rk1ve

wireguard-adguard

this was a small project that randomly came to mind. essentially i wanted to create my own cloud vpn so that whenever i travel and connect to public wifi, my traffic is encrypted and ads are blocked. this is so that i can offload usage of the cloudflare one vpn. i just wanted more granular control and an ad blocker wherever i go.

i already have this implemented in my home network, but having an always-on ad-blocking network wherever i am is great. the idea made sense in my mind, but to put it into practice i had to think a bit harder. i first thought of deploying it as a docker container, as that is what i am currently doing for adguard. for wireguard i am using pivpn inside an lxc container, but the alternative is wg-easy, which can be deployed in docker.

the first time around i installed them both in separate containers and was able to set up both containers just fine. adguard took a bit of fiddling since my cloud provider is oracle, and it does not like being assigned a port other than 80 for its management interface. i tunnel all my traffic from the vps through cloudflare, so it was a matter of changing the service from port 3000 to port 80 once the install was complete.

in order for adguard to work, you have to disable systemd-resolved so that the container can take charge of dns queries (the stub resolver holds port 53 on 127.0.0.53, so the container cannot bind the port while it is running). this is easy: stop and disable the service. afterwards, check that /etc/resolv.conf no longer points at the 127.0.0.53 stub, otherwise the host itself cannot resolve names.
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

for wg-easy, the docker install was very easy and the management port was easier to change. during setup you give the server either an ip address or a domain name; i chose a domain name so i can point clients at vpn.domain.com.

creating clients is easy and you can control expiration, access, and links. you can also assign dns servers and allowed ips. it has a qr code feature, so adding a client to a mobile device is quick and easy.

the main thing was getting the wireguard clients to use the adguard dns resolver, which took a bit of thinking. eventually i found out that i had to point the clients' dns at the ip address of the adguard home docker container. i have the docker compose file on my github and it is pretty much a copy and paste into docker compose, or into dockge if you use that. since it is a bridged network, the containers sit on their own network, separate from the rest of the vps's local traffic.

i verified it by checking the query log: queries were being logged from the wireguard docker container's ip address, and the traffic matched what was on my phone.
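the query-log check above is worth automating, because the source address in the log is also what tells you whether anyone other than the wireguard container is reaching the resolver (an open resolver on the public interface would show up as a foreign client). this is an added example, not code from the post or from adguard home: it assumes adguard home's querylog.json line format with the fields "T", "QH", "QT", "IP" and "Result.IsFiltered", and the log lines, the wireguard container address 172.18.0.3 and the stray client 203.0.113.7 are all constructed for the example.

```python
import json

# constructed sample lines in the shape of adguard home's querylog.json
# (field names are an assumption about that format, not taken from the post)
SAMPLE_QUERYLOG = """
{"T":"2024-01-01T10:00:01Z","QH":"example.com","QT":"A","IP":"172.18.0.3","Result":{"IsFiltered":false}}
{"T":"2024-01-01T10:00:02Z","QH":"ads.example","QT":"A","IP":"172.18.0.3","Result":{"IsFiltered":true,"Reason":3}}
{"T":"2024-01-01T10:00:03Z","QH":"example.net","QT":"AAAA","IP":"172.18.0.3","Result":{"IsFiltered":false}}
{"T":"2024-01-01T10:00:04Z","QH":"host.example","QT":"A","IP":"203.0.113.7","Result":{"IsFiltered":false}}
"""

# the only client the resolver should ever hear from is the wireguard container
EXPECTED_CLIENTS = {"172.18.0.3"}  # constructed docker bridge address


def summarize_querylog(lines, expected_clients):
    """Group queries by client IP and flag clients outside the expected set.

    Returns (per_client, unexpected) where per_client maps an IP to
    {"total", "blocked", "names"} and unexpected is a sorted list of IPs
    that are not in expected_clients.
    """
    per_client = {}
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        client = entry.get("IP", "?")
        stats = per_client.setdefault(client, {"total": 0, "blocked": 0, "names": set()})
        stats["total"] += 1
        if entry.get("Result", {}).get("IsFiltered"):
            stats["blocked"] += 1
        stats["names"].add(entry.get("QH", ""))
    unexpected = sorted(c for c in per_client if c not in expected_clients)
    return per_client, unexpected


if __name__ == "__main__":
    per_client, unexpected = summarize_querylog(SAMPLE_QUERYLOG, EXPECTED_CLIENTS)
    for client, stats in per_client.items():
        print(f"{client}: {stats['total']} queries, {stats['blocked']} blocked, "
              f"names={sorted(stats['names'])}")
    if unexpected:
        print("queries from unexpected clients:", ", ".join(unexpected))
```

on the real box, feed it the contents of adguard's query log instead of the sample string; every query should come from the wireguard container's address, and anything else means the dns port is reachable from somewhere you did not intend.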

both services have web interfaces, so i blocked access to those behind my cloudflare access policies.

overall, this is pretty intuitive and great for 'hiding' internet traffic and blocking ads wherever you go.

if you want to restrict what peers can reach, you can do it with iptables rules in postup and postdown. i was lazy and instead allowed all public ip address ranges in allowedips, which skips only the private 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 ranges:
0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3
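a list like that is hard to eyeball, so here is an added example (not code from the post) that does two checks on a client config: it computes exactly which parts of the ipv4 space the allowedips list leaves out, and it reports whether each dns server address is inside allowedips, since on wg-quick-style clients a dns address that is not covered is sent over the underlay instead of the tunnel. the allowedips string is the one from the post; the sample client config, its placeholder keys, the tunnel address 10.8.0.2 and the dns address 10.8.1.3 are constructed for the example.

```python
import ipaddress

# the allowedips list from the post, verbatim
ALLOWED_IPS = (
    "0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,"
    "128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,"
    "172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,"
    "192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,"
    "192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3"
)

# constructed wireguard client config (keys are placeholders, addresses invented)
SAMPLE_CONFIG = f"""
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
DNS = 10.8.1.3

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.domain.com:51820
AllowedIPs = {ALLOWED_IPS}
"""


def parse_allowed_ips(text):
    """Turn a comma-separated AllowedIPs string into ip_network objects."""
    return [ipaddress.ip_network(p.strip()) for p in text.split(",") if p.strip()]


def uncovered_ranges(allowed):
    """Return the IPv4 space NOT covered by `allowed`, collapsed to CIDR blocks."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in allowed:
        nxt = []
        for block in remaining:
            if block == net or block.subnet_of(net):
                continue                                   # fully covered: drop it
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))     # carve the hole out
            else:
                nxt.append(block)                          # disjoint: keep as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def routed_via_tunnel(address, allowed):
    """True if `address` falls inside any AllowedIPs entry."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed)


def parse_wg_config(text):
    """Minimal INI-style parser for a single-peer wireguard config."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def audit_client_config(text):
    """Report the uncovered ranges and whether each DNS server is tunnelled."""
    cfg = parse_wg_config(text)
    allowed = parse_allowed_ips(cfg["Peer"]["AllowedIPs"])
    dns_servers = [d.strip() for d in cfg["Interface"].get("DNS", "").split(",") if d.strip()]
    return {
        "uncovered": [str(n) for n in uncovered_ranges(allowed)],
        "dns_tunnelled": {d: routed_via_tunnel(d, allowed) for d in dns_servers},
    }


if __name__ == "__main__":
    report = audit_client_config(SAMPLE_CONFIG)
    print("not routed through the tunnel:", ", ".join(report["uncovered"]))
    for dns, ok in report["dns_tunnelled"].items():
        print(f"dns {dns}: {'inside' if ok else 'OUTSIDE'} allowedips")
```

with the sample config the dns address lands in the excluded 10.0.0.0/8 range and is reported as outside allowedips; when that happens for your real adguard address, add it (as a /32) to the client's allowedips so dns queries take the tunnel and show up in the adguard query log rather than going to whatever resolver the public wifi hands out.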
