diff --git a/README.md b/README.md index d937b473..9192974a 100644 --- a/README.md +++ b/README.md @@ -1,261 +1,74 @@ # WireGuard Portal (v2 - testing) -[![Build Status](https://github.com/h44z/wg-portal/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/h44z/wg-portal/actions) +[![Build Status](https://github.com/h44z/wg-portal/actions/workflows/docker-publish.yml/badge.svg?event=push)](https://github.com/h44z/wg-portal/actions/workflows/docker-publish.yml) [![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](https://opensource.org/licenses/MIT) -![GitHub last commit](https://img.shields.io/github/last-commit/h44z/wg-portal) +![GitHub last commit](https://img.shields.io/github/last-commit/h44z/wg-portal/master) [![Go Report Card](https://goreportcard.com/badge/github.com/h44z/wg-portal)](https://goreportcard.com/report/github.com/h44z/wg-portal) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/h44z/wg-portal) ![GitHub code size in bytes](https://img.shields.io/github/languages/code-size/h44z/wg-portal) [![Docker Pulls](https://img.shields.io/docker/pulls/h44z/wg-portal.svg)](https://hub.docker.com/r/wgportal/wg-portal/) -> :warning: **IMPORTANT** Version 2 is currently under development and may contain bugs. It is currently not advised to use this version -in production. Use version [v1](https://github.com/h44z/wg-portal/tree/stable) instead. +> [!CAUTION] +> Version 2 is currently under development and may contain bugs and breaking changes. +> It is not advised to use this version in production. Use version [v1](https://github.com/h44z/wg-portal/tree/stable) instead. -Since the project was accepted by the Docker-Sponsored Open Source Program, the Docker image location has moved to: https://hub.docker.com/r/wgportal/wg-portal. -Please update the Docker image from **h44z/wg-portal** to **wgportal/wg-portal**. +> [!IMPORTANT] +> Since the project was accepted by the Docker-Sponsored Open Source Program, the Docker image location has moved to [wgportal/wg-portal](https://hub.docker.com/r/wgportal/wg-portal). +> Please update the Docker image from **h44z/wg-portal** to **wgportal/wg-portal**. -A simple, web based configuration portal for [WireGuard](https://wireguard.com). +## Introduction + +**WireGuard Portal** is a simple, web-based configuration portal for [WireGuard](https://wireguard.com) server management. The portal uses the WireGuard [wgctrl](https://github.com/WireGuard/wgctrl-go) library to manage existing VPN -interfaces. This allows for seamless activation or deactivation of new users, without disturbing existing VPN +interfaces. This allows for the seamless activation or deactivation of new users without disturbing existing VPN connections. -The configuration portal supports using a database (SQLite, MySQL, MsSQL or Postgres), OAuth or LDAP (Active Directory or OpenLDAP) as a user source for authentication and profile data. - +The configuration portal supports using a database (SQLite, MySQL, MsSQL or Postgres), OAuth or LDAP +(Active Directory or OpenLDAP) as a user source for authentication and profile data. ## Features - * Self-hosted - the whole application is a single binary - * Responsive web UI written in Vue.JS - * Automatically select IP from the network pool assigned to client - * QR-Code for convenient mobile client configuration - * Sent email to client with QR-code and client config - * Enable / Disable clients seamlessly - * Generation of wg-quick configuration file (`wgX.conf`) if required - * User authentication (database, OAuth or LDAP) - * IPv6 ready - * Docker ready - * Can be used with existing WireGuard setups - * Support for multiple WireGuard interfaces - * Peer Expiry Feature - * Handle route and DNS settings like wg-quick does - * Exposes Prometheus [metrics](#metrics) - * REST API for management and client deployment - -![Screenshot](screenshot.png) - - -## Configuration -You can configure WireGuard Portal using a yaml configuration file. -The filepath of the yaml configuration file defaults to **config/config.yml** in the working directory of the executable. -It is possible to override the configuration filepath using the environment variable **WG_PORTAL_CONFIG**. -For example: `WG_PORTAL_CONFIG=/home/test/config.yml ./wg-portal-amd64`. -Also, environment variable substitution in config file is supported. Refer to [syntax](https://github.com/a8m/envsubst?tab=readme-ov-file#docs) - -By default, WireGuard Portal uses a SQLite database. The database is stored in **data/sqlite.db** in the working directory of the executable. - -### Configuration Options -The following configuration options are available: - -| configuration key | parent key | default_value | description | -|----------------------------------|------------|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------| -| admin_user | core | admin@wgportal.local | The administrator user. This user will be created as default admin if it does not yet exist. | -| admin_password | core | wgportal | The administrator password. If unchanged, a random password will be set on first startup. | -| editable_keys | core | true | Allow to edit key-pairs in the UI. | -| create_default_peer | core | false | If an LDAP user logs in for the first time and has no peers associated, a new WireGuard peer will be created for all server interfaces. | -| create_default_peer_on_creation | core | false | If an LDAP user is created (e.g. through LDAP sync), a new WireGuard peer will be created for all server interfaces. | -| re_enable_peer_after_user_enable | core | true | Re-enable all peers that were previously disabled due to a user disable action. | -| delete_peer_after_user_deleted | core | false | Delete all linked peers if a user gets disabled. Otherwise the peers only get disabled. | -| self_provisioning_allowed | core | false | Allow registered users to automatically create peers via their profile page. | -| import_existing | core | true | Import existing WireGuard interfaces and peers into WireGuard Portal. | -| restore_state | core | true | Restore the WireGuard interface state after WireGuard Portal has started. | -| log_level | advanced | info | The loglevel, can be one of: trace, debug, info, warn, error. | -| log_pretty | advanced | false | Uses pretty, colorized log messages. | -| log_json | advanced | false | Logs in JSON format. | -| start_listen_port | advanced | 51820 | The first port number that will be used as listening port for new interfaces. | -| start_cidr_v4 | advanced | 10.11.12.0/24 | The first IPv4 subnet that will be used for new interfaces. | -| start_cidr_v6 | advanced | fdfd:d3ad:c0de:1234::0/64 | The first IPv6 subnet that will be used for new interfaces. | -| use_ip_v6 | advanced | true | Enable IPv6 support. | -| config_storage_path | advanced | | If a wg-quick style configuration should be stored to the filesystem, specify a storage directory. | -| expiry_check_interval | advanced | 15m | The interval after which existing peers will be checked if they expired. | -| rule_prio_offset | advanced | 20000 | The default offset for ip route rule priorities. | -| route_table_offset | advanced | 20000 | The default offset for ip route table id's. | -| api_admin_only | advanced | true | This flag specifies if the public REST API is available to administrators only. The API Swagger documentation is available under /api/v1/doc.html | -| use_ping_checks | statistics | true | If enabled, peers will be pinged periodically to check if they are still connected. | -| ping_check_workers | statistics | 10 | Number of parallel ping checks that will be executed. | -| ping_unprivileged | statistics | false | If set to false, the ping checks will run without root permissions (BETA). | -| ping_check_interval | statistics | 1m | The interval time between two ping check runs. | -| data_collection_interval | statistics | 1m | The interval between the data collection cycles. | -| collect_interface_data | statistics | true | A flag to enable interface data collection like bytes sent and received. | -| collect_peer_data | statistics | true | A flag to enable peer data collection like bytes sent and received, last handshake and remote endpoint address. | -| collect_audit_data | statistics | true | If enabled, some events, like portal logins, will be logged to the database. | -| listening_address | statistics | :8787 | The listening address of the Prometheus metric server. | -| host | mail | 127.0.0.1 | The mail-server address. | -| port | mail | 25 | The mail-server SMTP port. | -| encryption | mail | none | SMTP encryption type, allowed values: none, tls, starttls. | -| cert_validation | mail | false | Validate the mail server certificate (if encryption tls is used). | -| username | mail | | The SMTP user name. | -| password | mail | | The SMTP password. | -| auth_type | mail | plain | SMTP authentication type, allowed values: plain, login, crammd5. | -| from | mail | Wireguard Portal | The address that is used to send mails. | -| link_only | mail | false | Only send links to WireGuard Portal instead of the full configuration. | -| oidc | auth | Empty Array - no providers configured | A list of OpenID Connect providers. See auth/oidc properties to setup a new provider. | -| oauth | auth | Empty Array - no providers configured | A list of plain OAuth providers. See auth/oauth properties to setup a new provider. | -| ldap | auth | Empty Array - no providers configured | A list of LDAP providers. See auth/ldap properties to setup a new provider. | -| provider_name | auth/oidc | | A unique provider name. This name must be unique throughout all authentication providers (even other types). | -| display_name | auth/oidc | | The display name is shown at the login page (the login button). | -| base_url | auth/oidc | | The base_url is the URL identifier for the service. For example: "https://accounts.google.com". | -| client_id | auth/oidc | | The OAuth client id. | -| client_secret | auth/oidc | | The OAuth client secret. | -| extra_scopes | auth/oidc | | Extra scopes that should be used in the OpenID Connect authentication flow. | -| field_map | auth/oidc | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department, is_admin and user_groups. | -| admin_mapping | auth/oidc | | Contains regex values admin_value_regex and admin_group_regex to map the is_admin field and user_groups respectively. | -| registration_enabled | auth/oidc | | If registration is enabled, new user accounts will created in WireGuard Portal. | -| log_user_info | auth/oidc | | If true, the user info retrieved from the OIDC provider will be logged in trace level. | -| provider_name | auth/oauth | | A unique provider name. This name must be unique throughout all authentication providers (even other types). | -| display_name | auth/oauth | | The display name is shown at the login page (the login button). | -| client_id | auth/oauth | | The OAuth client id. | -| client_secret | auth/oauth | | The OAuth client secret. | -| auth_url | auth/oauth | | The URL for the authentication endpoint. | -| token_url | auth/oauth | | The URL for the token endpoint. | -| user_info_url | auth/oauth | | The URL for the user information endpoint. | -| scopes | auth/oauth | | OAuth scopes. | -| field_map | auth/oauth | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin and user_groups. | -| admin_mapping | auth/oauth | | Contains regex values admin_value_regex and admin_group_regex to map the is_admin field and user_groups respectively. | -| registration_enabled | auth/oauth | | If registration is enabled, new user accounts will created in WireGuard Portal. | -| log_user_info | auth/oauth | | If true, the user info retrieved from the OAuth provider will be logged in trace level. | -| url | auth/ldap | | The LDAP server url. For example: ldap://srv-ad01.company.local:389 | -| start_tls | auth/ldap | | Use STARTTLS to encrypt LDAP requests. | -| cert_validation | auth/ldap | | Validate the LDAP server certificate. | -| tls_certificate_path | auth/ldap | | A path to the TLS certificate. | -| tls_key_path | auth/ldap | | A path to the TLS key. | -| base_dn | auth/ldap | | The base DN for searching users. For example: DC=COMPANY,DC=LOCAL | -| bind_user | auth/ldap | | The bind user. For example: company\\ldap_wireguard | -| bind_pass | auth/ldap | | The bind password. | -| field_map | auth/ldap | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and memberof. | -| login_filter | auth/ldap | | LDAP filters for users that should be allowed to log in. {{login_identifier}} will be replaced with the login username. | -| admin_group | auth/ldap | | Users in this group are marked as administrators. | -| disable_missing | auth/ldap | | If synchronization is enabled, missing LDAP users will be disabled in WireGuard Portal. | -| auto_re_enable | auth/ldap | | If auto re-enable is true, users that where disabled because they were missing will be re-enabled once they are found again. | -| sync_filter | auth/ldap | | LDAP filters for users that should be synchronized to WireGuard Portal. | -| sync_interval | auth/ldap | | The time interval after which users will be synchronized from LDAP. Empty value or `0` disables synchronization. | -| registration_enabled | auth/ldap | | If registration is enabled, new user accounts will created in WireGuard Portal. | -| log_user_info | auth/ldap | | If true, the user info retrieved from the LDAP provider will be logged in trace level. | -| debug | database | false | Debug database statements (log each statement). | -| slow_query_threshold | database | | A threshold for slow database queries. If the threshold is exceeded, a warning message will be logged. | -| type | database | sqlite | The database type. Allowed values: sqlite, mssql, mysql or postgres. | -| dsn | database | data/sqlite.db | The database DSN. For example: user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local | -| request_logging | web | false | Log all HTTP requests. | -| external_url | web | http://localhost:8888 | The URL where a client can access WireGuard Portal. | -| listening_address | web | :8888 | The listening port of the web server. | -| session_identifier | web | wgPortalSession | The session identifier for the web frontend. | -| session_secret | web | very_secret | The session secret for the web frontend. | -| csrf_secret | web | extremely_secret | The CSRF secret. | -| site_title | web | WireGuard Portal | The title that is shown in the web frontend. | -| site_company_name | web | WireGuard Portal | The company name that is shown at the bottom of the web frontend. | -| cert_file | web | | (Optional) Path to the TLS certificate file | -| key_file | web | | (Optional) Path to the TLS certificate key file | - -A sample config file can be found in the repository: [config.yml.sample](config.yml.sample). -More detailed information about the configuration can be found in the [documentation](https://wgportal.org/master/documentation/overview/) on [wgportal.org](https://wgportal.org/master/documentation/overview/). - - -## Upgrading from V1 - -> :warning: Before upgrading from V1, make sure that you have a backup of your currently working configuration files and database! - -To start the upgrade process, start the wg-portal binary with the **-migrateFrom** parameter. -The configuration (config.yml) for WireGuard Portal must be updated and valid before starting the upgrade. - -To upgrade from a previous SQLite database, start wg-portal like: - -```shell -./wg-portal-amd64 -migrateFrom=old_wg_portal.db -``` - -You can also specify the database type using the parameter **-migrateFromType**, supported types: mysql, mssql, postgres or sqlite. -For example: - -```shell -./wg-portal-amd64 -migrateFromType=mysql -migrateFrom=user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local -``` - -The upgrade will transform the old, existing database and store the values in the new database specified in config.yml. -Ensure that the new database does not contain any data! +* Self-hosted - the whole application is a single binary +* Responsive multi-language web UI written in Vue.JS +* Automatically selects IP from the network pool assigned to the client +* QR-Code for convenient mobile client configuration +* Sends email to the client with QR-code and client config +* Enable / Disable clients seamlessly +* Generation of wg-quick configuration file (`wgX.conf`) if required +* User authentication (database, OAuth, or LDAP) +* IPv6 ready +* Docker ready +* Can be used with existing WireGuard setups +* Support for multiple WireGuard interfaces +* Peer Expiry Feature +* Handles route and DNS settings like wg-quick does +* Exposes Prometheus metrics for monitoring and alertingt +* REST API for management and client deployment + + +![Screenshot](docs/assets/images/screenshot.png) + +## Documentation + +For the complete documentation visit [wgportal.org](https://wgportal.org). ## V2 TODOs - * Audit UI - -## Building - -To build a standalone application, use the Makefile provided in the repository. -Go version 1.23 or higher has to be installed to build WireGuard Portal. -If you want to re-compile the frontend, NodeJS 18 and NPM >= 9 is required. - -```shell -# build the frontend -make frontend - -# build the binary -make build -``` +* Audit UI ## What is out of scope - * Automatic generation or application of any `iptables` or `nftables` rules. - * Support for operating systems other than linux. - * Automatic import of private keys of an existing WireGuard setup. +* Automatic generation or application of any `iptables` or `nftables` rules. +* Support for operating systems other than linux. +* Automatic import of private keys of an existing WireGuard setup. ## Application stack - * [wgctrl-go](https://github.com/WireGuard/wgctrl-go) and [netlink](https://github.com/vishvananda/netlink) for interface handling - * [Gin](https://github.com/gin-gonic/gin), HTTP web framework written in Go - * [Bootstrap](https://getbootstrap.com/), for the HTML templates - * [Vue.JS](https://vuejs.org/), for the frontend - -## Metrics - -Metrics are available if interface/peer statistic data collection is enabled. - -Add following scrape job to your Prometheus config file: - -```yaml -# prometheus.yaml -scrape_configs: - - job_name: "wg-portal" - scrape_interval: 60s - static_configs: - - targets: ["wg-portal:8787"] -``` - -Exposed metrics: - -```console -# HELP wireguard_interface_info Interface info. -# TYPE wireguard_interface_info gauge - -# HELP wireguard_interface_received_bytes_total Bytes received througth the interface. -# TYPE wireguard_interface_received_bytes_total gauge - -# HELP wireguard_interface_sent_bytes_total Bytes sent through the interface. -# TYPE wireguard_interface_sent_bytes_total gauge - -# HELP wireguard_peer_info Peer info. -# TYPE wireguard_peer_info gauge - -# HELP wireguard_peer_received_bytes_total Bytes received from the peer. -# TYPE wireguard_peer_received_bytes_total gauge - -# HELP wireguard_peer_sent_bytes_total Bytes sent to the peer. -# TYPE wireguard_peer_sent_bytes_total gauge - -# HELP wireguard_peer_up Peer connection state (boolean: 1/0). -# TYPE wireguard_peer_up gauge - -# HELP wireguard_peer_last_handshake_seconds Seconds from the last handshake with the peer. -# TYPE wireguard_peer_last_handshake_seconds gauge -``` +* [wgctrl-go](https://github.com/WireGuard/wgctrl-go) and [netlink](https://github.com/vishvananda/netlink) for interface handling +* [Gin](https://github.com/gin-gonic/gin), HTTP web framework written in Go +* [Bootstrap](https://getbootstrap.com/), for the HTML templates +* [Vue.JS](https://vuejs.org/), for the frontend ## License - * MIT License. [MIT](LICENSE.txt) or https://opensource.org/licenses/MIT +* MIT License. [MIT](LICENSE.txt) or diff --git a/docs/assets/images/dashboard.png b/docs/assets/images/dashboard.png new file mode 100755 index 00000000..9360474f Binary files /dev/null and b/docs/assets/images/dashboard.png differ diff --git a/docs/documentation/configuration/examples.md b/docs/documentation/configuration/examples.md index 9e7eae6c..f5be8add 100644 --- a/docs/documentation/configuration/examples.md +++ b/docs/documentation/configuration/examples.md @@ -1,6 +1,7 @@ -Below are some sample YAML configurations demonstrating how to override some default values. +Below are some sample YAML configurations demonstrating how to override some default values. + +## Basic -## Basic Configuration ```yaml core: admin_user: test@example.com @@ -8,7 +9,7 @@ core: import_existing: false create_default_peer: true self_provisioning_allowed: true - + web: site_title: My WireGuard Server site_company_name: My Company @@ -31,13 +32,13 @@ database: dsn: data/sqlite.db ``` -## LDAP Authentication and Synchronization Configuration +## LDAP Authentication and Synchronization + ```yaml # ... (basic configuration) auth: ldap: - # a sample LDAP provider with user sync enabled - id: ldap provider_name: Active Directory @@ -63,14 +64,26 @@ auth: log_user_info: true ``` -## OpenID Connect (OIDC) Authentication Configuration +## OpenID Connect (OIDC) Authentication + ```yaml # ... (basic configuration) auth: oidc: - - # a sample provider where users with the attribute `wg_admin` set to `true` are considered as admins + # a sample Entra ID provider with environment variable substitution + - id: azure + provider_name: azure + display_name: Login with
Entra ID + registration_enabled: true + base_url: "https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0" + client_id: "${AZURE_CLIENT_ID}" + client_secret: "${AZURE_CLIENT_SECRET}" + extra_scopes: + - profile + - email + + # a sample provider where users with the attribute `wg_admin` set to `true` are considered as admins - id: oidc-with-admin-attribute provider_name: google display_name: Login with
Google @@ -93,7 +106,7 @@ auth: registration_enabled: true log_user_info: true - # a sample provider where users in the group `the-admin-group` are considered as admins + # a sample provider where users in the group `the-admin-group` are considered as admins - id: oidc-with-admin-group provider_name: google2 display_name: Login with
Google2 @@ -117,15 +130,15 @@ auth: log_user_info: true ``` -## Plain OAuth2 Authentication Configuration +## Plain OAuth2 Authentication + ```yaml # ... (basic configuration) auth: oauth: - # a sample provider where users with the attribute `this-attribute-must-be-true` set to `true` or `True` - # are considered as admins + # are considered as admins - id: google_plain_oauth-with-admin-attribute provider_name: google3 display_name: Login with
Google3 @@ -148,7 +161,7 @@ auth: registration_enabled: true # a sample provider where either users with the attribute `this-attribute-must-be-true` set to `true` or - # users in the group `admin-group-name` are considered as admins + # users in the group `admin-group-name` are considered as admins - id: google_plain_oauth_with_groups provider_name: google4 display_name: Login with
Google4 @@ -173,4 +186,4 @@ auth: admin_group_regex: ^admin-group-name$ registration_enabled: true log_user_info: true -``` \ No newline at end of file +``` diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md index 61b66b60..8ba9b645 100644 --- a/docs/documentation/configuration/overview.md +++ b/docs/documentation/configuration/overview.md @@ -1,17 +1,106 @@ -# WireGuard Portal Configuration +This page provides an overview of **all available configuration options** for WireGuard Portal. -This page provides an overview of **all available configuration options** for WireGuard Portal. You can supply these configurations in a **YAML** file (e.g. `config.yaml`) when starting the Portal. -Complete configuration examples are available in the [Configuration Examples](./examples.md) page. - -Below you will find sections like `core`, `advanced`, `statistics`, `mail`, `auth`, `database`, and `web`. +The path of the configuration file defaults to **config/config.yml** in the working directory of the executable. +It is possible to override configuration filepath using the environment variable `WG_PORTAL_CONFIG`. +For example: `WG_PORTAL_CONFIG=/etc/wg-portal/config.yaml ./wg-portal`. +Also, environment variable substitution in config file is supported. Refer to [syntax](https://github.com/a8m/envsubst?tab=readme-ov-file#docs). + +Configuration examples are available on the [Examples](./examples.md) page. + +
+Default configuration + +```yaml +core: + admin_user: admin@wgportal.local + admin_password: wgportal + editable_keys: true + create_default_peer: false + create_default_peer_on_creation: false + re_enable_peer_after_user_enable: true + delete_peer_after_user_deleted: false + self_provisioning_allowed: false + import_existing: true + restore_state: true + +advanced: + log_level: info + log_pretty: false + log_json: false + start_listen_port: 51820 + start_cidr_v4: 10.11.12.0/24 + start_cidr_v6: fdfd:d3ad:c0de:1234::0/64 + use_ip_v6: true + config_storage_path: "" + expiry_check_interval: 15m + rule_prio_offset: 20000 + api_admin_only: true + +database: + debug: false + slow_query_threshold: 0 + type: sqlite + dsn: data/sqlite.db + +statistics: + use_ping_checks: true + ping_check_workers: 10 + ping_unprivileged: false + ping_check_interval: 1m + data_collection_interval: 1m + collect_interface_data: true + collect_peer_data: true + collect_audit_data: true + listening_address: :8787 + +mail: + host: 127.0.0.1 + port: 25 + encryption: none + cert_validation: false + username: "" + password: "" + auth_type: plain + from: Wireguard Portal + link_only: false + +auth: + oidc: [] + oauth: [] + ldap: [] + +web: + listening_address: :8888 + external_url: http://localhost:8888 + site_company_name: WireGuard Portal + site_title: WireGuard Portal + session_identifier: wgPortalSession + session_secret: very_secret + csrf_secret: extremely_secret + request_logging: false + cert_file: "" + key_File: "" +``` + +
+ + +Below you will find sections like +[`core`](#core), +[`advanced`](#advanced), +[`database`](#database), +[`statistics`](#statistics), +[`mail`](#mail), +[`auth`](#auth) and +[`web`](#web). Each section describes the individual configuration keys, their default values, and a brief explanation of their purpose. --- ## Core -These are the primary configuration options that control fundamental WireGuard Portal behavior. +These are the primary configuration options that control fundamental WireGuard Portal behavior. More advanced options are found in the subsequent `Advanced` section. ### `admin_user` @@ -108,7 +197,6 @@ Additional or more specialized configuration options for logging and interface c - **Default:** `true` - **Description:** If `true`, the public REST API is accessible only to admin users. The API docs live at [`/api/v1/doc.html`](../rest-api/api-doc.md). - --- ## Database @@ -224,12 +312,12 @@ Options for configuring email notifications or sending peer configurations via e ## Auth -WireGuard Portal supports multiple authentication strategies, including **OpenID Connect** (`oidc`), **OAuth** (`oauth`), and **LDAP** (`ldap`). +WireGuard Portal supports multiple authentication strategies, including **OpenID Connect** (`oidc`), **OAuth** (`oauth`), and **LDAP** (`ldap`). Each can have multiple providers configured. Below are the relevant keys. --- -### OIDC Provider Properties +### OIDC The `oidc` array contains a list of OpenID Connect providers. Below are the properties for each OIDC provider entry inside `auth.oidc`: @@ -264,7 +352,7 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`: - Available fields: `user_identifier`, `email`, `firstname`, `lastname`, `phone`, `department`, `is_admin`, `user_groups`. | **Field** | **Typical OIDC Claim** | **Explanation** | - |-------------------|-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | ----------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `user_identifier` | `sub` or `preferred_username` | A unique identifier for the user. Often the OIDC `sub` claim is used because it’s guaranteed to be unique for the user within the IdP. Some providers also support `preferred_username` if it’s unique. | | `email` | `email` | The user’s email address as provided by the IdP. Not always verified, depending on IdP settings. | | `firstname` | `given_name` | The user’s first name, typically provided by the IdP in the `given_name` claim. | @@ -290,7 +378,7 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`: --- -### OAuth Provider Properties +### OAuth The `oauth` array contains a list of plain OAuth2 providers. Below are the properties for each OAuth provider entry inside `auth.oauth`: @@ -333,7 +421,7 @@ Below are the properties for each OAuth provider entry inside `auth.oauth`: - Available fields: `user_identifier`, `email`, `firstname`, `lastname`, `phone`, `department`, `is_admin`, `user_groups`. | **Field** | **Typical Claim** | **Explanation** | - |-------------------|-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | ----------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `user_identifier` | `sub` or `preferred_username` | A unique identifier for the user. Often the OIDC `sub` claim is used because it’s guaranteed to be unique for the user within the IdP. Some providers also support `preferred_username` if it’s unique. | | `email` | `email` | The user’s email address as provided by the IdP. Not always verified, depending on IdP settings. | | `firstname` | `given_name` | The user’s first name, typically provided by the IdP in the `given_name` claim. | @@ -359,7 +447,7 @@ Below are the properties for each OAuth provider entry inside `auth.oauth`: --- -### LDAP Provider Properties +### LDAP The `ldap` array contains a list of LDAP authentication providers. Below are the properties for each LDAP provider entry inside `auth.ldap`: @@ -402,7 +490,7 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`: - Available fields: `user_identifier`, `email`, `firstname`, `lastname`, `phone`, `department`, `memberof`. | **WireGuard Portal Field** | **Typical LDAP Attribute** | **Short Description** | - |----------------------------|----------------------------|--------------------------------------------------------------| + | -------------------------- | -------------------------- | ------------------------------------------------------------ | | user_identifier | sAMAccountName / uid | Uniquely identifies the user within the LDAP directory. | | email | mail / userPrincipalName | Stores the user's primary email address. | | firstname | givenName | Contains the user's first (given) name. | @@ -455,3 +543,47 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`: #### `log_user_info` - **Default:** *(empty)* - **Description:** If `true`, logs LDAP user data at the trace level upon login. + +--- + +## Web + +### `listening_address` +- **Default:** `:8888` +- **Description:** The listening port of the web server. + +### `external_url` +- **Default:** `http://localhost:8888` +- **Description:** The URL where a client can access WireGuard Portal. + +### `site_company_name` +- **Default:** `WireGuard Portal` +- **Description:** The company name that is shown at the bottom of the web frontend. + +### `site_title` +- **Default:** `WireGuard Portal` +- **Description:** The title that is shown in the web frontend. + +### `session_identifier` +- **Default:** `wgPortalSession` +- **Description:** The session identifier for the web frontend. + +### `session_secret` +- **Default:** `very_secret` +- **Description:** The session secret for the web frontend. + +### `csrf_secret` +- **Default:** `extremely_secret` +- **Description:** The CSRF secret. + +### `request_logging` +- **Default:** `false` +- **Description:** Log all HTTP requests. + +### `cert_file` +- **Default:** *(empty)* +- **Description:** (Optional) Path to the TLS certificate file. + +### `key_file` +- **Default:** *(empty)* +- **Description:** (Optional) Path to the TLS certificate key file. diff --git a/docs/documentation/getting-started/binaries.md b/docs/documentation/getting-started/binaries.md new file mode 100644 index 00000000..81841b72 --- /dev/null +++ b/docs/documentation/getting-started/binaries.md @@ -0,0 +1,34 @@ +Starting from v2, each [release](https://github.com/h44z/wg-portal/releases) includes compiled binaries for supported platforms. +These binary versions can be manually downloaded and installed. + +## Download + +With `curl`: + + ```shell + curl -L -o wg-portal https://github.com/h44z/wg-portal/releases/download/${WG_PORTAL_VERSION}/wg-portal_linux_amd64 + ``` + +With `wget`: + + ```shell + wget -O wg-portal https://github.com/h44z/wg-portal/releases/download/${WG_PORTAL_VERSION}/wg-portal_linux_amd64 + ``` + +with `gh cli`: + + ```shell + gh release download ${WG_PORTAL_VERSION} --repo h44z/wg-portal --output wg-portal --pattern '*amd64' + ``` + +## Install + +```shell +sudo mkdir -p /opt/wg-portal +sudo install wg-portal /opt/wg-portal/ +``` + +## Unreleased + +Unreleased versions could be downloaded from +[GitHub Workflow](https://github.com/h44z/wg-portal/actions/workflows/docker-publish.yml?query=branch%3Amaster) artifacs also. diff --git a/docs/documentation/getting-started/building.md b/docs/documentation/getting-started/building.md deleted file mode 100644 index 25f9e9b9..00000000 --- a/docs/documentation/getting-started/building.md +++ /dev/null @@ -1,11 +0,0 @@ -To build a standalone application, use the Makefile provided in the repository. -Go version **1.23** or higher has to be installed to build WireGuard Portal. -If you want to re-compile the frontend, NodeJS **18** and NPM >= **9** is required. - -```shell -# build the frontend (optional) -make frontend - -# build the binary -make build -``` \ No newline at end of file diff --git a/docs/documentation/getting-started/docker.md b/docs/documentation/getting-started/docker.md index 518a9318..93d45cd7 100644 --- a/docs/documentation/getting-started/docker.md +++ b/docs/documentation/getting-started/docker.md @@ -5,20 +5,7 @@ The preferred way to start WireGuard Portal as Docker container is to use Docker A sample docker-compose.yml: ```yaml -version: '3.6' -services: - wg-portal: - image: wgportal/wg-portal:latest - restart: unless-stopped - cap_add: - - NET_ADMIN - network_mode: "host" - ports: - - "8888:8888" - volumes: - - /etc/wireguard:/etc/wireguard - - ./data:/app/data - - ./config:/app/config +--8<-- "docker-compose.yml::17" ``` By default, the webserver is listening on port **8888**. @@ -31,6 +18,7 @@ All images are hosted on Docker Hub at [https://hub.docker.com/r/wgportal/wg-por There are three types of tags in the repository: #### Semantic versioned tags + For example, `1.0.19`. These are official releases of WireGuard Portal. They correspond to the GitHub tags that we make, and you can see the release notes for them here: [https://github.com/h44z/wg-portal/releases](https://github.com/h44z/wg-portal/releases). @@ -44,16 +32,17 @@ If you only want to stay at the same major or major+minor version, use either `v Version **1** is currently **stable**, version **2** is in **development**. #### latest + This is the most recent build to master! It changes a lot and is very unstable. We recommend that you don't use it except for development purposes. #### Branch tags -For each commit in the master and the stable branch, a corresponding Docker image is build. These images use the `master` or `stable` tags. - +For each commit in the master and the stable branch, a corresponding Docker image is build. These images use the `master` or `stable` tags. ## Configuration + You can configure WireGuard Portal using a yaml configuration file. The filepath of the yaml configuration file defaults to `/app/config/config.yml`. It is possible to override the configuration filepath using the environment variable **WG_PORTAL_CONFIG**. @@ -61,6 +50,7 @@ It is possible to override the configuration filepath using the environment vari By default, WireGuard Portal uses a SQLite database. The database is stored in `/app/data/sqlite.db`. You should mount those directories as a volume: + - /app/data - /app/config diff --git a/docs/documentation/getting-started/kubernetes.md b/docs/documentation/getting-started/kubernetes.md new file mode 100644 index 00000000..9c4477b7 --- /dev/null +++ b/docs/documentation/getting-started/kubernetes.md @@ -0,0 +1 @@ +--8<-- "./deploy/helm/README.md:16" diff --git a/docs/documentation/getting-started/sources.md b/docs/documentation/getting-started/sources.md new file mode 100644 index 00000000..2d92237a --- /dev/null +++ b/docs/documentation/getting-started/sources.md @@ -0,0 +1,24 @@ +To build the application from source files, use the Makefile provided in the repository. + +## Requirements + +- [Git](https://git-scm.com/downloads) +- [Make](https://www.gnu.org/software/make/) +- [Go](https://go.dev/dl/): `>=1.23.0` +- [NodeJS with npm](https://nodejs.org/en/download): `node>=18, npm>=9` + +## Build + +```shell +# Get source code +git clone https://github.com/h44z/wg-portal -b ${WG_PORTAL_VERSION:-master} --depth 1 +cd wg-portal +# Build the frontend +make frontend +# Build the backend +make build +``` + +## Install + +Complied binary will be available in `./dist` directory. diff --git a/docs/documentation/monitoring/prometheus.md b/docs/documentation/monitoring/prometheus.md new file mode 100644 index 00000000..cf2aa62b --- /dev/null +++ b/docs/documentation/monitoring/prometheus.md @@ -0,0 +1,32 @@ +By default WG-Portal exposes Prometheus metrics on port `8787` if interface/peer statistic data collection is enabled. + +## Exposed Metrics + +| Metric | Type | Description | +|--------------------------------------------|-------|------------------------------------------------| +| `wireguard_interface_received_bytes_total` | gauge | Bytes received through the interface. | +| `wireguard_interface_sent_bytes_total` | gauge | Bytes sent through the interface. | +| `wireguard_peer_last_handshake_seconds` | gauge | Seconds from the last handshake with the peer. | +| `wireguard_peer_received_bytes_total` | gauge | Bytes received from the peer. | +| `wireguard_peer_sent_bytes_total` | gauge | Bytes sent to the peer. | +| `wireguard_peer_up` | gauge | Peer connection state (boolean: 1/0). | + +## Prometheus Config + +Add following scrape job to your Prometheus config file: + +```yaml +# prometheus.yaml +scrape_configs: + - job_name: wg-portal + scrape_interval: 60s + static_configs: + - targets: + - localhost:8787 # Change localhost to IP Address or hostname with WG-Portal +``` + +# Grafana Dashboard + +You may import [`dashboard.json`](https://github.com/h44z/wg-portal/blob/master/deploy/helm/files/dashboard.json) into your Grafana instance. + +![Dashboard](../../assets/images/dashboard.png) diff --git a/docs/documentation/overview.md b/docs/documentation/overview.md index 87429e8e..03456ac0 100644 --- a/docs/documentation/overview.md +++ b/docs/documentation/overview.md @@ -1,29 +1 @@ -**WireGuard Portal** is a simple, web based configuration portal for [WireGuard](https://wireguard.com). -The portal uses the WireGuard [wgctrl](https://github.com/WireGuard/wgctrl-go) library to manage existing VPN -interfaces. This allows for seamless activation or deactivation of new users, without disturbing existing VPN -connections. - -The configuration portal supports using a database (SQLite, MySQL, MsSQL or Postgres), OAuth or LDAP -(Active Directory or OpenLDAP) as a user source for authentication and profile data. - -## Features -* Self-hosted - the whole application is a single binary -* Responsive web UI written in Vue.JS -* Automatically select IP from the network pool assigned to client -* QR-Code for convenient mobile client configuration -* Sent email to client with QR-code and client config -* Enable / Disable clients seamlessly -* Generation of wg-quick configuration file (`wgX.conf`) if required -* User authentication (database, OAuth or LDAP) -* IPv6 ready -* Docker ready -* Can be used with existing WireGuard setups -* Support for multiple WireGuard interfaces -* Peer Expiry Feature -* Handle route and DNS settings like wg-quick does -* REST API for management and client deployment - -## Quick-Start - -The easiest way to get started is to use the provided [Docker image](./getting-started/docker.md). - +--8<-- "README.md:20:47" diff --git a/docs/documentation/getting-started/upgrade.md b/docs/documentation/upgrade/v1.md similarity index 88% rename from docs/documentation/getting-started/upgrade.md rename to docs/documentation/upgrade/v1.md index eb37c99f..b97374f7 100644 --- a/docs/documentation/getting-started/upgrade.md +++ b/docs/documentation/upgrade/v1.md @@ -1,4 +1,4 @@ -For production deployments of WireGuard Portal, we strongly recommend using version 1. +For production deployments of WireGuard Portal, we strongly recommend using version 1. If you want to use version 2, please be aware that it is still in beta and not feature complete. ## Upgrade from v1 to v2 @@ -18,7 +18,7 @@ You can also specify the database type using the parameter **-migrateFromType**, For example: ```shell -./wg-portal-amd64 -migrateFromType=mysql -migrateFrom=user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local +./wg-portal-amd64 -migrateFromType=mysql -migrateFrom='user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local' ``` The upgrade will transform the old, existing database and store the values in the new database specified in the **config.yml** configuration file. @@ -33,4 +33,4 @@ services: # ... other settings restart: no command: ["-migrateFrom=/app/data/wg_portal.db"] -``` \ No newline at end of file +``` diff --git a/mkdocs.yml b/mkdocs.yml index a128ddba..bb632004 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -19,6 +19,7 @@ theme: favicon: assets/images/favicon-large.png language: en features: + - content.code.copy - navigation.instant - navigation.tabs - navigation.expand @@ -46,6 +47,7 @@ markdown_extensions: - admonition - meta - pymdownx.details + - pymdownx.snippets - pymdownx.superfences - pymdownx.tabbed: alternate_style: true @@ -59,10 +61,13 @@ nav: - Documentation: - Overview: documentation/overview.md - Getting Started: - - Building: documentation/getting-started/building.md - - Docker Container: documentation/getting-started/docker.md - - Upgrade from V1: documentation/getting-started/upgrade.md + - Binaries: documentation/getting-started/binaries.md + - Docker: documentation/getting-started/docker.md + - Kubernetes: documentation/getting-started/kubernetes.md + - Sources: documentation/getting-started/sources.md - Configuration: - Overview: documentation/configuration/overview.md - Examples: documentation/configuration/examples.md + - Upgrade: documentation/upgrade/v1.md + - Monitoring: documentation/monitoring/prometheus.md - REST API: documentation/rest-api/api-doc.md diff --git a/screenshot.png b/screenshot.png deleted file mode 100644 index 010c7b73..00000000 Binary files a/screenshot.png and /dev/null differ