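Introduction

An earlier article covered how to set up a WireGuard VPN with AdGuard ad blocking, deployed with Docker Compose. Newer versions of WireGuard (the wg-easy image), however, no longer use PASSWORD. If the deployment fails with the error below, use the PASSWORD_HASH hash value instead, which improves security.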

wg-easy      | Node.js v20.17.0
wg-easy      | /app/lib/Server.js:311
wg-easy      |       throw new Error('DO NOT USE PASSWORD ENVIRONMENT VARIABLE. USE PASSWORD_HASH INSTEAD.\nSee https://github.com/wg-easy/wg-easy/blob/master/How_to_generate_an_bcrypt_hash.md');
wg-easy      |       ^
wg-easy      |
wg-easy      | Error: DO NOT USE PASSWORD ENVIRONMENT VARIABLE. USE PASSWORD_HASH INSTEAD.
wg-easy      | See https://github.com/wg-easy/wg-easy/blob/master/How_to_generate_an_bcrypt_hash.md
wg-easy      |     at new Server (/app/lib/Server.js:311:13)
wg-easy      |     at Object.<anonymous> (/app/services/Server.js:5:18)
wg-easy      |     at Module._compile (node:internal/modules/cjs/loader:1469:14)
wg-easy      |     at Module._extensions..js (node:internal/modules/cjs/loader:1548:10)
wg-easy      |     at Module.load (node:internal/modules/cjs/loader:1288:32)
wg-easy      |     at Module._load (node:internal/modules/cjs/loader:1104:12)
wg-easy      |     at Module.require (node:internal/modules/cjs/loader:1311:19)
wg-easy      |     at require (node:internal/modules/helpers:179:18)
wg-easy      |     at Object.<anonymous> (/app/server.js:3:1)
wg-easy      |     at Module._compile (node:internal/modules/cjs/loader:1469:14)

Generating the hash

Use wg-easy's wgpw command to generate the hash. The example below uses the login password apple123:

$ docker run -it ghcr.io/wg-easy/wg-easy wgpw apple123
PASSWORD_HASH='$2a$12$3SqIVeJWRE2wnM8ryXWjsOR01YCHWD.8mb9owL46juxkTOvCnXyT6'

The hash of apple123 is: $2a$12$3SqIVeJWRE2wnM8ryXWjsOR01YCHWD.8mb9owL46juxkTOvCnXyT6

Modifying docker-compose.yml

Change every dollar sign $ in the hash to $$

So it becomes: $$2a$$12$$3SqIVeJWRE2wnM8ryXWjsOR01YCHWD.8mb9owL46juxkTOvCnXyT6

Then write the modified value into PASSWORD_HASH.

services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    environment:
      - LANG=cht
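      # WG_HOST: 公網IP is a placeholder, replace it with the server's public IP
      - WG_HOST=公網IP
      # Escaped hash: every $ doubled, no surrounding quotes
      - PASSWORD_HASH=$$2a$$12$$xkGUzsl56OYJqxdhebh7jegTW753ox6MArlr13DZiSibT3fOuZrBe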
      - PORT=51821
      - WG_PORT=51820
    volumes:
      - ./wg-easy:/etc/wireguard
    ports:
      - 51820:51820/udp
      - 51821:51821/tcp
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped

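Restart WireGuard and enter the password apple123; the login should now succeed.

If the login shows Unauthorized, the password is wrong. Go back and check that the hash is correct and was modified successfully. Also, there must be no single quote ' after PASSWORD_HASH=

References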
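The escaping step and the two Unauthorized causes above can be checked mechanically. The following is an added example, not code from the original post or from the wg-easy project; the function names compose_escape_hash and lint_compose_line are hypothetical, and the sample hash is the one printed for apple123 on this page.

```shell
#!/bin/sh
# bcrypt string: $2a/$2b/$2y prefix, two-digit cost, 53 chars of salt+digest.
BCRYPT_RE='^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'

is_bcrypt() { printf '%s\n' "$1" | grep -Eq "$BCRYPT_RE"; }

# compose_escape_hash "<line printed by wgpw, or a raw hash>"
# Prints the hash with every $ doubled; fails if it is not a bcrypt hash.
compose_escape_hash() (
  h=${1#PASSWORD_HASH=}          # drop the variable name wgpw prints
  h=${h#\'}; h=${h%\'}           # drop the surrounding single quotes
  is_bcrypt "$h" || { echo "not a bcrypt hash" >&2; exit 1; }
  printf '%s\n' "$h" | sed 's/\$/$$/g'
)

# lint_compose_line "<PASSWORD_HASH line from docker-compose.yml>"
# Prints ok, or the reason the stored value cannot match at login.
lint_compose_line() (
  v=${1#*PASSWORD_HASH=}
  case $v in *\'*|*\"*) echo "quoted"; exit 1 ;; esac
  # Any $ left after removing the $$ pairs would be interpolated by Compose.
  rest=$(printf '%s\n' "$v" | sed 's/\$\$//g')
  case $rest in *\$*) echo "unescaped-dollar"; exit 1 ;; esac
  # Compose turns $$ back into $; the result must be a bcrypt hash.
  plain=$(printf '%s\n' "$v" | sed 's/\$\$/$/g')
  is_bcrypt "$plain" || { echo "not-bcrypt"; exit 1; }
  echo "ok"
)

# Demo with the hash shown on this page for apple123.
compose_escape_hash "PASSWORD_HASH='\$2a\$12\$3SqIVeJWRE2wnM8ryXWjsOR01YCHWD.8mb9owL46juxkTOvCnXyT6'"
# A line where the $ signs were not doubled is reported.
lint_compose_line '- PASSWORD_HASH=$2a$12$3SqIVeJWRE2wnM8ryXWjsOR01YCHWD.8mb9owL46juxkTOvCnXyT6' || true
```
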

https://github.com/wg-easy/wg-easy/blob/master/How_to_generate_an_bcrypt_hash.md