Note
Obfs4 Plugin: Has a lot of latency and connection drops; use the webtunnel or snowflake plugins if possible.
AmneziaWG support is fully functional but is still in development under the amneziawg branch for those who want to use AmneziaWG with WGDashboard.
Note
DOCKER INSTALL
DOCKER REPO WireGate Docker Repo
DEV (ONGOING DEBUGGING) (Has Bugs): noxcis/wiregate:acid-rain-beta-v0.4.2 docker image.
EDGE (ONGOING PROD TESTING) (Pre Release Images): noxcis/wiregate:jasper-beta docker image.
STABLE (PROD TESTED) (Stable Tested Images): noxcis/wiregate:vidar docker image.
Important
BARE METAL INSTALL
Pull the update staging branch and .... Supported distros: Ubuntu/Debian, Alpine, Fedora, Arch, SUSE, CentOS|RHEL. Other distros may be supported with manual build dependency install.
Install these packages before WireGate:
- wireguard-tools
- amneziawg linux kernel module (amneziawg-go already installed)
- iptables
- tor
- curl
- ip6tables (optional, per distro)
- tzdata
- sudo
```bash
git clone -b update-staging https://github.com/NOXCIS/Wiregate.git
cd Wiregate/Src
sudo ./wiregate.sh metal_install &&
cd ../WireGate_Built
./wiregate.sh start
```
Don't expose your dashboard :).
Wiregate Supported architectures: x86-64, arm64, armv7, armv6
Test OS: Ubuntu LTS | Debian 12
Test Device: Raspberry Pi 5 | Apple M2 | x86 CPUs
Build: Daily UTC
Show your support
Give a ⭐ if this project helped you!
WireGate is a fully automated Docker-based WireGuard & AmneziaWG VPN server deployment & management tool with an attachable intranet via Docker private networks and support for Tor as an exit proxy.
It allows users to host web or other applications on their existing server and to connect to them securely without exposing them to the open internet. This is done by using the WireGuard protocol in conjunction with Docker networks and containers. Hence applications hosted behind the WireGate private network need not expose any ports and can only be accessed via a WireGuard connection already registered to an existing server interface on the deployed WireGate instance. Secure by design, the WireGuard Dashboard & other services are only accessible on first deployment via the master configuration that is generated at install and encrypted after being output to the console.
WireGate also acts as an ISP DNS query logging bypass. By default, WireGate is configured to have minimal or no logging.
Wiregate is configured with 4 zones that peers can be added to. The zone a peer belongs to dictates the network access permissions of said peer.
Zone | Internet Access | WireGuard Dashboard Access | Docker Network Access | Peer to Peer Access |
---|---|---|---|---|
Admin | ✅ | ✅ | ✅ | ✅ |
Members | ✅ | ❌ | ✅ | ✅ |
LAN Users | ❌ | ❌ | ❌ | ✅ |
Guest | ✅ | ❌ | ❌ | ❌ |
Symbolic Network Map
To get started, run the installation script using the following command:
Note
The quick installer only supports Debian-based distros but will run on anything that runs Docker. Its main purpose is to serve as an aid to less technical users. Advanced users are expected to use the docker compose directly after using the installer to deploy.
Note
Use the installer after running the quick installer to avoid recursive downloads. The -e flag isn't required; you can just pass your environment without the flag.
Running the command below installs prerequisites and runs the terminal-based menu.
```bash
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
sudo chmod +x stackscript.sh && \
sudo ./stackscript.sh
```
Example Usage:
The last option must always be -e.
./stackscript.sh -b main -t Tor-br-snow -n {CH},{GB} -e E-P-D
The available options are:
Flag | Usage | Example |
---|---|---|
-b | for specifying a branch. | main or <branch-name-here> |
-e | for specifying Environment | E-A-D |
-t | for specifying Tor. | -t Tor-br-webtun |
-n | Tor Proxy Exit Nodes | -n {us},{ch},{gb} |
-l | Tor DNS Exit Nodes | -l {us},{ch},{gb} |
-p | WireGuard Protocol Type | -p awg for Amnezia WireGuard or -p wg for Vanilla WireGuard |
-s | Deploy State | -s static or -s dynamic |
-d | Docker In Docker | Don't use in prod, dev only. |
For more exit node options go to Tor Country codes list.
Option String | Details |
---|---|
E-A-D: | Express, AdGuard, Darkwire |
E-A-C: | Express, AdGuard, Channels |
E-P-D: | Express, Pihole, Darkwire |
E-P-C: | Express, Pihole, Channels |
A-A-D: | Advanced, AdGuard, Darkwire |
A-A-C: | Advanced, AdGuard, Channels |
A-P-D: | Advanced, Pihole, Darkwire |
A-P-C: | Advanced, Pihole, Channels |
dev : | Development Build |
help: | Display help menu |
reset: | Reset WireGate |
Option String | Details |
---|---|
off: | Disable TOR |
Tor-br-snow: | Use Tor with bridges (snowflake) |
Tor-br-webtun: | Use Tor with bridges (webtunnel) |
Tor-br-obfs4: | Use Tor with bridges (obfs4) |
Tor-snow: | Use Tor without bridges (snowflake) |
Tor-webtun: | Use Tor without bridges (webtunnel) |
Tor-obfs4: | Use Tor without bridges (obfs4) |
For more exit node options go to Tor Country codes list.
```yaml
networks:
  private_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
    attachable: true
    internal: false
    ipam:
      config:
        - subnet: 10.2.0.0/24
services:
  dnscrypt:
    depends_on: [wiregate]
    image: "noxcis/dnscrypt:latest"
    restart: unless-stopped
    container_name: dnscrypt
    volumes:
      - ./configs/dnscrypt:/config
    networks:
      private_network:
        ipv4_address: 10.2.0.42
  unbound:
    depends_on: [dnscrypt]
    image: "noxcis/unbound:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: "unbound"
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: ["CMD", "drill", "@127.0.0.1", "dnssec.works"]
      interval: 30s
      timeout: 30s
      retries: 3
      start_period: 30s
    #volumes:
    #  - "./configs/unbound:/etc/unbound/custom.conf.d"
    networks:
      private_network:
        ipv4_address: 10.2.0.200
  adguard:
    depends_on: [unbound]
    container_name: adguard
    image: adguard/adguardhome
    restart: unless-stopped
    hostname: adguard
    # Volumes store your data between container upgrades
    volumes:
      - "./configs/adguard/Data:/opt/adguardhome/work"
      - "./configs/adguard:/opt/adguardhome/conf"
    networks:
      private_network:
        ipv4_address: 10.2.0.100
  wiregate:
    image: noxcis/wiregate:vidar
    container_name: wiregate
    hostname: wiregate
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped
    volumes:
      - /lib/modules:/lib/modules:ro
      - pf_conf:/WireGate/iptable-rules/
      #- conf:/etc/wireguard
      - db:/WireGate/db
      - ./configs/dnscrypt:/WireGate/dnscrypt
      - ./configs/tor:/etc/tor/
      - ./configs/logs:/WireGate/log/
      - ./configs/master-key:/WireGate/master-key
    environment:
      #Config Path Optional
      #- WGDCONF_PATH=/etc/wireguard
      #Use Obfuscated WireGuard (AmneziaWG)
      - AMNEZIA_WG=true
      #Set Timezone
      - TZ=America/New_York
      #Tor Settings
      ##########################################################
      - WGD_TOR_PROXY=true #Enable Tor
      - WGD_TOR_EXIT_NODES={ch} #Ex. {gb},{fr}
      - WGD_TOR_DNS_EXIT_NODES={us}
      - WGD_TOR_BRIDGES=true #Enable Tor Bridges
      - WGD_TOR_PLUGIN=snowflake #OPTIONS webtunnel, obfs4, snowflake
      #WGDashboard Global Settings
      ##########################################################
      - WGD_WELCOME_SESSION=false #Prompts user account creation after first sign in.
      - WGD_AUTH_REQ=true
      #Example credentials: set your own before deploying
      - WGD_USER=admin
      - WGD_PASS=admin
      - WGD_REMOTE_ENDPOINT=0.0.0.0 #your domain or ip
      - WGD_REMOTE_ENDPOINT_PORT=80
      - WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0, ::/0
      - WGD_KEEP_ALIVE=21
      - WGD_MTU=1420
      - WGD_PORT_RANGE_STARTPORT=4430
      #DNS Settings (set to use the containers above). You can use your own DNS.
      ##########################################################
      - WGD_DNS=10.2.0.100
      - WGD_IPTABLES_DNS=10.2.0.100
    ports:
      - "4430-4433:4430-4433/udp" #UDP Interface Listen Ports For Zones
      - 8000:80/tcp #Comment out for full network lockdown, i.e. only accessible via VPN connection at http://wire.gate using config in generated ./configs/master-key folder
    sysctls: #Otherwise access the dashboard @ your-server-ip/domain:6060
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3
volumes:
  db:
  conf:
  pf_conf:
```
```yaml
networks:
  private_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
    attachable: true
    internal: false
    ipam:
      config:
        - subnet: 10.2.0.0/24
services:
  wiregate:
    #image: noxcis/wg-dashboard:chimera #Dynamic Image
    image: noxcis/wiregate:vidar #Static Image
    container_name: wiregate
    hostname: wiregate
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped
    volumes:
      - /lib/modules:/lib/modules:ro
      - pf_conf:/WireGate/iptable-rules
      - conf:/etc/wireguard
      - db:/WireGate/db
      - ./configs/tor:/etc/tor/
      - ./configs/logs:/WireGate/log/
      - ./configs/master-key:/WireGate/master-key
    environment:
      #Config Path Optional
      #- WGDCONF_PATH=/etc/wireguard
      #Use Obfuscated WireGuard (AmneziaWG)
      - AMNEZIA_WG=true
      #Set Timezone
      - TZ=America/New_York
      #Tor Settings
      ##########################################################
      - WGD_TOR_PROXY=true #Enable Tor
      - WGD_TOR_EXIT_NODES={ch} #Ex. {gb},{fr}
      - WGD_TOR_DNS_EXIT_NODES={us}
      - WGD_TOR_BRIDGES=true #Enable Tor Bridges
      - WGD_TOR_PLUGIN=snowflake #OPTIONS webtunnel, obfs4, snowflake
      #WGDashboard Global Settings
      ##########################################################
      - WGD_WELCOME_SESSION=false #Prompts user account creation after first sign in.
      - WGD_AUTH_REQ=true
      #Example credentials: set your own before deploying
      - WGD_USER=admin
      - WGD_PASS=admin
      - WGD_REMOTE_ENDPOINT=0.0.0.0 #your domain or ip
      - WGD_REMOTE_ENDPOINT_PORT=80
      - WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0, ::/0
      - WGD_KEEP_ALIVE=21
      - WGD_MTU=1420
      - WGD_PORT_RANGE_STARTPORT=4430
      #DNS Settings (set to use the containers above). You can use your own DNS.
      ##########################################################
      - WGD_DNS=1.1.1.1
      - WGD_IPTABLES_DNS=1.1.1.1
    ports:
      - "4430-4433:4430-4433/udp" #UDP Interface Listen Ports
      - 8000:80/tcp #Comment out for full network lockdown, i.e. only accessible via VPN connection at http://wire.gate using config in generated ./configs/master-key folder
    sysctls: #Otherwise access the dashboard @ your-server-ip/domain:6060
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3
volumes:
  db:
  conf:
  pf_conf:
```
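The compose files above publish the dashboard as 8000:80/tcp and set WGD_USER and WGD_PASS to admin, the two settings that the "comment out for full network lockdown" remark and the "don't expose your dashboard" warning are about. As an added example (not part of the WireGate project), this Python check reads a compose file's text and flags them before deployment; the weak-password list, the finding names and the reading of WGD_AUTH_REQ=false as "login disabled" are assumptions.

```python
import re

# Constructed sample: the wiregate service from the compose files above,
# trimmed to the keys this audit reads.
SAMPLE_COMPOSE = """\
services:
  wiregate:
    image: noxcis/wiregate:vidar
    container_name: wiregate
    environment:
      - WGD_WELCOME_SESSION=false #Prompts account creation after first sign in.
      - WGD_AUTH_REQ=true
      - WGD_USER=admin
      - WGD_PASS=admin
    ports:
      - "4430-4433:4430-4433/udp" #UDP Interface Listen Ports
      - 8000:80/tcp #Comment out for full network lockdown
    sysctls:
      - net.ipv4.ip_forward=1
"""

DASHBOARD_PORT = "80"  # container port the compose files publish as 8000:80/tcp
WEAK_PASSWORDS = {"", "admin", "password", "changeme"}  # assumed weak-value list
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _clean(value):
    """Drop a trailing ' #comment' and any surrounding quotes."""
    return re.sub(r"\s+#.*$", "", value).strip().strip("\"'")


def list_items(text, service, key):
    """Return the '- item' entries under services.<service>.<key>."""
    items, svc_indent, key_indent = [], None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out entry
        indent = len(raw) - len(raw.lstrip())
        if svc_indent is None:
            if _clean(stripped) == service + ":":
                svc_indent = indent  # entered the service block
            continue
        if indent <= svc_indent:
            break  # left the service block
        if key_indent is not None and stripped.startswith("- ") and indent >= key_indent:
            items.append(_clean(stripped[2:]))
        elif _clean(stripped) == key + ":":
            key_indent = indent
        else:
            key_indent = None  # a different key: stop collecting
    return items


def audit_wiregate(text, service="wiregate"):
    """Return (finding_id, detail) tuples for risky settings in compose text."""
    env = dict(i.split("=", 1) for i in list_items(text, service, "environment") if "=" in i)
    findings = []
    for port in list_items(text, service, "ports"):
        spec, _, proto = port.partition("/")
        parts = spec.rsplit(":", 2)  # [bind address,] [host port,] container port
        bind = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
        if (proto or "tcp") == "tcp" and parts[-1] == DASHBOARD_PORT and bind not in LOOPBACK:
            findings.append(("dashboard-published", f"{port} listens on {bind}"))
    user, password = env.get("WGD_USER", ""), env.get("WGD_PASS")
    # An unset WGD_PASS is fine: the page says credentials are then generated randomly.
    if password is not None and (password.lower() in WEAK_PASSWORDS or password == user):
        findings.append(("default-credentials", f"WGD_PASS is guessable for user {user!r}"))
    # Assumption: WGD_AUTH_REQ=false turns off the dashboard login.
    if env.get("WGD_AUTH_REQ", "true").lower() == "false":
        findings.append(("auth-disabled", "WGD_AUTH_REQ=false"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit_wiregate(SAMPLE_COMPOSE):
        print(f"[{finding_id}] {detail}")
```

Commenting out the 8000:80/tcp line, or binding it to 127.0.0.1, clears the first finding; the dashboard then stays reachable only over the VPN at http://wire.gate.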
While connected to WireGate Admins Zone:
- navigate to http://wire.gate/ to use the WireGate dashboard.
- navigate to http://ad.guard/ to use the AdGuard Dashboard
- navigate to http://pi.hole/ to use the PiHole Dashboard
- navigate to https://dark.wire/ to use the DarkWire (if configured)
The password & username are randomly generated and provided in the final output if not set manually.
Clients under the members zone cannot access the WireGuard, Pihole, or Adguard dashboards.
Note
All configs can be found in ./configs
WireGate includes the compiled binaries for the following Tor transport plugins:
- Lyrebird (meek_lite,obfs2,obfs3,obfs4,scramblesuit)
- SnowFlake
- WebTunnel
Plugin choice can be selected during installation or updated with docker compose. Also, at random intervals between 100 & 1642 seconds, WireGate will obtain a new Tor circuit if Tor is enabled.
NOTE: iptables routing is what makes proxying WireGuard peers through Tor possible.
WireGuard User Network Restrictions Tor TransPort
All Wiregate supporting configurations can be found in the Global Configs Folder.
If you need assistance, simply run:
sudo ./install.sh help
This will display the usage instructions and available options.
The code in this repo is influenced by IAmStoxe's WireHole project & the WireAdmin project.
However, the upstream projects and their authors most certainly also deserve credit for making this all possible.
- AdGuard - AdGuard
- Pihole - Pihole
- NLnetLabs - Unbound
- Kyle Harding - Distroless Unbound Docker Image
- Donald Zou - WG Dashboard (WireGuard UI)
Contributions are welcome! Feel free to fork the repository, make changes, and submit a pull request. For internet privacy and Freedom.
This project is licensed under the MIT License - see the LICENSE file for details.
Wiregate Supported architectures: x86-64, arm64, armv7
Test OS: Ubuntu LTS | Debian 12
Test Device: Raspberry Pi 5 | Apple M2 | x86 CPUs
Build: Daily
This document evaluates the difficulty of traffic correlation and deobfuscation for a privacy-focused network configuration. The setup combines multiple privacy-enhancing technologies to ensure anonymity and protect against potential adversaries attempting to analyze network traffic.
Traffic correlation involves analyzing packet timings, sizes, and patterns to identify relationships between incoming and outgoing traffic at different points on the network. Adversaries, such as ISPs, government agencies, or other actors with access to multiple parts of the network, may attempt to correlate traffic between your device and the Tor exit nodes.
Goal: WireGuard normally uses fixed headers, which could be recognizable by Deep Packet Inspection (DPI) systems. However, by using obfuscation techniques (like randomized junk headers), you ensure the WireGuard traffic appears as generic encrypted UDP traffic.
Effectiveness: The randomized headers make it nearly impossible for DPI systems to distinguish WireGuard traffic from other encrypted UDP protocols like DTLS (used by WebRTC) or QUIC (used by HTTP/3). This technique would require the adversary to perform more complex statistical analysis, rather than relying on signature-based detection.
Mathematical Complexity: Let N be the number of possible random header combinations. The obfuscation adds entropy to the headers, making the detection problem require searching a space of size O(N). The higher N, the more difficult it is to accurately detect WireGuard.
Goal: Tor provides anonymity by routing traffic through multiple hops with different Tor nodes. Tor's TransPort feature hides the traffic as if it’s normal Tor traffic without needing SOCKS proxies.
Effectiveness: Since Tor circuits are updated every 2-8 minutes and each circuit uses different Tor relays, the probability of successful correlation diminishes significantly. The use of Tor Vanguard further complicates analysis by frequently changing guards and using isolation techniques.
Mathematical Complexity: For traffic correlation, the adversary would need to match patterns between obfuscated WireGuard traffic and the Tor exit nodes. Let T denote the Tor network's size. The correlation problem involves searching a space of size O(T^n), where n is the number of Tor hops (typically 3). Given the randomized circuit rotation, it becomes a stochastic process, making the correlation require significant computational resources.
DNS requests can be a weak link in privacy if not properly obfuscated. However, WireGate's DNS chain is quite robust thanks to multi-layer DNS handling.
DNS Path: WireGuard > Pi-hole/AdGuard > Unbound > DNSCrypt > Tor SOCKS > Tor network > ODoH (Oblivious DoH).
Effectiveness: Each layer (especially DNSCrypt, Tor, and ODoH) adds encryption and anonymization. ODoH ensures that DNS queries cannot be linked back to your IP address, as Cloudflare only sees requests from the Oblivious proxy. In addition, DNS traffic is proxied through Tor before it even reaches the ODoH relay for the upstream ODoH DNS resolver.
Mathematical Complexity: An adversary would need to track the DNS queries through multiple encrypted layers, with each layer adding its own level of obfuscation. The complexity grows as O(E^n), where E is the entropy from encryption/anonymization at each layer, and n is the number of layers.
Goal: By keeping each container isolated and exposing minimal ports, you reduce the attack surface. Even if an adversary compromises one container, they would have a hard time moving laterally to others.
Mathematical Complexity: Assuming an attacker can only observe encrypted traffic and cannot perform man-in-the-middle attacks, the probability of correlating traffic across containers is low. The complexity would be proportional to O(P^C), where P is the number of ports/protocols an attacker can observe, and C is the number of containers.
The overall difficulty of traffic correlation and deobfuscation can be approximated as the combined complexity of breaking through each layer:
Difficulty ≈ O(N) × O(T^n) × O(E^n) × O(P^C)
Given the setup:
- N is large due to WireGuard obfuscation.
- T is large (thousands of Tor nodes) with n = 3 hops.
- E is high due to multiple layers of DNS encryption and anonymization.
- C is relatively small, but the adversary sees minimal exposed ports.
In practical terms, the adversary would need access to multiple points in your network and the ability to perform extensive statistical analysis over time. Given the entropy added at each stage and frequent circuit updates, the mathematical effort required scales exponentially, making traffic correlation and deobfuscation extremely difficult for most adversaries, especially those without global surveillance capabilities.
WireGate is a fully automated Docker-based VPN server deployment tool with an attachable intranet via Docker private networks and support for Tor as an exit proxy.
Wiregate uses a modified version of WG Dashboard that allows the environment to be set from the docker compose or docker run command. Below are comparisons to the other GUI dashboard options for WireGuard.
Project | Easy Setup | Client Firewall Rules | GUI | DNS Filtering | Tor Proxy | 2FA | 3FA |
---|---|---|---|---|---|---|---|
WireGate | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
WireHole | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
WG-Easy | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
WireAdmin | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
To get started, run the installation script using the following command:
Running the command below installs prerequisites and runs the terminal-based menu.
```bash
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
sudo chmod +x stackscript.sh && \
sudo ./stackscript.sh
```
The command can also accept arguments to skip the menu. BRANCH selects the target branch of the repo to pull from; it defaults to main if omitted. ARG4 is optional, see below.
```bash
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
sudo chmod +x stackscript.sh && \
sudo ./stackscript.sh [-b branch] [-r arg1] [-t arg2] [-n arg3]
```
Example Usage:
./stackscript.sh -b main -r E-P-D -t Tor-br-snow -n {CH},{GB}
The available options are:
- -b: for specifying a branch.
- -r: for specifying Resolvers.
- -t: for specifying Tor.
- -n: for specifying Exit Node.
Interactive Menu
```bash
docker run --privileged --name wiregate-dind -d -p 4430-4433:4430-4433/udp docker:dind && \
docker exec -it wiregate-dind /bin/sh -c "
apk add curl git ncurses sudo bash && \
mkdir -p /opt && cd /opt && \
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
chmod +x stackscript.sh && \
./stackscript.sh -d dind
"
```
Preset & Automated
```bash
docker run --privileged --name wiregate-dind -d -p 4430-4433:4430-4433/udp docker:dind && \
docker exec -it wiregate-dind /bin/sh -c "
apk add curl git ncurses sudo bash && \
mkdir -p /opt && cd /opt && \
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
chmod +x stackscript.sh && \
./stackscript.sh [-b branch] [-r arg1] [-t arg2] [-n arg3] -d dind
"
```
Example Usage:
./stackscript.sh -b main -r E-P-D -t Tor-br-snow -n {CH},{GB} -d dind
The available options are:
- -b: for specifying a branch.
- -r: for specifying Resolvers.
- -t: for specifying Tor.
- -n: for specifying Exit Node.
- -d: for specifying Docker in Docker.
Option String | Details |
---|---|
E-A-D: | Express, AdGuard, Darkwire |
E-A-C: | Express, AdGuard, Channels |
E-P-D: | Express, Pihole, Darkwire |
E-P-C: | Express, Pihole, Channels |
A-A-D: | Advanced, AdGuard, Darkwire |
A-A-C: | Advanced, AdGuard, Channels |
A-P-D: | Advanced, Pihole, Darkwire |
A-P-C: | Advanced, Pihole, Channels |
dev : | Development Build |
help: | Display help menu |
reset: | Reset WireGate |
Option String | Details |
---|---|
off: | Disable TOR |
Tor-br-snow: | Use Tor with bridges (snowflake) |
Tor-br-webtun: | Use Tor with bridges (webtunnel) |
Tor-br-obfs4: | Use Tor with bridges (obfs4) |
Tor-snow: | Use Tor without bridges (snowflake) |
Tor-webtun: | Use Tor without bridges (webtunnel) |
Tor-obfs4: | Use Tor without bridges (obfs4) |
Option String | Details |
---|---|
Format Example: | {US},{GB},{AU} |
Default | default |
For more exit node options go to Tor Country codes list.
Option String | Details |
---|---|
dind: | Docker in Docker Environment Setup |
```yaml
networks:
  private_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
    attachable: true
    internal: false
    ipam:
      config:
        - subnet: 10.2.0.0/24
services:
  dnscrypt:
    image: "klutchell/dnscrypt-proxy"
    restart: unless-stopped
    container_name: dnscrypt
    volumes:
      - ./Global-Configs/DnsCrypt/dnscrypt-proxy.toml:/config/dnscrypt-proxy.toml
    networks:
      private_network:
        ipv4_address: 10.2.0.42
  unbound:
    image: "klutchell/unbound:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: "unbound"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./Global-Configs/Unbound/custom-unbound.conf:/etc/unbound/custom.conf.d/custom-unbound.conf
    networks:
      private_network:
        ipv4_address: 10.2.0.200
  adguard:
    depends_on: [unbound]
    container_name: adguard
    image: adguard/adguardhome
    restart: unless-stopped
    hostname: adguard
    # Volumes store your data between container upgrades
    volumes:
      - "./Global-Configs/AdGuard/Data:/opt/adguardhome/work"
      - "./Global-Configs/AdGuard/Config:/opt/adguardhome/conf"
    networks:
      private_network:
        ipv4_address: 10.2.0.100
  wiregate:
    image: noxcis/wg-dashboard:terra-firma
    container_name: wiregate
    hostname: wiregate
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
    volumes:
      - wgd_configs:/etc/wireguard
      - wgd_db:/opt/wireguarddashboard/src/db
      - wgd_db:/opt/wireguarddashboard/src/dashboard_config
    environment:
      - TZ=UTC
      - WGD_TOR_PROXY=true
      - WGD_TOR_PLUGIN=webtunnel #OPTIONS webtunnel, obfs4, snowflake
      - WGD_TOR_BRIDGES=true
      - WGD_WELCOME_SESSION=false
      #Example credentials: set your own before deploying
      - WGD_USER=james
      - WGD_PASS=admin
      - WGD_REMOTE_ENDPOINT=192.168.1.199
      - WGD_REMOTE_ENDPOINT_PORT=80
      - WGD_DNS="10.2.0.100, 10.2.0.100"
      - WGD_IPTABLES_DNS=10.2.0.100
      - WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0
      - WGD_KEEP_ALIVE=21
      - WGD_MTU=1420
      - WGD_PORT_RANGE_STARTPORT=443
    ports:
      - "443-448:443-448/udp"
      - 8000:80/tcp #Comment Out and Compose Up for 3FA via WireGuard
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3
  darkwire:
    image: noxcis/darkwire:terra-firma
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private_network:
        ipv4_address: 10.2.0.4
volumes:
  wgd_configs:
  wgd_db:
```
To reset the deployment, use:
sudo ./install.sh reset
To run a development build, use:
sudo ./install.sh dev
While connected to WireGate Admins Zone:
- navigate to http://wire.gate/ to use the WireGuard dashboard.
- navigate to http://ad.guard/ to use the AdGuard Dashboard
- navigate to http://pi.hole/ to use the PiHole Dashboard
- navigate to https://dark.wire/ to use the DarkWire (if configured)
The password & username are randomly generated and provided in the final output if not set manually. Clients under the members zone cannot access the WireGuard, Pihole, or Adguard dashboards.