Note
Everyone should use one of the following images:
- EDGE: noxcis/wiregate:jiaotu-beta-v0.3 docker image.
- STABLE: noxcis/wiregate:vidar docker image.
Don't expose your dashboard.
Use the static deploy state (-s static) until further notice.
WireGate supported architectures:
- x86-64
- arm64
- armv7
- armv6
Test OS: Ubuntu LTS | Debian 12
Test Device: Raspberry Pi 5 | Apple M2 | x86 CPUs
Build: Daily UTC
Show your support Give a ⭐ if this project helped you!
WireGate is a fully automated Docker-based WireGuard & AmneziaWG VPN server deployment & management tool with an attachable intranet via Docker private networks and support for Tor as an exit proxy.
It allows users to host web and other applications on their existing server and securely connect to those applications without exposing them to the open internet. This is done by using the WireGuard protocol in conjunction with Docker networks and containers. Hence applications hosted behind the WireGate private network need not expose any ports
and can only be accessed via a WireGuard connection already registered to an existing server interface on the deployed WireGate instance. Secure by design, the WireGuard dashboard & other services are only accessible on first deployment via the master configuration that is generated at install and encrypted after being output to the console.
WireGate also acts as a bypass for ISP DNS query logging. By default WireGate is configured with minimal or no logging.
Wiregate is configured with 4 zones that peers can be added to. The zone a peer belongs to dictates the network access permissions of said peer.
Zone | Internet Access | WireGuard Dashboard Access | Docker Network Access | Peer to Peer Access |
---|---|---|---|---|
Admin | ✅ | ✅ | ✅ | ✅ |
Members | ✅ | ❌ | ✅ | ✅ |
LAN Users | ❌ | ❌ | ❌ | ✅ |
Guest | ✅ | ❌ | ❌ | ❌ |
Symbolic Network Map
To get started, run the installation script using the following command:
Note
The quick installer only supports Debian-based distros but will run on anything that runs Docker. Its main purpose is to serve as an aid to less technical users. Advanced users are expected to use docker compose directly after using the installer to deploy.
Note
Use the installer after running the quick installer to avoid recursive downloads. The -e flag isn't required; you can just pass your environment without the flag.
Running the command below installs prerequisites and runs the terminal-based menu.
```shell
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
sudo chmod +x stackscript.sh && \
sudo ./stackscript.sh
```
Example usage (the last option must always be -e):
```shell
./stackscript.sh -b main -t Tor-br-snow -n {CH},{GB} -e E-P-D
```
The available options are:
Flag | Usage | Example |
---|---|---|
-b | for specifying a branch. | main or <branch-name-here> |
-e | for specifying the environment. | E-A-D |
-t | for specifying Tor. | -t Tor-br-webtun |
-n | Tor Proxy Exit Nodes | -n {us},{ch},{gb} |
-l | Tor DNS Exit Nodes | -l {us},{ch},{gb} |
-p | WireGuard Protocol Type | -p awg for Amnezia WireGuard or -p wg for vanilla WireGuard |
-s | Deploy State | -s static or -s dynamic |
-d | Docker In Docker | Don't use in prod, dev only. |
For more exit node options go to Tor Country codes list.
Environment option string (-e) | Details |
---|---|
E-A-D: | Express, AdGuard, Darkwire |
E-A-C: | Express, AdGuard, Channels |
E-P-D: | Express, Pihole, Darkwire |
E-P-C: | Express, Pihole, Channels |
A-A-D: | Advanced, AdGuard, Darkwire |
A-A-C: | Advanced, AdGuard, Channels |
A-P-D: | Advanced, Pihole, Darkwire |
A-P-C: | Advanced, Pihole, Channels |
dev : | Development Build |
help: | Display help menu |
reset: | Reset WireGate |
Tor option string (-t) | Details |
---|---|
off: | Disable TOR |
Tor-br-snow: | Use Tor with bridges (snowflake) |
Tor-br-webtun: | Use Tor with bridges (webtunnel) |
Tor-br-obfs4: | Use Tor with bridges (obfs4) |
Tor-snow: | Use Tor without bridges (snowflake) |
Tor-webtun: | Use Tor without bridges (webtunnel) |
Tor-obfs4: | Use Tor without bridges (obfs4) |
```yaml
# Full stack: WireGate plus the dnscrypt -> unbound -> AdGuard resolver chain on the private Docker network
networks:
  private_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
    attachable: true
    internal: false
    ipam:
      config:
        - subnet: 10.2.0.0/24

services:
  dnscrypt:
    depends_on: [wiregate]
    image: "noxcis/dnscrypt:latest"
    restart: unless-stopped
    container_name: dnscrypt
    volumes:
      - ./configs/dnscrypt:/config
    networks:
      private_network:
        ipv4_address: 10.2.0.42

  unbound:
    depends_on: [dnscrypt]
    image: "noxcis/unbound:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: "unbound"
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: ["CMD", "drill", "@127.0.0.1", "dnssec.works"]
      interval: 30s
      timeout: 30s
      retries: 3
      start_period: 30s
    #volumes:
    #  - "./configs/unbound:/etc/unbound/custom.conf.d"
    networks:
      private_network:
        ipv4_address: 10.2.0.200

  adguard:
    depends_on: [unbound]
    container_name: adguard
    image: adguard/adguardhome
    restart: unless-stopped
    hostname: adguard
    # Volumes store your data between container upgrades
    volumes:
      - "./configs/adguard/Data:/opt/adguardhome/work"
      - "./configs/adguard:/opt/adguardhome/conf"
    networks:
      private_network:
        ipv4_address: 10.2.0.100

  wiregate:
    image: noxcis/wiregate:vidar
    container_name: wiregate
    hostname: wiregate
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped
    volumes:
      - pf_conf:/WireGate/iptable-rules/
      #- conf:/etc/wireguard
      - db:/WireGate/db
      - ./configs/dnscrypt:/WireGate/dnscrypt
      - ./configs/tor:/etc/tor/
      - ./configs/logs:/WireGate/log/
      - ./configs/master-key:/WireGate/master-key
    environment:
      # Config path (optional)
      #- WGDCONF_PATH=/etc/wireguard
      # Use obfuscated WireGuard (AmneziaWG)
      - AMNEZIA_WG=true
      # Set timezone
      - TZ=America/New_York
      # Tor settings
      ##########################################################
      - WGD_TOR_PROXY=true                  # Enable Tor
      - WGD_TOR_EXIT_NODES={ch}             # e.g. {gb},{fr}
      - WGD_TOR_DNS_EXIT_NODES={us}
      - WGD_TOR_BRIDGES=true                # Enable Tor bridges
      - WGD_TOR_PLUGIN=snowflake            # Options: webtunnel, obfs4, snowflake
      # WGDashboard global settings
      ##########################################################
      - WGD_WELCOME_SESSION=false           # Prompts user account creation after first sign-in
      - WGD_AUTH_REQ=true
      - WGD_USER=admin
      - WGD_PASS=admin
      - WGD_REMOTE_ENDPOINT=0.0.0.0         # Your domain or IP
      - WGD_REMOTE_ENDPOINT_PORT=80
      - WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0, ::/0
      - WGD_KEEP_ALIVE=21
      - WGD_MTU=1420
      - WGD_PORT_RANGE_STARTPORT=4430
      # DNS settings (set to use the containers above); you can use your own DNS
      ##########################################################
      - WGD_DNS=10.2.0.100
      - WGD_IPTABLES_DNS=10.2.0.100
    ports:
      - "4430-4433:4430-4433/udp"           # UDP interface listen ports for zones
      - "8000:80/tcp"                       # Comment out for full network lockdown, i.e. only accessible via a VPN connection at http://wire.gate using the config in the generated ./configs/master-key folder
    sysctls:                                # Otherwise access the dashboard at your-server-ip/domain:6060
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3

volumes:
  db:
  conf:
  pf_conf:
```
```yaml
# Standalone WireGate service using an external resolver (1.1.1.1) instead of the AdGuard/Unbound containers
networks:
  private_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
    attachable: true
    internal: false
    ipam:
      config:
        - subnet: 10.2.0.0/24

services:
  wiregate:
    #image: noxcis/wg-dashboard:chimera     # Dynamic image
    image: noxcis/wiregate:vidar            # Static image
    container_name: wiregate
    hostname: wiregate
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped
    volumes:
      - pf_conf:/WireGate/iptable-rules
      - conf:/etc/wireguard
      - db:/WireGate/db
      - ./configs/tor:/etc/tor/
      - ./configs/logs:/WireGate/log/
      - ./configs/master-key:/WireGate/master-key
    environment:
      # Config path (optional)
      #- WGDCONF_PATH=/etc/wireguard
      # Use obfuscated WireGuard (AmneziaWG)
      - AMNEZIA_WG=true
      # Set timezone
      - TZ=America/New_York
      # Tor settings
      ##########################################################
      - WGD_TOR_PROXY=true                  # Enable Tor
      - WGD_TOR_EXIT_NODES={ch}             # e.g. {gb},{fr}
      - WGD_TOR_DNS_EXIT_NODES={us}
      - WGD_TOR_BRIDGES=true                # Enable Tor bridges
      - WGD_TOR_PLUGIN=snowflake            # Options: webtunnel, obfs4, snowflake
      # WGDashboard global settings
      ##########################################################
      - WGD_WELCOME_SESSION=false           # Prompts user account creation after first sign-in
      - WGD_AUTH_REQ=true
      - WGD_USER=admin
      - WGD_PASS=admin
      - WGD_REMOTE_ENDPOINT=0.0.0.0         # Your domain or IP
      - WGD_REMOTE_ENDPOINT_PORT=80
      - WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0, ::/0
      - WGD_KEEP_ALIVE=21
      - WGD_MTU=1420
      - WGD_PORT_RANGE_STARTPORT=4430
      # DNS settings (set to use the containers above); you can use your own DNS
      ##########################################################
      - WGD_DNS=1.1.1.1
      - WGD_IPTABLES_DNS=1.1.1.1
    ports:
      - "4430-4433:4430-4433/udp"           # UDP interface listen ports
      - "8000:80/tcp"                       # Comment out for full network lockdown, i.e. only accessible via a VPN connection at http://wire.gate using the config in the generated ./configs/master-key folder
    sysctls:                                # Otherwise access the dashboard at your-server-ip/domain:6060
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3

volumes:
  db:
  conf:
  pf_conf:
```
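The compose files above ship with WGD_USER/WGD_PASS set to admin, WGD_REMOTE_ENDPOINT left at the 0.0.0.0 placeholder, and the dashboard published on host port 8000, which the notes tell you to change before going live. The following check is an added example, not part of the WireGate project: it reads the service's environment and ports lists (sample values constructed from the compose file; the WGD_* names are the ones used there) and reports each setting that still needs attention.

```python
"""Audit a WireGate compose 'environment' and 'ports' block for the risks the README
warns about: default dashboard credentials, auth off, endpoint placeholder, dashboard exposed."""
import re

# Constructed sample mirroring the wiregate service in the compose file above.
SAMPLE_ENV = [
    "AMNEZIA_WG=true",
    "WGD_TOR_PROXY=true #Enable Tor",
    "WGD_AUTH_REQ=true",
    "WGD_USER=admin",
    "WGD_PASS=admin",
    "WGD_REMOTE_ENDPOINT=0.0.0.0 #your domain or ip",
    "WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0, ::/0",
]
SAMPLE_PORTS = ["4430-4433:4430-4433/udp", "8000:80/tcp"]

def parse_env(entries):
    """Turn 'KEY=VALUE #comment' items into a dict (YAML starts a comment at ' #')."""
    env = {}
    for item in entries:
        item = re.split(r"\s+#", item, maxsplit=1)[0].strip()
        key, sep, value = item.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env

def published_ports(entries):
    """Return (host, container, proto) per compose port mapping; ranges stay as text."""
    out = []
    for item in entries:
        spec, _, proto = item.strip().strip('"').partition("/")
        host, _, container = spec.rpartition(":")
        out.append((host, container, proto or "tcp"))
    return out

def audit(env_entries, port_entries):
    """Return one finding per weak setting; an empty list means the block passed."""
    env, findings = parse_env(env_entries), []
    if env.get("WGD_AUTH_REQ", "").lower() != "true":
        findings.append("WGD_AUTH_REQ is not true: dashboard login is not enforced")
    if env.get("WGD_PASS", "") in ("", "admin") or env.get("WGD_PASS") == env.get("WGD_USER"):
        findings.append("WGD_PASS is default, empty or equal to WGD_USER: set a strong password")
    if env.get("WGD_REMOTE_ENDPOINT") == "0.0.0.0":
        findings.append("WGD_REMOTE_ENDPOINT is the 0.0.0.0 placeholder: set your domain or IP")
    for host, container, proto in published_ports(port_entries):
        if container == "80" and proto == "tcp":
            findings.append(f"dashboard 80/tcp published on host port {host}: comment out for lockdown")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV, SAMPLE_PORTS) or ["no findings"]:
        print(finding)
```

Run against the shipped values it reports three findings; a block with a unique password, a real endpoint and the 8000:80 line commented out reports none.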
While connected to the WireGate Admin zone:
- navigate to http://wire.gate/ to use the WireGate dashboard.
- navigate to http://ad.guard/ to use the AdGuard dashboard.
- navigate to http://pi.hole/ to use the Pi-hole dashboard.
- navigate to https://dark.wire/ to use DarkWire (if configured).
The password & username are randomly generated and provided in the final output if not set manually.
Clients in the Members zone cannot access the WireGuard, Pi-hole, or AdGuard dashboards.
Note
All configs can be found in ./configs
WireGate includes the compiled binaries for the following Tor transport plugins:
- Lyrebird (meek_lite, obfs2, obfs3, obfs4, scramblesuit)
- Snowflake
- WebTunnel
The plugin choice can be selected during installation or updated with docker compose. Also, at random intervals between 100 & 1642 seconds, WireGate will obtain a new Tor circuit if Tor is enabled.
NOTE: iptables routing is what makes proxying WireGuard peers through Tor possible.
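The circuit renewal described above, written out as an added illustration that is not WireGate's own code: it asks Tor for a clean circuit over the control port and then waits a random 100 to 1642 seconds. It assumes Tor exposes a ControlPort at 127.0.0.1:9051 with password authentication, which the compose files on this page do not configure.

```python
"""Renew the Tor circuit the way the README describes: SIGNAL NEWNYM on the control
port, then sleep a random 100..1642 s. Illustration only, not WireGate's own code.
Assumes Tor exposes a ControlPort (127.0.0.1:9051 here) with password authentication."""
import random
import socket
import time

MIN_INTERVAL, MAX_INTERVAL = 100, 1642  # seconds, the range stated in the README

def next_interval(rng=random):
    """Delay before the next renewal, uniform over the inclusive range."""
    return rng.randint(MIN_INTERVAL, MAX_INTERVAL)

def control_command(cmd):
    """Encode one control-port command line; the protocol is CRLF-terminated."""
    return (cmd + "\r\n").encode("ascii")

def quote_password(pw):
    """AUTHENTICATE takes a quoted string; escape backslashes and double quotes."""
    return '"' + pw.replace("\\", "\\\\").replace('"', '\\"') + '"'

def reply_ok(reply):
    """A reply succeeded when its final status line starts with '250' (e.g. '250 OK')."""
    lines = [ln for ln in reply.decode("ascii", "replace").splitlines() if ln.strip()]
    return bool(lines) and lines[-1].startswith("250")

def renew_circuit(host="127.0.0.1", port=9051, password="", timeout=10):
    """Authenticate, request a new circuit and report whether Tor accepted it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(control_command("AUTHENTICATE " + quote_password(password)))
        if not reply_ok(s.recv(1024)):
            return False  # wrong password, or cookie auth configured instead
        s.sendall(control_command("SIGNAL NEWNYM"))
        accepted = reply_ok(s.recv(1024))
        s.sendall(control_command("QUIT"))
        return accepted

if __name__ == "__main__":
    while True:  # rotate until interrupted, mirroring WireGate's random schedule
        print("new circuit" if renew_circuit(password="CHANGE-ME") else "renewal failed")
        time.sleep(next_interval())
```

Tor rate-limits NEWNYM to roughly one every ten seconds, so the 100-second lower bound leaves ample margin.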
Diagrams: WireGuard User Network Restrictions; Tor TransPort
All Wiregate supporting configurations can be found in the Global Configs Folder.
If you need assistance, simply run:
```shell
sudo ./install.sh help
```
This will display the usage instructions and available options.
The code in this repo is influenced by IAmStoxe's WireHole project & the WireAdmin project.
However, the upstream projects and their authors most certainly also deserve credit for making this all possible.
- AdGuard - AdGuard
- Pi-hole - Pi-hole
- NLnetLabs - Unbound
- Kyle Harding - Distroless Unbound Docker Image
- Donald Zou - WGDashboard (WireGuard UI)
Contributions are welcome! Feel free to fork the repository, make changes, and submit a pull request. For internet privacy and Freedom.
This project is licensed under the MIT License - see the LICENSE file for details.