Hi, I installed this service successfully and configured systemd to monitor /etc/wireguard to reload wireguard configuration as per your instructions in the Readme. But it seems that on every simple GET of the web ui, without changing any setting wg0.conf gets updated and therefore wireguard restarted. Is this the expected behavior? Isn't this a problem because of service interruption? Thanks for this nice gui!

would be nice to have k8s deployment examples:

yaml related: https://github.com/Place1/wg-access-server/blob/master/deploy/k8s/quickstart.yaml
helm related: https://github.com/Place1/wg-access-server/tree/master/deploy/helm/wg-access-server

in the readme, the example docker compose file
expose is for inner stuff I think, ports is how the browser gets inside

current:

version: '3.6'
services:
  wg-gen-web:
    image: vx3r/wg-gen-web:latest
    container_name: wg-gen-web
    restart: unless-stopped
    expose:
      - "8080/tcp"

I think it should be

version: '3.6'
services:
  wg-gen-web:
    image: vx3r/wg-gen-web:latest
    container_name: wg-gen-web
    restart: unless-stopped
    ports:
      - 8080:8080

Hey I have a wireguard installer with over 2500 clones and 300 stars and I think this would be an amazing side thing to add to that so instead of a CLI only users would be able to use a GUI too.

What do you think about it??

When downloading a configuration file, it is named wg0.conf.

Would it be possible to generate a filename relevant to the name of the connection? For instance

• home → home.conf
• a name with spaces → a-name-with-spaces.conf

This will allow to differentiate the various config files, abd avoid the wg0 (1).conf, wg0 (2).conf, ... on Windows (which are not understood by Wireguard on Windows)

Inserting empty: "PresharedKey=" to each peer causes wg to break:

[#] echo WireGuard PreUp
WireGuard PreUp
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Line unrecognized: `PresharedKey='
Configuration parsing error
[#] ip link delete dev wg0

When upgrading wg-gen-web from a previous version, the clients do not include a preshared key.

Is it possible to enable this somehow? Or any other simple authentication method?

Does this project implement Google SSO ,will it be added in the future ?

It would be nice to configure that the files are served in a subpath by the reverseproxy.
I want to use traefik as a reverse proxy (with authentication) and not define another host dns name for the ui.
Example:
http://a.b.com/wggen/...

First of all - thank you very much for this great interface to WireGuard. It makes the management of configurations so much easier.

It would be worthwhile I believe to have server.json pretty-printed, instead of the raw version today → it would make it way easier to edit if needed.

{
    "name": "Created with default values",
    "created": "2020-01-31T15:05:13.522502946Z",
    "updated": "2020-01-31T15:07:03.521605467Z",
    "address": "fd9f:6666::10:6:6:1/112, 10.6.6.1/24",
    "listenPort": 51820,
    "privateKey": "gM...=",
    "publicKey": "C4...=",
    "presharedKey": "9wzD/gZHeTD2Bkco2wYWXq21pZJHMSweuUbzFSFNv4I=",
    "endpoint": "wireguard.example.com:123",
    "persistentKeepalive": 16,
    "dns": "fd9f::10:0:0:2, 10.0.0.2"
}

Thanks again for sharing wg-gen-web.

I tried config vpn server with dns load balancing, but when I set peers to sub.ourdomain.net, wireguard never get handshake..

So different when by default set to IP Address..

Wireguard correctly translate our A Record, but never get handshakes...

Thank You!

I really like having the option of using an SMTP server to send out configurations.

But for my setup, I don't need one and therefore it is somewhat annoying to have the email field for a new client be mandatory.

Can the field be made optional?
Or maybe have some env variable that turns off SMTP and with that removes the field?

I really like the UI. I was wondering if there could be a feature that would show each client monthly incoming and outgoing bandwidth data usage.
we can see using wg show <interface> dump

Would it be possible to add somewhere down the web frontend an information about the version (or commit)?

Hi ,
I have configured Gitlab as openid connect idp provider, however all authenticated users of Gitlab can now access wg gen web application. I want to restrict access based on some authenticated gitlab users or based on members of authorized Gitlab group.

Can this be done based on docker environment variable while starting the container?

Hey, awesome project, I'm really interested in using it for my Wireguard setup.

Sadly I ran into a little issue that is troublesome for my configuration.

I don't want to use a PersistentKeepalive for most clients, as they are mobile devices that don't require it.
But 2 devices are stationary and host services that I want to have available in the VPN network, thus I need a PersistentKeepalive so that they automatically reconnect after a connection drop.

In short: I would like to have PersistentKeepalive be an option that can be set or overwritten per client instead of just globally.

It looks like the client IPs are generated when you add a client. Provide the option to specify this and / or change it.

Hi,
Thank for this project. Simple, efficient, easy to run on my nas in a docker compose stack.

Anyway, I have a small issue:
I can't give a DNS on server configuration. wg0.conf is updated, with a timestamp. But DNS field is still missing

++ Simulot

Hi using the settings for gmail and getting 500 internal server error

      - SMTP_HOST=smtp.gmail.com
      - SMTP_PORT=465
      - [email protected]
      - SMTP_PASSWORD="blahblahblah"
      - SMTP_FROM=WireGuard-BlahBlah <[email protected]>

Here are the settings from GMAIL
smtp.gmail.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 465
Port for TLS/STARTTLS: 587

Also tried 587 with no avail. I use the same account to send outgoing smtp emails using other servies so should be all active.

I understand you're working to implement Authelia, but is there any simple way now to protect the page with even a simple password?

Hello,
I like your idea and project, thanks for the good work.

A suggestion towards the CLIENTS UI, i think it would be more useful to have the CLIENTS TAB as a Tabular list rather than each CLIENT being shown in Card form with the QR codealongside.

This is because the CLIENT and SERVER Tabs would normally be administered by an administrator not by the actual Client user. This way realestate screenspace can be better utilized , also not being the actual user there is no direct need for the QR code upfront on screen, a link should suffice (or a mouseover event).

just a thought, sadly i'm not a programmer to help out.

as said before good work ;)

Best Regards,
Aniston

Would be nice if you can share your setup with a revers proxy in form of a docker-compose.yml ready to go for popular revers proxy web apps like.

• nginx (i will add mine)
• traefik
• caddy
• apache maybe

Thank you

Would be great if we could set a default set of Allowed IPs for when we generate a new client config. In my case I have a few subnets that the users need access to and I am not routing for the entire web. Right now I need to add these subnets for each client manually. If we set this as a global pref it would streamline things considerably.

Great work!

Hi,

Great project - really like the flexibility of the UI which I haven't seen in any other gui's for wireguard yet. Super easy and the e-mail function works great!

I did discover something that may be due to how I setup my docker container, where the wg0.conf isn't updated but instead a wg0 file is being generated alongside.

In other words it seems like I need to the following to get new clients up and running:

mv wg0 wg0.conf
wg-quick down wg0; wg-quick up wg0

My questions is really if this is expected or if I should have done something else with the setup?

Thank you

might be good to allow a default server setting on whether we used pre-shared keys and then also a setting on an individual client basis.

Heimdall allows to group containers on a single web page for easy access.

It would be great to have the ability to also add wg-gen-web (and possibly show the number of configured clients, for instance)

Is it possible for dashboard using pagination + search? so admin can easily search vpn configuration.

Because for now, to load 500+ users configuration, it takes around 8-10s.. After scrolling, it will glitch and takes another 5s or more...

Thank you!

It would be great if there was some more logging generated by the application.

Right now it is just the HTTP conversation that gets logged bus several what I belive to be key events are not:

• start of the program (with some info about the version etc.)
• client addition
• emails sent (an error is logged)
• changes in configuration

Before I just request on #38
I'm very helpful with that changes, and now... Is it possible to do "enable/disable client" on the list view?

For now, the only way to do "disable" on list view, are send request through proxy with the clientID.

Can I request feature "Enable/Disable Client through list view" ?

Thank you very much @vx3r !

Would be nice to have an added textarea for additional server config options. Or expose PostUp and PostDown as optional fields for the server configuration.

Hi , could u explain more in details on your pack installation

His. Love this project!
But have a small request. Is it possible to have a checkbox or something similar to force the Default Allowed IPs for client to be applied to already existing peers?

Today the peers Allowed IPs is based the list of ips that exists during it's creation time. Would be nice to just add in the server part and all peers to be updated with this new setting.

The example for the SMTP configuration is

  - SMTP_HOST=smtp.gmail.com
  - SMTP_PORT=587
  - [email protected]
  - SMTP_PASSWORD="*************"
  - SMTP_FROM="Wg Gen Web <[email protected]>"

With this setup (and of course actual, correct data) I get the following error

time="2020-02-21T10:41:56Z" level=error msg="failed to send email to client" err="gomail: could not send email 1: gomail: invalid address \"\\\"Wg Gen Web <[email protected]>>\\\"\": mail: no angle-addr"

Changing SMTP_FROM to

- SMTP_FROM=Wg Gen Web <[email protected]>

(→ no quotes) fixes the problem and emails are sent out correctly.

Hi @vx3r

nice work and project. Want to try with help regrading authelia usage, it's currently playing nice with Traefik v2.0 and doesn't required any robust work to setup
You can use https://github.com/authelia/authelia/blob/master/docs/deployment/supported-proxies/traefik2.x.md for reference. I've successful setup on my server based on that documentation and the user management can be done by authelia config files.

Hope that helps

I am not sure this is fixable, and whether it should be but FYI the mobile version of the site is somehow impacted by some fixed-size artefacts:

This is not a show stopper as all the information is there (though, maybe there are issues with editing the IP ranges as the cross is eaten by the badge) - I am raising the point just in case there would be some more mobile dev.

The web version is truly fantastic, thanks for that.

Would be nice to have support for database ( mysql, postgresql, sqlite ) for running multiple instances with same configuration.

in browser console:

Error: "ApiService: TypeError: e is undefined"
    get api.service.js:14
App.vue:69
server report oauth2 is disabled, fake exchange auth.js:50:18
Updating authStatus from  to disabled App.vue:91
Updating authStatus from disabled to success App.vue:91

Please add TLS support for SMTP, as most services mandate TLS connection.

d.TLSConfig = &tls.Config{InsecureSkipVerify: true}
(or use env for setup)

Thanks,

Latest docker release - Version: f90124a
I can not create a user in UI, Submit button is not pressed

downgraded to Version: 867d79e - fix problem
several servers are affected

how to reproduce from the UI

In the "Server interface addresses field type:
fd42:42:42::1/64
<enter>
10.8.0.1/24
<enter>
click "update server configuration"

a stack trace starting with fatal error: runtime: out of memory is dumped

with only a single ipv4 CIDR there is no problem

I am not sure how exactly wireguard-tools package works, but seems that it will allow to interact with with wg, so there is no need to run some inotify script for hotrealoading configuration ( Look at this similar project https://github.com/Place1/wg-access-server )

I belive that it will allow You to expose stats from wg #52

Docker Log doesn't show anything helpful that I could see.

[GIN] 2020/08/26 - 21:31:30 | 401 |      58.876µs |    70.66.37.212 | GET      "/api/v1.0/client/7dd1c67a-daf6-4843-beda-fa19b5a1af28/email"
[GIN] 2020/08/26 - 21:31:30 | 200 |       104.6µs |    70.66.37.212 | GET      "/"
[GIN] 2020/08/26 - 21:31:30 | 200 |     596.848µs |    70.66.37.212 | GET      "/js/chunk-vendors.85a05be0.js"
[GIN] 2020/08/26 - 21:31:30 | 200 |     148.216µs |    70.66.37.212 | GET      "/js/app.68f6b65a.js"
[GIN] 2020/08/26 - 21:31:31 | 200 |     162.375µs |    70.66.37.212 | GET      "/css/Clients.b58a7d31.css"
[GIN] 2020/08/26 - 21:31:31 | 200 |      46.867µs |    70.66.37.212 | GET      "/api/v1.0/auth/oauth2_url"
[GIN] 2020/08/26 - 21:31:31 | 200 |     209.766µs |    70.66.37.212 | GET      "/js/Clients.34dc9b04.js"
[GIN] 2020/08/26 - 21:31:31 | 200 |      87.589µs |    70.66.37.212 | POST     "/api/v1.0/auth/oauth2_exchange"
[GIN] 2020/08/26 - 21:31:31 | 200 |     190.419µs |    70.66.37.212 | GET      "/js/Clients~Server.d72886b6.js"
[GIN] 2020/08/26 - 21:31:31 | 200 |     205.766µs |    70.66.37.212 | GET      "/js/Server.1d2011ab.js"
[GIN] 2020/08/26 - 21:31:31 | 200 |     228.314µs |    70.66.37.212 | GET      "/css/Clients~Server.4dad6da0.css"
[GIN] 2020/08/26 - 21:31:31 | 200 |      86.037µs |    70.66.37.212 | GET      "/api/v1.0/auth/user"
[GIN] 2020/08/26 - 21:31:31 | 200 |      57.274µs |    70.66.37.212 | GET      "/api/v1.0/server/version"
[GIN] 2020/08/26 - 21:31:31 | 200 |     198.925µs |    70.66.37.212 | GET      "/api/v1.0/server"
[GIN] 2020/08/26 - 21:31:31 | 200 |     235.897µs |    70.66.37.212 | GET      "/api/v1.0/client"
[GIN] 2020/08/26 - 21:31:31 | 200 |      98.538µs |    70.66.37.212 | GET      "/favicon.png"
[GIN] 2020/08/26 - 21:31:31 | 200 |      87.517µs |    70.66.37.212 | GET      "/api/v1.0/server/config"
[GIN] 2020/08/26 - 21:31:31 | 200 |      420.37µs |    70.66.37.212 | GET      "/api/v1.0/client/bb5c5b45-3ee4-4de5-9950-7ed2130bd967/config?qrcode=false"
[GIN] 2020/08/26 - 21:31:31 | 200 |     382.183µs |    70.66.37.212 | GET      "/api/v1.0/client/7dd1c67a-daf6-4843-beda-fa19b5a1af28/config?qrcode=false"
[GIN] 2020/08/26 - 21:31:31 | 200 |   12.729587ms |    70.66.37.212 | GET      "/api/v1.0/client/bb5c5b45-3ee4-4de5-9950-7ed2130bd967/config?qrcode=true"
[GIN] 2020/08/26 - 21:31:31 | 200 |   14.782369ms |    70.66.37.212 | GET      "/api/v1.0/client/7dd1c67a-daf6-4843-beda-fa19b5a1af28/config?qrcode=true"

Would be nice to have prometheus metrics endpoint for connected users for example.
Stats from wg can be obtained via https://github.com/MindFlavor/prometheus_wireguard_exporter

Hallo,
am im right that this not can run on a Pi3+ (Buster) or am i missing something??

Best Tim

Firstly, thanks for creating such a neat UI to manage WireGuard configs - this makes like so much easier!

I noticed that the generated client configs all use the same pre shared key. Given that the pre shared key is configured in each [Peer] section, would it be at all possible to have a separate pre shared key for each client? Essentially moving the pre shared key into each clients JSON file instead of storing a single one in the server's json file? It needn't be exposed in the UI.

This project is really nice. This and other similar workflows pose a security concern that I'd like to be discussed here if possible: the generated configuration exhibited with a QR code or contained in a file to be moved to the peer contains everything is needed in order to be recognized as a valid peer.

Robust best practices would require that secrets be distributed following min two separate paths, and (even better) Wireguard was designed in a way that enables a peer to generate its own keys pair and send back to the server only the public part.

I understand this is a bit mor complicated as a process but I'm asking myself if I'm the only one concerned about this.

Any tips from us, when migrating from subspace to wg-gen-web?
I'm very interested...

For anyone who wants to use this "in production" it would be nice if you would provide actual release tags with the images published to hub.docker.com :)

Configuration is composed of four parts:

1. Server's Interface (the output of wg showconf wg0 - Address, ListenPort, keys )
2. pre/post interface configuration (e.g. iptables)
3. global clients peers conf suggested by server (DNS, MTU, Endpoint, PersistentKeepalive)
4. per client configuration (allowedIPs, Address, peer keys)

I suggest that these 4 parts should be better identified on the UI.
For example

1. first row left column box - "Server's Interface Configuration"
2. first row right column box - pre/post interface configuration (used by wg-quick)
3. middle row box - "client's global configuration" (DNS, MTU, Endpoint, PersistentKeepalive - also used by wg-quick)
4. bottom boxes - client's specific configurations (as it is now).