{"id":51153136,"url":"https://github.com/rafaelrpbelo/wireguard-vpn-setup","last_synced_at":"2026-06-26T08:01:49.776Z","repository":{"id":364461930,"uuid":"1268003500","full_name":"rafaelrpbelo/wireguard-vpn-setup","owner":"rafaelrpbelo","description":"Setup WireGuard VPN on any Ubuntu instance with one command.","archived":false,"fork":false,"pushed_at":"2026-06-13T05:48:04.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T06:15:13.690Z","etag":null,"topics":["self","vpn","vpn-","vpn-client"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rafaelrpbelo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-06-13T03:47:55.000Z","updated_at":"2026-06-13T05:48:07.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rafaelrpbelo/wireguard-vpn-setup","commit_stats":null,"previous_names":["rafaelrpbelo/wireguard-vpn-setup"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/rafaelrpbelo/wireguard-vpn-setup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafaelrpbelo%2Fwireguard-vpn-setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafaelrpbelo%2Fwireguard-vpn-setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafaelrpbelo%2Fwireguard-vpn-setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafaelrpbelo%2Fwireguard-vpn-setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rafaelrpbelo","download_url":"https://codeload.github.com/rafaelrpbelo/wireguard-vpn-setup/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafaelrpbelo%2Fwireguard-vpn-setup/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34808043,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["self","vpn","vpn-","vpn-client"],"created_at":"2026-06-26T08:01:48.643Z","updated_at":"2026-06-26T08:01:49.768Z","avatar_url":"https://github.com/rafaelrpbelo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Personal VPN — wg-easy + Cloudflare\n\nA self-hosted WireGuard VPN running on any Ubuntu server, with:\n- **wg-easy** for WireGuard management and web UI\n- **nginx** as reverse proxy with Let's Encrypt SSL\n- **Cloudflare** for dynamic DNS (no static IP needed)\n- **UFW** firewall with Docker compatibility\n\nDesigned for on-demand use — start the server when needed, stop it when done.\nDNS updates automatically on every boot via a systemd service.\n\n---\n\n## File Structure\n\n```\nvpn/\n├── .env.example            # secrets template — copy to .env and fill in\n├── .gitignore\n├── docker-compose.yml      # wg-easy + nginx + certbot\n├── nginx.conf              # reverse proxy config (full HTTPS version)\n└── scripts/\n    ├── vpn-setup.sh        # first-time setup — run once on a fresh server\n    ├── update-dns.sh       # updates Cloudflare DNS with current public IP\n    └── update-dns.service  # systemd service — runs update-dns.sh on every boot\n```\n\n---\n\n## Prerequisites\n\n- Any Ubuntu 24 server (VPS, cloud instance, bare metal)\n- Domain managed on Cloudflare\n- SSH access to the server\n- Ports open in your provider's firewall: 22/tcp, 80/tcp, 443/tcp, 51820/udp\n\n---\n\n## First-Time Setup\n\n### 1. Clone the repo\n\n```bash\ngit clone https://github.com/rafaelrpbelo/wireguard-vpn-setup.git /opt/vpn\n```\n\n### 2. Create and fill in `.env`\n\n```bash\ncp /opt/vpn/.env.example /opt/vpn/.env\nnano /opt/vpn/.env\n```\n\n| Variable | Description |\n|---|---|\n| `DOMAIN` | Your VPN subdomain e.g. `vpn.yourdomain.com` |\n| `EMAIL` | Email for Let's Encrypt notifications |\n| `CF_API_TOKEN` | Cloudflare API token with *Edit zone DNS* permission |\n| `CF_ZONE_ID` | Found on the Cloudflare dashboard for your domain |\n| `CF_RECORD_ID` | See below |\n\n**Getting your Cloudflare Record ID:**\n```bash\ncurl -X GET \"https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/dns_records?name=vpn.yourdomain.com\" \\\n  -H \"Authorization: Bearer YOUR_API_TOKEN\" \\\n  -H \"Content-Type: application/json\"\n```\nCopy the `id` field from the response.\n\n**Cloudflare DNS record settings:**\n- Type: `A`\n- Name: `vpn` (or your subdomain)\n- Proxy status: **grey cloud (DNS only)** — must NOT be proxied\n- TTL: **1 minute**\n\n### 3. Run the setup script\n\n```bash\nbash /opt/vpn/scripts/vpn-setup.sh\n```\n\nThis will:\n1. Update system packages\n2. Install Docker\n3. Set up UFW firewall rules\n4. Install and enable the DNS update systemd service\n5. Update Cloudflare DNS with the current public IP\n6. Bootstrap the Let's Encrypt certificate\n7. Start all containers\n\n---\n\n## Daily Usage\n\n### Start the VPN\n1. Start your server from your provider's console\n2. Wait ~2 minutes (boot + DNS propagation)\n3. Connect your WireGuard client using `vpn.yourdomain.com`\n\n### Access the web UI\n```\nhttps://vpn.yourdomain.com\n```\n\n### Stop the VPN\nStop the server from your provider's console when done.\n\n---\n\n## How It Works\n\n### Dynamic DNS\nOn every boot, `update-dns.service` runs `update-dns.sh` which:\n- Fetches the server's current public IP\n- Updates the Cloudflare A record via API\n- Renews the Let's Encrypt cert if within 30 days of expiry\n\n### Networking\n```\nClient → vpn.yourdomain.com:443 → nginx → wg-easy:51821 (internal only)\nClient → vpn.yourdomain.com:51820/udp → WireGuard\n```\n\nPort `51821` is never exposed to the host — only nginx can reach wg-easy internally via the Docker network.\n\n### Docker + UFW\nDocker manages its own iptables rules. Port `51821` is not exposed in `docker-compose.yml` so Docker never opens it — UFW is used only to allowlist the ports that should be public (22, 80, 443, 51820/udp).\n\n---\n\n## Troubleshooting\n\n**Can't connect after starting the server:**\n- Wait 2 minutes for DNS propagation\n- Check DNS updated: `dig vpn.yourdomain.com`\n- Check service ran: `sudo systemctl status update-dns.service`\n- Check log: `cat /var/log/update-dns.log`\n\n**SSL cert errors:**\n- Force renew: `sudo certbot renew --force-renewal`\n- Check nginx: `docker logs nginx`\n\n**wg-easy UI not loading:**\n- Check containers: `docker compose -f /opt/vpn/docker-compose.yml ps`\n- Check logs: `docker logs nginx` / `docker logs wg-easy`\n\n**Port 51821 still accessible:**\n- Verify there is no `ports:` mapping for `51821` in `docker-compose.yml`\n- Check UFW rules: `sudo ufw status`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frafaelrpbelo%2Fwireguard-vpn-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frafaelrpbelo%2Fwireguard-vpn-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frafaelrpbelo%2Fwireguard-vpn-setup/lists"}