Expose Traefik services via VPN only

Hey all,

I'm planning to expose multiple services using Traefik behind a WireGuard VPN only, to make it harder to attack them.

I already played around with it and now have a working solution: on server A the WireGuard VPN is running, and on server B the Traefik service is running, where I ipallowlist only the VPN (server A): 'traefik.http.middlewares.wireguard-ipallowlist-middleware.ipallowlist.sourcerange=IpServerA/32'.

This works as expected and is awesome, but do you see a problem with this approach? If so, how would you achieve it?

I would let Traefik just listen on an internal IP.

And/Or you could place your WireGuard (like wg-easy) and Traefik in the same Docker network.
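A concrete version of both suggestions (the OP's ipallowlist middleware plus binding Traefik only to the tunnel address), written as an added example rather than code from the thread. It assumes the Traefik host is itself a WireGuard peer with wg0 at 10.0.0.1 inside a 10.0.0.0/24 tunnel subnet, and the hostname and backend URL are placeholders.

```yaml
# --- traefik.yml (static config), constructed example ---
# Bind the entrypoint to the WireGuard interface address only, so the
# port is not reachable on the public interface at all (assumed: wg0 on
# this host has 10.0.0.1). Check with `ss -ltnp` that nothing listens on
# 0.0.0.0:443 afterwards.
entryPoints:
  websecure:
    address: "10.0.0.1:443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml

# --- /etc/traefik/dynamic.yml, constructed example ---
http:
  middlewares:
    wireguard-ipallowlist-middleware:
      ipAllowList:
        # Allow the tunnel subnet (the peers' addresses), not the VPN
        # server's public /32: a /32 on the VPN server's public address
        # admits anything that can originate traffic from that host, not
        # just VPN peers. If Traefik runs in a Docker bridge network, confirm
        # in its access log that the recorded client address is the peer's
        # tunnel IP and not the bridge gateway, or the list matches the wrong
        # address.
        sourceRange:
          - "10.0.0.0/24"
  routers:
    app:
      rule: "Host(`app.internal.example`)"   # placeholder hostname
      entryPoints:
        - websecure
      middlewares:
        - wireguard-ipallowlist-middleware
      service: app
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"           # placeholder backend
```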

Thanks for your input!

That doesn't sound bad either.

I want to be able to use this method on different services on different servers; that's why I have the separate VPN server. But yes, wg-easy will be the way to go.

The wg-easy container can also route outside of the container and Docker network.

That sounds interesting, can you elaborate on this a bit further, please?

Read the wg-easy docs; it just acts like a regular VPN when deployed on a server in a container. You can connect to local IPs, but it can also route to external IPs.

docker run -d \
  --name=wg-easy \
  -e LANG=de \
  -e WG_HOST=<🚨YOUR_SERVER_IP> \
  -e PASSWORD_HASH=<🚨YOUR_ADMIN_PASSWORD_HASH> \
  -e PORT=51821 \
  -e WG_PORT=51820 \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

It really depends on what IP range you use in the WG "client" configuration for allowed IPs.

I have two configurations: one with 10.0.0.0/24 to just connect to the server network, and one with 0.0.0.0/0 to route all IP traffic through WG and the server when traveling.