A Wireguard VPN Server Manager and API to add and remove clients

Overview

Wireguard Manager And API

A manager and API to add and remove WireGuard clients, with extra features such as an auto-reapplier (the autocheck) which removes a client from the running WireGuard interface after a period of inactivity and adds it back afterwards, so that an idle client's endpoint IP address is not kept in the server's memory.

This Go application runs an API which can be served over HTTPS using a LetsEncrypt certificate. All of its state lives under /opt/wgManagerAPI (this directory must be created manually beforehand). Inside it the program creates sub-directories such as /logs, which holds the application logs, and /wg, which holds the SQLite database.

The SQLite database contains tables which store information such as generated and available IPs, client configuration (public key and preshared key), and the WireGuard server's own private key, public key, IP addresses and ListenPort. Treat /opt/wgManagerAPI/wg as sensitive: whoever can read the database holds the server's private key and every client's preshared key.

How to use

.env File

A .env file needs to be placed in the directory /opt/wgManagerAPI/.env containing the following:

MAX_IP=350
SERVER_SECURITY=enabled
FULLCHAIN_CERT=
PK_CERT=
AUTH=ABCDEFG
IP_ADDRESS=
DNS=1.1.1.1
ALLOWED_IP=0.0.0.0/0, ::/0

WG_IPV4=10.6.0.1
WG_IPV6=fe22:22:22::1
PORT=8443
AUTOCHECK=enabled
Variable - Purpose
MAX_IP - The number of IPs generated in the SQLite database; this is also the maximum number of clients the server can host.
SERVER_SECURITY - Enables HTTPS on the API server. Set to disabled to serve plain HTTP; any other value enables HTTPS and requires FULLCHAIN_CERT and PK_CERT. With plain HTTP the AUTH key and the preshared keys you submit cross the network in cleartext, so only use it on a trusted network.
FULLCHAIN_CERT - The path to your LetsEncrypt fullchain.pem certificate. For example: /etc/letsencrypt/live/domain.com/fullchain.pem
PK_CERT - The path to your LetsEncrypt privkey.pem private key. For example: /etc/letsencrypt/live/domain.com/privkey.pem
AUTH - The key that must be sent in the authorization header of every API request. Setting this to - disables API authentication; do not do that on an instance reachable from the internet, since anyone who can reach the port can then add and remove VPN peers.
IP_ADDRESS - The public IP address of your server; it is returned to clients as the WireGuard endpoint.
DNS - The DNS server that WireGuard clients will use. Can also be a local address if you are running a Pihole instance or a local DNS resolver.
ALLOWED_IP - The AllowedIPs value handed to clients. By default all IPv4 and IPv6 traffic is routed through the tunnel; change it to enable split tunnelling.
WG_IPV4 - The local IPv4 address assigned to the WireGuard interface. IMPORTANT: the application creates a /16 subnet from this address, so make sure nothing else uses that range. By default it is 10.6.0.1 (this was tested with a Pihole instance running locally on the same address).
WG_IPV6 - The local IPv6 address assigned to the WireGuard interface. IMPORTANT: the application creates a /64 subnet from this address, so make sure you have room for it. By default it is fe22:22:22::1 (note that this prefix is not inside the fc00::/7 unique-local range; pick a fd00::/8 prefix if you want it to be unambiguously private). IMPORTANT: at the current stage the Docker container cannot pass IPv6 traffic, only IPv4. To disable IPv6, set this to -.
PORT - The port the API server listens on (this is not the WireGuard port).
AUTOCHECK - Enables the autochecker (automatically removes and re-adds client keys after inactivity to increase the privacy of the user) when set to enabled. Disable it by setting it to -.

Deployment

Docker

A Docker container is automatically built on each new release. The container registry for this repository carries tags for the image: main refers to the latest stable release and latest to the most recently built image. The latest image may contain unreleased or buggy software, so use that tag with caution.

Our docker image is built with Debian buster and CoreDNS is used to allow the internal docker container DNS to communicate with the host DNS.

IMPORTANT: Currently with the Docker setup IPv6 addresses cannot passthrough, only IPv4 addresses.

Docker Compose

version: "3"

services:
  wireguard-manager-and-api:
    image: registry.gitlab.com/mawthuq-software/wireguard-manager-and-api:main
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - /opt/wgManagerAPI:/opt/wgManagerAPI
      - /lib/modules:/lib/modules
    ports:
      - "8443:8443"
      - "51820:51820/udp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0

The docker-compose file is the easiest way to get the software up and running. Do not forget to add your .env file to /opt/wgManagerAPI/.env. Two things to check before deploying: the 8443 mapping exposes the API on every host interface, so if you run with SERVER_SECURITY=disabled or AUTH=- restrict access with a firewall; and SYS_MODULE together with the /lib/modules mount lets the container load kernel modules on the host, which is only needed when the host kernel does not already ship the wireguard module (Linux 5.6 and later do), so drop both where you can.

Building from source

Building from source produces a single executable which you can wrap in a systemd service or equivalent. Because it manages the WireGuard interface, the executable must run with root privileges: via sudo (recommended) or as the root user (not recommended).

Do not forget to add your .env file to /opt/wgManagerAPI/.env

  1. Install Go 1.14+ on your machine
  2. git clone this repository
  3. cd wireguard-manager-and-api to enter the repo
  4. go get to fetch the dependencies
  5. go build -o wgManagerAPI main.go to build the executable
  6. sudo ./wgManagerAPI to run the application

Communicating with the API

Adding keys

URL: POST request to http(s)://domain.com:PORT/manager/keys

Header: Content-Type: application/json

Header (If authentication is enabled): authorization:(AUTH key from .env)

Body:

{
  "publicKey": "(Wireguard client public key)",
  "presharedKey": "(Wireguard client preshared key)"
}

Response:

{
  "allowedIPs": "0.0.0.0/0, ::/0",
  "dns": "10.6.0.1",
  "ipAddress": "(public IP of server)",
  "ipv4Address": "(internal IPv4 Address assigned to client) 10.6.0.10/32", 
  "ipv6Address": "(internal IPv6 Address assigned to client) fe22:22:22::10/128",
  "keyID": "(KeyID in database) 1",
  "listenPort": "(wireguard default listenport) 51820",
  "publicKey": "(Public key of wireguard server) ghyewr34A0wzT1b7ZdJgPjWwS3F/9PgRzlNWcX/QlA0=",
  "response": "Added key successfully"
}

Parsing the response into a client config (the client's private key never leaves the client; the API only received the public key and the preshared key):

[Interface]
PrivateKey = (Wireguard client private key)
Address = (internal IPv4 Address assigned to client), (internal IPv6 Address assigned to client)
DNS = 10.6.0.1

[Peer]
PublicKey = (Public key of wireguard server)
PresharedKey = (Wireguard client preshared key)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = (public IP of server):51820

Removing keys

URL: DELETE request to http(s)://domain.com:PORT/manager/keys

Header: Content-Type: application/json

Header (If authentication is enabled): authorization:(AUTH key from .env)

Body:

{
  "keyID": "(Database keyID)"
}

Response:

{
  "response": "Key deleted"
}
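As an added example that is not part of the README or of the project's own code, here is a small Go client that performs the two calls above and renders the add-key response into the wg-quick configuration shown earlier. It runs offline against a constructed stand-in for the API (FakeManager) that only imitates the documented response shapes; the route /manager/keys, the header names and the response field names are taken from this page, while the handling of a "-" ipv6Address when IPv6 is disabled is an assumption. Note that the README documents /manager/keys whereas one of the issue threads below calls /manager/key successfully, so check the route for the version you run.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Response documented for POST /manager/keys; every field, keyID and listenPort included, is a string.
type AddKeyResponse struct {
	AllowedIPs  string `json:"allowedIPs"`
	DNS         string `json:"dns"`
	IPAddress   string `json:"ipAddress"`
	IPv4Address string `json:"ipv4Address"`
	IPv6Address string `json:"ipv6Address"`
	KeyID       string `json:"keyID"`
	ListenPort  string `json:"listenPort"`
	PublicKey   string `json:"publicKey"`
	Response    string `json:"response"`
}

// Client: API base URL (scheme, host and PORT from .env) plus the AUTH key; Auth == "" sends no header (server run with AUTH=-).
type Client struct {
	BaseURL, Auth string
	HTTP          *http.Client
}

// Call sends body as JSON to /manager/keys with the documented headers and decodes the reply into out.
// A non-2xx status (for example a rejected AUTH key) becomes an error carrying the server's message.
func (c *Client) Call(method string, body, out interface{}) error {
	buf, _ := json.Marshal(body) // bodies here are map[string]string, which always marshal
	req, err := http.NewRequest(method, c.BaseURL+"/manager/keys", bytes.NewReader(buf))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	if c.Auth != "" {
		req.Header.Set("authorization", c.Auth)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		msg, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("%s /manager/keys: HTTP %d: %s", method, resp.StatusCode, bytes.TrimSpace(msg))
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// AddKey registers the client's public key and preshared key. The private key is never sent; it stays on the client.
func (c *Client) AddKey(pub, psk string) (AddKeyResponse, error) {
	var r AddKeyResponse
	err := c.Call(http.MethodPost, map[string]string{"publicKey": pub, "presharedKey": psk}, &r)
	if err == nil && r.Response != "Added key successfully" {
		err = fmt.Errorf("unexpected response %q", r.Response)
	}
	return r, err
}

// RenderClientConfig builds the wg-quick file shown in the README. Assumption (not stated on the page):
// a server with IPv6 disabled (WG_IPV6=-) returns "-" or an empty ipv6Address, so only IPv4 is written then.
func RenderClientConfig(r AddKeyResponse, privateKey, psk string) string {
	addr := r.IPv4Address
	if r.IPv6Address != "" && r.IPv6Address != "-" {
		addr += ", " + r.IPv6Address
	}
	return fmt.Sprintf("[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n"+
		"[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s\nEndpoint = %s:%s\n",
		privateKey, addr, r.DNS, r.PublicKey, psk, r.AllowedIPs, r.IPAddress, r.ListenPort)
}

// FakeManager is a constructed stand-in for the real API (not the project's code) so the example runs offline:
// it enforces the authorization header and replies with the documented shapes (203.0.113.10 is a documentation address).
func FakeManager(auth string) http.Handler {
	replies := map[string]string{
		http.MethodPost:   `{"allowedIPs":"0.0.0.0/0, ::/0","dns":"10.6.0.1","ipAddress":"203.0.113.10","ipv4Address":"10.6.0.10/32","ipv6Address":"fe22:22:22::10/128","keyID":"1","listenPort":"51820","publicKey":"ghyewr34A0wzT1b7ZdJgPjWwS3F/9PgRzlNWcX/QlA0=","response":"Added key successfully"}`,
		http.MethodDelete: `{"response":"Key deleted"}`,
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/manager/keys" || r.Header.Get("authorization") != auth {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, replies[r.Method])
	})
}

func main() {
	srv := httptest.NewServer(FakeManager("ABCDEFG"))
	defer srv.Close()
	c := &Client{BaseURL: srv.URL, Auth: "ABCDEFG", HTTP: srv.Client()}
	// Placeholder keys; on a real client: wg genkey | tee private.key | wg pubkey > public.key, and wg genpsk.
	resp, err := c.AddKey("CLIENT_PUBLIC_KEY=", "CLIENT_PRESHARED_KEY=")
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderClientConfig(resp, "CLIENT_PRIVATE_KEY=", "CLIENT_PRESHARED_KEY="))
	// Removing the key again is the DELETE call with the keyID from the add response.
	var del struct{ Response string `json:"response"` }
	if err := c.Call(http.MethodDelete, map[string]string{"keyID": resp.KeyID}, &del); err != nil || del.Response != "Key deleted" {
		panic(fmt.Sprint("delete failed: ", err, " ", del.Response))
	}
}
```

Against a real instance, point BaseURL at https://domain.com:PORT and use http.DefaultClient. Because the API only ever receives the public key and the preshared key, generate the key pair on the client and keep the private key there; remember that with SERVER_SECURITY=disabled the preshared key and the AUTH value travel as plain HTTP.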

Debugging

Logs

If the Wireguard Manager and API application fails to start, always look at the logs first: open the /opt/wgManagerAPI/logs/ folder and read the latest log with nano or any other text editor.

FAQ

Haha nothing here

Issues
  • No internet connection after connecting to the WireGuard tunnel

    Hi,

    I've set up wireguard-manager-and-api via Docker and created keys like this on a different machine:

    [email protected] ~ # wg genkey | tee private.key | wg pubkey > public.key
    [email protected] ~ # cat private.key
    iBjbKpaS5MKLE0umMciE7kQD0u3fBm5LD8L2rRe02VY=
    [email protected] ~ # cat public.key
    8KbN4MeEflQS1nX3J6Ts1Piq19ohjNHnQcjXs94yF0g=
    [email protected] ~ # wg genpsk
    QanbVcZd2gWMyiHZU3pTO8V5vmQplLCaenvYM8cBdqM=

    Then I called the API like this:

    [email protected] ~ # curl --request POST --url http://1.2.3.4:8443/manager/key --header 'Content-Type: application/json' --data '{ "publicKey": "8KbN4MeEflQS1nX3J6Ts1Piq19ohjNHnQcjXs94yF0g=", "presharedKey": "QanbVcZd2gWMyiHZU3pTO8V5vmQplLCaenvYM8cBdqM=", "bwLimit": 1000, "subExpiry": "2022-Mar-31 12:39:05 PM", "ipIndex": 0 }'
    {"allowedIPs":"0.0.0.0/0, ::0","dns":"1.1.1.1","ipAddress":"1.2.3.4","ipv4Address":"10.8.0.10/32","ipv6Address":"fe22:22:22::10/128","keyID":"1","listenPort":"443","publicKey":"T2Rs6GA5d9Wcxa5TysQahaF6O/GRWvliUNv7BvxVsx0=","response":"Added key successfully"}

    and created a wireguard.conf like this:

    [Interface]
    PrivateKey = iBjbKpaS5MKLE0umMciE7kQD0u3fBm5LD8L2rRe02VY=
    Address = 10.8.0.10/32
    DNS = 1.1.1.1

    [Peer]
    PublicKey = T2Rs6GA5d9Wcxa5TysQahaF6O/GRWvliUNv7BvxVsx0=
    PresharedKey = QanbVcZd2gWMyiHZU3pTO8V5vmQplLCaenvYM8cBdqM=
    Endpoint = 1.2.3.4:443
    AllowedIPs = 0.0.0.0/0,::/0

    On the client I can activate the connection and the status is "active" (green) afterwards, and I can see in the WireGuard client that I send data to the tunnel. On the server I run docker exec -t -i container_name /bin/bash and look at the WireGuard status:

    [email protected]:/usr/src/wireguard-manager-and-api$ sudo wg show
    interface: wg0
      public key: T2Rs6GA5d9Wcxa5TysQahaF6O/GRWvliUNv7BvxVsx0=
      private key: (hidden)
      listening port: 443

    peer: 8KbN4MeEflQS1nX3J6Ts1Piq19ohjNHnQcjXs94yF0g=
      preshared key: (hidden)
      allowed ips: 10.8.0.10/32, fe22:22:22::10/128

    So no handshakes visible and the peer line is yellow. On the client I can't connect to the Internet. How can I debug this further? Do I have to do sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE for the docker interface or for the host eth0 interface? Do I have to set net.ipv4.ip_forward=1 in the sysctl.conf on the host? Is my wireguard.conf correct for the keys generated?

    opened by freerko 3
  • [BUG] Disabling IPv6 doesn't work

    Hi,

    I am trying to set up wireguard-manager-and-api via Docker. Since IPv6 is not yet supported via Docker, I've tried to set INSTANCE.IP.LOCAL.IPV6.ADDRESS to "-" and INSTANCE.IP.LOCAL.IPV6.ENABLED to "false" as advised in the documentation. When starting the container without a database, it tries to populate the database with many entries where each ips.ipv6_address is set to "-", which fails because of the UNIQUE constraint, resulting in only the first IPv4 address being written to the database correctly:

    [email protected]:~# docker-compose up
    Starting root_wireguard-manager-and-api_1 ... done
    Attaching to root_wireguard-manager-and-api_1
    wireguard-manager-and-api_1 | WG MANAGER AND API STARTING UP
    wireguard-manager-and-api_1 | Env file loading - 1/6
    wireguard-manager-and-api_1 | Logger starting up - 2/6
    wireguard-manager-and-api_1 | Starting database - 3/6
    wireguard-manager-and-api_1 |
    wireguard-manager-and-api_1 | 2022/03/30 19:31:00 /usr/src/wireguard-manager-and-api/src/db/db.go:95 record not found
    wireguard-manager-and-api_1 | [0.115ms] [rows:0] SELECT * FROM ips WHERE ipv4_address = "10.8..0.108" ORDER BY ips.ipv4_address LIMIT 1
    wireguard-manager-and-api_1 |
    wireguard-manager-and-api_1 | 2022/03/30 19:31:00 /usr/src/wireguard-manager-and-api/src/db/db.go:108 UNIQUE constraint failed: ips.ipv6_address
    wireguard-manager-and-api_1 | [0.120ms] [rows:0] INSERT INTO ips (ipv4_address,ipv6_address,in_use,wg_interface) VALUES ("10.8.0.4","-","false","wg0")
    wireguard-manager-and-api_1 |
    wireguard-manager-and-api_1 | 2022/03/30 19:31:00 /usr/src/wireguard-manager-and-api/src/db/db.go:108 UNIQUE constraint failed: ips.ipv6_address
    wireguard-manager-and-api_1 | [0.087ms] [rows:0] INSERT INTO ips (ipv4_address,ipv6_address,in_use,wg_interface) VALUES ("10.8.0.5","-","false","wg0")
    ...

    The same happens when I keep INSTANCE.IP.LOCAL.IPV6.ENABLED as "false" but set INSTANCE.IP.LOCAL.IPV6.ADDRESS to "fe22:22:22::3". It populates the database as intended when I set INSTANCE.IP.LOCAL.IPV6.ENABLED to "true".

    bug 
    opened by freerko 2
  • Adding keys doesn't work, maybe issue with ipIndex?

    Hi,

    thanks again for your project, I got the docker-compose running but am unable to add keys:

    [email protected] ~ # curl -X POST -H "Content-Type: application/json" -d '{"publicKey": "0AYPFxOJtFumrUGwERWxPOHN26FvCq1RGwE/loji7no=","presharedKey": "1DKCLcUVEwglPHDUqexY22VLKtq412TwAX/YnLxKg8c=","bwLimit": 0,"subExpiry": "2022-Mar-29 12:39:05 PM","ipIndex": "10.6.1.4"}' https://mydomain.com:8443/manager/keys

    returns: 404 page not found

    I don't understand what you refer to with "the integer index of the ip address you want to use" to put as "ipIndex". I tried the above example which didn't work and then changed it to "3" but had the same result. I looked into the database with sqlite3 /opt/wgManagerAPI/wg/wireguardPeers.db and select * from ips; and didn't see any form of database index, just the plain IPs. I noticed that in your new GUI there is no such ipIndex form field when adding keys and I would prefer to have the selection of IPs completely automatic.

    Any idea why this is failing? A simple curl https://mydomain.com:8443/manager/key seems to work fine, it returns {"Response":"All key successfully parsed","Keys":[]}.

    opened by freerko 2
  • 404 Error while calling API via Postman

    Trying to call the API via Postman; everything looks good but it throws a 404 Not Found error.

    I am not using Let's Encrypt. Can you make a detailed guide on using this? I am not experienced with APIs.

    opened by priteshuae 2
  • [FEATURE] Client-side option when running the container

    Hello,

    Is your feature request related to a problem? Please describe.
    Automatically connecting a WireGuard client to the server using the API.

    Describe the solution you'd like
    A container running as "client" which can generate public/private keys and a PSK, request the server (API) and start WireGuard based on the response. This could be useful for auto-provisioning of WireGuard clients. Use case: server templates which can connect to the WireGuard server automatically on boot.

    Describe alternatives you've considered
    I've been trying to use this: https://github.com/perara/wg-manager It basically does the same thing and has a client option when running the container, but I've been unable to make it work.

    I'll probably make a simple dockerfile that works in bash, but I am wondering if you could add this or if this was planned.

    Thanks in advance,

    Regards,

    opened by RiwanBodereau 2
  • [FEATURE] Creating publicKey/presharedKey via this API?

    Hi,

    as far as I understood this project, it allows me to roll out existing publicKeys and presharedKeys to (potentially many) VPN nodes, correct? I am looking for a solution that takes care of the wg genkey and wg genpsk part of the user setup as well, so an API that I can call to create the keys and giving me the complete connection details in return. Would this be possible with your project? I especially like the Expiry feature!

    question wontfix 
    opened by freerko 1
  • [BUG] API server binds to IPv6

    Describe the bug The API server binds to an IPv6 address which prevents an IPv4 address from sending requests to the API server

    To Reproduce Steps to reproduce the behavior:

    1. Get an Oracle ARM Ampere server
    2. Build from source
    3. Run command

    Expected behavior The server to bind to IPv4 for legacy support

    Screenshots: (image not reproduced)

    bug 
    opened by RaspberryTech01 1
  • Potential security vulnerability

    opened by RaspberryTech01 0
  • [FEATURE] Add iptables rule in program

    Is your feature request related to a problem? Please describe.
    On a fresh system, running the program from source, the iptables rule that is required to allow data to the client is not present. Users can connect to the VPN and send data but no data is received. To mitigate this the iptables rule is required.

    Describe the solution you'd like
    Implement sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE into the program. enp0s3 needs to be the correct interface such as eth0, eth1, enp1s3 etc.

    Describe alternatives you've considered
    Creating a .sh file which runs the command and then starts the program up.

    bug enhancement 
    opened by RaspberryTech01 1
Releases(v0.6-alpha)
  • v0.6-alpha(Apr 16, 2022)

  • v0.5.1-alpha(Feb 12, 2022)

  • v0.5-alpha(Dec 30, 2021)

    New Release:

    This update brings the following additions and improvements:

    • Getting of all subscriptions in the database.
    • Getting of all keys in the database. Preshared keys are redacted for privacy.
    • The port for the Wireguard server can be changed in the configuration file but only before starting up the application for the first time. This can be changed afterward by manually editing the value in the database.
    • Cleaned up the code so that a middleware for authentication is used rather than copy pasting the function into each route.
    Source code(tar.gz)
    Source code(zip)
    wgManagerAPI_AMD(19.42 MB)
  • v0.4-alpha(Nov 15, 2021)

    New Release:

    This update brings the following additions and improvements:

    • Cleaned up code, created a middleware for authorization rather than adding to each router file
    • Bandwidth had a bug: when set to unlimited, the key would get disabled by autocheck. This is fixed.
    • The port for the API server is now configurable; previously the default port was hardcoded, preventing it from being changed.
    • We now use a config.json file to help visualisation of the variables.

    We are trying to get things production ready, there will be changes frequently just so everything can be perfect.

    Source code(tar.gz)
    Source code(zip)
    wgManagerAPI_AMD(19.40 MB)
  • v0.3-alpha(Oct 17, 2021)

    New Release

    This update brings the following additions:

    • Adding of subscriptions. Subscriptions are a way to set an expiry date and/or a bandwidth limit. Keys are disabled (not deleted) after the subscription expires or the bandwidth limit is reached.
    • Subscriptions are created upon key creation (hence the existing API call was updated.)
    • Editing of subscriptions. Subscriptions can be edited after creation to extend the subscription expiry, bandwidth limit and also to reset the current bandwidth usage.

    This release requires you to delete your existing sqlite database so that everything works appropriately.

    Source code(tar.gz)
    Source code(zip)
    wgManagerAPI_AMD(16.23 MB)
  • v0.2-alpha(Aug 28, 2021)

    New release:

    1. Added enabling and disabling of client keys. When a key is enabled it can be used; when disabled the client cannot connect to the VPN.

    2. Cleaned up code. Separated code into different files to make the file structure cleaner, easier to read and program.

    3. Added API paths to enable and disable client keys. Implemented routes to allow enabling and disabling of keys.

    4. Made the API server run on IPv4. Previously the server may have run on IPv6 if the host used IPv6 by default. This was changed to force the server onto IPv4 (yes, it's kind of backward, but almost all servers and ISPs provide IPv4).

    5. Built for different architectures. Below, wgManagerAPI was built on an AMD server and wgManagerAPI-ARM on an ARM64 server.

    Source code(tar.gz)
    Source code(zip)
    wgManagerAPI(16.20 MB)
    wgManagerAPI-ARM(15.24 MB)
  • v0.1-alpha(Aug 6, 2021)
