Setup Your Own VPN With WireGuard & Caddy

Overview

medium.com blocks my country (Vietnam). Apparently, there are many spammers from Vietnam use medium to spread their content.

The solution to access medium when my country is blocked is to use a VPN. There are available solutions out there but they are not reliable. Some contain too much ads.

If you have a server running in a non-block area, you can setup your own VPN to access restricted websites services.

Why WireGuard?

WireGuard is opensource. There are desktop/mobile apps available. It’s an ideal solution, at least in my case.

Setup WireGuard Using Docker Compose

WireGuard itself has a docker image. However, setting up using WireGuard image could be challenging for beginners. There are a quicker solution: wg-easy.

Setting up WireGuard with wp-easy is actually easy.

version: "3.8"
volumes:
  etc_wireguard:

services:
  wg-easy:
    environment:
      # Change Language:
      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi)
      - LANG=en
      # ⚠️ Required:
      # Change this to your host's public address
      - WG_HOST=your_host_public_ip
      - PASSWORD=your_admin_password

    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    networks:
      - caddy-gateway
    volumes:
      - etc_wireguard:/etc/wireguard
    ports:
      - "51820:51820/udp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

networks:
  caddy-gateway:
    external: true

version: "3.8"

volumes:

  etc_wireguard:

​

services:

  wg-easy:

    environment:

      # Change Language:

      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi)

      - LANG=en

      # ⚠️ Required:

      # Change this to your host's public address

      - WG_HOST=your_host_public_ip

      - PASSWORD=your_admin_password

​

    image: ghcr.io/wg-easy/wg-easy

    container_name: wg-easy

    networks:

      - caddy-gateway

    volumes:

      - etc_wireguard:/etc/wireguard

    ports:

      - "51820:51820/udp"

    restart: unless-stopped

    cap_add:

      - NET_ADMIN

      - SYS_MODULE

    sysctls:

      - net.ipv4.ip_forward=1

      - net.ipv4.conf.all.src_valid_mark=1

​

networks:

  caddy-gateway:

    external: true

You should be able to run wg-easy using docker-compose up -d

Make sure you set a strong password (your_admin_password) and set the public IP (your_host_public_ip)

Make sure to check the log to see the service is running correctly (docker logs -f wg-easy)

Setup https domain with Caddy

As you can see in the docker compose file, I only mapped the UDP port. I didn’t map the tcp port because I want to use caddy to give the admin page a nice domain name.

If you already have Caddy up and running, setting up the forward is simple:

vpn.datmt.com {
  tls internal
  reverse_proxy wg-easy:51821
}

vpn.datmt.com {

  tls internal

  reverse_proxy wg-easy:51821

}

Here, I setup caddy to forward request to port 51821 (tcp) on wg-easy.

When I restart caddy, I can access the admin via my domain:

After entering my password, I can see the admin page:

To add a new client, simply click on new:

After that, there are several options to link your client. If you are on mobile, the simplest way is to use qr code option.

When you scan this qr with the WireGuard mobile app, you will have VPN enabled and you can access restricted websites.

Conclusion

In this post, I’ve shown you how to setup your own VPN with WiredGuard.

Đạt Trần

I build softwares that solve problems. I also love writing/documenting things I learn/want to learn.