wg-access-server/docs/configuration.md

# Configuration

## Environment Variables

| Variable | Description |
| --- | --- |
| CONFIG | Set the config file path |
| WIREGUARD_PRIVATE_KEY | Set the wireguard private key |
| STORAGE | Set the directory where device config will be persisted |
| ADMIN_USERNAME | Set the username (subject) for the admin account |
| ADMIN_PASSWORD | Set the admin account's password. The admin account will be a basic-auth user. Leave blank if your admin username authenticates via a configured authentication backend. |
| UPSTREAM_DNS | Set the upstream DNS server to proxy client DNS requests to. If empty, resolv.conf will be respected. |
| LOG_LEVEL | Set the server's log level (debug, info, error, critical) |
| DISABLE_METADATA | If true, the server will not record device level metadata such as the last handshake time and tx/rx data size |

## CLI Flags

All environment variables can be configured via a CLI flag as well.

For example, you can configure STORAGE by passing `--storage="<value>"`.

## Config File (config.yaml)

Here's an annotated config file example:

```yaml
# The application's log level.
# Can be debug, info, error
# Optional, defaults to info
loglevel: info
# Disable device metadata storage.
# Device metadata includes the last handshake time,
# total sent/received bytes count, their endpoint IP.
# This metadata is captured from wireguard itself.
# Setting this to true only stops the server from recording it;
# wireguard itself still tracks this data for each peer.
# See stored data here: https://github.com/Place1/wg-access-server/blob/master/internal/storage/contracts.go#L14
# Optional, defaults to false.
disableMetadata: false
# The port that the web ui server (http) will listen on.
# Optional, defaults to 8000
port: 8000
# Storage backend for VPN devices (WireGuard peers) and their metadata.
# memory:// (default) keeps everything in memory and loses it on restart;
# use file:///some/directory or a postgres, mysql or sqlite3 database
# for anything beyond a test deployment.
storage: "memory://"
wireguard:
  # The network interface name for wireguard
  # Optional, defaults to wg0
  interfaceName: wg0
  # The WireGuard PrivateKey
  # You can generate this value using "$ wg genkey"
  # If this value is empty then the server will use an in-memory
  # generated key. That key changes on every restart, and with it
  # the server public key pinned in every client config, so set
  # it for any persistent deployment.
  privateKey: ""
  # externalHost is the address (without port) that clients use
  # to connect to the wireguard interface.
  # By default, this will be empty and the web ui
  # will use the current page's origin i.e. window.location.origin
  # Optional
  externalHost: ""
  # The WireGuard ListenPort
  # Optional, defaults to 51820
  port: 51820
vpn:
  # CIDR configures a network address space
  # that clients (WireGuard peers) will be allocated
  # an IP address from.
  # Optional
  cidr: "10.44.0.0/24"
  # GatewayInterface will be used in iptables forwarding
  # rules that send VPN traffic from clients to this interface.
  # Most use-cases will want this interface to have access
  # to the outside internet.
  # If not configured then the server will select the default
  # network interface e.g. eth0
  # Optional
  gatewayInterface: ""
  # The "AllowedIPs" for VPN clients.
  # This value will be included in client config
  # files and in server-side iptables rules
  # to enforce network access.
  # 0.0.0.0/0 routes all client traffic through the VPN; for a
  # split tunnel list only the VPN CIDR and the internal subnets
  # clients should reach.
  # Optional
  allowedIPs:
    - "0.0.0.0/0"
dns:
  # Enable a DNS proxy for VPN clients.
  # Optional, defaults to true
  enabled: true
  # Upstream DNS servers
  # that the server-side DNS proxy will forward requests to.
  # By default /etc/resolv.conf will be used to find upstream
  # DNS servers.
  # Optional
  upstream:
    - "1.1.1.1"
# Auth configures optional authentication backends
# to control access to the web ui.
# Devices will be managed on a per-user basis if any
# auth backends are configured.
# If no authentication backends are configured then
# the server will not require any authentication, and
# anyone who can reach the web ui can manage devices.
# It's recommended to make use of basic authentication
# or use an upstream HTTP proxy that enforces authentication
# Optional
auth:
  # HTTP Basic Authentication
  basic:
    # Users is a list of htpasswd encoded username:password pairs
    # supports BCrypt, Sha, Ssha, Md5
    # You can create a user using "htpasswd -nB <username>"
    users: []
  oidc:
    name: "" # anything you want
    issuer: "" # Should point to the oidc url without .well-known
    clientID: ""
    clientSecret: ""
    scopes: null  # list of scopes, defaults to ["openid"]
    redirectURL: "" # full url you want the oidc to redirect to, example: https://vpn-admin.example.com/finish-signin
    # See https://github.com/Knetic/govaluate/blob/9aa49832a739dcd78a5542ff189fb82c3e423116/MANUAL.md for how to write rules
    userClaimsRules:
      admin: "'WireguardAdmins' in group_membership"
    # Optionally restrict login to users with an allowed email domain
    # if empty or omitted, any email domain will be allowed.
    emailDomains:
      - example.com
  gitlab:
    name: ""
    baseURL: ""
    clientID: ""
    clientSecret: ""
    redirectURL: ""
    # Optionally restrict login to users with an allowed email domain
    # if empty or omitted, any email domain will be allowed.
    emailDomains:
      - example.com
```
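The annotated example above is a fine starting point but, taken literally, it is a test deployment: in-memory storage, a private key regenerated on every restart, no authentication backend, and a full-tunnel AllowedIPs. The following checker is an added example written for this page, not code from wg-access-server. It takes the config as the dict that `yaml.safe_load()` produces for a config.yaml (PyYAML is only needed for the optional `load_config` helper, so the checks themselves run without it) and reports the settings a reviewer would flag before exposing the server. `SAMPLE_CONFIG` mirrors the page's example; `HARDENED_CONFIG`, its all-zero placeholder key and its placeholder bcrypt hash are constructed for the demonstration and are not values to deploy.

```python
"""Sanity checks for a wg-access-server config.yaml (example code for this page,
not part of the project). Input is the dict yaml.safe_load() returns."""
import base64
import ipaddress
from urllib.parse import urlparse

# Constructed sample mirroring the page's annotated config.yaml.
SAMPLE_CONFIG = {
    "loglevel": "info",
    "disableMetadata": False,
    "port": 8000,
    "storage": "memory://",
    "wireguard": {"interfaceName": "wg0", "privateKey": "", "externalHost": "", "port": 51820},
    "vpn": {"cidr": "10.44.0.0/24", "gatewayInterface": "", "allowedIPs": ["0.0.0.0/0"]},
    "dns": {"enabled": True, "upstream": ["1.1.1.1"]},
    "auth": {
        "basic": {"users": []},
        "oidc": {"issuer": "", "clientID": "", "clientSecret": "", "redirectURL": ""},
        "gitlab": {"baseURL": "", "clientID": "", "clientSecret": "", "redirectURL": ""},
    },
}

# Constructed hardened variant: persistent storage, fixed key, split tunnel,
# bcrypt basic-auth user. The key (32 zero bytes) and the hash are placeholders;
# generate real ones with `wg genkey` and `htpasswd -nB <username>`.
HARDENED_CONFIG = {
    "storage": "file:///var/lib/wg-access-server",
    "wireguard": {"privateKey": "A" * 43 + "="},
    "vpn": {"cidr": "10.44.0.0/24", "allowedIPs": ["10.44.0.0/24", "10.0.0.0/8"]},
    "auth": {
        "basic": {"users": ["admin:$2y$05$placeholderhashfromhtpasswd"]},
        "oidc": {"redirectURL": "https://vpn-admin.example.com/finish-signin"},
    },
}

BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")


def is_wireguard_key(value):
    """A WireGuard key is 32 bytes, base64-encoded: 44 chars ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def check_config(cfg):
    """Return a list of (severity, config key, message) findings; [] means clean."""
    findings = []
    wg = cfg.get("wireguard") or {}
    vpn = cfg.get("vpn") or {}
    auth = cfg.get("auth") or {}

    # Persistence: an empty key is regenerated in memory on each start, so the
    # server public key baked into every client config stops matching.
    key = wg.get("privateKey") or ""
    if not key:
        findings.append(("warn", "wireguard.privateKey",
                         "empty: key is regenerated on each restart and existing peers stop working"))
    elif not is_wireguard_key(key):
        findings.append(("error", "wireguard.privateKey", "not a base64-encoded 32-byte key"))
    if str(cfg.get("storage") or "memory://").startswith("memory://"):
        findings.append(("warn", "storage", "memory:// loses all devices on restart"))

    # Network: CIDR and AllowedIPs must parse; a /0 entry is a full tunnel.
    try:
        ipaddress.ip_network(vpn.get("cidr") or "10.44.0.0/24", strict=True)
    except ValueError:
        findings.append(("error", "vpn.cidr", "not a valid network CIDR"))
    for entry in vpn.get("allowedIPs") or []:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            findings.append(("error", "vpn.allowedIPs", f"{entry!r} is not a valid CIDR"))
            continue
        if net.prefixlen == 0:
            findings.append(("info", "vpn.allowedIPs", f"{entry} routes all client traffic (full tunnel)"))

    # Authentication: with no backend the web UI is open to anyone who can reach it.
    basic_users = (auth.get("basic") or {}).get("users") or []
    oidc = auth.get("oidc") or {}
    gitlab = auth.get("gitlab") or {}
    if not basic_users and not oidc.get("issuer") and not gitlab.get("baseURL"):
        findings.append(("error", "auth", "no auth backend configured: web UI requires no authentication"))
    for entry in basic_users:
        user, sep, digest = str(entry).partition(":")
        if not sep or not user:
            findings.append(("error", "auth.basic.users", f"{entry!r} is not a username:hash pair"))
        elif not digest.startswith(BCRYPT_PREFIXES):
            findings.append(("warn", "auth.basic.users", f"{user}: hash is not bcrypt; use htpasswd -nB"))
    for name, backend in (("oidc", oidc), ("gitlab", gitlab)):
        url = backend.get("redirectURL") or ""
        if url and urlparse(url).scheme != "https":
            findings.append(("warn", f"auth.{name}.redirectURL", "callback URL is not https"))
    return findings


def load_config(path):
    """Read a config.yaml with PyYAML (assumed installed only for this helper)."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    for severity, key, message in check_config(SAMPLE_CONFIG):
        print(f"[{severity}] {key}: {message}")
```

Run against the page's example it reports four findings (empty key, memory storage, full tunnel, no auth); the hardened variant reports none. The checks stay deliberately conservative: they validate shapes the page documents (htpasswd `username:hash` pairs, CIDR lists, a base64 key) and do not try to reproduce the server's own parsing.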