A fork of the simple WireGuard VPN server GUI community maintained

Subspace - A simple WireGuard VPN server GUI

Slack

Join the Slack community over at the gophers workspace. Our channel is #subspace; use it to ask general questions about subspace, where the community can assist where possible.

Features

  • WireGuard VPN Protocol
    • The most modern and fastest VPN protocol.
  • Single Sign-On (SSO) with SAML
    • Support for SAML providers like G Suite and Okta.
  • Add Devices
    • Connect from Mac OS X, Windows, Linux, Android, or iOS.
  • Remove Devices
    • Removes client key and disconnects client.
  • Auto-generated Configs
    • Each client gets a unique downloadable config file.
    • Generates a QR code for easy importing on iOS and Android.

Contributing

See the CONTRIBUTING page for additional info.

Setup

1. Get a server

Recommended Specs

  • Type: VPS or dedicated
  • Distribution: Ubuntu 16.04 (Xenial), 18.04 (Bionic) or 20.04 (Focal)
  • Memory: 512MB or greater

2. Add a DNS record

Create a DNS A record in your domain pointing to your server's IP address.

Example: subspace.example.com A 172.16.1.1

3. Enable Let's Encrypt

Subspace runs an HTTPS (TLS) server on port 443/tcp. It also runs a plain HTTP server on port 80/tcp that redirects clients to the HTTPS server. Port 80/tcp must stay reachable because Let's Encrypt uses it for domain verification.

Requirements

  • Your server must have a publicly resolvable DNS record.
  • Your server must be reachable over the internet on ports 80/tcp, 443/tcp and 51820/udp (Default WireGuard port, user changeable).

Usage

Example usage:

$ subspace --http-host subspace.example.com

Command Line Options

flag            default   description
http-host                 REQUIRED: The host to listen on and set cookies for
backlink        /         OPTIONAL: The page the home button links to
datadir         /data     OPTIONAL: The directory in which to store data such as the WireGuard configuration files
debug                     OPTIONAL: Put subspace into debug mode for verbose log output
http-addr       :80       OPTIONAL: HTTP listen address
http-insecure             OPTIONAL: Enable session cookies over HTTP and remove the redirect to HTTPS
letsencrypt     true      OPTIONAL: Whether or not to use a Let's Encrypt certificate
theme           green     OPTIONAL: The theme to use; refer to semantic-ui for accepted colors
version                   Display the version of subspace and exit
help                      Display help and exit

Run as a Docker container

Install WireGuard on the host

The container expects WireGuard to be installed on the host. The official image is subspacecommunity/subspace.

add-apt-repository -y ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard

# Remove dnsmasq because it will run inside the container.
apt-get remove -y dnsmasq

# Disable systemd-resolved listener if it blocks port 53.
echo "DNSStubListener=no" >> /etc/systemd/resolved.conf
systemctl restart systemd-resolved

# Set Cloudflare DNS servers.
echo nameserver 1.1.1.1 > /etc/resolv.conf
echo nameserver 1.0.0.1 >> /etc/resolv.conf

# Load modules.
modprobe wireguard
modprobe iptable_nat
modprobe ip6table_nat

# Enable modules when rebooting.
echo "wireguard" > /etc/modules-load.d/wireguard.conf
echo "iptable_nat" > /etc/modules-load.d/iptable_nat.conf
echo "ip6table_nat" > /etc/modules-load.d/ip6table_nat.conf

# Check if systemd-modules-load service is active.
systemctl status systemd-modules-load.service

# Enable IP forwarding.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

Follow the official Docker install instructions: Get Docker CE for Ubuntu

Make sure to change the --env SUBSPACE_HTTP_HOST to your publicly accessible domain name.

# Your data directory should be bind-mounted as `/data` inside the container using the `--volume` flag.
$ mkdir /data

# All --env lines except SUBSPACE_HTTP_HOST are optional. Comment lines cannot
# sit between the backslash-continued lines of the command itself (the first
# such line ends the command early), so the optional variables are described here:
#   SUBSPACE_NAMESERVERS                    upstream DNS provider(s)
#   SUBSPACE_LISTENPORT                     WireGuard listen port
#   SUBSPACE_IPV4_POOL / SUBSPACE_IPV6_POOL IPv4/v6 client prefixes
#   SUBSPACE_IPV4_GW / SUBSPACE_IPV6_GW     IPv4/v6 gateway addresses
#   SUBSPACE_IPV6_NAT_ENABLED               enable (1) or disable (0) IPv6 NAT
docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /data:/data \
    --env SUBSPACE_HTTP_HOST="subspace.example.com" \
    --env SUBSPACE_NAMESERVERS="1.1.1.1,8.8.8.8" \
    --env SUBSPACE_LISTENPORT="51820" \
    --env SUBSPACE_IPV4_POOL="10.99.97.0/24" \
    --env SUBSPACE_IPV6_POOL="fd00::10:97:0/64" \
    --env SUBSPACE_IPV4_GW="10.99.97.1" \
    --env SUBSPACE_IPV6_GW="fd00::10:97:1" \
    --env SUBSPACE_IPV6_NAT_ENABLED=1 \
    subspacecommunity/subspace:latest

$ sudo docker start subspace

$ sudo docker logs subspace

<log output>

Docker-Compose Example

version: "3.3"
services:
  subspace:
   image: subspacecommunity/subspace:latest
   container_name: subspace
   volumes:
    - /opt/docker/subspace:/data
   restart: always
   environment:
    - SUBSPACE_HTTP_HOST=subspace.example.org
    - SUBSPACE_LETSENCRYPT=true
    - SUBSPACE_HTTP_INSECURE=false
    - SUBSPACE_HTTP_ADDR=":80"
    - SUBSPACE_NAMESERVERS=1.1.1.1,8.8.8.8
    - SUBSPACE_LISTENPORT=51820
    - SUBSPACE_IPV4_POOL=10.99.97.0/24
    - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
    - SUBSPACE_IPV4_GW=10.99.97.1
    - SUBSPACE_IPV6_GW=fd00::10:97:1
    - SUBSPACE_IPV6_NAT_ENABLED=1
   cap_add:
    - NET_ADMIN
   network_mode: "host"

Updating the container image

Pull the latest image, remove the container, and re-create the container as explained above.

# Pull the latest image
$ sudo docker pull subspacecommunity/subspace

# Stop the container
$ sudo docker stop subspace

# Remove the container (data is stored on the mounted volume)
$ sudo docker rm subspace

# Re-create and start the container
$ sudo docker create ... (see above)

Contributors

Thanks goes to these wonderful people (emoji key):


Duncan Mac-Vicar P.

💻

Valentin Ouvrard

💻

Adrián González Barbosa

💻

Gavin

💻

Lucas Servén Marín

💻

Jack

💻

Sam SIU

💻

Elliot Westlake

💻

Clément Péron

📖

Selva

??

Frank

💻

Gian Lazzarini

📖

This project follows the all-contributors specification. Contributions of any kind welcome!

Comments
  • Upgrading crewjam/saml from v0.3.0 to v0.4.5

    Upgrading crewjam/saml from v0.3.0 to v0.4.5

    to: cc: @subspacecommunity/subspace-maintainers related to: resolves: https://github.com/subspacecommunity/subspace/issues/167

    Background

    There was a severe vulnerability in crewjam/saml v0.3.0 that allowed bypassing SAML SSO. Updating to v0.4.5 would solve the issue.

    The way SAML works in subspace is to basically split the handler procedure encoded in samlSP.RequreAccount. This function is supposed to make it easy to use SAML SSO; however, it requires the use of pure net/http. As we use julienschmidt/httprouter, we have to handle it ourselves.

    The way this is done is basically to split samlSP.RequreAccount in two. The first part is implemented in the two handlers ssoHandler and samlHandler. ssoHandler, in turn, handles specifically the authentication flow. Therefore, we must reimplement it using samlSP.HandleStartAuthFlow. The code in it is almost the same as in samlSP.RequreAccount. The difference is that samlSP.ServeHTTP is reserved for samlHandler.

    The other modification was the refactoring of the procedure that extracts the subject name from the JWT Token. This changed quite drastically in 0.4.x. This version did away with the convenient function GetAuthorizationToken. Now we have to extract the session from the context and use type assertion to cast it to JWTSessionClaims. Without it, we would be left with sessionWithAttributes.GetAttributes which in turn only returns the contents of attrs of the JWT Token. This cast restores the access to what was previously retrieved with token.StandardClaims. Now we access it with jwtSessionClaim directly, which is the complete decoded jwt token.

    DISCLAIMER: I am NOT a security expert and the first contact I ever had with golang was applying this fix. So I welcome everyone to treat this pull request as an invitation for debating, so that we can arrive at an optimal solution.

    Changes

    • Updated crewjam/saml from v0.3.0 -> v0.4.5
    • Applied necessary refactor to account for breaking changes.

    Testing

    • Build and start a fresh container
    • Log in with an admin account
    • Create a testing account on jumpcloud
    • Configure SSO as explained in the documentation
    • Log in with the created user in jumpcloud
    opened by gchamon 25
  • `wg`: not found

    `wg`: not found

    The wg binary cannot be found inside the docker container, although the volume mount is specified in my docker run command. I also tried it via the example docker-compose variant, no luck.

    I double checked locally, wg is installed at /usr/bin/wg and it's not a symlink somewhere.

    I'm at my wits' end why in the entrypoint.sh:139, while running, it can't find the wg binary.

    Any idea what's going on here?

    • Ubuntu 18.04 Server x64
    • Docker 19.03.8
    bug 
    opened by ndom91 20
  • Allow arbitrary network range

    Allow arbitrary network range

    to: cc: @subspacecommunity/subspace-maintainers related to: resolves: #101, also resolves #63

    Background

    In the current implementation, it is assumed that network masks are /24 for v4 and /112 for v6. Also, the number of devices is limited to 250.

    In other words, you can set SUBSPACE_IPV4_POOL to 10.99.0.0/16, but subspace just uses only 10.99.0.1~10.99.0.254.

    In this PR, this limitation is removed.

    Changes

    • Create calc-default-gateway command to calc the default gateway.
    • Generate IP addresses using net standard library.
    • maxProfiles constant is removed, because we will get an error if there is address to assign.

    Testing

    I set up my own subspace server and created some devices.

    enhancement Large 
    opened by ledyba-z 19
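The PR above replaces the hard-coded /24 and /112 assumptions with address generation from the standard library. The following is an added example, not code from subspace or from the PR, showing the same idea in Python's `ipaddress` module: walk whichever pool is configured, skip the gateway and already-assigned addresses, and fail explicitly once the pool is exhausted instead of capping at 250 devices. Function names (`next_free_address`, `allocate_many`, `default_gateway`, `PoolExhausted`) are this example's own.

```python
"""Address allocation from an arbitrary WireGuard client pool (added example)."""
import ipaddress
from typing import Iterable, List


class PoolExhausted(Exception):
    """Raised when no free host address remains in the pool."""


def default_gateway(pool: str) -> str:
    """First usable host of the pool; matches the README default where
    SUBSPACE_IPV4_POOL=10.99.97.0/24 pairs with SUBSPACE_IPV4_GW=10.99.97.1."""
    network = ipaddress.ip_network(pool, strict=False)
    return str(next(network.hosts()))


def next_free_address(pool: str, gateway: str, in_use: Iterable[str]) -> str:
    """Return the first host address in `pool` that is neither the gateway
    nor already assigned. Works for any prefix length, IPv4 or IPv6."""
    network = ipaddress.ip_network(pool, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in network:
        raise ValueError(f"gateway {gateway} is not inside pool {pool}")
    taken = {ipaddress.ip_address(a) for a in in_use}
    taken.add(gw)
    # hosts() skips the network and broadcast addresses for IPv4 and the
    # subnet-router anycast address for IPv6, so nothing unusable is handed out.
    for candidate in network.hosts():
        if candidate not in taken:
            return str(candidate)
    raise PoolExhausted(f"no free address left in {pool}")


def allocate_many(pool: str, gateway: str, count: int) -> List[str]:
    """Allocate `count` addresses in sequence, as repeated device adds would."""
    assigned: List[str] = []
    for _ in range(count):
        assigned.append(next_free_address(pool, gateway, assigned))
    return assigned


if __name__ == "__main__":
    pool, gw = "10.99.0.0/16", default_gateway("10.99.0.0/16")
    addrs = allocate_many(pool, gw, 300)
    print(f"gateway {gw}, 300th device gets {addrs[-1]}")
```

With a /16 the 300th device lands at 10.99.1.45, past the .254 ceiling of the old /24 assumption; with a /30 the second device raises `PoolExhausted`, which is the error the PR's change list refers to.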
  • Docker Alpine - Fix Forward

    Docker Alpine - Fix Forward

    to: cc: @subspacecommunity/subspace-maintainers related to: resolves:

    Background

    Reason for the change

    Changes

    • Add wireguard-tools to remove the need to symlink in the binary
    • Add ip6tables
    • Add runit as init service.
    • Add Init Wrapper.
    • Revert IPv6 hacks to wrapper which are not needed.
    • Removed docs about linking the WG binary this is no longer needed.

    Testing

    • Tested on Debian / Ubuntu / CentOS & Basic k8s (With this change k8s support should not be too much work)
    enhancement Large 
    opened by gavinelder 15
  • Dnsmasq stopping abruptly

    Dnsmasq stopping abruptly

    Hello

    I am running subspace in a docker and dnsmasq is also running in the docker. It was uninstalled in the host machine as mentioned in the docs.

    I also added some internal domains to /etc/hosts. And the DNS resolution is working well when connected to the VPN.

    Everything works as expected but randomly the DNS resolution stops. On restarting the docker container everything works normally again.

    I got access to the docker shell using docker exec and inside the container, DNS is working fine. it is just that in the wireguard clients and the host, DNS resolution is stopping randomly.

    dnsmasq is running when checked with ps aux | grep dnsmasq on the host system.

    Expected behaviour

    DNS should resolve normally every time.

    Additional context

    I am facing this issue right now with 2 different machines which are on AWS.

    opened by kmskrishna 13
  • Allow extending dnsmasq by providing custom configuration.

    Allow extending dnsmasq by providing custom configuration.

    cc: @subspacecommunity/subspace-maintainers

    Background

    Reason for the change

    dnsmasq can be used to accomplish a wide variety of tasks. This change lets us mount dnsmasq configurations inside the subspace container to provide additional configuration to dnsmasq.

    For example you could override hostnames by creating the following config file and then mounting it inside subspace.

    /opt/docker/dnsmasq/01-static-dns.conf

    address=/a.example.com/172.16.0.10
    address=/b.example.com/172.16.0.11
    

    docker-compose.yml

       volumes:
       - /opt/docker/subspace:/data
       - /opt/docker/dnsmasq:/etc/dnsmasq.d
    

    Changes

    • Include /etc/dnsmasq.d in dnsmasq config at /etc/dnsmasq.conf

    Testing

    The container works as expected with additional dnsmasq configuration mounted and without.

    opened by ThisIsQasim 11
  • G Suite SAML APP : app_not_configured_for_user

    G Suite SAML APP : app_not_configured_for_user

    Hi,

    I have added the IDP Metadata XML generated with the correct ACS URL and Entity ID.

    But unfortunately when I try to sign in with the Google account I have the following error:

    Error: app_not_configured_for_user

    Service is not configured for this user.

    I have configured the SAML APPs: Name ID: Basic information / Primary Email; Name ID Format: UNSPECIFIED

    The SAML APPs is "On for everyone" and the Subspace docker is behind an Nginx Reverse proxy

    Thanks for your help, Clement

    opened by clementperon 10
  • Feature/totp default admin

    Feature/totp default admin

    to: cc: @subspacecommunity/subspace-maintainers related to: #111 resolves: #104

    Background

    NEW: This fixes a typo in the last committed change, I'll copy all the contents from the original PR

    Wanted to secure the default user of subspace with TOTP. Now it is possible to turn on TOTP for the default user by visiting /settings and scanning the QR code with your phone (or putting the secret key into something else)

    Changes

    • Configure TOTP via /settings
    • Reset TOTP via /settings (only visible if TOTP is already configured)
    • Can only be done by an Admin (This means both SAML Signed in Admin and the default Admin)

    Pics

    Initial Setup of MFA Setup MFA

    Reset MFA (will then result in the above page) reset totp

    Sign in page for default admin account if TOTP has been saved Sign in with MFA Configured

    Testing

    NEW: Run from a clean file, but still needs deep testing.

    Ran this locally multiple times on my Droplet in Digital Ocean (I'm using rsync to sync changes to my box and then running docker-compose up --build -d whenever changes are made to go files. For changes related to static files I simply specify --debug in the build step for go-bindata and mount web/ into the running container. go-bindata then reads these files live on each request :D)

    enhancement 
    opened by agonbar 9
  • dnsmasq fix

    dnsmasq fix

    to: @subspacecommunity/subspace-maintainers related to: resolves: https://github.com/subspacecommunity/subspace/issues/199

    Background

    Clients were reporting DNS timeouts every few hours with subspace, with the only resolution being to either restart the container or turn off DNS. Upon investigating, it seems subspace is using the wrong flag for dnsmasq, passing a debug flag instead of the approved production flag. This switches that. See: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

    Debug mode: don't fork to the background, don't write a pid file, don't change user id, generate a complete cache dump on receipt on SIGUSR1, log to stderr as well as syslog, don't fork new processes to handle TCP queries. Note that this option is for use in debugging only, to stop dnsmasq daemonising in production, use --keep-in-foreground.

    Changes

    • changes the flag from --no-daemon to --keep-in-foreground

    Testing

    root      4030  0.0  0.0    784     4 ?        Ss   11:49   0:00          \_ runsv dnsmasq
    nfsnobo+  4036  0.0  0.0   2188  1692 ?        S    11:49   0:00          |   \_ /usr/sbin/dnsmasq --keep-in-foreground
    $ docker-compose ps
      Name                Command               State   Ports
    ---------------------------------------------------------
    subspace   /usr/local/bin/entrypoint. ...   Up
    CONTAINER ID   IMAGE                                     COMMAND                  CREATED       STATUS          PORTS     NAMES
    ad67ccc1ba2c   subspacecommunity/subspace:amd64-v1.5.0   "/usr/local/bin/entr…"   4 weeks ago   Up 3 weeks             subspace
    

    Currently running a prolonged test with a few dozen users and so far everything looks good

    opened by maduggan 8
  • Invalid Metadata File (SSO with Keycloak)

    Invalid Metadata File (SSO with Keycloak)

    Hi, I'm trying to configure the SSO subspace using Keycloak as IDP. I have not been able to find information about how the Metadata format requested by the Subspace should be. After configuring the SAML client, Keycloak provides some Metadata formats to insert into the application, but putting them in the Subspace returns an "Error, please try again". I finally tried to build the Metadata myself and the redirection works well by clicking the SSO login button. However, when I save, Subspace returns an "Invalid, please try again" and an error message can also be seen in the application logs.

    Has anyone found themselves in a similar situation? What is the format of your Metadata file? Thank you so much

    The Metadata I'm using is the following one (with changed urls and certificate):

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://MY_KEYCLOAK_URL:8443/auth/realms/master" validUntil="2022-04-18T10:12:14.000Z">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>THE_CERTIFICATE</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://MY_KEYCLOAK_URL:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://MY_KEYCLOAK_URL:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
    
    opened by marticanyelles 8
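Subspace only reports "Invalid, please try again" when it rejects metadata, so it helps to check the file before pasting it. The following is an added example, not code from subspace or the issue author, that parses IdP metadata with the Python standard library and reports the conditions that commonly make a service provider reject it: wrong root element, missing entityID, no IDPSSODescriptor (SP metadata pasted by mistake), no signing certificate, no HTTP-Redirect or HTTP-POST SingleSignOnService, and an expired validUntil. The sample metadata is constructed from the issue's listing with a placeholder certificate and hostname; note that its validUntil (2022-04-18T10:12:14.000Z) is in the past. Function names are this example's own.

```python
"""Sanity-check SAML IdP metadata before configuring SSO (added example)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the metadata in the issue; certificate and host are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/auth/realms/master" validUntil="2022-04-18T10:12:14.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/auth/realms/master/protocol/saml/clients/wireguard"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/auth/realms/master/protocol/saml/clients/wireguard"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_time(value: str) -> datetime:
    """Parse the xs:dateTime form used in SAML metadata (UTC, optional fraction)."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_idp_metadata(xml_text: str, now_iso: Optional[str] = None) -> Dict:
    """Return the entityID, the SSO endpoints keyed by binding, and a list of problems.
    `now_iso` (same format as validUntil) defaults to the current UTC time."""
    now = parse_saml_time(now_iso) if now_iso else datetime.now(timezone.utc)
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute missing")
    valid_until = root.get("validUntil")
    if valid_until and parse_saml_time(valid_until) < now:
        problems.append(f"metadata expired on {valid_until}")
    sso: Dict[str, str] = {}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor (is this SP metadata instead?)")
    else:
        certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if not any((c.text or "").strip() for c in certs):
            problems.append("no X509Certificate in any KeyDescriptor: responses cannot be verified")
        for svc in idp.findall("md:SingleSignOnService", NS):
            sso[svc.get("Binding", "")] = svc.get("Location", "")
        if REDIRECT not in sso and POST not in sso:
            problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    return {"entity_id": entity_id, "sso": sso, "problems": problems}


if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_METADATA)["problems"]:
        print("problem:", problem)
```

Run against the sample today it reports the expired validUntil; Keycloak regenerates metadata with a fresh validUntil, so re-exporting rather than hand-editing the date is the right fix. The check deliberately stops at structure and dates; it does not validate the certificate or the IdP's signature, which the service provider does at login time.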
  • Add status page and change template from green to black

    Add status page and change template from green to black

    to: cc: @subspacecommunity/subspace-maintainers related to: https://github.com/subspacecommunity/subspace/issues/68 resolves: https://github.com/subspacecommunity/subspace/issues/68

    Background

    Adding the status page, and new template

    Changes

    • Added status page
    • Changed template from green to black

    Testing

    Testing has been done locally and with docker on debian, and docker (alpine?) by @jack1902. Applied mentioned changes in https://github.com/subspacecommunity/subspace/issues/68 by @jack1902.

    Not ready for merge yet. See https://github.com/subspacecommunity/subspace/pull/83#issuecomment-639686664

    enhancement Large 
    opened by BankaiNoJutsu 8
  • The container keeps restarting

    The container keeps restarting

    Thanks for your nice work, but I can't make it work in my CoreElec (aarch64) box.

    I used this composer file in Portainer:

    version: "3.3"
    services:
      subspace:
       image: subspacecommunity/subspace:latest
       container_name: subspace
       volumes:
        - /storage/dockers/subspace:/data
       ports:
        - 4545:80
       restart: always
       environment:
        - SUBSPACE_HTTP_HOST=subspace.mydomain.duckdns.org
        - SUBSPACE_HTTP_INSECURE=true
        - SUBSPACE_HTTP_ADDR=":80"
        - SUBSPACE_NAMESERVERS=1.1.1.1,8.8.8.8
        - SUBSPACE_LISTENPORT=51820
        - SUBSPACE_IPV6_NAT_ENABLED=0
        - SUBSPACE_DISABLE_DNS=1
       cap_add:
        - NET_ADMIN
       network_mode: "host"
    

    But the container keeps restarting with this error repeating in the logs:

    modprobe: can't change directory to '/lib/modules': No such file or directory
    modprobe: can't change directory to '/lib/modules': No such file or directory
    modprobe: can't change directory to '/lib/modules': No such file or directory
    ip6tables v1.8.3 (legacy): unknown option "--to"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    
     # ip6tables --version
    ip6tables v1.4.21
    

    I disabled ipv6 in my host with sysctl net.ipv6.conf.default.disable_ipv6=1; probably that's related? Can't I just disable ipv6 in subspace?

    opened by ramoncio 0
  • dnsmasq config gets generated on each restart

    dnsmasq config gets generated on each restart

    We have a volume in our docker-compose that would mount the dnsmasq.conf file for subspace but it's being replaced by the entrypoint script on each restart. This condition needs to be refined a little to ignore the dnsmasq.conf file if it already exists. https://github.com/subspacecommunity/subspace/blob/1a2d4f2b1801b1d120a0b99b72684b460fdd4b37/entrypoint.sh#L196-L209

    opened by erbesharat 0
  • Custom client nameservers

    Custom client nameservers

    to: @subspacecommunity/subspace-maintainers

    Background

    If SUBSPACE_DISABLE_DNS is set to true, but a client uses nameservers in his local subnet (e.g. his IP address is 10.0.0.2, netmask /24, home gateway and caching DNS server - 10.0.0.1), he won't be able to reach it. It can be solved partially by adding all private subnets to an exclusion list:

    SUBSPACE_ALLOWED_IPS="::/0, 1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4"
    

    but in some cases that local DNS server still will be unavailable (e.g. if kill-switch mode is enabled).

    Changes

    Now, if variable SUBSPACE_CLIENT_NAMESERVERS is set and contains a valid comma-separated list of DNS servers, this list will be included in a client config as is.

    Example:

    --env SUBSPACE_CLIENT_NAMESERVERS="8.8.8.8,1.1.1.1"
    
    opened by soar 1
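The SUBSPACE_ALLOWED_IPS workaround quoted in the PR above is a hand-written complement of the ranges that should stay off the tunnel. The following is an added example, not code from subspace or the PR author, that derives such a list with Python's `ipaddress` module from the set of networks to exclude and checks a hand-written list against it. The excluded set is inferred from the gaps in the PR's list (RFC 1918 space plus 0.0.0.0/8 and 224.0.0.0/3, which the list also leaves out); function names are this example's own. It goes slightly beyond the PR by producing the minimal CIDR form, which merges the list's 2.0.0.0/8 and 3.0.0.0/8 into 2.0.0.0/7.

```python
"""Derive a WireGuard AllowedIPs list that bypasses given subnets (added example)."""
import ipaddress
from typing import Iterable, List

# The IPv4 part of the list quoted in the PR description above.
PR_ALLOWED_IPS = (
    "1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, "
    "16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, "
    "172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, "
    "174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, "
    "192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, "
    "192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4"
)

# Ranges the PR's list leaves out, inferred from its gaps (assumption of this example).
EXCLUDED_V4 = ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]


def split_list(text: str) -> List[str]:
    """Split a comma-separated AllowedIPs string into trimmed entries."""
    return [x.strip() for x in text.split(",") if x.strip()]


def allowed_ips_excluding(excluded: Iterable[str], universe: str = "0.0.0.0/0") -> List[str]:
    """Minimal CIDR list covering `universe` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(universe)]
    for ex_text in excluded:
        ex = ipaddress.ip_network(ex_text, strict=False)
        updated = []
        for net in remaining:
            if ex.version != net.version or not (ex.subnet_of(net) or net.subnet_of(ex)):
                updated.append(net)          # disjoint: CIDRs never partially overlap
            elif ex.subnet_of(net):
                updated.extend(net.address_exclude(ex))  # carve ex out of net
            # else net lies entirely inside ex and is dropped
        remaining = updated
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def covers_same_addresses(list_a: Iterable[str], list_b: Iterable[str]) -> bool:
    """True when two CIDR lists cover exactly the same addresses, however they are split."""
    a = list(ipaddress.collapse_addresses(ipaddress.ip_network(x, strict=False) for x in list_a))
    b = list(ipaddress.collapse_addresses(ipaddress.ip_network(x, strict=False) for x in list_b))
    return a == b


def is_tunnelled(address: str, allowed: Iterable[str]) -> bool:
    """Would this destination be routed into the tunnel under `allowed`?"""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed)


if __name__ == "__main__":
    # A /24 home LAN is the case the PR describes; ::/0 is added for IPv6 as in the PR.
    home_lan_allowed = ["::/0"] + allowed_ips_excluding(["10.0.0.0/24"])
    print("SUBSPACE_ALLOWED_IPS=" + ", ".join(home_lan_allowed))
```

Excluding only the user's own LAN (the `10.0.0.0/24` case in `__main__`) keeps the rest of RFC 1918 space inside the tunnel, which is preferable to the broad exclusion in the PR's list when the VPN is also meant to reach private networks behind the server. Nothing here affects a client's kill-switch behaviour, which is the case the PR's SUBSPACE_CLIENT_NAMESERVERS change addresses.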
  • Literally a complete rewrite, devouring whole thing with Nix and wg-bond

    Literally a complete rewrite, devouring whole thing with Nix and wg-bond

    to: cc: @subspacecommunity/subspace-maintainers related to: resolves:

    Background

    Reason for the change: It wasn't working as we wanted it to.

    Changes

    • Replace logic module with wg-bond, to support arbitrary network masks
    • Replace all the docker with lack of docker

    Testing

    We tested it extensively.

    opened by cab404 5
  • Custom ENV options not working correctly

    Custom ENV options not working correctly

    Describe the bug

    Creating a custom network configuration is not created as expected.

    To Reproduce

    Steps to reproduce the behavior: Use the following docker-compose.yml file

    version: "3.3"
    services:
      subspace:
       image: subspacecommunity/subspace:latest
       container_name: subspace
       volumes:
        - /volumes/wireguard/apps/subspace/data:/data
        - /volumes/wireguard/apps/subspace/dnsmasq:/etc/dnsmasq.d
       restart: always
       environment:
        - SUBSPACE_HTTP_HOST=ra01.example.io
        - SUBSPACE_LETSENCRYPT=false
        - SUBSPACE_HTTP_INSECURE=true
        - SUBSPACE_HTTP_ADDR=":80"
        - SUBSPACE_NAMESERVERS=1.1.1.1,1.0.0.1
        - SUBSPACE_LISTENPORT=51821
        - SUBSPACE_IPV4_POOL=10.27.253.0/24
        - SUBSPACE_IPV6_POOL=fd64:cf6f:9d42:c35d::/64
        - SUBSPACE_IPV4_GW=10.27.253.1
        - SUBSPACE_IPV6_GW=fd64:cf6f:9d42:c35d::1
        - SUBSPACE_IPV6_NAT_ENABLED=1
        - SUBSPACE_DISABLE_DNS=0
       cap_add:
        - NET_ADMIN
       network_mode: "host"
    

    You will find the configuration incorrect; it contains some defaults and not what you asked for. If you download the config from the UI and look at the file data you will see it's incorrect (pasted below)

    [Interface]
    PrivateKey = iDL7hfrVhZAmIQutI********************=
    DNS = 10.27.253.1, fd64:cf6f:9d42:c35d::1
    Address = 10.99.97.2/24,fd00::10:97:2/64
    
    [Peer]
    PublicKey = VXpJIVlONZaItW**********************=
    
    Endpoint = ra01.example.io:51821
    AllowedIPs = 0.0.0.0/0, ::/0
    

    You will notice it's taken the custom port from the docker-compose file as well as the DNS, but the Address is totally incorrect and is the defaults.

    You will also notice that the iptables rules are set correctly on start up. It's only the wireguard configuration which is totally incorrect, which then makes for a broken deployment.

    Creating subspace ... done
    Attaching to subspace
    subspace    | + '[' -z ra01.example.io ]
    subspace    | + '[' -z  ]
    subspace    | + export 'SUBSPACE_BACKLINK=/'
    subspace    | + '[' -z 10.27.253.0/24 ]
    subspace    | + '[' -z fd64:cf6f:9d42:c35d::/64 ]
    subspace    | + '[' -z  ]
    subspace    | + export 'SUBSPACE_NAMESERVER=1.1.1.1'
    subspace    | + '[' -z false ]
    subspace    | + '[' -z '":80"' ]
    subspace    | + '[' -z 51821 ]
    subspace    | + '[' -z true ]
    subspace    | + '[' -z  ]
    subspace    | + export 'SUBSPACE_THEME=green'
    subspace    | + export 'DEBIAN_FRONTEND=noninteractive'
    subspace    | + '[' -z 10.27.253.1 ]
    subspace    | + '[' -z fd64:cf6f:9d42:c35d::1 ]
    subspace    | + '[' -z 1 ]
    subspace    | + echo 'nameserver 1.1.1.1'
    subspace    | + '[' -z  ]
    subspace    | + /sbin/iptables -t nat --check POSTROUTING -s 10.27.253.0/24 -j MASQUERADE
    subspace    | + /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    subspace    | + /sbin/iptables --check FORWARD -s 10.27.253.0/24 -j ACCEPT
    subspace    | + '[[' 1 -gt 0 ]]
    subspace    | + /sbin/ip6tables -t nat --check POSTROUTING -s fd64:cf6f:9d42:c35d::/64 -j MASQUERADE
    subspace    | + /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    subspace    | + /sbin/ip6tables --check FORWARD -s fd64:cf6f:9d42:c35d::/64 -j ACCEPT
    subspace    | + /sbin/iptables -t nat --check OUTPUT -s 10.27.253.0/24 -p udp --dport 53 -j DNAT --to 10.27.253.1:53
    subspace    | + /sbin/iptables -t nat --check OUTPUT -s 10.27.253.0/24 -p tcp --dport 53 -j DNAT --to 10.27.253.1:53
    subspace    | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd64:cf6f:9d42:c35d::/64 -p udp --dport 53 -j DNAT --to fd64:cf6f:9d42:c35d::1
    subspace    | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd64:cf6f:9d42:c35d::/64 -p tcp --dport 53 -j DNAT --to fd64:cf6f:9d42:c35d::1
    subspace    | + test -d /data/wireguard
    subspace    | + mkdir /data/wireguard
    subspace    | + cd /data/wireguard
    subspace    | + mkdir clients
    subspace    | + touch clients/null.conf
    subspace    | + mkdir peers
    subspace    | + touch peers/null.conf
    subspace    | + tee server.private
    subspace    | + wg genkey
    subspace    | + wg pubkey
    subspace    | + cat
    subspace    | + cat /data/wireguard/server.private
    subspace    | + cat /data/wireguard/peers/null.conf
    subspace    | + ip link show wg0
    subspace    | 9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    subspace    |     link/none
    subspace    | + ip link del wg0
    subspace    | + ip link add wg0 type wireguard
    subspace    | + echo 10.27.253.0/24
    subspace    | + cut -d / -f2
    subspace    | + export 'SUBSPACE_IPV4_CIDR=24'
    subspace    | + ip addr add 10.27.253.1/24 dev wg0
    subspace    | + echo fd64:cf6f:9d42:c35d::/64
    subspace    | + cut -d / -f2
    subspace    | + export 'SUBSPACE_IPV6_CIDR=64'
    subspace    | + ip addr add fd64:cf6f:9d42:c35d::1/64 dev wg0
    subspace    | + wg setconf wg0 /data/wireguard/server.conf
    subspace    | + ip link set wg0 up
    subspace    | + test -d /etc/service/dnsmasq
    subspace    | + cat
    subspace    | + mkdir -p /etc/service/dnsmasq
    subspace    | + cat
    subspace    | + chmod +x /etc/service/dnsmasq/run
    subspace    | + mkdir -p /etc/service/dnsmasq/log/main
    subspace    | + cat
    subspace    | + chmod +x /etc/service/dnsmasq/log/run
    subspace    | + test -d /etc/service/subspace
    subspace    | + mkdir /etc/service/subspace
    subspace    | + cat
    subspace    | + chmod +x /etc/service/subspace/run
    subspace    | + mkdir /etc/service/subspace/log
    subspace    | + mkdir /etc/service/subspace/log/main
    subspace    | + cat
    subspace    | + chmod +x /etc/service/subspace/log/run
    subspace    | + exec /sbin/my_init
    subspace    | Started runsvdir, PID is 61
    subspace    | wait for processes to start....
    subspace    | dnsmasq: started, version 2.80 cachesize 150
    subspace    | dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
    subspace    | dnsmasq: reading /etc/resolv.conf
    subspace    | dnsmasq: using nameserver 1.1.1.1#53
    subspace    | dnsmasq: read /etc/hosts - 5 addresses
    subspace    | run: dnsmasq: (pid 68) 4s; run: log: (pid 66) 4s
    subspace    | run: subspace: (pid 67) 4s; run: log: (pid 65) 4s
    

    Expected behavior

    I would expect that the config reflects what's actually being served and produces a working config. I have confirmed by looking at the server.conf which is generated that it's incorrect and where the issue lies.

    [Interface]
    PrivateKey = 2JLKuO0rut5yZW*************************
    ListenPort = 51821
    
    [Peer]
    PublicKey = NqCmt3DCRTrf**************************
    AllowedIPs = 10.99.97.2/32,fd00::10:97:2/128
    

    The AllowedIPs should be what's been specified in the docker-compose file.

    Additional context

    Easy to reproduce with the above config.

    opened by soakes 0
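The mismatch in the issue above is visible by comparing the generated configs with the SUBSPACE_* values: the client's Address and the server's peer AllowedIPs come from the default 10.99.97.0/24 and fd00::10:97:0/64 prefixes rather than the configured pools. The following is an added example, not code from subspace, that parses the wg-quick style configs and reports every address that falls outside the configured pool, every peer AllowedIPs entry that is not a single host, and any port that disagrees with SUBSPACE_LISTENPORT. The sample configs are constructed from the issue with the keys replaced by placeholders; function names are this example's own.

```python
"""Cross-check generated WireGuard configs against SUBSPACE_* settings (added example)."""
import ipaddress
from typing import Dict, List

# Constructed from the issue text; keys are placeholders.
CLIENT_CONF = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
DNS = 10.27.253.1, fd64:cf6f:9d42:c35d::1
Address = 10.99.97.2/24,fd00::10:97:2/64

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=

Endpoint = ra01.example.io:51821
AllowedIPs = 0.0.0.0/0, ::/0
"""

SERVER_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51821

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.99.97.2/32,fd00::10:97:2/128
"""

# Values from the issue's docker-compose.yml.
ENV = {
    "SUBSPACE_IPV4_POOL": "10.27.253.0/24",
    "SUBSPACE_IPV6_POOL": "fd64:cf6f:9d42:c35d::/64",
    "SUBSPACE_LISTENPORT": "51821",
}


def parse_wg_conf(text: str) -> List[Dict[str, str]]:
    """Parse wg-quick style INI into an ordered list of sections. [Peer] may
    repeat, so sections are a list rather than a dict; values stay raw strings."""
    sections: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__name__": line[1:-1]}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def _pool_for(version: int, env: Dict[str, str]) -> ipaddress._BaseNetwork:
    key = "SUBSPACE_IPV4_POOL" if version == 4 else "SUBSPACE_IPV6_POOL"
    return ipaddress.ip_network(env[key], strict=False)


def _items(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def check_client_conf(client_text: str, env: Dict[str, str]) -> List[str]:
    """Report Address entries outside the pool and an Endpoint port that differs from the env."""
    problems: List[str] = []
    for section in parse_wg_conf(client_text):
        if section["__name__"] == "Interface":
            for item in _items(section.get("Address", "")):
                iface = ipaddress.ip_interface(item)  # keeps the host bits, unlike ip_network
                pool = _pool_for(iface.version, env)
                if iface.ip not in pool:
                    problems.append(f"Address {iface} is outside the configured pool {pool}")
                elif iface.network != pool:
                    problems.append(f"Address {iface} uses /{iface.network.prefixlen} but the pool is {pool}")
        elif section["__name__"] == "Peer":
            port = section.get("Endpoint", "").rsplit(":", 1)[-1]
            if port != env["SUBSPACE_LISTENPORT"]:
                problems.append(f"Endpoint port {port!r} differs from SUBSPACE_LISTENPORT {env['SUBSPACE_LISTENPORT']}")
    return problems


def check_server_conf(server_text: str, env: Dict[str, str]) -> List[str]:
    """Each server-side [Peer] AllowedIPs must be one host address inside a pool."""
    problems: List[str] = []
    for section in parse_wg_conf(server_text):
        if section["__name__"] == "Interface":
            if section.get("ListenPort") != env["SUBSPACE_LISTENPORT"]:
                problems.append(f"ListenPort {section.get('ListenPort')!r} differs from SUBSPACE_LISTENPORT")
        elif section["__name__"] == "Peer":
            for item in _items(section.get("AllowedIPs", "")):
                net = ipaddress.ip_network(item, strict=False)
                pool = _pool_for(net.version, env)
                if net.prefixlen != net.max_prefixlen:
                    problems.append(f"peer AllowedIPs {net} is not a single host")
                if not net.subnet_of(pool):
                    problems.append(f"peer AllowedIPs {net} is outside the configured pool {pool}")
    return problems


if __name__ == "__main__":
    for p in check_client_conf(CLIENT_CONF, ENV) + check_server_conf(SERVER_CONF, ENV):
        print("problem:", p)
```

Against the issue's configs this flags both client addresses and both server peer entries while the port checks pass, which matches the author's observation that only the address assignment ignored the environment. The same check, run after an upgrade, is a cheap way to confirm that generated peer configs still line up with the pools you configured.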
  • SAML error with Jumpcloud

    SAML error with Jumpcloud

    Hi all,

    After the installation was complete, we used SAML very well, but then suddenly got a Forbidden error for unknown reasons. Can anyone help me how to fix this error?

    Thank you and best regards,

    opened by mvn-daipham-dn 3
Releases (v1.5.0)
  • v1.5.0 (Jun 12, 2021)

    Changes

    • Documented environment variables (#191) @syphernl
    • docs: add ThisIsQasim as a contributor (#190) @allcontributors
    • Allow extending dnsmasq by providing custom configuration. (#162) @ThisIsQasim

    🚀 Features

    • Feature/totp default admin (#126) @agonbar

    Upgrading

    To upgrade, swap your docker-tags

    - subspacecommunity/subspace:1.4.1
    + subspacecommunity/subspace:1.5.0
    
  • v1.4.1 (Jun 3, 2021)

    Changes

    • docs: add audibleblink as a contributor (#186) @allcontributors
    • makefile handles bindata dependency (#166) @audibleblink
    • Upgrading crewjam/saml from v0.3.0 to v0.4.5 (#169) @gchamon
    • docs: add gchamon as a contributor (#185) @allcontributors
    • added option to disable dns in wireguard conf (#168) @gchamon

    🐛 Bug Fixes

    • Redirect to /user/edit path only needed if we are admin. (#135) @jpbostic

    💀 Security patches

    • fixes https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCREWJAMSAML-1050998. Thanks @asabirov and @metalcated for pointing it out

    Upgrading

    To upgrade, swap your docker-tags

    - subspacecommunity/subspace:1.4.0
    + subspacecommunity/subspace:1.4.1
    
    Source code(tar.gz)
    Source code(zip)
  • v1.4.0(Jun 1, 2021)

    Changes

    • feature: Add release-drafter to project (#172) @jack1902
    • docs: add Coffeeri as a contributor (#183) @allcontributors
    • docs: add Freekers as a contributor (#182) @allcontributors
    • docs: add dovreshef as a contributor (#181) @allcontributors
    • docs: add miki725 as a contributor (#180) @allcontributors
    • docs: add d3473r as a contributor (#179) @allcontributors
    • docs: add vojta7 as a contributor (#178) @allcontributors
    • docs: add SGudbrandsson as a contributor (#177) @allcontributors
    • docs: add sinanmohd as a contributor (#176) @allcontributors
    • docs: add nhamlh as a contributor (#175) @allcontributors
    • [Fix #127] Data dir permission is too wide (#128) @ssiuhk
    • Mention SUBSPACE_ENDPOINT_HOST in the Readme (#155) @d3473r
    • Added support for disabling ipv6 (#138) @dovreshef
    • readme (#161) @sinanmohd
    • fixing small typo in readme (#159) @miki725
    • Docker: bump to golang 1.16-alpine for build and alpine 3.13.4 for run (#163) @clementperon
    • Fix git ignores entire cmd/subspace folder (#170) @nhamlh
    • docs: add gianlazz as a contributor (#154) @allcontributors
    • docs: add syphernl as a contributor (#153) @allcontributors
    • docs: add clementperon as a contributor (#152) @allcontributors
    • docs: add selvakn as a contributor (#151) @allcontributors
    • docs: add clementperon as a contributor (#150) @allcontributors
    • FIx typo in resolved.conf file name (#149) @selvakn
    • Add support for providing multiple dns servers (#140) @syphernl
    • README.md: Only disable resolved listener (#142) @clementperon
    • Mark Ubuntu 20.04 Focal as recommended (#147) @clementperon
    • Update README.md (#137) @gianlazz

    Upgrading

    To upgrade, swap your docker-tags

    - subspacecommunity/subspace:1.3.2
    + subspacecommunity/subspace:1.4.0
    

    Source code(tar.gz)
    Source code(zip)
  • v1.3.2(Jul 17, 2020)

    subspace

    Description

    Official release of v1.3.2

    #123 #124 #125 - Adds support for automatically creating the correct tags on dockerhub based on github releases. Latest will always point to the latest release. This will remove a manual step 🥳

    If anyone experiences any issues then please reach out on the gophers slack workspace on the #subspace channel or raise issues on github.

    Source code(tar.gz)
    Source code(zip)
  • v1.3.1(Jul 17, 2020)

    subspace

    Description

    Official release of v1.3.1

    #122 reverting changes made to add TOTP Support to fix master, will look at this when I have time to fix it properly. Apologies for this.

    If anyone experiences any issues then please reach out on the gophers slack workspace on the #subspace channel or raise issues on github.

    Source code(tar.gz)
    Source code(zip)
  • v1.3.0(Jul 15, 2020)

    subspace

    Description

    Official release of v1.3.0

    #111 Adds TOTP support for the default user

    Pics

    Initial Setup of MFA (screenshot: Setup MFA)

    Reset MFA, which then results in the above page (screenshot: reset totp)

    Sign in page for default admin account if TOTP has been saved (screenshot: Sign in with MFA Configured)

    If anyone experiences any issues then please reach out on the gophers slack workspace on the #subspace channel or raise issues on github.

    Source code(tar.gz)
    Source code(zip)
  • v1.2.0(Jul 15, 2020)

  • v1.1.1(Jun 26, 2020)

  • v1.1.0(Jun 25, 2020)

    subspace

    Description

    Official release of v1.1.0

    #100 Added theme selection!

    It is now possible to override the default colour in use by passing --theme="COLOUR" from any of the colours listed on semantic-ui

    For easy reference the available colours are:

    • red
    • orange
    • yellow
    • olive
    • green (The default)
    • teal
    • blue
    • violet
    • purple
    • pink
    • brown
    • grey
    • black

    And some previews of these (screenshots: grey_subspace, red_subspace, teal_subspace, yellow_subspace).

    If anyone experiences any issues then please reach out on the gophers slack workspace on the #subspace channel or raise issues on github.

    Source code(tar.gz)
    Source code(zip)
  • v1.0.2(Jun 25, 2020)

    subspace

    Description

    Official release of v1.0.2

    #99 Fixes issues with environment variables being ignored when the service was being run within a container

    If anyone experiences any issues then please reach out on the gophers slack workspace on the #subspace channel or raise issues on github.

    Source code(tar.gz)
    Source code(zip)
  • v1.0.1(Jun 18, 2020)

  • v1.0.0(Jun 11, 2020)

    subspace

    Description

    Official release of v1.0.0

    Now that #75 has been merged, we should implement Semantic Versioning in order to have stable versions.

    Whilst we should avoid breaking master, there is always the possibility that it will happen. Users of the project should use pinned versions when they want stability and only move to new versions when they want to pull in new features.

    These versions should be reflected on dockerhub too over at https://hub.docker.com/r/subspacecommunity/subspace/

    If anyone experiences any issues then please reach out on the gophers slack workspace on the #subspace channel or raise issues on github.

    Source code(tar.gz)
    Source code(zip)