
"WireGate: Secure Intranet Deployment with WireGuard, Docker, and Enhanced Network Controls"

NOXCIS/Wiregate

Supported architectures: x86-64, arm64, armv7
Test OS: Ubuntu LTS | Debian 12
Test device: Raspberry Pi 5 | M2 | x86 CPUs
Build: Daily

About

WireGate is a fully automated, Docker-based VPN server deployment tool with an attachable intranet (via Docker private networks) and support for Tor as an exit proxy.

It allows users to host web and other applications on their existing server and connect to them securely without exposing them to the open internet. This is done by using the WireGuard protocol together with Docker networks and containers. Applications hosted behind the WireGate private network therefore need not expose any ports and can only be reached through a WireGuard connection that is already registered to an existing server interface on the deployed WireGate instance. Secure by design, the WireGuard dashboard and other services are only accessible on first deployment via the master configuration, which is generated at install time and encrypted after being output to the console. WireGate also acts as a bypass for ISP DNS query logging. By default, WireGate is configured for minimal or no logging.

Wiregate vs Wirehole vs WG-Easy vs WG Dashboard (standalone)

WireGate uses a modified version of WG Dashboard that allows the environment to be set from the docker compose file or the docker run command. Below are comparisons with the other GUI dashboard options for WireGuard.

Comparison columns: Easy Setup | Client Firewall Rules | GUI | DNS Filtering | Tor Proxy | 2FA | 3FA
Projects compared: WireGate, WireHole, WG-Easy, WireAdmin

Zone Permissions

Wiregate is configured with 4 zones that peers can be added to. The zone a peer belongs to dictates the network access permissions of said peer.

Permission columns: Internet Access | WireGuard Dashboard Access | Docker Network Access | Peer to Peer Access
Zones: Admin, Members, LAN Users, Guest

Infrastructure

Symbolic Network Map

Installation

To get started, run the installation script using the following command:

Via Quick Installer

Running the command below installs the prerequisites and runs the terminal-based menu.

curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
sudo chmod +x stackscript.sh && \
sudo ./stackscript.sh

The command also accepts arguments that skip the menu. BRANCH selects the branch of the repository to pull from and defaults to main if omitted. ARG4 is optional; see below.

curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
sudo chmod +x stackscript.sh && \
sudo ./stackscript.sh [-b branch] [-r arg1] [-t arg2] [-n arg3]

Example Usage:

./stackscript.sh -b main -r E-P-D -t Tor-br-snow -n {CH},{GB} 

The available options are:

  • -b for specifying a branch.
  • -r for specifying resolvers.
  • -t for specifying Tor.
  • -n for specifying the exit node.

Via Docker In Docker

Interactive Menu

docker run --privileged --name wiregate-dind -d -p 4430-4433:4430-4433/udp docker:dind && \
docker exec -it wiregate-dind /bin/sh -c "
apk add curl git ncurses sudo bash && \
mkdir -p /opt && cd /opt && \
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
chmod +x stackscript.sh && \
./stackscript.sh -d dind
"

Preset & Automated

docker run --privileged --name wiregate-dind -d -p 4430-4433:4430-4433/udp docker:dind && \
docker exec -it wiregate-dind /bin/sh -c "
apk add curl git ncurses sudo bash && \
mkdir -p /opt && cd /opt && \
curl -O https://raw.githubusercontent.com/NOXCIS/Wiregate/main/stackscript.sh && \
chmod +x stackscript.sh && \
./stackscript.sh [-b branch] [-r arg1] [-t arg2] [-n arg3] -d dind
"

Example Usage:

./stackscript.sh -b main -r E-P-D -t Tor-br-snow -n {CH},{GB} -d dind

The available options are:

  • -b for specifying a branch.
  • -r for specifying resolvers.
  • -t for specifying Tor.
  • -n for specifying the exit node.
  • -d for specifying Docker in Docker.

ARG1: Resolver Install Options

E-A-D: Express, AdGuard, Darkwire
E-A-C: Express, AdGuard, Channels
E-P-D: Express, Pihole, Darkwire
E-P-C: Express, Pihole, Channels
A-A-D: Advanced, AdGuard, Darkwire
A-A-C: Advanced, AdGuard, Channels
A-P-D: Advanced, Pihole, Darkwire
A-P-C: Advanced, Pihole, Channels
dev : Development Build
help: Display help menu
reset: Reset WireGate

ARG2: TOR Options

off: Disable TOR
Tor-br-snow: Use Tor with bridges (snowflake)
Tor-br-webtun: Use Tor with bridges (webtunnel)
Tor-br-obfs4: Use Tor with bridges (obfs4)
Tor-snow: Use Tor without bridges (snowflake)
Tor-webtun: Use Tor without bridges (webtunnel)
Tor-obfs4: Use Tor without bridges (obfs4)

ARG3: TOR Exit Node Country Code String

Format Example: {US},{GB},{AU}
Default: default
For more exit node options, see the Tor country codes list.

ARG4: OPTIONAL Docker in Docker Deployment

dind: Docker in Docker environment setup

Install via Docker Compose

networks:
  private_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
    attachable: true
    internal: false
    ipam:
      config:
        - subnet: 10.2.0.0/24



services:
  dnscrypt:
    image: "klutchell/dnscrypt-proxy"
    restart: unless-stopped
    container_name: dnscrypt
    volumes:
      - ./Global-Configs/DnsCrypt/dnscrypt-proxy.toml:/config/dnscrypt-proxy.toml
    networks:
      private_network:
        ipv4_address: 10.2.0.42

  unbound:
    image: "klutchell/unbound:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: "unbound"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./Global-Configs/Unbound/custom-unbound.conf:/etc/unbound/custom.conf.d/custom-unbound.conf
    networks:
      private_network:
        ipv4_address: 10.2.0.200


  adguard:
    depends_on: [unbound]
    container_name: adguard
    image: adguard/adguardhome
    restart: unless-stopped
    hostname: adguard
    # Volumes store your data between container upgrades
    volumes:
      - "./Global-Configs/AdGuard/Data:/opt/adguardhome/work"
      - "./Global-Configs/AdGuard/Config:/opt/adguardhome/conf"
    networks:
      private_network:
        ipv4_address: 10.2.0.100

  wiregate:
    image: noxcis/wg-dashboard:terra-firma
    container_name: wiregate
    hostname: wiregate
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
    volumes:
      - wgd_configs:/etc/wireguard
      - wgd_db:/opt/wireguarddashboard/src/db
      - wgd_db:/opt/wireguarddashboard/src/dashboard_config

    environment:
      - TZ=UTC
      - WGD_TOR_PROXY=true
      - WGD_TOR_PLUGIN=webtunnel #OPTIONS webtunnel, obfs4, snowflake
      - WGD_TOR_BRIDGES=true
      - WGD_WELCOME_SESSION=false
      - WGD_USER=james
      - WGD_PASS=admin
      - WGD_REMOTE_ENDPOINT=192.168.1.199
      - WGD_REMOTE_ENDPOINT_PORT=80
      - WGD_DNS="10.2.0.100, 10.2.0.100"
      - WGD_IPTABLES_DNS=10.2.0.100
      - WGD_PEER_ENDPOINT_ALLOWED_IP=0.0.0.0/0
      - WGD_KEEP_ALIVE=21
      - WGD_MTU=1420
      - WGD_PORT_RANGE_STARTPORT=443
    ports:
      - "443-448:443-448/udp"
      - 8000:80/tcp #Comment Out and Compose Up for 3FA via WireGuard
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3
  
  darkwire:
    image: noxcis/darkwire:terra-firma
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private_network:
        ipv4_address: 10.2.0.4

volumes:
    wgd_configs:
    wgd_db:
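As an added example (not code from the WireGate project), here is a small Python audit that scans a compose file like the one above for the settings this README calls out: a manually set weak WGD_PASS (the password is only randomised when left unset), the 8000:80/tcp mapping that the compose comment says to remove for 3FA via WireGuard, a published UDP range that does not start at WGD_PORT_RANGE_STARTPORT, and WGD_DNS resolvers outside the private subnet. The SAMPLE_COMPOSE text, the WEAK_PASSWORDS set and the audit_compose function are all constructed for this example.

```python
import ipaddress
import re

# Constructed excerpt modelled on the compose file above (sample values only, not a real deployment).
SAMPLE_COMPOSE = """\
networks:
  private_network:
    ipam:
      config:
        - subnet: 10.2.0.0/24
services:
  wiregate:
    environment:
      - WGD_PASS=admin
      - WGD_DNS="10.2.0.100, 10.2.0.100"
      - WGD_PORT_RANGE_STARTPORT=443
    ports:
      - "443-448:443-448/udp"
      - 8000:80/tcp #Comment Out and Compose Up for 3FA via WireGuard
"""
# Hypothetical deny-list; extend it with whatever your policy treats as a placeholder password.
WEAK_PASSWORDS = {"admin", "password", "wiregate", "changeme"}

def audit_compose(text: str) -> list[str]:
    """Scan a WireGate compose file and return a list of findings (empty means every check passed)."""
    findings = []
    # Collect WGD_* environment entries, dropping trailing YAML comments and surrounding quotes.
    env = {k: v.split("#")[0].strip().strip('"') for k, v in re.findall(r"-\s*(WGD_[A-Z_]+)=(.*)", text)}
    # 1. A weak WGD_PASS set by hand replaces the random password the installer would generate.
    if env.get("WGD_PASS", "").lower() in WEAK_PASSWORDS:
        findings.append("WGD_PASS is a weak sample value; use a strong password or leave it unset")
    # 2. Publishing the dashboard on a host TCP port bypasses the WireGuard-only (3FA) access model.
    if re.search(r'-\s*"?\d+:80/tcp', text):
        findings.append("dashboard port 80/tcp is published on the host; remove the mapping to require a WireGuard connection")
    # 3. The published UDP range must start at WGD_PORT_RANGE_STARTPORT or peers cannot reach the interfaces.
    start = env.get("WGD_PORT_RANGE_STARTPORT")
    udp = re.search(r"(\d+)-(\d+):(\d+)-(\d+)/udp", text)
    if start and udp and (udp.group(1) != start or udp.group(3) != start):
        findings.append(f"UDP port range {udp.group(0)} does not start at WGD_PORT_RANGE_STARTPORT={start}")
    # 4. Resolvers handed to peers must sit on the private Docker subnet, not on the open internet.
    subnet = re.search(r"subnet:\s*(\S+)", text)
    if subnet:
        net = ipaddress.ip_network(subnet.group(1), strict=False)
        for addr in filter(None, (a.strip() for a in env.get("WGD_DNS", "").split(","))):
            try:
                if ipaddress.ip_address(addr) not in net:
                    findings.append(f"WGD_DNS resolver {addr} is outside the private subnet {net}")
            except ValueError:
                findings.append(f"WGD_DNS entry {addr!r} is not a valid IP address")
    return findings
```

Run `audit_compose(open("docker-compose.yml").read())` against your own file; the sample above yields two findings (the weak password and the published dashboard port), and an empty list means every check passed.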

Usage

Utilities

To reset the deployment, use:

sudo ./install.sh reset

To run a development build, use:

sudo ./install.sh dev

Access

While connected to the WireGate Admins zone:

The username and password are randomly generated and provided in the final output if not set manually. Clients in the Members zone cannot access the WireGuard, Pi-hole, or AdGuard dashboards.

Tor

WireGate includes the compiled binaries for the following Tor transport plugins:

  • Lyrebird (meek_lite,obfs2,obfs3,obfs4,scramblesuit)
  • SnowFlake
  • WebTunnel

The plugin can be selected during installation or changed later with docker compose. If Tor is enabled, WireGate also obtains a new Tor circuit at random intervals of between 100 and 1642 seconds.

Help

All Wiregate supporting configurations can be found in the Global Configs Folder. If you need assistance, simply run:

sudo ./install.sh help

This will display the usage instructions and available options.

Acknowledgements

The code in this repo is influenced by IAmStoxe's WireHole project & the WireAdmin project. However, the upstream projects and their authors most certainly also deserve credit for making this all possible.

Show your support: give a ⭐ if this project helped you!

Contributing

Contributions are welcome! Feel free to fork the repository, make changes, and submit a pull request. For internet privacy and Freedom.

License

This project is licensed under the MIT License - see the LICENSE file for details.