davide/vpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: aggiorna documentazione per wg-easy v15

Browse Source 
Rimuove le istruzioni per generare PASSWORD_HASH, aggiorna la tabella
variabili, descrive il wizard di setup al primo avvio e aggiunge
la raccomandazione di aggiornamento mensile per la sicurezza.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Davide Grilli
2026-05-04 23:58:36 +02:00
parent 2b38127156
commit e177300864
2 changed files with 23 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CLAUDE.md
+7 -10
View File
@@ -11,10 +11,7 @@ A Docker Compose setup for a self-hosted WireGuard VPN server using [wg-easy](ht
```bash
# First-time setup
cp .env.example .env
# Edit .env with WG_HOST, PASSWORD_HASH, TZ
# Generate bcrypt password hash (no extra dependencies)
docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'YourPassword'
# Edit .env: set TZ, optionally WG_PORT / WG_UI_PORT
# Start the VPN
docker compose up -d
@@ -28,20 +25,20 @@ docker compose logs -f wg-easy
## Configuration
All runtime configuration lives in `.env` (not committed). Required variables:
`.env` (not committed) controls only infrastructure-level settings:
| Variable | Description |
|---|---|
| `WG_HOST` | Public IP or DDNS hostname clients connect to |
| `PASSWORD_HASH` | bcrypt hash of the web UI password (prefix `$2a$`, `$2b$`, or `$2y$`) |
| `TZ` | IANA timezone (e.g. `Europe/Rome`) |
| `WG_PORT` | UDP VPN port (default 51820) |
| `WG_UI_PORT` | Web UI port (default 51821) |
Optional: `WG_PORT` (default 51820/udp), `WG_UI_PORT` (default 51821/tcp), `WG_DEFAULT_DNS` (default `1.1.1.1,8.8.8.8`).
**v15+:** Host, password, and DNS are configured through the web UI wizard on first launch — not via environment variables.
## Important constraints
- `wg-data/` is auto-generated by the container on first start and holds live WireGuard keys (`wg0.conf`, `wg0.json`). Never commit it.
- `.env` is gitignored — it holds the password hash and hostname.
- `.env` is gitignored.
- The container requires `NET_ADMIN` and `SYS_MODULE` capabilities plus `net.ipv4.ip_forward=1` sysctl — these are already set in `docker-compose.yml`.
- The router must forward UDP port 51820 (or `WG_PORT`) to the server's local IP.
- `openssl passwd` does **not** support bcrypt — use the Docker method, `htpasswd`, or Python's `bcrypt` library to generate `PASSWORD_HASH`.
- `INSECURE=true` is set in `docker-compose.yml` to allow HTTP access on the local network.