfile b9289a149d

Hermes added 1 commit 2026-05-05 02:11:44 +00:00

feat: add host-level WireGuard client via networking.wireguard ... cf279c4fb0

- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at host level, all containers inherit the tunnel

Hermes added 1 commit 2026-05-05 02:12:59 +00:00

fix: remove exposed keys from comments 94a7c7195a

Hermes added 1 commit 2026-05-05 02:41:33 +00:00

fix: split tunnel on host VPN - only route 10.8.0.0/24 5c481d664a

gortium added 4 commits 2026-05-05 03:23:07 +00:00

Submodule update 9ae0f6ad62

Security fixes 5935747902

Added wireguard pass 030125ab01

Merge branch 'feat/wireguard-vpn' of ssh://code.lazyworkhorse.net:2222/gortium/infra into feat/wireguard-vpn ee96593e3d

Hermes added 1 commit 2026-05-05 03:26:54 +00:00

fix: remove dns option from wireguard config (not a valid nixos option) c53460c400

gortium merged commit 2e14069584 into master 2026-05-09 00:13:37 +00:00

gortium referenced this issue from a commit 2026-05-09 00:13:39 +00:00

Merge pull request 'feat: add WireGuard VPN stack' (#33) from feat/wireguard-vpn into master

Hermes referenced this pull request 2026-05-09 00:17:00 +00:00

Merge Plan - Prioritized for GPU Ollama Access #26

Hermes referenced this pull request 2026-05-09 00:22:22 +00:00

feat(hermes): update compose submodule for Piper TTS #34

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Hermes gortium

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: gortium/infra#33

No description provided.