lza_menace
/
wg-access-server
mirror of https://github.com/Place1/wg-access-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/npm_and_yarn/website/json5-1.0.2
dependabot/npm_and_yarn/website/async-2.6.4
dependabot/npm_and_yarn/website/url-parse-1.5.10
dependabot/npm_and_yarn/website/minimist-1.2.6
dependabot/npm_and_yarn/website/follow-redirects-1.14.8
dependabot/npm_and_yarn/website/tmpl-1.0.5
dependabot/npm_and_yarn/website/path-parse-1.0.7
dependabot/npm_and_yarn/website/lodash-4.17.21
dependabot/npm_and_yarn/website/ssri-6.0.2
dependabot/npm_and_yarn/website/y18n-4.0.1
master
gh-pages
remove-file-storage-backend
postgresql-ha
login-page-style-update
50-fix-oidc-email-domain-validation
48-fix-client-status-indicator
44-fix-routing-rules
config-options-for-ports
client-network-config
show-owner-name-in-ui
administration
big-refactor
embedded-dns
dns-support
add-license-1
auth
v0.4.6
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.4.0
v0.3.0
v0.3.0-rc2
v0.3.0-rc1
0.2.5
0.2.5-rc3
0.2.5-rc2
0.2.5-rc1
0.2.4
0.2.4-rc1
0.2.3
0.2.2
0.2.1
0.2.0
0.2.0-rc8
0.2.0-rc7
0.2.0-rc6
0.2.0-rc5
0.2.0-rc4
0.2.0-rc3
0.1.1
0.1.0
v0.1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '304a6526cc'
${ noResults }
wg-access-server/docs/configuration.md

4.8 KiB
Raw Blame History

Configuration

Environment Variables

Variable Description
CONFIG Set the config file path
WIREGUARD_PRIVATE_KEY Set the wireguard private key
STORAGE_DIRECTORY Set the directory where device config will be persisted
ADMIN_USERNAME Set the username (subject) for the admin account
ADMIN_PASSWORD Set the admin account's password. The admin account will be a basic-auth user. Leave blank if your admin username authenticates via a configured authentication backend.
UPSTREAM_DNS Set the upstream DNS server to proxy client DNS requests to. If empty, resolv.conf will be respected.
LOG_LEVEL Set the server's log level (debug, info, error, critical)
DISABLE_METADATA If true, the server will not record device level metadata such as the last handshake time, tx/rx data size

CLI Flags

All environment variables can be configured via a CLI flag as well.

For example you can configure STORAGE_DIRECTORY by passing --storage-directory="<value>".

Config File (config.yaml)

Here's an annotated config file example:

loglevel: debug
storage:
  # Directory that VPN devices (WireGuard peers)
  # should be saved under.
  # If this value is empty then an InMemory storage
  # backend will be used (not recommended).
  # Defaults to "/data" inside the docker container
  directory: /data
wireguard:
  # The network interface name for wireguard
  # Optional
  interfaceName: wg0
  # The WireGuard PrivateKey
  # You can generate this value using "$ wg genkey"
  # If this value is empty then the server will use an in-memory
  # generated key
  privateKey: ""
  # ExternalAddress is the address that clients
  # use to connect to the wireguard interface
  # By default, this will be empty and the web ui
  # will use the current page's origin i.e. window.location.origin
  # Optional
  externalHost: ""
  # The WireGuard ListenPort
  # Optional
  port: 51820
} `yaml:"wireguard"`
vpn:
  # CIDR configures a network address space
  # that client (WireGuard peers) will be allocated
  # an IP address from.
  # Optional
  cidr: "10.44.0.0/24"
  # GatewayInterface will be used in iptable forwarding
  # rules that send VPN traffic from clients to this interface
  # Most use-cases will want this interface to have access
  # to the outside internet
  # If not configured then the server will select the default
  # network interface e.g. eth0
  # Optional
  gatewayInterface: ""
  // Rules allows you to configure what level
  // of network isolation should be enfoced.
  rules:
    # AllowVPNLAN enables routing between VPN clients
    # i.e. allows the VPN to work like a LAN.
    # true by default
    # Optional
    allowVPNLAN: true
    # AllowServerLAN enables routing to private IPv4
    # address ranges. Enabling this will allow VPN clients
    # to access networks on the server's LAN.
    # true by default
    # Optional
    allowServerLAN: true
    # AllowInternet enables routing of all traffic
    # to the public internet.
    # true by default
    # Optional
    allowInternet: true
    # AllowedNetworks allows you to whitelist a partcular
    # network CIDR. This is useful if you want to block
    # access to the Server's LAN but allow access to a few
    # specific IPs or a small range.
    # e.g. "192.0.2.0/24" or "192.0.2.10/32".
    # no networks are whitelisted by default (empty array)
    # Optional
    allowedNetworks: []
dns:
  # upstream DNS servers.
  # that the server-side DNS proxy will forward requests to.
  # By default /etc/resolv.conf will be used to find upstream
  # DNS servers.
  # Optional
  upstream:
    - "1.1.1.1"
# Auth configures optional authentication backends
# to controll access to the web ui.
# Devices will be managed on a per-user basis if any
# auth backends are configured.
# If no authentication backends are configured then
# the server will not require any authentication.
# It's recommended to make use of basic authentication
# or use an upstream HTTP proxy that enforces authentication
# Optional
auth:
  # HTTP Basic Authentication
  basic:
    # Users is a list of htpasswd encoded username:password pairs
    # supports BCrypt, Sha, Ssha, Md5
    # You can create a user using "htpasswd -nB <username>"
    users: []
  oidc:
    name: ""
    issuer: ""
    clientID: ""
    clientSecret: ""
    scopes: ""
    redirectURL: ""
    # Optionally restrict login to users with an allowed email domain
    # if empty or omitted, any email domain will be allowed.
    emailDomains:
      - example.com
  gitlab:
    name: ""
    baseURL: ""
    clientID: ""
    clientSecret: ""
    redirectURL: ""
    # Optionally restrict login to users with an allowed email domain
    # if empty or omitted, any email domain will be allowed.
    emailDomains:
      - example.com