How to Deploy Wireguard-Easy on Coolify with CloudFlare SSL

Author: Hachiro

Introduction

This guide provides a clear, step-by-step process to deploy Wireguard-Easy on Coolify. You'll configure a secure VPN server with:

  • A password-protected, SSL-encrypted web interface.
  • A VPN server for handling connections.

Follow the steps below to get up and running quickly.

Prerequisites

Before you start, ensure you have:

  • A server with Coolify installed (installation guide)
  • A domain with an A record pointing to your server's public IP address.

Step 1: Initial Setup in Coolify

  1. Log into your Coolify dashboard.
  2. Create a new project.
  3. Click "Create new resource."
  4. In the services section, search for "Wireguard easy."
  5. Select and create a new instance.

Step 2: Domain Configuration

By default, Coolify assigns an sslip.io domain if a custom domain isn't provided. To use your domain:

  1. Replace the default sslip.io domain with your custom domain.
  2. Keep the port at the end of the URL. Feel free to change it to any port you want.

  3. The URL format should be:

    https://vpn.yourdomain.com:PORT

IMPORTANT

The port here maps to the container's internal port. See the Coolify Docker Compose for mapping details.

Step 3: Docker Compose Configuration

To separate the web interface from the VPN server, edit the Compose file with this configuration:

services:
  wg-easy:
    image: 'ghcr.io/wg-easy/wg-easy:latest'
    environment:
      - SERVICE_FQDN_WIREGUARDEASY_8000 # Can be left unchanged even if using a different port
      - WG_HOST=143.198.87.64 # Replace with your server's IP or domain
      - 'LANG=${LANG:-en}'
      - PORT=8000 # Web GUI port. Must be the same as the domain port we set earlier.
      - WG_PORT=51820 # VPN server port
    volumes:
      - 'wg-easy:/etc/wireguard'
    ports:
      - '51820:51820/udp' # VPN port mapping
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1

NOTE

If you change the web port, update it in the domain settings.

Step 4: Security Setup

Protect your web interface with password authentication:

  1. Generate a bcrypt hash for your desired password. Refer to the bcrypt guide.
  2. Add the generated hash to your environment variables, enclosed in single quotes, and insert an additional $ before each existing $ symbol. Compose treats a single $ as the start of a variable reference, while $$ yields a literal $.

environment:
  - 'PASSWORD_HASH=your_bcrypt_hash_here'

WARNING

There is a known issue (Coolify Issue #3946).

  • Make sure to enclose the PASSWORD_HASH value in single quotes.
  • If a "/" character causes an error, generate a new hash without slashes.

Example working hash:

docker run --rm -it ghcr.io/wg-easy/wg-easy wgpw 'test'
PASSWORD_HASH='$2a$12$6dSABWhC0oU9dLpls/2v7uGZ3wSPSyQ0FMCd4esDf1eMQvuvp.gay'
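
The escaping from Step 4 as a script: an added example, not part of the original guide or of wg-easy. It takes the line that wgpw prints, checks that it is a well-formed bcrypt string, and emits the Compose entry with every $ doubled. Function names are hypothetical; the sample input is the example hash shown above.

```shell
#!/bin/sh
# Added example: turn wgpw output into a Compose-safe PASSWORD_HASH entry.
# Function names are hypothetical; the sample is the example hash shown above.

SAMPLE_HASH='$2a$12$6dSABWhC0oU9dLpls/2v7uGZ3wSPSyQ0FMCd4esDf1eMQvuvp.gay'
SAMPLE_LINE="PASSWORD_HASH='$SAMPLE_HASH'"

# Strip the PASSWORD_HASH='...' wrapper that wgpw prints.
extract_hash() {
  h=${1#PASSWORD_HASH=}
  h=${h#\'}
  h=${h%\'}
  printf '%s\n' "$h"
}

# bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt and digest.
is_bcrypt() {
  printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Double every "$" so Compose keeps it literal instead of interpolating it.
compose_escape() {
  printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Succeeds only if every "$" in a Compose value belongs to a "$$" pair.
compose_value_ok() {
  rest=$(printf '%s\n' "$1" | sed 's/\$\$//g')
  case $rest in *'$'*) return 1 ;; *) return 0 ;; esac
}

# Validate the wgpw output line and print the environment entry to paste.
compose_env_line() {
  raw=$(extract_hash "$1")
  is_bcrypt "$raw" || { echo "error: not a bcrypt hash" >&2; return 1; }
  case $raw in
    */*) echo "note: hash contains '/'; regenerate if Coolify rejects it" >&2 ;;
  esac
  printf "  - 'PASSWORD_HASH=%s'\n" "$(compose_escape "$raw")"
}

compose_env_line "$SAMPLE_LINE"
```

Running compose_value_ok against the PASSWORD_HASH value already in a Compose file catches a hash where one $ was left undoubled before you deploy.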

Step 5: Deploy and Verify

  1. Save your changes and click "Deploy" in Coolify.
  2. Wait for the deployment to complete.
  3. Access your web interface via the domain we set earlier, e.g. https://vpn.yourdomain.com

NOTE

If you encounter environment variable errors, go to the "Environment Variables" settings and remove any unwanted environment variables.

Troubleshooting

Web Interface Access

  • Verify that the port (default 8000, or custom) is open.
  • Check your CloudFlare SSL settings and DNS configurations.

VPN Connection Issues

  • Ensure the UDP port 51820 is accessible.
  • Confirm that WG_HOST is set correctly.
  • Review your server's firewall rules.

SSL and DNS

  • Turn on the proxy status in the Cloudflare DNS settings.
  • Set CloudFlare SSL/TLS mode to "Full."
  • Double-check your subdomain's SSL activation.
  • Allow time for DNS propagation.

Conclusion

You now have a secure, scalable VPN solution with:

  • A secure, password-protected web interface
  • Customizable port configuration
  • SSL security via CloudFlare
  • Direct VPN connectivity

For advanced customizations, refer to the Wireguard-Easy documentation and the Coolify knowledge base.

Complete Configuration Reference

Here's a Docker configuration with password protection and secure defaults:

services:
  wg-easy:
    image: 'ghcr.io/wg-easy/wg-easy:latest'
    environment:
      - SERVICE_FQDN_WIREGUARDEASY_8000
      - 'WG_HOST=${SERVICE_FQDN_WIREGUARDEASY}'
      - 'LANG=${LANG:-en}'
      - PORT=8000
      - WG_PORT=51820
      - 'PASSWORD_HASH=$$2a$$12$$6UiAAgasdONLsZ6kbasdsdytYKzIUEjm3nkqxiv7V6rzfLCOUGW' # every $ in the hash is doubled
    volumes:
      - 'wg-easy:/etc/wireguard'
    ports:
      - '51820:51820/udp'
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1

Next Steps

After deployment, you can:

  1. Add new VPN clients through the web interface
  2. Monitor connected devices and their data usage
  3. Generate QR codes for easy mobile device configuration
  4. Set up automatic backups of your WireGuard configuration

If you need help, feel free to ask in the comments below.

Happy deploying!