Subspace is a simple opensource WireGuard VPN server graphical user interface(GUI). You can install subspace directly on your server which would allow you to track and create client configurations.

Subspace is an open-source, self-hosted front end GUI (graphical user interface) for the Wireguard VPN system on the server-side. Once set up it provides a browser-accessible system to track clients and create client configurations for connecting to the server.

Some of the features of Subspace are:

  • WireGuard VPN Protocol.
  • Single Sign-On (SSO) with SAML.
  • Add new devices, connect from Mac OS X, Windows, Linux, Android, or iOS.
  • Remove Devices, removes client key, and disconnect clients.
  • Auto-generated Configs.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers

Prerequisites

In order to complete this guide, you will first need to perform the following tasks on your Ubuntu 18.04 Droplet:

Step 1 — Install WireGuard

First, update your existing list of packages:

  • sudo apt update

Add the WireGuard PPA to the system to configure access to the project’s packages:

  • sudo add-apt-repository -y ppa:wireguard/wireguard

Once the PPA has been added, update the local package index to pull down information about the newly available packages and then install the WireGuard kernel module and userland components:

  • sudo apt update
  • sudo apt install wireguard-dkms wireguard-tools

Remove dnsmasq because it will run inside the container:

  • sudo apt remove -y dnsmasq

Disable systemd-resolved if it blocks port 53.

  • sudo systemctl disable systemd-resolved
  • sudo systemctl stop systemd-resolved

After that setup CloudFlare as your DNS server:

echo nameserver 1.1.1.1 | sudo tee /etc/resolv.conf

Step 2 — WireGuard modules

In order to load the required WireGuard modules you need to run the following commands:

  • sudo modprobe wireguard
  • sudo modprobe iptable_nat
  • sudo modprobe ip6table_nat

Once the modules have been enabled you need to run the following commands in order to enable the modules when the server gets rebooted:

  • echo "wireguard" | sudo tee /etc/modules-load.d/wireguard.conf
  • echo "iptable_nat" | sudo tee /etc/modules-load.d/iptable_nat.conf
  • echo "ip6table_nat" | sudo tee /etc/modules-load.d/ip6table_nat.conf

Finally check if systemd-modules-load service is active:

sudo systemctl status systemd-modules-load.service

Step 3 - Enable packet Packet forwarding

In order to get WireGuired to work as expected, we need to make sure that package forwarding is enabled. Packet forwarding means allowing packets to go from one network to another.

To do that you need to run the following commands:

  • sudo sysctl -w net.ipv4.ip_forward=1
  • sudo sysctl -w net.ipv6.conf.all.forwarding=1

Step 4 - Configure Domain name DNS

In order to use Let’s Encrypt and secure our Subspace instance, we need to make sure that we have a domain name that points to our Droplet’s IP address.

To do that make sure to create a DNS A record for your domain or subdomain name and point it to your server’s IP address.

Example:

subspace.your_domain.com A 172.16.1.1

Step 5 - Firewall Rules

As subspace runs a TLS (“SSL”) https server on port 443/tcp and a standard web server on port 80/tcp, we need to make sure that the two ports are open for incoming TCP traffic via our firewall. To do that run the following commands

  • sudo ufw allow 80
  • sudo ufw allow 443

Also, as port 51820/udp is the default WireGurad port, we need to make sure that it is open as well:

  • sudo ufw allow 51820/udp

Next, we need to start the subspace Docker container.

Step 6 - Start subspace

Your data directory should be bind-mounted as /data inside the container using the --volume flag.

  • sudo mkdir /data

After that, we need to create our container. Make sure to change the --env SUBSPACE_HTTP_HOST to your domain name which is pointing to your Droplet.

docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /usr/bin/wg:/usr/bin/wg \
    --volume /data:/data \
    --volume /lib/x86_64-linux-gnu/libc.so.6:/lib/x86_64-linux-gnu/libc.so.6:ro \
    --volume /lib64/ld-linux-x86-64.so.2:/lib64/ld-linux-x86-64.so.2:ro \
    --env SUBSPACE_HTTP_HOST="subspace.example.com" \
    --env SUBSPACE_NAMESERVER="1.1.1.1" \
    subspacecommunity/subspace:latest

Then start your container:

  • sudo docker start subspace

You can also check the logs of your container to make sure that it starts as expected:

  • sudo docker logs subspace

Then visit your domain name via your browser and you will be able to see your subspace installation!

Conclusion

The subspacecommunity/subspace project is community maintained and is a fork of the simple WireGuard VPN server GUI. If you notice any problems feel free to submit an issue or a pull request!

Hope that this helps!
Regards,
Bobby

by Justin Ellingwood
When you first create a new Ubuntu 18.04 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent...
  • Hi Bobby,

    I noticed that the DNS A record for to the server has a private IP address (Step 4). Will the SSL still work if it’s pointed to a public IP address which is then forwarded to the private IP?

    That is the setup I am currently trying but I’m getting an SSL internal error.

    • Hi there @whizzard,

      I would recommend using the public IP so that Let’s Encrypt could validate your domain name.

      Let me know how it goes!
      Regards,
      Bobby

      • Is it possible to do this without the the SSL?

        • Hi there @whizzard,

          I have not tested it without an SSL certificate, but if you don’t have a domain name that you could use, I could suggest using Freenom and getting a free domain name for 1 year.

          Then you can point the domina name to your DigitalOcean Droplet and issue a Let’s Encrypt certificate.

          You can follow the steps on how to do that here.

          Regards,
          Bobby

That’s what I used but I keep getting a “ERRSSLPROTOCOL_ERROR” or

“*Secure Connection Failed

An error occurred during a connection to subdomain.example.com. Peer reports it experienced an internal error.

Error code: SSLERRORINTERNALERRORALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.*"

Depending on browser used.

  • Hi there @whizzard,

    Have you tried checking the docker container logs for more information on what the actual error is? To do so run the following command:

    • docker logs container_id

    Regards,
    Bobby

    • I am seeing a repeat of errors like this:

      2020/08/16 20:02:44 http: TLS handshake error from 192.168.0.143:34861: autocert: host “xxx.xxx.xxx(localIPaddress)” not permitted by HostPolicy
      2020/08/16 20:04:33 http: TLS handshake error from 192.168.0.1:27850: acme/autocert: missing server name
      2020/08/16 20:15:24 http: TLS handshake error from 192.168.0.1:37772: acme/autocert: missing server name
      2020/08/16 20:30:44 http: TLS handshake error from 192.168.0.1:55774: autocert: host “xxx.xxx.xxx (publicIPaddress)” not permitted by HostPolicy
      2020/08/16 20:44:37 http: TLS handshake error from 192.168.0.1:53983: acme/autocert: missing server name
      2020/08/16 20:57:49 http: TLS handshake error from xxx.xxx.xxx(gatewayIP):65168: tls: first record does not look like a TLS handshake
      2020/08/16 21:46:25 http: TLS handshake error from 192.168.0.1:18111: acme/autocert: missing server name
      2020/08/16 23:17:46 http: TLS handshake error from 192.168.0.1:46534: tls: unsupported SSLv2 handshake received
      2020/08/17 00:02:24 http: TLS handshake error from 192.168.0.143:4958: EOF
      2020/08/17 00:02:45 http: TLS handshake error from 192.168.0.1:65451: acme/autocert: unable to satisfy “https://acme-v02.api.letsencrypt.org/acme/authz-v3/6583826515” for domain “subspace.fitzwilliamstone.com”: no viable challenge type found
      2020/08/17 00:02:45 http: TLS handshake error from 192.168.0.143:5304: autocert: host “xxx.xxx.xxx(local
      IP_address)” not permitted by HostPolicy
      2020/08/17 01:50:40 http: TLS handshake error from 192.168.0.1:32988: acme/autocert: missing server name

403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

someone forgot to update subspace ACME client…

Submit an Answer