Wireguard

  • Version 1.00
  • Create Date August 18, 2024
  • Last Updated August 20, 2024
  • File Count 2
File
task scheduler.txt
wireguard.yml

Fast, modern, secure VPN tunnel

About: https://www.wireguard.com

In this tutorial, I will show you how to install Wireguard using Docker Manager on your TerraMaster NAS.
This tutorial works only on TOS6 > 6.0.420.

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

The Wireguard kernel module is implemented only on TOS6, from version 6.0.420 onward.
However, in the current version 6.0.436, the kernel module is not loaded automatically during NAS boot. In order to use our wireguard app, we need to configure TOS to load the kernel module at startup.
We'll achieve this by creating a task that runs during NAS shutdown and checks whether the module is present in the list of kernel modules to load during startup. The command to add is in the downloaded file task scheduler.txt.

From TOS top menu click on Control Panel and then scroll to General Settings and click on Scheduled Tasks.

Click now on the + icon to create a new task.

Select the type as below and click on Next.

For the name, type for example Enable wireguard kernel module, and set the task to trigger during Shut Down.
This way we are sure that the module is enabled to be loaded during the next startup.

Enable notification if you want to be notified when the task runs.
In the Custom command script, add the command from the downloaded file task scheduler.txt.

Click on Next

In the next window, click on Create button.

The task is now created and enabled.

Reboot your NAS now to load the wireguard kernel module.

Once the NAS has rebooted and you are logged back in to TOS, you can check the Notification center to see if the task ran successfully.

Now we can proceed to install the wireguard container. Follow the steps below:

Download the wireguard.yml file from above and save it locally on your computer.

If you already have Docker Engine and Docker Manager apps installed, proceed to next step.
If not, follow this guide to install them: How to install Docker Engine and Docker Manager.

If you already have these 2 shared folders, proceed to next step.
If not, follow this guide to create the folders: How to create DockerYAML and DockerAppsData shared folders

For TOS5 and TOS6, we are going to run these containers as the superuser account (the account that was created during initial NAS setup).
For TOS4, we are going to run these containers as the root account.

If you already know your username id and group id from a previous container deployment, proceed to next step.

If not, for TOS6, the username id and group id for the superuser account should be both 0.

You can double check this by running a command in the terminal.
You can simply install the ttyd app and find your uid and gid following this guide: How to install and use ttyd app (share your terminal over web).

You can also use putty or any other SSH client and type the id command. In this case, the ssh service must be running on your NAS.

Find your current time zone on this website; for example, for Brussels it is:

TZ=Europe/Brussels

In order to protect the Wireguard WebUI with a password, wireguard.yml should contain your hashed password in the PASSWORD_HASH variable.
The hashed password included in the downloaded wireguard.yml is the hash value for the password terra.

In order to generate a hash value for your own password, make sure that the Docker Engine app is running, then connect to the terminal and run the command below (replace terra with your own password). To connect to the terminal, you can simply install ttyd using this guide: How to install and use ttyd app (share your terminal over web). You can also use putty or any other SSH client, but in this case the ssh service must be running on your NAS (TOS ssh service or OkmSSHD).

user@TNAS:~# docker run ghcr.io/wg-easy/wg-easy wgpw terra

After you run the command, the hashed password will be generated:

PASSWORD_HASH='$2a$12$w/uNk19UsGQd2oyLVTJw.OVh7sDF/hcurUWa3Th1eVrBBC3JBi1Wi'

The generated hash value will be used in the config file at Step 7. Save it somewhere.

Now run the command below to delete the container that was created to generate the hashed password. Docker gives this container a random name (charming_williams in this example), so use the name of your own container.

user@TNAS:~# docker rm charming_williams

Please note: don't wrap the generated hashed password in single quotes when you add it to the config file. Instead, replace each $ symbol with two $$ symbols. For example, for the hash generated above for the password terra, in our config file we have to use:

PASSWORD_HASH=$$2a$$12$$w/uNk19UsGQd2oyLVTJw.OVh7sDF/hcurUWa3Th1eVrBBC3JBi1Wi
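
As an added example (not part of the original guide or of wg-easy), the shell functions below do the conversion described above and check an edited wireguard.yml before you deploy it. The function names are hypothetical, and the check assumes PASSWORD_HASH is set in the list form - PASSWORD_HASH=value under environment:.

```sh
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# Compose-escaped hash the guide publishes for the password "terra".
PUBLISHED_HASH='$$2a$$12$$w/uNk19UsGQd2oyLVTJw.OVh7sDF/hcurUWa3Th1eVrBBC3JBi1Wi'

# to_compose_hash LINE: turn the line printed by wgpw into a compose entry.
to_compose_hash() {
    h=${1#PASSWORD_HASH=}          # drop the variable name if present
    h=${h#"'"}; h=${h%"'"}         # drop the single quotes wgpw prints
    # bcrypt layout: $2a/$2b/$2y, two-digit cost, 53 chars of salt + digest
    if ! printf '%s\n' "$h" |
        grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        echo "not a bcrypt hash" >&2
        return 1
    fi
    printf 'PASSWORD_HASH=%s\n' "$(printf '%s' "$h" | sed 's/\$/$$/g')"
}

# lint_password_hash FILE: report PASSWORD_HASH mistakes in a compose file.
# Assumption: list form "- PASSWORD_HASH=value" under environment:.
lint_password_hash() {
    val=$(sed -n 's/^[[:space:]]*-[[:space:]]*PASSWORD_HASH=//p' "$1" | head -n 1)
    [ -n "$val" ] || { echo "missing"; return 1; }
    case $val in
        \'*|\"*) echo "quoted"; return 1 ;;   # quotes become part of the value
    esac
    # Remove every "$$" pair; a "$" left over is read by compose as a variable.
    if printf '%s' "$val" | sed 's/\$\$//g' | grep -q '\$'; then
        echo "unescaped-dollar"; return 1
    fi
    if [ "$val" = "$PUBLISHED_HASH" ]; then
        echo "published-default"; return 1    # known to every reader of the guide
    fi
    echo "ok"
}

# Demo on the wgpw output shown in the guide: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    to_compose_hash "PASSWORD_HASH='\$2a\$12\$w/uNk19UsGQd2oyLVTJw.OVh7sDF/hcurUWa3Th1eVrBBC3JBi1Wi'"
fi
```

A result of published-default means the file still carries the hash for terra that this page prints, so the WebUI password is effectively public until you replace it.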

Open Docker Manager by using the icon on the desktop or from the top menu.
Click on Project from the left menu and then on the small + icon to add new project.

  • On the Project name type wireguard
  • On the Project path type /Volume1/DockerYAML or use the Browse button to navigate and select the DockerYAML folder
  • Configuration file source select Your computer from the dropdown list
  • Click on the folder icon to browse your local computer for the yml file

On the file browser window, choose the wireguard.yml that you downloaded on Step 1.
After you select the file, click on Open.

The file will be loaded and the content will appear on the code section.
Before you proceed further, adapt the code to your particular values for these variables:

  • PUID and PGID change to the values for your user found on Step 3.
  • TZ change to the value for your specific zone found on Step 4.
  • WG_HOST change to your dynamic DNS or your fixed external IP
  • PASSWORD_HASH replaced with your hashed password generated at Step 6.

Config files will be stored at /Volume1/DockerAppsData/Wireguard

Scroll down in the code window to review the config.

After you adapt all the required values, click on Verify YAML button. If the code is OK, the Apply button will become available.
Click on it to deploy the project.

The project will start building.

If the build went well, our project will show the status as Running.

When the project is selected, the buttons on top will be available from where you can stop/start the project, restart, delete or force stop.

Now go to the Container section, where you can see some info about the newly created container.

In order to be able to access the VPN server from outside your local network, you now need to create a port forward rule on your router.
Below is a picture from my UniFi router (different routers have different interfaces; you have to find where the port forward option is yourself).
In our port forward rule, we need to forward port 51820/tcp to the IP address of our NAS.

You can click on the accessing address to access the WebUI (port 51821) or navigate in the web browser to http://yournasip:51821
Use your password to login on the WebUI and click on Sign In.

Press on New Client, type a name for your client and press on Create button.

Once the client config has been created, press on the QR code (if you add the client on a PC, you can press on the download config button instead; this config must then be uploaded to the Wireguard client on your PC).

Install the Wireguard app on your Android phone, press the + icon at the bottom of your screen and select Scan from QR code.
Give a name to your tunnel and press Create Tunnel.

Now turn on the tunnel and you are ready to access your NAS from external connection via VPN.

Now you can access your NAS at http://yournasip from an external network and you can see traffic going through the VPN.
