Wgnetwork
WGNetwork. Managing a Private Secured Network
Tool for creating, configuring and managing Wireguard network and NFTables traffic filtering system using web-interface.
- Wireguard — modern, fast and secure communication protocol.
- NFTables — Linux kernel subsystem providing filtering network connections.
Access to the web management interface is provided within the created network. Access control of the device (wireguard peer) and the user with the role of "manager" associated with this device (time-based one-time password authentication).
Control interfaces
Create, modify, delete users, their devices, manage the list of ip-addresses allowed to access the server via ssh.
Web
Access protocol: http over tcp/ip, connection encryption is provided by the Wireguard protocol.
Available by default at http://172.16.0.1, can be changed during installation.
Screenshots of web-interface pages
Authentication
Manage the list of ip-addresses allowed for remote access to the server via ssh
List of users
Creating a user
User information
List of devices
Creating a device
Device information
Cli-Tool
Access protocol: http over unix-socket
After installation in the system, the wgn_managercli command is available in the server console.
Arguments and parameters
Display the parameters of the wireguard server
~$ wgn_managercli wgcfg
-unix-socket
path (default "/tmp/wgmanager.sock")
Adding a new user (if you pass the parameter is_manager=true, the user will be created with the role of manager and a qr-code will be displayed to quickly import the totp key into the mobile device)
~$ wgn_managercli user-create
-is_manager
is manager flag (default "false")
-name
name
-unix-socket
unix-socket (default "/tmp/wgmanager.sock")
Editing user by uuid
~$ wgn_managercli user-edit
-is_manager
is manager flag
-name string
name
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
-uuid string
user uuid
Deleting user and all associated devices by uuid
~$ wgn_managercli user-remove
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
-uuid string
user uuid
Getting user information by uuid
~$ wgn_managercli user
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
-uuid string
user uuid
Display complete list of users
~$ wgn_managercli users
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Adding a new user device (if you do not pass the wg_pubkey parameter, the keys will be generated and a qr-code will be displayed to quickly import the wireguard-configuration into the mobile device)
~$ wgn_managercli device-create
-label string
label
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
-user_uuid string
user uuid
-wan_forward
allow ip forwarding (default "false")
-wg_pubkey string
wireguard public key (optional)
Editing device by ip
~$ wgn_managercli device-edit
-ip string
device ip
-label string
label
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
-wan_forward
wan_forward
-wg_pubkey string
wireguard public key
Deleting device by ip
~$ wgn_managercli device-remove
-ip string
device ip
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Getting device information by ip
~$ wgn_managercli device
-ip string
device ip
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Display complete list of devices
~$ wgn_managercli devices
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Adding an ip-address to the list of permissions for remote access to the server via ssh
~$ wgn_managercli trust-ipset-add
-ip string
device ip
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Removing an ip-address from the list of permissions for remote access to the server via ssh
~$ wgn_managercli trust-ipset-remove
-ip string
device ip
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Display full list of ip-addresses allowed for remote access to the server via ssh
~$ wgn_managercli trust-ipset
-unix-socket string
unix-socket (default "/tmp/wgmanager.sock")
Database initialization with the list of ip-addresses allowed for remote access to the server via ssh. (used in the server installation process before the first start of the service)
~$ wgn_bootstrap-trust-ipset
-dbpath string
dbpath
-trustip value
device ip
Getting started
Requirements:
- Wireguard
- NFTables
the service can be run in a docker container or installed to run on the system.
Run in Docker
download tool to initialize the service database
~$ curl -L -o ./wgn_bootstrap-trust-ipset "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-bootstrap-trust-ipset_linux_amd64" ~$ chmod +x ./wgn_bootstrap-trust-ipsetinitialize the database with your ip-address, which will be added to the list of allowed remote access via ssh protocol when you start the service
~$ mkdir /usr/local/boltdb/ ~$ TRUSTIP=`last -1w | grep $USER | awk '{ print $3 }'` ~$ ./wgn_bootstrap-trust-ipset -dbpath="/usr/local/boltdb/wgnetwork.db" -trustip="$TRUSTIP"turn on ip_forward
~$ sed -i -e '/^#net.ipv4.ip_forward/s/^.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf ~$ sysctl -pstart the service container
~$ SESSION_SECRET=`cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1` ~$ docker run \ -e LOG_LEVEL="info" \ -e DB_PATH="/wgnetwork.db" \ -e WG_BINARY="/usr/bin/wg" \ -e WG_PORT="51820" \ -e WG_CIDR="172.16.0.1/24" \ -e FE_HTTP_PORT="80" \ -e API_HTTP_PORT="8080" \ -e OTP_ISSUER="wgnetwork" \ -e SESSION_SECRET="$SESSION_SECRET" \ -e SESSION_TTL="5m" \ -e NFT_ENABLED="true" \ -e NFT_DEFAULT_POLICY="drop" \ -e NFT_TRUST_PORTS="22" \ --network host \ --cap-add NET_ADMIN \ --volume /usr/bin/wg:/usr/bin/wg \ --volume /usr/local/boltdb/wgnetwork.db:/wgnetwork.db \ --restart always \ --name wgnetwork \ -d zyablitsev/wgnetworkcreate the first user with the role of "manager" and register the device
IMPORTANT: access to the management web-interface is possible only from the devices of users with the role of "manager"
~$ docker exec wgnetwork \
/wgn_managercli user-create -name="admin" -is_manager="true"
scan the qr-code into your authentication application (e.g. Google Authenticator), the totp code is required to authenticate the user in the management interface.
~$ docker exec wgnetwork \
/wgn_managercli device-create --label="mobile" --user_uuid="INSERT_VALUE"
the configuration for your device will be generated, add it to your Wireguard client.
Activate the tunnel created in wireguard and you will be able to access the management web interface using totp code from the authentication program to authorize at http://172.16.0.1
Installing manually into the system
install required system packages
~$ apt-get update -y ~$ apt-get upgrade -y ~$ apt-get install -y ca-certificates curl nftables wireguardturn on ip_forward
~$ sed -i -e '/^#net.ipv4.ip_forward/s/^.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf ~$ sysctl -padd system user wgnetwork
~$ useradd --system \ -M \ --user-group \ --shell /sbin/nologin \ wgnetworkdownload binaries ```bash ~$ curl -L -o /usr/local/bin/wgn_bootstrap-trust-ipset "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-bootstrap-trust-ipset_linux_amd64" ~$ chmod +x /usr/local/bin/wgn_bootstrap-trust-ipset ~$ chown wgnetwork:wgnetwork /usr/local/bin/wgn_bootstrap-trust-ipset
~$ curl -L -o /usr/local/bin/wgn_managercli "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-managercli_linux_amd64" ~$ chmod +x /usr/local/bin/wgn_managercli ~$ chown wgnetwork:wgnetwork /usr/local/bin/wgn_managercli
~$ curl -L -o /usr/local/bin/wgnetwork "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgnetwork_linux_amd64" ~$ chmod +x /usr/local/bin/wgnetwork ~$ chown wgnetwork:wgnetwork /usr/local/bin/wgnetwork ~$ setcap cap_net_admin,cap_net_bind_service+eip /usr/local/bin/wgnetwork
5. create service environment variables configuration
```bash
~$ WG_BINARY=`which wg`
~$ SESSION_SECRET=`cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1`
~$ cat <<EOF > /etc/default/wgnetwork
LOG_LEVEL="info"
DB_PATH="/usr/local/boltdb/wgnetwork.db"
WG_BINARY="$WG_BINARY"
WG_PORT="51820"
WG_CIDR="172.16.0.1/24"
FE_HTTP_PORT="80"
API_HTTP_PORT="8080"
API_UNIX_SOCKET="/tmp/wgmanager.sock"
OTP_ISSUER="wgnetwork"
SESSION_SECRET="$SESSION_SECRET"
SESSION_TTL="5m"
NFT_ENABLED="true"
NFT_DEFAULT_POLICY="drop"
NFT_TRUST_PORTS="22"
EOF
~$ chown root:root /etc/default/wgnetwork
~$ chmod 0644 /etc/default/wgnetwork
- create a systemd service configuration description
```bash
~$ cat <
/lib/systemd/system/wgnetwork.service [Unit] Description=WGNetworkService Wants=network-online.target After=network-online.target AssertFileIsExecutable=/usr/local/bin/wgnetwork
[Service] WorkingDirectory=/usr/local/
User=wgnetwork Group=wgnetwork
EnvironmentFile=/etc/default/wgnetwork
ExecStart=/usr/local/bin/wgnetwork
Let systemd restart this service always
Restart=always
Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity SendSIGKILL=no
[Install] WantedBy=multi-user.target EOF
~$ chown root:root /lib/systemd/system/wgnetwork.service ~$ chmod 0644 /lib/systemd/system/wgnetwork.service
7. initialize the database with your ip-address, which will be added to the list of allowed remote access via ssh protocol when you start the service
```bash
~$ mkdir /usr/local/boltdb/
~$ TRUSTIP=`last -1w | grep $USER | awk '{ print $3 }'`
~$ wgn_bootstrap-trust-ipset -dbpath="/usr/local/boltdb/wgnetwork.db" -trustip="$TRUSTIP"
~$ chown wgnetwork:wgnetwork /usr/local/boltdb
~$ chmod 0700 /usr/local/boltdb
~$ chown wgnetwork:wgnetwork /usr/local/boltdb/wgnetwork.db
~$ chmod 0600 /usr/local/boltdb/wgnetwork.db
run service
~$ systemctl enable nftables.service ~$ systemctl enable wgnetwork ~$ systemctl start nftables.service ~$ systemctl start wgnetworkcreate the first user with the role of "manager" and register the device
IMPORTANT: access to the management web-interface is possible only from the devices of users with the role of "manager"
~$ wgn_managercli user-create -name="admin" -is_manager="true"
scan the qr-code into your authentication application (e.g. Google Authenticator), the totp code is required to authenticate the user in the management interface.
~$ wgn_managercli device-create --label="mobile" --user_uuid="INSERT_VALUE"
the configuration for your device will be generated, add it to your Wireguard client.
Activate the tunnel created in wireguard and you will be able to access the management web interface using totp code from the authentication program to authorize at http://172.16.0.1
Using script for automating installation
Limitations: Debian 11 (bullseye)
open terminal and run:
~$ apt-get install -y ca-certificates curl ~$ bash <(curl -s "https://raw.githubusercontent.com/zyablitsev/wgnetwork/main/stuff/install.sh")create the first user with the role of "manager" and register the device
IMPORTANT: access to the management web-interface is possible only from the devices of users with the role of "manager"
~$ wgn_managercli user-create -name="admin" -is_manager="true"
scan the qr-code into your authentication application (e.g. Google Authenticator), the totp code is required to authenticate the user in the management interface.
~$ wgn_managercli device-create -label="laptop" -user_uuid="INSERT_VALUE" -wan_forward="false"
the configuration for your device will be generated, add it to your Wireguard client.
Activate the tunnel created in wireguard and you will be able to access the management web interface using totp code from the authentication program to authorize at http://172.16.0.1
Build from sources
Requirements:
- go 1.19+
- node 16.14+
clone repository
~$ git clone git@github.com:zyablitsev/wgnetwork.gitget dependencies
~$ make install-dependencies-ferun build
~$ BIN_DIR=./bin/ make buildbuild docker-image
~$ make docker-build
Testing
~$ make test
