# Networking

# WireGuard VPN

# What is WireGuard?

WireGuard is a modern VPN tunnel.

*In my setup:*
```
Internet → Hetzner (46.54.2.140)
            ↓
      Wireguard-Tunnel (verschlüsselt)
            ↓
         Homeserver (10.100.0.2)
            ↓
         Services (Docker)
```

**Advantages:**
  - Encrypted
  - Fast
  - Simple
  - Stable

# Installation on Hetzner

**On the Hetzner server:**

```bash
ssh hetzner

# Install WireGuard
apt update
apt install -y wireguard

# Generate keys (umask 077 keeps the private key readable by root only)
cd /etc/wireguard
umask 077
wg genkey | tee hetzner-private.key | wg pubkey > hetzner-public.key

# Show the keys. Only the public key needs to leave this host;
# the private key goes into wg0.conf here and nowhere else.
cat hetzner-private.key
cat hetzner-public.key
```

**Create the config**
```bash
nano /etc/wireguard/wg0.conf
```
**Contents:**
```ini
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = <HETZNER_PRIVATE_KEY>

PostUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = <HOMESERVER_PUBLIC_KEY>
AllowedIPs = 10.100.0.2/32
PersistentKeepalive = 25
```

Note: `AllowedIPs` doubles as the cryptokey routing table, so only packets to or from 10.100.0.2 are accepted for this peer. The `PostDown` line switches forwarding off system-wide whenever the tunnel goes down, which also undoes the persistent sysctl setting below. Caddy on this host reaches 10.100.0.2 through the local `wg0` route, so forwarding is only needed if this host is supposed to route packets for other machines.
**Activate**
```bash
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
```

# Installation on the homeserver

**On the homeserver:**

```bash
# Install WireGuard
sudo apt update
sudo apt install -y wireguard

# Generate keys (as root; umask 077 keeps the private key readable by root only)
sudo -i
cd /etc/wireguard
umask 077
wg genkey | tee homeserver-private.key | wg pubkey > homeserver-public.key

# Show the keys. Only the public key is copied into the Hetzner config;
# the private key stays on this host.
cat homeserver-private.key
cat homeserver-public.key
```

**Create the config:**
```bash
sudo nano /etc/wireguard/wg0.conf
```

**Contents:**
```ini
[Interface]
Address = 10.100.0.2/24
PrivateKey = <HOMESERVER_PRIVATE_KEY>

[Peer]
PublicKey = <HETZNER_PUBLIC_KEY>
Endpoint = 46.224.8.110:51820
AllowedIPs = 10.100.0.1/32
PersistentKeepalive = 25
```

**Activate:**
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
```

# Testing the tunnel

**From Hetzner to the homeserver:**
```bash
# On Hetzner
ping -c 4 10.100.0.2
```

**From the homeserver to Hetzner:**
```bash
# On the homeserver
ping -c 4 10.100.0.1
```

-> Both should answer.

**Check status**

```bash
wg show
```

`wg show` lists each peer with its `latest handshake` and transfer counters. A handshake only appears once traffic has flowed; if there is none after the pings, the usual causes are a mismatched public key, a wrong `Endpoint`, or UDP port 51820 being blocked in front of the Hetzner server.

**Troubleshooting**
```bash
# Restart WireGuard
sudo systemctl restart wg-quick@wg0
# Follow the logs
journalctl -u wg-quick@wg0 -f
```
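Once the tunnel is up it is worth automating the handshake check, since a peer that silently stops handshaking (expired NAT mapping, key rotated on one side) still shows up in `wg show`. The following script is an added example, not part of the original notes: it parses the machine-readable `wg show wg0 dump` output and flags peers without a recent handshake. The dump it runs against is a constructed sample in the real `dump` layout with placeholder keys; the `check_wg_interface` wrapper and the 180-second threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): flag WireGuard peers whose
# latest handshake is missing or older than a threshold, using the
# tab-separated output of `wg show <interface> dump`.
set -eu

# Constructed sample in the `wg show wg0 dump` layout (placeholder keys):
#   line 1: private-key  public-key  listen-port  fwmark
#   peers:  public-key  preshared-key  endpoint  allowed-ips
#           latest-handshake(epoch)  rx-bytes  tx-bytes  persistent-keepalive
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' '<HETZNER_PRIVATE_KEY>' '<HETZNER_PUBLIC_KEY>' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' '<HOMESERVER_PUBLIC_KEY>' '(none)' \
    '203.0.113.10:41000' '10.100.0.2/32' 1700000000 12345 67890 25
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' '<STALE_PEER_PUBLIC_KEY>' '(none)' \
    '(none)' '10.100.0.3/32' 0 0 0 off
}

# check_peers NOW MAX_AGE   (dump text on stdin)
# Prints "OK <allowed-ips>" for peers that handshook within MAX_AGE seconds of
# NOW, "STALE <allowed-ips> <age>s" or "STALE <allowed-ips> never" otherwise.
# Exit status 1 if any peer is stale, so it can drive a cron alert.
check_peers() {
  now=$1
  max_age=$2
  awk -F'\t' -v now="$now" -v max="$max_age" '
    NR == 1 { next }                      # interface line, has no handshake field
    {
      ips = $4; hs = $5
      if (hs == 0) { print "STALE " ips " never"; bad = 1; next }
      age = now - hs
      if (age > max) { print "STALE " ips " " age "s"; bad = 1 }
      else           { print "OK " ips }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Wrapper for the live interface (assumed name; run as root):
#   check_wg_interface wg0
check_wg_interface() {
  wg show "$1" dump | check_peers "$(date +%s)" 180
}

# Demo against the constructed sample, 100 s after the homeserver handshake:
sample_dump | check_peers 1700000100 180 || echo "at least one peer has no recent handshake"
```

On the sample the homeserver peer reports `OK 10.100.0.2/32` and the never-connected peer `STALE 10.100.0.3/32 never`. A peer whose `AllowedIPs` you never expect to see handshake (a stale entry from an old device) is exactly what should be removed from `wg0.conf`, since its public key is still accepted.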

# Caddy Reverse Proxy

# What is Caddy?

Caddy is a modern web server and reverse proxy.

*Features:*

  - automatic TLS certificates (Let's Encrypt)
  - simple configuration
  - HTTP/2 & HTTP/3 support
  - reverse proxy functionality

**In my setup**
  - Caddy on Hetzner: public entry point, TLS termination
  - Caddy on the homeserver: local routing to the services

# Caddy on Hetzner

**Installation:**
```bash
ssh hetzner

apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update
apt install -y caddy
```

**Caddyfile:**
```bash
nano /etc/caddy/Caddyfile
```

**Contents:**

```
enode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    
    root * /var/www/denode
    file_server
    encode gzip
}

nextcloud.denode.eu {
    encode gzip
    reverse_proxy 10.100.0.2:80 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

notes.denode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    
    encode gzip
    reverse_proxy 10.100.0.2:4567 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

overleaf.denode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    
    encode gzip
    reverse_proxy 10.100.0.2:4568 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}
```

**Hash the password**
```bash
caddy hash-password
```

`caddy hash-password` prompts for the password and prints a bcrypt hash; paste the whole hash (including the `$2a$14$` prefix) into the `basicauth` line. Caddy 2.8 renamed the directive to `basic_auth`; the old `basicauth` spelling still works but logs a deprecation warning. The `header_up` lines for `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` repeat what `reverse_proxy` already sets by default, so they are harmless but not required; `X-Real-IP` is the only one Caddy does not add on its own. `nextcloud.denode.eu` is the only site without `basicauth`, so it is the only one where the login is left entirely to the service behind the tunnel.

**Reload Caddy**
```bash
systemctl reload caddy
systemctl status caddy
```
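The Hetzner Caddyfile is the only thing between the internet and the homeserver, so it pays to check it mechanically rather than by eye: which hostnames sit behind `basicauth`, which do not, and whether every `reverse_proxy` upstream really is an address inside the tunnel. The script below is an added example, not part of these notes or of Caddy itself; it walks a Caddyfile with `awk` and reports that per site block. It runs against a constructed sample that mirrors the structure above (same hostnames, with one site written in the newer `basic_auth` spelling); the function names and the rule that upstreams must lie in `10.100.0.0/24` are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a Caddyfile for which
# public hostnames are protected by basic auth and where each one proxies to.
set -eu

# Constructed sample in the same layout as the Hetzner Caddyfile above.
sample_caddyfile() {
  cat <<'EOF'
enode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    root * /var/www/denode
    file_server
}

nextcloud.denode.eu {
    encode gzip
    reverse_proxy 10.100.0.2:80 {
        header_up X-Forwarded-Proto {scheme}
    }
}

notes.denode.eu {
    basic_auth {
        denode $2a$14$<BCRYPT_HASH>
    }
    reverse_proxy 10.100.0.2:4567
}

overleaf.denode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    reverse_proxy 10.100.0.2:4568
}
EOF
}

# audit_caddyfile < Caddyfile
# One line per top-level site block: "<host> auth=<directive|none> upstream=<addr|->".
# A site block opens with "<host> {" at column 0 and closes with "}" at column 0;
# nested blocks (basicauth {...}, reverse_proxy {...}) are indented and ignored.
audit_caddyfile() {
  awk '
    /^[^ \t}#].*\{[ \t]*$/ && site == "" { site = $1; auth = "none"; upstream = "-"; next }
    site != "" && ($1 == "basicauth" || $1 == "basic_auth") { auth = $1 }
    site != "" && $1 == "reverse_proxy" { upstream = $2 }
    /^\}/ && site != "" { printf "%s auth=%s upstream=%s\n", site, auth, upstream; site = "" }
  '
}

# unprotected_proxies < Caddyfile
# Hosts that are proxied to the homeserver without any basic auth directive.
unprotected_proxies() {
  audit_caddyfile | awk '$2 == "auth=none" && $3 != "upstream=-" { print $1 }'
}

# outside_tunnel_upstreams < Caddyfile
# Hosts whose upstream is not on the WireGuard network 10.100.0.0/24 (assumed rule:
# on the Hetzner side every upstream must be reached through the tunnel).
outside_tunnel_upstreams() {
  audit_caddyfile | awk '$3 != "upstream=-" && $3 !~ /^upstream=10\.100\.0\./ { print $1 }'
}

sample_caddyfile | audit_caddyfile
echo "proxied without basic auth:"
sample_caddyfile | unprotected_proxies
echo "upstream outside the tunnel:"
sample_caddyfile | outside_tunnel_upstreams
# Against the real file on Hetzner:  audit_caddyfile < /etc/caddy/Caddyfile
```

On the sample, `unprotected_proxies` prints only `nextcloud.denode.eu`, which matches the intent above (Nextcloud brings its own login); any other hostname appearing there after a config change deserves a second look. The parser only understands the flat layout used here, one site per block with the opener and the closing brace at column 0.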

# Caddy on the homeserver

**Caddyfile**
```bash
sudo nano /etc/caddy/Caddyfile
```

**Contents:**
```
enode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    
    root * /var/www/denode
    file_server
    encode gzip
}

nextcloud.denode.eu {
    encode gzip
    reverse_proxy 10.100.0.2:80 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

notes.denode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    
    encode gzip
    reverse_proxy 10.100.0.2:4567 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

overleaf.denode.eu {
    basicauth {
        denode $2a$14$<BCRYPT_HASH>
    }
    
    encode gzip
    reverse_proxy 10.100.0.2:4568 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}
```

**Reload Caddy**
```bash
sudo systemctl reload caddy
sudo systemctl status caddy
```

# Important Caddy commands

**Validate the config**
```bash
caddy validate --config /etc/caddy/Caddyfile
```

**Reload Caddy**
```bash
systemctl reload caddy
```
**Check status**
```bash
systemctl status caddy
```
**View logs**
```bash
journalctl -u caddy -f
```

**Config path:**
  - Hetzner: ```/etc/caddy/Caddyfile```
  - Homeserver: ```/etc/caddy/Caddyfile```