A Wireguard VPN Server Manager and API to add and remove clients

Wireguard Manager And API

A manager and API to add and remove clients, with extra features such as an auto-reapplier that deletes a client after a period of inactivity and adds it back again, so that the client's IP address is removed from memory and its privacy increases.

This Go application runs an API which can be made HTTPS-ready with a LetsEncrypt certificate. The program creates its directories under /opt/wgManagerAPI (this directory needs to be created manually beforehand). Inside /opt/wgManagerAPI there are a few sub-directories, such as /logs, which contains the application logs, and /wg, which contains the SQLite database.

The SQLite database contains tables that store the generated and available IPs, the client configuration (public key and preshared key), and the WireGuard server's own private key, public key, IP addresses and ListenPort.

How to use

.env File

A .env file needs to be placed at /opt/wgManagerAPI/.env containing the following:

MAX_IP=350
SERVER_SECURITY=enabled
FULLCHAIN_CERT=
PK_CERT=
AUTH=ABCDEFG
IP_ADDRESS=
DNS=1.1.1.1
ALLOWED_IP=0.0.0.0/0, ::/0

WG_IPV4=10.6.0.1
WG_IPV6=fe22:22:22::1
PORT=8443
AUTOCHECK=enabled
Variables and their purpose:

MAX_IP: The number of IPs that will be generated in the SQLite database, and therefore the maximum number of clients the server can host.
SERVER_SECURITY: Enables HTTPS on the API server. FULLCHAIN_CERT and PK_CERT must then be specified. Set to disabled to serve plain HTTP; any other value enables HTTPS.
FULLCHAIN_CERT: The path to your LetsEncrypt fullchain.pem certificate, for example /etc/letsencrypt/live/domain.com/fullchain.pem
PK_CERT: The path to your LetsEncrypt privkey.pem file, for example /etc/letsencrypt/live/domain.com/privkey.pem
AUTH: The authorisation key that must be sent in the authorization header of every API request. Setting this to - disables API authentication.
IP_ADDRESS: The public IP address of your server.
DNS: The DNS server that WireGuard clients will use. Can also be a local address if you run a Pi-hole instance or another local DNS resolver.
ALLOWED_IP: By default all IPv4 and IPv6 traffic is routed through the tunnel. Change this to enable split tunneling.
WG_IPV4: The local IPv4 address assigned to the WireGuard interface. IMPORTANT: the application creates a /16 subnet from it, so make sure you have space for this. By default it is set to 10.6.0.1 (this was tested with a Pi-hole instance running locally on the same address).
WG_IPV6: The local IPv6 address assigned to the WireGuard interface. IMPORTANT 1.1: the application creates a /64 subnet from it, so make sure you have space for this. By default it is set to fe22:22:22::1. IMPORTANT 1.2: at the current stage the docker container cannot access IPv6, only IPv4. To disable IPv6, set this to -.
PORT: The port the API server listens on (this is not the WireGuard server port).
AUTOCHECK: Set to enabled to turn on the autochecker, which deletes and re-adds client keys after inactivity to increase user privacy. Set to - to disable it.
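Two of these settings are easy to get wrong in a way that is hard to notice later: AUTH=- turns API authentication off entirely, and SERVER_SECURITY=disabled sends the AUTH header in clear over HTTP. The following is an added example, not code from the wireguard-manager-and-api project, that parses a .env file in the format above and reports such settings before the service is started. The function names ParseEnv and CheckEnv, the sample .env and the address 203.0.113.5 are constructed for this example; the meaning of each variable follows the table above.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// ParseEnv reads KEY=VALUE lines as written in /opt/wgManagerAPI/.env.
// Blank lines and '#' comments are skipped; a value keeps everything after the first '='.
func ParseEnv(text string) map[string]string {
	env := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			env[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return env
}

// CheckEnv returns one finding per setting that weakens or would break the deployment,
// following the README's description of each variable. An empty slice means nothing was flagged.
func CheckEnv(env map[string]string) []string {
	var f []string
	switch env["AUTH"] {
	case "-":
		f = append(f, "AUTH=-: API authentication is disabled; anyone who can reach PORT can add or delete peers")
	case "ABCDEFG":
		f = append(f, "AUTH still holds the sample value from the README")
	}
	if env["SERVER_SECURITY"] == "disabled" {
		f = append(f, "SERVER_SECURITY=disabled: the API, including the AUTH header, travels over plaintext HTTP")
	} else {
		// Anything other than "disabled" enables HTTPS, which needs both certificate paths.
		for _, k := range []string{"FULLCHAIN_CERT", "PK_CERT"} {
			if env[k] == "" {
				f = append(f, k+" is empty but HTTPS is enabled")
			}
		}
	}
	if n, err := strconv.Atoi(env["MAX_IP"]); err != nil || n < 1 {
		f = append(f, "MAX_IP must be a positive integer")
	}
	if net.ParseIP(env["IP_ADDRESS"]) == nil {
		f = append(f, "IP_ADDRESS is empty or invalid; clients receive it as their Endpoint")
	}
	if ip := net.ParseIP(env["WG_IPV4"]); ip == nil || ip.To4() == nil {
		f = append(f, "WG_IPV4 is not a valid IPv4 address")
	}
	if v6 := env["WG_IPV6"]; v6 != "-" {
		if ip := net.ParseIP(v6); ip == nil || ip.To4() != nil {
			f = append(f, "WG_IPV6 must be an IPv6 address or - to disable IPv6")
		}
	}
	if p, err := strconv.Atoi(env["PORT"]); err != nil || p < 1 || p > 65535 {
		f = append(f, "PORT is not a valid TCP port")
	}
	return f
}

// sampleEnv is a constructed .env (not from a real deployment) with two weak settings.
const sampleEnv = `MAX_IP=350
SERVER_SECURITY=disabled
FULLCHAIN_CERT=
PK_CERT=
AUTH=-
IP_ADDRESS=203.0.113.5
DNS=1.1.1.1
ALLOWED_IP=0.0.0.0/0, ::/0
WG_IPV4=10.6.0.1
WG_IPV6=-
PORT=8443
AUTOCHECK=enabled
`

func main() {
	text := sampleEnv
	if data, err := os.ReadFile("/opt/wgManagerAPI/.env"); err == nil {
		text = string(data) // check the real file when it exists, otherwise the constructed sample
	}
	findings := CheckEnv(ParseEnv(text))
	if len(findings) == 0 {
		fmt.Println("no findings")
	}
	for _, line := range findings {
		fmt.Println("WARNING:", line)
	}
}
```

Run it on the host before starting the service; with the constructed sample it reports the disabled authentication and the plaintext API, and exits quietly on a file that enables HTTPS and sets a real AUTH value.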

Deployment

Docker

A Docker container is automatically built on every new release. The container registry of this repository carries tags for the Docker image: the main tag refers to a stable release, and latest refers to a newly built image, which may be unreleased or buggy software, so use the latest tag with caution.

The Docker image is built on Debian buster, and CoreDNS is used to let the container's internal DNS communicate with the host DNS.

IMPORTANT: Currently, with the Docker setup, only IPv4 addresses can pass through; IPv6 addresses cannot.

Docker Compose

version: "3"

services:
  wireguard-manager-and-api:
    image: registry.gitlab.com/mawthuq-software/wireguard-manager-and-api:main
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - /opt/wgManagerAPI:/opt/wgManagerAPI
      - /lib/modules:/lib/modules
    ports:
      - "8443:8443"
      - "51820:51820/udp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

The docker-compose file is the easiest way to get the software up and running. Do not forget to add your .env file at /opt/wgManagerAPI/.env

Building from source

Building from source produces an executable which can be run as a systemd service or equivalent. The executable must be run with sudo (recommended) or as root (not recommended).

Do not forget to add your .env file to /opt/wgManagerAPI/.env

  1. Install Go 1.14+ on your machine
  2. git clone this repository
  3. cd wireguard-manager-and-api to enter the repository
  4. go get to fetch the dependencies
  5. go build -o wgManagerAPI main.go to build the executable
  6. sudo ./wgManagerAPI to run the application

Communicating with the API

Adding keys

URL: POST request to http(s)://domain.com:PORT/manager/keys

Header: Content-Type: application/json

Header (If authentication is enabled): authorization:(AUTH key from .env)

Body:

{
  "publicKey": "(Wireguard client public key)",
  "presharedKey": "(Wireguard client preshared key)"
}

Response:

{
  "allowedIPs": "0.0.0.0/0, ::/0",
  "dns": "10.6.0.1",
  "ipAddress": "(public IP of server)",
  "ipv4Address": "(internal IPv4 Address assigned to client) 10.6.0.10/32", 
  "ipv6Address": "(internal IPv6 Address assigned to client) fe22:22:22::10/128",
  "keyID": "(KeyID in database) 1",
  "listenPort": "(wireguard default listenport) 51820",
  "publicKey": "(Public key of wireguard server) ghyewr34A0wzT1b7ZdJgPjWwS3F/9PgRzlNWcX/QlA0=",
  "response": "Added key successfully"
}

Parsing response into client config:

[Interface]
PrivateKey = (Wireguard client private key)
Address = (internal IPv4 Address assigned to client), (internal IPv6 Address assigned to client)
DNS = 10.6.0.1

[Peer]
PublicKey = (Public key of wireguard server)
PresharedKey = (Wireguard client preshared key)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = (public IP of server):51820
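To show a client going through the "Adding keys" request and turning the reply into the config above, here is an added example in Go; it is not code from the wireguard-manager-and-api project. The JSON field names, the /manager/keys path, the headers and the config layout come from the README; the function names GenerateClientKeys, AddKey and RenderClientConfig, the WG_MANAGER and WG_AUTH environment variables, and the handling of an ipv6Address of "-" are assumptions of this example, and it needs Go 1.20+ for crypto/ecdh. The private key is generated on the client and never leaves it: the manager only ever sees the public and preshared keys.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// ClientKeys is the key material one WireGuard peer needs, base64-encoded as wg(8) prints it.
type ClientKeys struct{ PrivateKey, PublicKey, PresharedKey string }

// GenerateClientKeys makes a clamped X25519 keypair plus a random 32-byte preshared key,
// the same material that `wg genkey`, `wg pubkey` and `wg genpsk` produce.
func GenerateClientKeys() (ClientKeys, error) {
	raw := make([]byte, 64) // bytes 0-31: private scalar, bytes 32-63: preshared key
	if _, err := rand.Read(raw); err != nil {
		return ClientKeys{}, err
	}
	raw[0] &= 248 // clamp the scalar exactly as wg genkey does
	raw[31] = raw[31]&127 | 64
	priv, err := ecdh.X25519().NewPrivateKey(raw[:32])
	if err != nil {
		return ClientKeys{}, err
	}
	b64 := base64.StdEncoding.EncodeToString
	return ClientKeys{b64(priv.Bytes()), b64(priv.PublicKey().Bytes()), b64(raw[32:])}, nil
}

// AddKeyResponse mirrors the JSON that POST /manager/keys returns (field names from the README).
type AddKeyResponse struct {
	AllowedIPs  string `json:"allowedIPs"`
	DNS         string `json:"dns"`
	IPAddress   string `json:"ipAddress"`
	IPv4Address string `json:"ipv4Address"`
	IPv6Address string `json:"ipv6Address"`
	KeyID       string `json:"keyID"`
	ListenPort  string `json:"listenPort"`
	PublicKey   string `json:"publicKey"`
	Response    string `json:"response"`
}

// callManager sends one JSON request, adding the authorization header only when auth is
// non-empty (AUTH=- in .env disables authentication), and decodes the JSON reply into out.
func callManager(c *http.Client, method, url, auth string, in map[string]string, out any) error {
	body, _ := json.Marshal(in) // a map[string]string always marshals
	req, err := http.NewRequest(method, url, strings.NewReader(string(body)))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: manager answered %s", method, url, resp.Status) // e.g. "404 Not Found" for a wrong path
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// AddKey registers the client's public and preshared key (the README's "Adding keys" request).
func AddKey(c *http.Client, baseURL, auth string, k ClientKeys) (AddKeyResponse, error) {
	var out AddKeyResponse
	err := callManager(c, http.MethodPost, baseURL+"/manager/keys", auth,
		map[string]string{"publicKey": k.PublicKey, "presharedKey": k.PresharedKey}, &out)
	return out, err
}

// RenderClientConfig turns the add-key reply into the wg-quick client config shown in the README.
// An ipv6Address that is empty or "-" is left out (assumption: what the API sends when WG_IPV6=-).
func RenderClientConfig(k ClientKeys, r AddKeyResponse) string {
	addrs := []string{r.IPv4Address}
	if r.IPv6Address != "" && r.IPv6Address != "-" {
		addrs = append(addrs, r.IPv6Address)
	}
	return fmt.Sprintf("[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n"+
		"[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s\nEndpoint = %s:%s\n",
		k.PrivateKey, strings.Join(addrs, ", "), r.DNS, r.PublicKey, k.PresharedKey, r.AllowedIPs, r.IPAddress, r.ListenPort)
}

func main() { // usage: WG_MANAGER=https://domain.com:8443 WG_AUTH=ABCDEFG go run .
	keys, err := GenerateClientKeys()
	if err != nil {
		panic(err)
	}
	resp, err := AddKey(http.DefaultClient, os.Getenv("WG_MANAGER"), os.Getenv("WG_AUTH"), keys)
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderClientConfig(keys, resp)) // save this as the client's wg0.conf; the private key never left this host
}
```

HTTP header names are case-insensitive, so the "authorization" header the README mentions and the "Authorization" header Go sends are the same thing. The response's ipv4Address already carries its /32 suffix and ipv6Address its /128, so they are copied into Address unchanged, and Endpoint is assembled from ipAddress and listenPort exactly as the manual config above does.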

Removing keys

URL: DELETE request to http(s)://domain.com:PORT/manager/keys

Header: Content-Type: application/json

Header (If authentication is enabled): authorization:(AUTH key from .env)

Body:

{
  "keyID": "(Database keyID)"
}

Response:

{
  "response": "Key deleted"
}

Debugging

Logs

If the WireGuard Manager and API application fails to start, always look at the logs first: open the /opt/wgManagerAPI/logs/ folder and read the latest log file with nano or any other text editor to see the errors.

FAQ

Haha nothing here

Comments
  • No internet connection after connecting to the WireGuard tunnel

    Hi,

    I've set up wireguard-manager-and-api via Docker and created keys like this on a different machine:

    root@server ~ # wg genkey | tee private.key | wg pubkey > public.key
    root@server ~ # cat private.key
    iBjbKpaS5MKLE0umMciE7kQD0u3fBm5LD8L2rRe02VY=
    root@server ~ # cat public.key
    8KbN4MeEflQS1nX3J6Ts1Piq19ohjNHnQcjXs94yF0g=
    root@server ~ # wg genpsk
    QanbVcZd2gWMyiHZU3pTO8V5vmQplLCaenvYM8cBdqM=

    Then I called the API like this:

    root@server ~ # curl --request POST --url http://1.2.3.4:8443/manager/key \
      --header 'Content-Type: application/json' \
      --data '{ "publicKey": "8KbN4MeEflQS1nX3J6Ts1Piq19ohjNHnQcjXs94yF0g=", "presharedKey": "QanbVcZd2gWMyiHZU3pTO8V5vmQplLCaenvYM8cBdqM=", "bwLimit": 1000, "subExpiry": "2022-Mar-31 12:39:05 PM", "ipIndex": 0 }'
    {"allowedIPs":"0.0.0.0/0, ::0","dns":"1.1.1.1","ipAddress":"1.2.3.4","ipv4Address":"10.8.0.10/32","ipv6Address":"fe22:22:22::10/128","keyID":"1","listenPort":"443","publicKey":"T2Rs6GA5d9Wcxa5TysQahaF6O/GRWvliUNv7BvxVsx0=","response":"Added key successfully"}
    root@server ~ #

    and created a wireguard.conf like this:

    [Interface]
    PrivateKey = iBjbKpaS5MKLE0umMciE7kQD0u3fBm5LD8L2rRe02VY=
    Address = 10.8.0.10/32
    DNS = 1.1.1.1

    [Peer]
    PublicKey = T2Rs6GA5d9Wcxa5TysQahaF6O/GRWvliUNv7BvxVsx0=
    PresharedKey = QanbVcZd2gWMyiHZU3pTO8V5vmQplLCaenvYM8cBdqM=
    Endpoint = 1.2.3.4:443
    AllowedIPs = 0.0.0.0/0,::/0

    On the client I can activate the connection and the status is "active" (green) afterwards and I can see in the WireGuard client that I send data to the tunnel. On the server I docker exec -t -i container_name /bin/bash and look at the WireGuard status:

    docker@37c9107db68a:/usr/src/wireguard-manager-and-api$ sudo wg show
    interface: wg0
      public key: T2Rs6GA5d9Wcxa5TysQahaF6O/GRWvliUNv7BvxVsx0=
      private key: (hidden)
      listening port: 443

    peer: 8KbN4MeEflQS1nX3J6Ts1Piq19ohjNHnQcjXs94yF0g=
      preshared key: (hidden)
      allowed ips: 10.8.0.10/32, fe22:22:22::10/128

    So no handshakes visible and the peer line is yellow. On the client I can't connect to the Internet. How can I debug this further? Do I have to do sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE for the docker interface or for the host eth0 interface? Do I have to set net.ipv4.ip_forward=1 in the sysctl.conf on the host? Is my wireguard.conf correct for the keys generated?

  • [FEATURE] port management (port-forwarding)

    Is your feature request related to a problem? Please describe. Offering VPN support for a special case where all of our clients need an exposed (forwarded) port for incoming traffic, it would be very handy and comfortable for us if wg manager had the opportunity to add/remove/edit/store forwarded ports as well.

    Describe the solution you'd like A way to request / delete / edit a forwarded port the same way a peer is added / removed / edited on wireguard instances. On adding a peer the port should be reported back via API to be added to the peer's auto-configured wiregard.conf file.

    Describe alternatives you've considered Guess we need to do it manually. I don't know any other solution to automatically manage this. Open and grateful for any hints on this topic.

  • [BUG] Disabling IPv6 doesn't work

    Hi,

    I try to set up wireguard-manager-and-api via Docker. Since IPv6 is not yet supported via Docker, I've tried to set INSTANCE.IP.LOCAL.IPV6.ADDRESS to "-" and INSTANCE.IP.LOCAL.IPV6.ENABLED to "false" as advised in the documentation. When starting the container without a database, it tries to populate the database with many entries where each ips.ipv6_address is set to "-", which fails because of the UNIQUE constraint, resulting in only the first IPv4 address being written to the database correctly:

    root@server:~# docker-compose up
    Starting root_wireguard-manager-and-api_1 ... done
    Attaching to root_wireguard-manager-and-api_1
    wireguard-manager-and-api_1 | WG MANAGER AND API STARTING UP
    wireguard-manager-and-api_1 | Env file loading - 1/6
    wireguard-manager-and-api_1 | Logger starting up - 2/6
    wireguard-manager-and-api_1 | Starting database - 3/6
    wireguard-manager-and-api_1 |
    wireguard-manager-and-api_1 | 2022/03/30 19:31:00 /usr/src/wireguard-manager-and-api/src/db/db.go:95 record not found
    wireguard-manager-and-api_1 | [0.115ms] [rows:0] SELECT * FROM ips WHERE ipv4_address = "10.8..0.108" ORDER BY ips.ipv4_address LIMIT 1
    wireguard-manager-and-api_1 |
    wireguard-manager-and-api_1 | 2022/03/30 19:31:00 /usr/src/wireguard-manager-and-api/src/db/db.go:108 UNIQUE constraint failed: ips.ipv6_address
    wireguard-manager-and-api_1 | [0.120ms] [rows:0] INSERT INTO ips (ipv4_address,ipv6_address,in_use,wg_interface) VALUES ("10.8.0.4","-","false","wg0")
    wireguard-manager-and-api_1 |
    wireguard-manager-and-api_1 | 2022/03/30 19:31:00 /usr/src/wireguard-manager-and-api/src/db/db.go:108 UNIQUE constraint failed: ips.ipv6_address
    wireguard-manager-and-api_1 | [0.087ms] [rows:0] INSERT INTO ips (ipv4_address,ipv6_address,in_use,wg_interface) VALUES ("10.8.0.5","-","false","wg0")
    ...

    The same happens when I keep INSTANCE.IP.LOCAL.IPV6.ENABLED as "false" but set INSTANCE.IP.LOCAL.IPV6.ADDRESS to "fe22:22:22::3". It populates the database as intended when I set INSTANCE.IP.LOCAL.IPV6.ENABLED to "true".

  • Adding keys doesn't work, maybe issue with ipIndex?

    Hi,

    thanks again for your project, I got the docker-compose running but am unable to add keys:

    root@server ~ # curl -X POST -H "Content-Type: application/json" \
      -d '{"publicKey": "0AYPFxOJtFumrUGwERWxPOHN26FvCq1RGwE/loji7no=","presharedKey": "1DKCLcUVEwglPHDUqexY22VLKtq412TwAX/YnLxKg8c=","bwLimit": 0,"subExpiry": "2022-Mar-29 12:39:05 PM","ipIndex": "10.6.1.4"}' \
      https://mydomain.com:8443/manager/keys

    returns: 404 page not found

    I don't understand what you refer to with "the integer index of the ip address you want to use" to put as "ipIndex". I tried the above example which didn't work and then changed it to "3" but had the same result. I looked into the database with sqlite3 /opt/wgManagerAPI/wg/wireguardPeers.db and select * from ips; and didn't see any form of database index, just the plain IPs. I noticed that in your new GUI there is no such ipIndex form field when adding keys and I would prefer to have the selection of IPs completely automatic.

    Any idea why this is failing? A simple curl https://mydomain.com:8443/manager/key seems to work fine, it returns {"Response":"All key successfully parsed","Keys":[]}.

  • 404 Error while calling API via Postman

    Trying to call the API via Postman; everything looks good but it throws a 404 Not Found error.

    I am not using Let's Encrypt. Can you make a detailed guide on how to use this? I am not experienced with APIs.

  • [FEATURE] Client-side option when running the container

    Hello,

    Is your feature request related to a problem? Please describe. Connecting automatically wireguard client to the server using the API.

    Describe the solution you'd like A container running as "client" which can generate a public/private key and PSK, request the server (API) and start wireguard based on the response. This could be useful for auto-provisioning of wireguard clients. Use case: server templates which can connect to the wireguard server automatically on boot.

    Describe alternatives you've considered I've been trying to use this: https://github.com/perara/wg-manager It basically does the same thing and has a client option when running the container, but I've been unable to make it work.

    I'll probably make a simple dockerfile that works in bash, but wondering if you could add this or if this was planned.

    Thanks in advance,

    Regards,

  • [FEATURE] Include a local DNS server (e.g. unbound) in the docker file

    Is your feature request related to a problem? Please describe. Currently by default, users have to set INSTANCE.IP.GLOBAL.DNS to a public DNS server like 1.1.1.1 or 8.8.8.8 so that wireguard-manager-and-api can provide it to the end users to include in their wireguard.conf. But for anonymity purposes it is not ideal to use such a public DNS server, it would be better to be able to resolve domains locally.

    Describe the solution you'd like It would be great to have a local DNS server (for example unbound) created along the WireGuard service. I've found a basic setup of unbound for WireGuard here: https://gist.github.com/Anachron/e2ba7ace4e4ef6988182adc7462ffb80

    Describe alternatives you've considered Sorry, didn't try to include unbound setup in the docker file myself, yet.

  • [FEATURE] Creating publicKey/presharedKey via this API?

    Hi,

    as far as I understood this project, it allows me to roll out existing publicKeys and presharedKeys to (potentially many) VPN nodes, correct? I am looking for a solution that takes care of the wg genkey and wg genpsk part of the user setup as well, so an API that I can call to create the keys and giving me the complete connection details in return. Would this be possible with your project? I especially like the Expiry feature!

  • [BUG] API server binds to IPv6

    Describe the bug The API server binds to an IPv6 address which prevents an IPv4 address from sending requests to the API server

    To Reproduce Steps to reproduce the behavior:

    1. Get an oracle ARM Ampere server
    2. Build from source
    3. Run command

    Expected behavior The server to bind to IPv4 for legacy support

    Screenshots image

  • [FEATURE] Add SAML Auth

    Is your feature request related to a problem? Please describe. The authentication is much easier when working with GitHub/GitLab/Okta/etc.

    Describe the solution you'd like Allow exchanging keys with any SAML IdP.

    Describe alternatives you've considered Adding usernames and passwords for everyone.

    Additional context SAML on Wikipedia

  • Potential security vulnerability

  • [FEATURE] Add iptables rule in program

    Is your feature request related to a problem? Please describe. On a fresh system and running the program from source, the iptables rule that is required to allow data to the client is not present. Users can connect to the VPN and send data but no data is received. To mitigate this the iptables rule is required.

    Describe the solution you'd like Implement sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE into the program. enp0s3 needs to be the correct interface such as eth0, eth1, enp1s3 etc.

    Describe alternatives you've considered Creating a .sh file which runs the command and then starts the program up.
