How to Setup WireGuard VPN Server with Traefik and Authelia

Veerendra K
2 min read · Aug 9, 2024


In this write-up, I will show you how I set up my own WireGuard VPN server with Traefik reverse proxy to access WireGuard UI and Authelia for authentication.

1. Clone the GitHub repository and install dependencies

git clone https://github.com/veerendra2/wireguard-traefik-authelia.git
cd wireguard-traefik-authelia

2. Export Environment Variables

I’m using DuckDNS as the DNS provider; you can also use another DNS provider such as Cloudflare. Make sure you supply the API token for whichever DNS provider you choose, since Traefik uses it to complete the DNS challenge for the certificate.

export MY_PROVIDER="duckdns"
export MY_DOMAIN="<your-sub-domain>.duckdns.org"
export DUCKDNS_TOKEN="[REDACTED]"

3. Configuring User Authentication in Authelia

Create a password hash for the user:

docker run --rm authelia/authelia:latest \
authelia crypto hash generate argon2 \
--password 'your-password'

Update config/users_database.yml with an entry like the following, pasting the generated hash (not the plaintext password) into the password field:

users:
  your-user-name:
    disabled: false
    displayname: "User Name"
    password: "<generated-password-hash>"
    email: "root@localhost"
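Before deploying, it is worth confirming that the entry actually holds the generated Argon2 hash rather than the password itself. The following shell script is an added example, not code from the repository above; it assumes the two-space/four-space layout shown here and uses a constructed sample database whose hash salt and digest are placeholder values.

```shell
#!/usr/bin/env bash
# Added example, not code from the wireguard-traefik-authelia repository:
# sanity-check a user entry in config/users_database.yml before deploying,
# so a pasted plaintext password or a mangled hash is caught early.
set -euo pipefail

# True if $1 is a PHC-format Argon2 string, the shape that
# `authelia crypto hash generate argon2` prints:
#   $argon2id$v=19$m=<memory>,t=<iterations>,p=<parallelism>$<salt>$<hash>
is_argon2_phc() {
  printf '%s\n' "$1" |
    grep -Eq '^\$argon2(id|i|d)\$v=19\$m=[0-9]+,t=[0-9]+,p=[0-9]+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$'
}

# Print the value of <key> under users.<user>, for a file laid out as in the
# post (user names indented two spaces, their fields four).
user_field() {
  local file="$1" user="$2" key="$3"
  awk -v u="$user" -v k="$key:" '
    index($0, "  " u ":") == 1 { inblock = 1; next }   # this user starts
    inblock && /^  [^ ]/        { inblock = 0 }        # next user starts
    inblock && $1 == k          { gsub(/"/, "", $2); print $2; exit }
  ' "$file"
}

# 0 if the user exists, is enabled and carries an Argon2 hash; else 1.
check_user_entry() {
  local file="$1" user="$2" pw disabled
  pw=$(user_field "$file" "$user" password)
  disabled=$(user_field "$file" "$user" disabled)
  [ -n "$pw" ]            || { echo "$user: no password field";            return 1; }
  [ "$disabled" = false ] || { echo "$user: not 'disabled: false'";        return 1; }
  is_argon2_phc "$pw"     || { echo "$user: password is not an Argon2 hash"; return 1; }
  echo "$user: ok"
}

# Constructed sample database (hash salt/digest are placeholder base64, not a
# real Authelia output): alice is correct, bob pasted a plaintext password.
write_sample_db() {
  cat > "$1" <<'EOF'
users:
  alice:
    disabled: false
    password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g"
  bob:
    disabled: false
    password: "hunter2"
EOF
}
```

Run `check_user_entry config/users_database.yml your-user-name` against the real file; a non-zero exit means the entry needs fixing before `docker-compose up -d`.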

4. Deploy docker compose stack

docker-compose up -d

The Docker Compose stack deploys Traefik, wg-easy, Authelia and Watchtower, and automatically sets up HTTPS for the domain.

The endpoint for the WireGuard (wg-easy) UI is:

https://wg.<your-sub-domain>.duckdns.org

5. Register 2FA Device

Go to https://wg.<your-sub-domain>.duckdns.org and enter your username and password.

The shipped configuration enforces 2FA. To obtain the first one-time code needed to register a device, click “Register Device” as shown in the image below.

(Image: 2FA Registration)

Authelia is configured with the file-based notifier, so the registration email is written to config/notification.txt instead of being sent; read the one-time code from that file. For example:

cat config/notification.txt
Date: 2024-07-21 14:55:11.30894104 +0000 UTC m=+43.154509640
Recipient: {Test User authelia@authelia.com}
Subject: Confirm your identity
Hi Test User,

This email has been sent to you in order to validate your identity. Purpose: Confirm your identity.

If you did not initiate the process, your credentials might have been compromised and you should:
1. Visit the revocation link.
2. Reset your password or other login credentials.
3. Contact an Administrator.

To confirm your identity, please use the following single-use code: TXQAT55T

This email was generated by a user with the IP XXXXXX.

The following link can be used to revoke the code (this is a logged event): XXXX

Veerendra K

I’m a Senior Site Reliability Engineer, passionate about tech. You can also find my blog posts at https://veerendra2.github.io/