From 0a7f83f6e815dfe737a02b103eabb8d07715714b Mon Sep 17 00:00:00 2001
From: Theis
Date: Wed, 21 Jan 2026 13:45:40 +0100
Subject: [PATCH] edited docker compose

---
 docker-compose.prod.yml | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 6813cf0..6547f4f 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -55,6 +55,7 @@ services:
 --address=/frontend/172.25.0.2
 --address=/backend/172.25.0.3
 --address=/database/172.25.0.4
+ --address=/wg-admin/172.25.0.10
 networks:
 ca-lose-internal:
 ipv4_address: 172.25.0.53
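Review bot: The added `--address=/wg-admin/172.25.0.10` hard-codes the same address that the wg-admin service pins under `ipv4_address: 172.25.0.10` (visible as context in the third hunk), and nothing ties the two together; a comment on the new line such as `# must match ipv4_address of the wg-admin service on ca-lose-internal` would make the coupling explicit. Since VPN clients are handed this resolver (`WG_DEFAULT_DNS: "172.25.0.53"` in the second hunk), the admin UI's name now resolves from inside the tunnel, and the FORWARD rules in `WG_POST_UP` do not apply to traffic addressed to the wg-admin container itself, so it is worth confirming that reaching the UI over the tunnel is intended. The enclosing service definition (presumably the dnsmasq service, given the `--address` options) starts before this hunk.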
@@ -67,37 +68,34 @@ services:
 cap_add:
 - NET_ADMIN
 - SYS_MODULE
+ env_file:
+ - wireguard.env
 environment:
 # Sprache
- - LANG=de
+ LANG: de
 # Deine Server-URL/IP
- - WG_HOST=dus3.the1s.de
+ WG_HOST: dus3.the1s.de
 # WireGuard Port (anders als dein bestehender VPN!)
- - WG_PORT=51830
+ WG_PORT: "51830"
 # Web-UI Port (intern)
- - PORT=51821
- # Admin Passwort (als bcrypt hash) - Ändere dies!
- # Generiere einen neuen Hash mit: docker run -it ghcr.io/wg-easy/wg-easy wgpw 'DEIN_PASSWORT'
- #- PASSWORD_HASH="$2a$12$NcTLIp6gMnPoJ9rxSLf1pOEvxtoEfofOsGFUBxIAGoQJ0SbAVxK82"
+ PORT: "51821"
 # Internes Subnetz für VPN-Clients
- - WG_DEFAULT_ADDRESS=10.14.14.x
+ WG_DEFAULT_ADDRESS: 10.14.14.x
 # DNS Server für VPN-Clients (zeigt auf unseren dnsmasq)
- - WG_DEFAULT_DNS=172.25.0.53
+ WG_DEFAULT_DNS: "172.25.0.53"
 # WICHTIG: Nur Zugriff auf das Frontend-Netzwerk erlauben!
- - WG_ALLOWED_IPS=172.25.0.0/24
+ WG_ALLOWED_IPS: 172.25.0.0/24
 # Persistenter Keepalive für NAT
- - WG_PERSISTENT_KEEPALIVE=25
+ WG_PERSISTENT_KEEPALIVE: "25"
 # PostUp/PostDown für Routing - NUR Frontend erlauben
- - WG_POST_UP=iptables -t nat -A POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP
- - WG_POST_DOWN=iptables -t nat -D POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP
+ WG_POST_UP: "iptables -t nat -A POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP"
+ WG_POST_DOWN: "iptables -t nat -D POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP"
 volumes:
 - wireguard-data:/etc/wireguard
 - /lib/modules:/lib/modules:ro
 ports:
- # WireGuard UDP Port
+ # WireGuard UDP Port (öffentlich für VPN-Verbindungen)
 - "51830:51830/udp"
- # Web-UI Port (nur lokal oder über Reverse Proxy!)
- - "0.0.0.0:51831:51821/tcp"
 sysctls:
 - net.ipv4.ip_forward=1
 - net.ipv4.conf.all.src_valid_mark=1
@@ -108,6 +106,8 @@ services:
 networks:
 ca-lose-internal:
 ipv4_address: 172.25.0.10
+ proxynet:
+ ipv4_address: 172.20.0.50
 
 volumes:
 ca-lose_mysql:
@@ -120,3 +120,5 @@ networks:
 config:
 - subnet: 172.25.0.0/24
 gateway: 172.25.0.1
+ proxynet:
+ external: true
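Review bot: In the new `WG_POST_UP` value the blanket `iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT` is appended before the destination-specific ACCEPTs and the final `iptables -A FORWARD -i wg0 -j DROP`, so every tunnel packet leaving via eth0 matches the early ACCEPT and the DROP is never consulted; if eth0 is the ca-lose-internal interface, the "NUR Frontend erlauben" intent stated in the comment directly above is not enforced and all of the 172.25.0.0/24 range routed by `WG_ALLOWED_IPS` is forwardable. The rule text was only moved from list form to mapping form here, so the ordering predates this commit, but the new side is what runs. Removing the `iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT;` segment from `WG_POST_UP` and its `-D` counterpart from `WG_POST_DOWN` leaves the explicit 172.25.0.2 / 172.25.0.53 ACCEPTs and the trailing DROP to do the filtering; with a second network attached in the third hunk the container also has two interfaces, so which one Docker names eth0 should be verified rather than assumed. Separately, the commented-out `PASSWORD_HASH` line is dropped and `env_file: wireguard.env` added, which presumably is where the hash now lives; that file must be kept out of version control, and since bcrypt hashes contain `$`, check how your Compose version treats `$` in env_file values before relying on it.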
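Review bot: With the host publish `"0.0.0.0:51831:51821/tcp"` removed in the second hunk, the web UI on `PORT: "51821"` is now reachable only through the container's networks, and this hunk attaches it to the external `proxynet` at 172.20.0.50, so every container on that shared network can reach the UI directly while this file shows nothing of what fronts it. A comment on the new `proxynet:` entry naming the reverse proxy and its responsibilities would document the new trust boundary, e.g. `# Web UI (51821) is fronted by the reverse proxy on proxynet; no host port is published`. The fixed `ipv4_address: 172.20.0.50` also depends on the subnet of a network this file only declares as `external: true` (fourth hunk); if the address is outside that network's IPAM range the service will fail to start, so the expected subnet is worth noting next to the address.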