WireGuard Web UI for self-serve client configurations, with optional auth.

Overview

WG UI

A basic, self-contained management service for WireGuard with a self-serve web UI.
Current stable release: v1.3.0

Features

  • Self-serve and web based
  • QR-Code for convenient mobile client configuration
  • Optional multi-user support behind an authenticating proxy
  • Zero external dependencies - just a single binary using the wireguard kernel module
  • Binary and container deployment

Running

The easiest way to run wg-ui is using the container image. To test it, run:

docker run --rm -it --privileged --entrypoint "/wireguard-ui" -v /tmp/wireguard-ui:/data -p 8080:8080 embarkstudios/wireguard-ui:latest --data-dir=/data --log-level=debug

When running in production, we recommend pinning the image to the latest release rather than using the latest tag.

Note that WireGuard must be installed on the machine for this to work, as this is 'just' a UI to manage WireGuard configs.

Configuration

You can configure wg-ui using command-line flags or environment variables. To see all available flags, run:

docker run --rm -it embarkstudios/wireguard-ui:latest -h
./wireguard-ui -h

You can alternatively specify each flag through an environment variable of the form WIREGUARD_UI_<FLAG_NAME>, where <FLAG_NAME> is replaced with the flag name transformed to CONSTANT_CASE, e.g.

docker run --rm -it embarkstudios/wireguard-ui:latest --log-level=debug

and

docker run --rm -it -e WIREGUARD_UI_LOG_LEVEL=debug embarkstudios/wireguard-ui:latest

are the same.

Docker images

There are two ways to run wg-ui today. You can run it with the WireGuard kernel module installed on your host, which is the best way to do it if you want performance.

docker pull embarkstudios/wireguard-ui:latest

If, however, you cannot or do not want to load the kernel module on your host, there is a Docker image based on wireguard-go. Keep in mind that this runs WireGuard in userspace and not in the kernel module.

docker pull embarkstudios/wireguard-ui:userspace

Both images are built for linux/amd64, linux/arm64 and linux/arm/v7. If you need it for any other platform, you can build wg-ui binaries with help from the documentation.

Install without Docker

You need to have WireGuard installed on the machine running wg-ui.

Unless you use the userspace version with Docker, you're required to have WireGuard installed on your host machine.

A few installation guides:

  • Ubuntu 20.04 LTS
  • CentOS 8
  • Debian 10

Go installation (Debian)

Install the latest version of Go from https://golang.org/dl/

sudo tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz

Setup environment

Bash: ~/.bash_profile
ZSH: ~/.zshrc

export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
export GOPATH=$HOME/go

Install the LTS version of Node.js for the frontend.

sudo apt-get install curl software-properties-common
curl -sL https://deb.nodesource.com/setup_12.x | sudo bash -
sudo apt-get install nodejs

Fetch wg-ui

git clone https://github.com/EmbarkStudios/wg-ui.git && cd wg-ui

Build binary with ui

make build

Cross-compiling

make build-amd64
make build-armv5
make build-armv6
make build-armv7

Build step by step

make ui
make build

Developing

Start frontend server

npm install --prefix=ui
npm run --prefix=ui dev

Use frontend server when running the server

make build
sudo ./bin/wireguard-ui --log-level=debug --dev-ui-server http://localhost:5000

Contributing

We welcome community contributions to this project.

Please read our Contributor Guide for more information on how to get started.

License

Licensed under either of

at your option.

Issues
  • Configuration is not applied on ArchLinux

    Describe the bug Configuration is not applied on Archlinux

    uname -a
    Linux squanchy 5.4.8-arch1-1 #1 SMP PREEMPT Sat, 04 Jan 2020 23:46:18 +0000 x86_64 GNU/Linux
    

    To Reproduce My docker-compose.yml

      wireguard-ui:
        image: embarkstudios/wireguard-ui:latest
        container_name: wireguard-ui
        restart: unless-stopped
        networks:
          br_docker:
            ipv6_address: fd9f::10:0:0:37
            ipv4_address: 10.0.0.37
        expose:
          - "8080/tcp"
          - "5555/tcp"
        volumes:
          - /mnt/raid-lv-data/docker-persistent-data/wireguard-ui:/data
        command: --data-dir=/data --log-level=debug --client-ip-range=10.6.6.0/24 --nat-device=eno1 --wg-endpoint=wireguard.127-0-0-1.fr:123 --wg-dns=10.0.0.2 --wg-device-name=wg1
        privileged: true
    

    wg command on host is not showing anything. How is wireguard-ui supposed to configure the host from docker? Can you please elaborate in the documentation?

    bug 
    opened by vx3r 17
  • 'no such file or directory' error when using docker image

    Describe the bug When I use the latest docker image, I get the following error: standard_init_linux.go:219: exec user process caused: no such file or directory

    To Reproduce Steps to reproduce the behavior:

    1. I added the following to my docker-compose.yml:
      wireguard-ui:
        image: embarkstudios/wireguard-ui:latest
        container_name: wireguard-ui
        privileged: true
        network_mode: "host"
        ports:
          - 25444:25444
          - 51820:51820/udp
        volumes:
          - /opt/wireguard-ui:/data
        environment:
          - PGID=1000
          - PUID=1000
          - WIREGUARD_UI_LISTEN_ADDRESS=:25444
          - WIREGUARD_UI_LOG_LEVEL=debug
          - WIREGUARD_UI_DATA_DIR=/data
          - WIREGUARD_UI_WG_ENDPOINT=vpn.somehost.com:51820
          - WIREGUARD_UI_CLIENT_IP_RANGE=10.8.0.1/24
          - WIREGUARD_UI_WG_DNS=94.140.14.14
     #     - WIREGUARD_UI_NAT=true
     #     - WIREGUARD_UI_NAT_DEVICE=eno1
        restart: always
    
    
    2. run docker-compose up wireguard-ui

    Expected behavior wg-ui to be running

    Actual behavior The following error: standard_init_linux.go:219: exec user process caused: no such file or directory

    bug 
    opened by lxz81 17
  • ARM Support

    Is your feature request related to a problem? Please describe. I cannot start this UI within an ARM docker environment.

    Describe the solution you'd like Make a docker image that will run on ARM CPUs, such as Raspberry Pi.

    Additional context Currently fails with: standard_init_linux.go:211: exec user process caused "exec format error" I assume, and I could be wrong, that it is as simple as recompiling.

    enhancement 
    opened by cameroncros 14
  • Add documentation for authentication

    Is your feature request related to a problem? Please describe. I can't figure out how the authentication setup for the web interface works.

    Describe the solution you'd like A little explanation/documentation about how the authentication mechanism works.

    enhancement documentation 
    opened by Thomvh 10
  • Starting wg-ui fails on Raspberry Pi

    Describe the bug First of all, I am aware that with the release of version 1.1, ARM builds are also supported. However, running the supplied example command in the README on my Raspberry Pi still results in docker failing to start the container.

    [email protected]:~/test $ sudo docker run --rm -it --privileged --entrypoint "/wireguard-ui" -v /tmp/wireguard-ui:/data -p 8080:8080 -p 5555:5555 embarkstudios/wireguard-ui:latest --data-dir=/data --log-level=debug
    standard_init_linux.go:211: exec user process caused "no such file or directory"
    
    

    To Reproduce Run the above command

    Expected behavior Container deploying

    Device:

    • Raspberry Pi 3 Model B+
    bug 
    opened by Brainscrewer 8
  • Unable to run container on Unraid

    I'm trying to run the container on my Unraid 6.7.2 server but am receiving the following error. Please let me know what else I can provide. I appreciate the help!

    [email protected]:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Wireguard-UI' --net='bridge' --privileged=true -e TZ="America/New_York" -e HOST_OS="Unraid" -p '18080:8080/tcp' -p '5555:5555/tcp' -v '/mnt/cache/appdata/wireguard-ui':'/data':'rw' 'embarkstudios/wireguard-ui' --data-dir=/data --log-level=debug
    37ff59c0d2a1a224db44c4f56ec3b2c6f7c244380c4579deedce7199840169dc
    /usr/bin/docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "exec: "/bin/sh": stat /bin/sh: no such file or directory": unknown.
    
    The command failed.
    
    opened by hoveeman 6
  • make build fails with `make: go-bindata-assetfs: Command not found`

    Describe the bug Install fails after the make build step with the following error message:

    ...
    Child mini-css-extract-plugin node_modules/css-loader/dist/cjs.js!node_modules/sass-loader/dist/cjs.js??ref--5-2!src/style.scss:
        Entrypoint mini-css-extract-plugin = *
        [0] ./node_modules/css-loader/dist/cjs.js!./node_modules/sass-loader/dist/cjs.js??ref--5-2!./src/style.scss 3.72 KiB {0} [built]
            + 1 hidden module
    go get github.com/go-bindata/go-bindata/...
    go get github.com/elazarl/go-bindata-assetfs/...
    go-bindata-assetfs -prefix ui/dist ui/dist
    make: go-bindata-assetfs: Command not found
    make: *** [assets] Error 127
    

    To Reproduce Steps to reproduce the behavior:

    1. run make build or make build-amd64

    Expected behavior I expected the build process to complete successfully, and then to resume the README guide past the make build step.

    Screenshots n/a

    Device:

    • OS: CentOS 7
    • Node.js v14.15.4
    • go 1.15.7
    • wg-ui 1.1.0
    bug 
    opened by tromlet 6
  • error make ui

    Hi, I have this error during make go binary

    [email protected]:~/wg-ui# make go-binary
    go-bindata-assetfs -prefix ui/dist ui/dist
    go build .
    github.com/google/nftables/expr
    ../go/pkg/mod/github.com/google/[email protected]/expr/dynset.go:46:132: e.Timeout.Milliseconds undefined (type time.Duration has no field or method Milliseconds)
    Makefile:6: recipe for target 'go-binary' failed
    make: *** [go-binary] Error 2

    bug 
    opened by jly26 6
  • Add flag for keepalive

    Is your feature request related to a problem? Please describe. As far as I can tell there is no flag that lets me define a keepalive.

    Describe the solution you'd like Add a flag, --keepalive for example, that lets me define my desired keepalive in seconds.

    enhancement 
    opened by Bouni 5
  • FATA[0000]

    Hi,

    When I build the docker, all is ok. docker build . -t xxx/wireguard-ui

    But when I run the docker, it's failed. docker run --rm -it --privileged --entrypoint "/wireguard-ui" -v /tmp/wireguard-ui:/data -p 8080:8080 -p 5555:5555 xxx/wireguard-ui --data-dir=/data --log-level=debug

    FATA[0000] operation not supported

    When I run the original command, it's failed so

    Romain

    bug 
    opened by Kawabountou 5
  • Bump follow-redirects from 1.13.0 to 1.14.7 in /ui

    Bumps follow-redirects from 1.13.0 to 1.14.7.

    Commits
    • 2ede36d Release version 1.14.7 of the npm package.
    • 8b347cb Drop Cookie header across domains.
    • 6f5029a Release version 1.14.6 of the npm package.
    • af706be Ignore null headers.
    • d01ab7a Release version 1.14.5 of the npm package.
    • 40052ea Make compatible with Node 17.
    • 86f7572 Fix: clear internal timer on request abort to avoid leakage
    • 2e1eaf0 Keep Authorization header on subdomain redirects.
    • 2ad9e82 Carry over Host header on relative redirects (#172)
    • 77e2a58 Release version 1.14.4 of the npm package.
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • I need some help!

    I need someone to tell me what the "--auth-user-header" param is, and how to use it! I can't understand it! 🥰🥰🥰

    opened by JohyC 0
  • using systemctl manage wg-ui !

    I want to use systemctl to manage wg-ui, but I cannot close wg-ui correctly when I use the following configuration. I need some help!

    [Unit]
    Description=https://github.com/ngoduykhanh/wireguard-ui
    After=network.target
    
    [Service]
    Type=simple
    WorkingDirectory=/usr/local/bin/wg
    ExecStart=/usr/local/bin/wg/wg-ui --log-level=debug --listen-address=":51821" --nat --client-ip-range="172.16.0.0/24" --nat-device="eth0" --data-dir="/etc/wireguard" --wg-keepalive="25"
    Restart=on-abnormal
    RestartSec=5s
    
    [Install]
    WantedBy=multi-user.target
    
    opened by JohyC 0
  • could not find slirp4netns

    Describe the bug Running image via podman on Raspberry Pi 4:

    ERRO[0000] could not find slirp4netns, the network namespace won't be configured: exec: "slirp4netns": executable file not found in $PATH
    Error: OCI runtime error: unknown cap: `CAP_BPF`
    

    To Reproduce

    podman run --rm -it --privileged --entrypoint "/wireguard-ui" -v /tmp/wireguard-ui:/data -p 8080:8080 -p 5555:5555 embarkstudios/wireguard-ui:latest --data-dir=/data --log-level=debug
    

    Expected behavior Expected image to run as expected

    Device:

    • OS:
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Raspbian
    Description:	Raspbian GNU/Linux 10 (buster)
    Release:	10
    Codename:	buster
    
    • Version: :latest

    Additional context Add any other context about the problem here.

    bug 
    opened by dalanmiller 0
  • Administration account

    It would be great to have an administration account to remove obsolete client...

    enhancement 
    opened by aureb 1
  • Public accessible and usable Wireguard-UIs

    Open Problem / Issue. I was looking for a WireGuard UI which I could use to set up a VPN myself and encountered this cool repo. I really appreciate this product. But I didn't understand your authentication method. When I set up your system (I used your Docker container) it exposes the ports to the public and there is no authentication or password at all. Or is your project supposed to run in a secure network?

    Solution It would be great if you could add some authentication to the WebUI so not everybody on the internet can use it. (Login or something)

    Alternatives Maybe you could also change your setup descriptions, so that the ports don't get exposed, and give a piece of quick information to the users so that they are aware that the UI is publicly accessible.

    Additional context I write this issue because I'm practically concerned. I think a lot of people who are using the system are not aware of this issue. I actually was able to find 9 systems on the Internet with shodan (excluding my own honeypot). You can simply search for the session cookie, which is always wguser=anonymous.

    Here is a link with a preconfigured search: shodan

    Also, here is a typical firewall-scan result:

    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Length: 927
    Content-Type: text/html; charset=utf-8
    Last-Modified: Mon, 01 Feb 2021 09:46:20 GMT
    Set-Cookie: wguser=anonymous; Path=/
    Date: Mon, 29 Mar 2021 18:00:48 GMT
    
    enhancement 
    opened by Mariuxdeangelo 0
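
The README's "multi-user support behind an authenticating proxy" and the --auth-user-header flag asked about in the issues above only protect the UI if the proxy, not the client, decides what that header contains. The Go program below is an added example, not code from wg-ui or from any issue author: a minimal authenticating reverse proxy that rejects unauthenticated requests and overwrites a client-supplied username header. Assumptions: wg-ui takes the username from the header named by --auth-user-header, the header name X-Forwarded-User, the Basic-auth user table, the backend address and the echo backend standing in for wg-ui are all hypothetical.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

const (
	// userHeader is an assumed name; it must match wg-ui's --auth-user-header value.
	userHeader = "X-Forwarded-User"
	demoPass   = "constructed-demo-password" // constructed sample credential
)

// newAuthProxy checks HTTP Basic credentials against users (constructed demo
// data) and forwards to backend with userHeader set by the proxy, never the client.
func newAuthProxy(backend *url.URL, rt http.RoundTripper, users map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, pass, ok := r.BasicAuth()
		want, known := users[name]
		if !ok || !known || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="wg-ui"`)
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		rp := &httputil.ReverseProxy{
			Transport: rt, // nil selects http.DefaultTransport
			Rewrite: func(pr *httputil.ProxyRequest) {
				pr.SetURL(backend)
				// Rewrite runs after hop-by-hop headers are stripped, so a client's
				// "Connection: X-Forwarded-User" cannot delete the value, and Set
				// replaces anything the client supplied under the same name.
				pr.Out.Header.Set(userHeader, name)
			},
		}
		rp.ServeHTTP(w, r)
	})
}

// handlerTransport calls a backend handler in-process so the demo opens no sockets.
type handlerTransport struct{ h http.Handler }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// probe sends one request through the proxy to a stand-in backend (not wg-ui)
// that echoes the username header it received; it returns status and body.
func probe(user, pass string, extra map[string]string) (int, string) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Header.Get(userHeader))
	})
	backend, _ := url.Parse("http://127.0.0.1:8080") // assumed loopback-only backend
	proxy := newAuthProxy(backend, handlerTransport{echo}, map[string]string{"alice": demoPass})
	req := httptest.NewRequest(http.MethodGet, "http://vpn.example.test/", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	for k, v := range extra {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	spoof := map[string]string{userHeader: "admin", "Connection": userHeader}
	fmt.Println(probe("", "", spoof))
	fmt.Println(probe("alice", demoPass, spoof))
}
```

In a deployment the backend must be reachable only through the proxy, for example by publishing the container port as 127.0.0.1:8080:8080 instead of 8080:8080; a backend that trusts the header and is reachable directly gets no protection from the proxy.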
  • Run WireGuard UI outside of /

    I'm trying to create an add-on for Home Assistant with WireGuard UI. Home Assistant has something they call Ingress which allows users to access the add-on web interface via the Home Assistant UI (through a proxy).

    The problem is that almost every link/resource in WireGuard UI is absolute and bound to / and Home Assistant mounts the application to /hassio/ingress/local_wg-ui (not sure if it's always predictable). I'm not familiar with Svelte or the routing engine you are using in the Go code but wondering if it would be possible to run WireGuard UI on another path than / or even better with relative links/resources.

    Guess that it could be useful in other cases outside of Home Assistant as well, like example.com/vpn

    enhancement 
    opened by theseal 7
  • Show connection stats in the UI

    It would be nice to see which peers are connected and see their stats

    In my opinion the output of wg would be nice to see for each client.

    enhancement 
    opened by Bouni 0
  • Possibility to hide or remove a "newClient" button

    Is your feature request related to a problem? Please describe. Hello team. I have a task to deploy a tiny and cute frontend, which will distribute wg configs for users of our organization. I decided to use your package, because it is 100% suitable. We use dedicated server as a wg endpoint (VyOS cluster on vrrp), so I don't need to create peers from UI. I am populating config.json by ansible task and launch wg-ui as docker image with pre-configured json. Users are authenticating with oauth2-proxy, which I'm launching from docker as well. The system is working perfectly. The last task that I have is to remove "newClient" button from page.

    I am not experienced in building applications or golang programming. I was able to edit Clients.svelte file and launch frontend, but making docker-image from this seems too hard for me.

    WireGuard soon will be available not only on servers but on embedded devices, routers, appliances etc. as well. I think using your package just as a UI server for distributing configs (without managing wg) will be demanded by lots of people.

    Describe the solution you'd like Add a new flag "remove-newclient-button" to config, which will just remove the "newClient" button from page.

    Describe alternatives you've considered Add a flag "lock-config" which will remove the "newClient" button and remove "edit configuration" button to remove all possibilities for users to edit anything.

    enhancement good first issue Hacktoberfest 
    opened by dmitrydvornichenko 4
  • ipv6 support

    Is your feature request related to a problem? Please describe. Could you please add IPv6 support?

    enhancement 
    opened by engel75 5
Releases(v1.3.0)
Owner
Embark