h44z / wg-portal Goto Github PK

WireGuard Configuration Portal with LDAP connection

Home Page: https://wgportal.org/

License: MIT License

CSS 0.02% JavaScript 8.23% HTML 0.23% Go 65.61% Makefile 0.84% Dockerfile 0.34% Smarty 2.13% Vue 22.60%
wireguard vpn ui webinterface usermanagement ldap

wg-portal's Introduction

WireGuard Portal (v2 - testing)

⚠️ IMPORTANT Version 2 is currently under development and may contain bugs. It is currently not advised to use this version in production. Use version v1 instead.

Since the project was accepted by the Docker-Sponsored Open Source Program, the Docker image location has moved to: https://hub.docker.com/r/wgportal/wg-portal. Please update the Docker image from h44z/wg-portal to wgportal/wg-portal.

A simple, web-based configuration portal for WireGuard. The portal uses the WireGuard wgctrl library to manage existing VPN interfaces. This allows for seamless activation or deactivation of new users, without disturbing existing VPN connections.

The configuration portal supports using a database (SQLite, MySQL, MsSQL or Postgres), OAuth or LDAP (Active Directory or OpenLDAP) as a user source for authentication and profile data.

Features

  • Self-hosted - the whole application is a single binary
  • Responsive web UI written in Vue.JS
  • Automatically select IP from the network pool assigned to client
  • QR-Code for convenient mobile client configuration
  • Send email to client with QR-code and client config
  • Enable / Disable clients seamlessly
  • Generation of wg-quick configuration file (wgX.conf) if required
  • User authentication (database, OAuth or LDAP)
  • IPv6 ready
  • Docker ready
  • Can be used with existing WireGuard setups
  • Support for multiple WireGuard interfaces
  • Peer Expiry Feature
  • Handle route and DNS settings like wg-quick does
  • REST API for management and client deployment (coming soon)

Screenshot

Configuration

You can configure WireGuard Portal using a yaml configuration file. The filepath of the yaml configuration file defaults to config/config.yml in the working directory of the executable. It is possible to override the configuration filepath using the environment variable WG_PORTAL_CONFIG. For example: WG_PORTAL_CONFIG=/home/test/config.yml ./wg-portal-amd64.

By default, WireGuard Portal uses a SQLite database. The database is stored in data/sqlite.db in the working directory of the executable.

Configuration Options

The following configuration options are available:

| configuration key | parent key | default_value | description |
|---|---|---|---|
| admin_user | core | [email protected] | The administrator user. This user will be created as default admin if it does not yet exist. |
| admin_password | core | wgportal | The administrator password. If unchanged, a random password will be set on first startup. |
| editable_keys | core | true | Allow editing key-pairs in the UI. |
| create_default_peer | core | false | If an LDAP user logs in for the first time and has no peers associated, a new WireGuard peer will be created for all server interfaces. |
| create_default_peer_on_creation | core | false | If an LDAP user is created (e.g. through LDAP sync), a new WireGuard peer will be created for all server interfaces. |
| self_provisioning_allowed | core | false | Allow registered users to automatically create peers via their profile page. |
| import_existing | core | true | Import existing WireGuard interfaces and peers into WireGuard Portal. |
| restore_state | core | true | Restore the WireGuard interface state after WireGuard Portal has started. |
| log_level | advanced | warn | The log level, can be one of: trace, debug, info, warn, error. |
| log_pretty | advanced | false | Use pretty, colorized log messages. |
| log_json | advanced | false | Log in JSON format. |
| ldap_sync_interval | advanced | 15m | The time interval after which users will be synchronized from LDAP. |
| start_listen_port | advanced | 51820 | The first port number that will be used as listening port for new interfaces. |
| start_cidr_v4 | advanced | 10.11.12.0/24 | The first IPv4 subnet that will be used for new interfaces. |
| start_cidr_v6 | advanced | fdfd:d3ad:c0de:1234::0/64 | The first IPv6 subnet that will be used for new interfaces. |
| use_ip_v6 | advanced | true | Enable IPv6 support. |
| config_storage_path | advanced | | If a wg-quick style configuration should be stored to the filesystem, specify a storage directory. |
| expiry_check_interval | advanced | 15m | The interval after which existing peers will be checked for expiry. |
| rule_prio_offset | advanced | 20000 | The default offset for ip route rule priorities. |
| route_table_offset | advanced | 20000 | The default offset for ip route table ids. |
| use_ping_checks | statistics | true | If enabled, peers will be pinged periodically to check if they are still connected. |
| ping_check_workers | statistics | 10 | Number of parallel ping checks that will be executed. |
| ping_unprivileged | statistics | false | If set to false, the ping checks will run without root permissions (BETA). |
| ping_check_interval | statistics | 1m | The interval time between two ping check runs. |
| data_collection_interval | statistics | 10m | The interval between the data collection cycles. |
| collect_interface_data | statistics | true | A flag to enable interface data collection like bytes sent and received. |
| collect_peer_data | statistics | true | A flag to enable peer data collection like bytes sent and received, last handshake and remote endpoint address. |
| collect_audit_data | statistics | true | If enabled, some events, like portal logins, will be logged to the database. |
| host | mail | 127.0.0.1 | The mail-server address. |
| port | mail | 25 | The mail-server SMTP port. |
| encryption | mail | none | SMTP encryption type, allowed values: none, tls, starttls. |
| cert_validation | mail | false | Validate the mail server certificate (if encryption tls is used). |
| username | mail | | The SMTP user name. |
| password | mail | | The SMTP password. |
| auth_type | mail | plain | SMTP authentication type, allowed values: plain, login, crammd5. |
| from | mail | Wireguard Portal [email protected] | The address that is used to send mails. |
| link_only | mail | false | Only send links to WireGuard Portal instead of the full configuration. |
| callback_url_prefix | auth | /api/v0 | OAuth callback URL prefix. The full callback URL will look like: https://wg.portal.local/callback_url_prefix/provider_name/callback |
| oidc | auth | Empty Array - no providers configured | A list of OpenID Connect providers. See auth/oidc properties to set up a new provider. |
| oauth | auth | Empty Array - no providers configured | A list of plain OAuth providers. See auth/oauth properties to set up a new provider. |
| ldap | auth | Empty Array - no providers configured | A list of LDAP providers. See auth/ldap properties to set up a new provider. |
| provider_name | auth/oidc | | A unique provider name. This name must be unique throughout all authentication providers (even other types). |
| display_name | auth/oidc | | The display name is shown at the login page (the login button). |
| base_url | auth/oidc | | The base_url is the URL identifier for the service. For example: "https://accounts.google.com". |
| client_id | auth/oidc | | The OAuth client id. |
| client_secret | auth/oidc | | The OAuth client secret. |
| extra_scopes | auth/oidc | | Extra scopes that should be used in the OpenID Connect authentication flow. |
| field_map | auth/oidc | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin. |
| registration_enabled | auth/oidc | | If registration is enabled, new user accounts will be created in WireGuard Portal. |
| provider_name | auth/oauth | | A unique provider name. This name must be unique throughout all authentication providers (even other types). |
| display_name | auth/oauth | | The display name is shown at the login page (the login button). |
| base_url | auth/oauth | | The base_url is the URL identifier for the service. For example: "https://accounts.google.com". |
| client_id | auth/oauth | | The OAuth client id. |
| client_secret | auth/oauth | | The OAuth client secret. |
| auth_url | auth/oauth | | The URL for the authentication endpoint. |
| token_url | auth/oauth | | The URL for the token endpoint. |
| redirect_url | auth/oauth | | The redirect URL. |
| user_info_url | auth/oauth | | The URL for the user information endpoint. |
| scopes | auth/oauth | | OAuth scopes. |
| field_map | auth/oauth | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and is_admin. |
| registration_enabled | auth/oauth | | If registration is enabled, new user accounts will be created in WireGuard Portal. |
| url | auth/ldap | | The LDAP server url. For example: ldap://srv-ad01.company.local:389 |
| start_tls | auth/ldap | | Use STARTTLS to encrypt LDAP requests. |
| cert_validation | auth/ldap | | Validate the LDAP server certificate. |
| tls_certificate_path | auth/ldap | | A path to the TLS certificate. |
| tls_key_path | auth/ldap | | A path to the TLS key. |
| base_dn | auth/ldap | | The base DN for searching users. For example: DC=COMPANY,DC=LOCAL |
| bind_user | auth/ldap | | The bind user. For example: company\ldap_wireguard |
| bind_pass | auth/ldap | | The bind password. |
| field_map | auth/ldap | | Mapping of user fields. Internal fields: user_identifier, email, firstname, lastname, phone, department and memberof. |
| login_filter | auth/ldap | | LDAP filters for users that should be allowed to log in. {{login_identifier}} will be replaced with the login username. |
| admin_group | auth/ldap | | Users in this group are marked as administrators. |
| synchronize | auth/ldap | | Periodically synchronize users (name, department, phone, status, ...) to the WireGuard Portal database. |
| disable_missing | auth/ldap | | If synchronization is enabled, missing LDAP users will be disabled in WireGuard Portal. |
| sync_filter | auth/ldap | | LDAP filters for users that should be synchronized to WireGuard Portal. |
| registration_enabled | auth/ldap | | If registration is enabled, new user accounts will be created in WireGuard Portal. |
| debug | database | false | Debug database statements (log each statement). |
| slow_query_threshold | database | | A threshold for slow database queries. If the threshold is exceeded, a warning message will be logged. |
| type | database | sqlite | The database type. Allowed values: sqlite, mssql, mysql or postgres. |
| dsn | database | data/sqlite.db | The database DSN. For example: user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local |
| request_logging | web | false | Log all HTTP requests. |
| external_url | web | http://localhost:8888 | The URL where a client can access WireGuard Portal. |
| listening_address | web | :8888 | The listening address and port of the web server. |
| session_identifier | web | wgPortalSession | The session identifier for the web frontend. |
| session_secret | web | very_secret | The session secret for the web frontend. |
| csrf_secret | web | extremely_secret | The CSRF secret. |
| site_title | web | WireGuard Portal | The title that is shown in the web frontend. |
| site_company_name | web | WireGuard Portal | The company name that is shown at the bottom of the web frontend. |
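A complete config.yml assembled from the options above, with the defaults that matter for security replaced, as an added example that is not part of the wg-portal project's documentation. It assumes the file nests each option under the parent key from the table (core, advanced, statistics, mail, auth, database, web) and that auth providers are list entries; the host names, LDAP attribute names in field_map, and both LDAP filters are constructed placeholders.

```yaml
# config/config.yml (added example; nesting by parent key is an assumption)
core:
  admin_user: admin@wgportal.local            # constructed placeholder
  admin_password: wgportal                    # left at the default, a random password is set on first start
  editable_keys: false                        # default true; false stops users from pasting their own key material
  create_default_peer: false
  create_default_peer_on_creation: false
  self_provisioning_allowed: false
  import_existing: true
  restore_state: true

advanced:
  log_level: info                             # default warn; info keeps login and sync events visible
  log_json: true                              # structured lines are easier to ship to a log collector
  ldap_sync_interval: 15m
  start_listen_port: 51820
  start_cidr_v4: 10.11.12.0/24
  start_cidr_v6: fdfd:d3ad:c0de:1234::0/64
  use_ip_v6: true
  expiry_check_interval: 15m

statistics:
  use_ping_checks: true
  ping_check_workers: 10
  ping_check_interval: 1m
  collect_audit_data: true                    # keep portal logins in the database

mail:
  host: mail.company.local                    # constructed placeholder
  port: 465
  encryption: tls                             # default none; tls encrypts the session from the first byte
  cert_validation: true                       # default false; without it the mail server is not authenticated
  username: wgportal
  password: "CHANGE-ME-MAIL-PASSWORD"         # placeholder
  auth_type: plain
  from: "WireGuard Portal <wgportal@company.local>"   # constructed placeholder
  link_only: true                             # default false; mail carries a link, not the private key or QR code

auth:
  callback_url_prefix: /api/v0
  ldap:
    - provider_name: company-ad               # must be unique across all providers
      url: ldap://srv-ad01.company.local:389
      start_tls: true                         # upgrade the plain LDAP port to TLS before binding
      cert_validation: true
      base_dn: DC=COMPANY,DC=LOCAL
      bind_user: 'company\ldap_wireguard'
      bind_pass: "CHANGE-ME-BIND-PASSWORD"    # placeholder
      field_map:                              # attribute names are constructed; adjust to your directory
        user_identifier: sAMAccountName
        email: mail
        firstname: givenName
        lastname: sn
        phone: telephoneNumber
        department: department
        memberof: memberOf
      # {{login_identifier}} is substituted with the login username (constructed filter)
      login_filter: "(&(objectClass=organizationalPerson)(mail={{login_identifier}}))"
      admin_group: CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
      synchronize: true
      disable_missing: true                   # users removed from the directory are disabled on the next sync
      sync_filter: "(&(objectClass=organizationalPerson)(memberOf=CN=WireGuardUsers,OU=Groups,DC=COMPANY,DC=LOCAL))"
      registration_enabled: true

database:
  type: sqlite
  dsn: data/sqlite.db

web:
  external_url: https://wg.portal.local       # serve the portal over TLS
  listening_address: 127.0.0.1:8888           # bind to loopback when a reverse proxy terminates TLS
  session_identifier: wgPortalSession
  session_secret: "CHANGE-ME-64-RANDOM-CHARS" # the default very_secret is a published value
  csrf_secret: "CHANGE-ME-64-RANDOM-CHARS"    # the default extremely_secret is a published value
  site_title: WireGuard Portal
  site_company_name: Company VPN
```

Point the binary at the file with WG_PORTAL_CONFIG if it is not stored at config/config.yml in the working directory.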

Upgrading from V1

⚠️ Before upgrading from V1, make sure that you have a backup of your currently working configuration files and database!

To start the upgrade process, start the wg-portal binary with the -migrateFrom parameter. The configuration (config.yml) for WireGuard Portal must be updated and valid before starting the upgrade.

To upgrade from a previous SQLite database, start wg-portal like:

./wg-portal-amd64 -migrateFrom=old_wg_portal.db

You can also specify the database type using the parameter -migrateFromType, supported types: mysql, mssql, postgres or sqlite. For example:

./wg-portal-amd64 -migrateFromType=mysql -migrateFrom=user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local

The upgrade will transform the old, existing database and store the values in the new database specified in config.yml. Ensure that the new database does not contain any data!

V2 TODOs

  • Public REST API
  • Translations
  • Documentation
  • Audit UI

Building

To build a standalone application, use the Makefile provided in the repository. Go version 1.22 or higher has to be installed to build WireGuard Portal. If you want to re-compile the frontend, NodeJS 18 and NPM >= 9 are required.

# build the frontend
make frontend

# build the binary
make build

What is out of scope

  • Automatic generation or application of any iptables or nftables rules.
  • Support for operating systems other than linux.
  • Automatic import of private keys of an existing WireGuard setup.

Application stack

License

wg-portal's People

Contributors

alexander-beck, alryaz, asterix11, bonddim, catholic-indulgence-vaper, commonism, dependabot[bot], domalo, h44z, hppinata, mtahernia, muellpanda, philippderdiedas, reesewang, sh0rch, skodapilot, soloradish, testwill, the-so6, theonewiththebraid, ultram4rine, xhit

wg-portal's Issues

Client config not updated when server config changes

Hi. I finally got my setup working.
Thanks for the work btw.

I mistakenly entered my external domain wrong. When I changed it to the right one I noticed the client config was keeping the domain from creation.

How to get logs (where I should find them)?

Despite an additional option like LOG_LEVEL=debug applied from compose, there are no logs in:

  1. compose up cmd
  2. docker logs wg-portal
  3. some file in the running container (at least I couldn't find it)

But the code already has logging (I saw it inside the code).

So the issue is that the documentation does not cover debugging a lot.

Need a help with starting wg-portal

Hello, first of all thank you for your solution. Great work

I am trying to spin up composer
compose.yml from example

version: '3.6'
services:
  wg-portal:
    image: h44z/wg-portal:latest
    container_name: wg-portal
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - ./wireguard:/etc/wireguard
      - ./data:/app/data
    environment:
      # WireGuard Settings
      - WG_DEVICES=wg0
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      - EXTERNAL_URL=https://vpn.company.com
      - WEBSITE_TITLE=WireGuard VPN
      - COMPANY_NAME=Your Company Name
      - [email protected]
      - ADMIN_PASS=supersecret
      # Mail Settings
      - MAIL_FROM=WireGuard VPN <[email protected]>
      - EMAIL_HOST=10.10.10.10
      - EMAIL_PORT=25
      # LDAP Settings
      - LDAP_ENABLED=false
      - LDAP_URL=ldap://srv-ad01.company.local:389
      - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
      - [email protected]
      - LDAP_PASSWORD=supersecretldappassword
      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL

I got an error

$ docker-compose up
Creating wg-portal ... done
Attaching to wg-portal
wg-portal | INFO[2021-06-17 10:38:46] starting WireGuard Portal Server [latest-92d0953]...
wg-portal | INFO[2021-06-17 10:38:46] real working directory: /app
wg-portal | INFO[2021-06-17 10:38:46] current working directory: .
wg-portal | WARN[2021-06-17 10:38:46] unable to load config.yml file: failed to open config file config.yml: open config.yml: no such file or directory, using default configuration...
wg-portal | FATA[2021-06-17 10:38:46] setup failed: unable to setup peer manager: unable to initialize peer manager: failed to get peer list for device wg0: could not get WireGuard device: file does not exist

I got the same error when I tried to spin it up on a k8s cluster

Lone admin can disable and revoke administrative privileges

Whilst tinkering with wg-portal I have identified that the sole administrator of the instance can revoke their own permissions so that they can either remove their administrative privileges or revoke their ability to login.

This is true for local db setups, I have not tested against an ldap configuration.

Support for Gmail

Hi,
I love your work. This portal is excellent.

Can you, please, give instructions on how to set up an email account from gmail?

Thank you.

SSL for e-mail

Hello,
Still on my deep testing ;-)

May we add an option to use SSL in addition to STARTTLS for e-mail ? Yes, we better use full-TLS than STARTTLS to get an encrypted dialog from the start.

In internal/common/email.go :
Use the TLS variable with :

This will retain compatibility with already-configured instances. In documentation, switch to "none/starttls/ssl" pragma to be able to disable the true/false option later as it's an incompatible change.

Thanks !

Https for wg-portal

Hi all.
Has anyone managed to combine nginx and wg-portal in docker to work over https? I ran into the fact that due to network_mode: "host" the nginx in the container cannot get to the portal via the internal network. And if I do upstream through the white IP of the host, the port with http must remain open to the Internet and this is undesirable in my case.
Thanks in advance for the answers

Wg0 not fully configured

Hi,
I'm new to Wireguard and trying to get wg-portal running. The connection to my ldap works fine, however when I try to login I get the message "Warning: WireGuard Interface wg0 is not fully configured! Configurations may be incomplete and non functional!"

My wg0 is up using this wg0.conf
[Interface]
Address = 10.52.3.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = private_key_here

Can you tell me what I'm missing?
Thanks in advance!

[ux] quick form to create new clients does not distinguish between ldap users and others

The confusion is that the form to create new clients ("enter valid ldap user email") accepts both ldap users and non-ldap users; in the peer list, the two types of users are not distinguishable.

I see two ways to solve it:

  • one solution would be to not accept emails that are not from the ldap sync filter (or when ldap is enabled)
  • another solution would be to make it easy to distinguish between users added from ldap and the others added to the database

This is important to track which users are going to be correctly disabled when they are not part of the ldap sync filter anymore (because they lost the specific membership, or they are not in the ldap database anymore - yay, this works and is amazing), as opposed to the other users that were added manually and need to be removed manually.

Only able to connect first peer

Thanks for the great project !!!

I am able to connect to only the first peer; as soon as I add a second or third peer, the first peer gets disconnected (can't ping the wg server ip).
Am I missing something or is this a bug?

Sign in as user with uppercase letter fails

I had problems signing in with multiple different users that each had an uppercase character.
I discovered that I did not have problems when the characters were all lower case.
The following links may be related.

username := strings.ToLower(ctx.Username)

m.db.Where("email = ?", email).FirstOrInit(&user)

user.Email = email

DNS settings

Is it possible to allow strings in the client DNS conf? That is important because it allows using the DNS search domain option.

DNS = 192.168.1.100, 192.168.1.101, 192.168.1.104
MTU = 1450

to use like
DNS = 192.168.1.100, 192.168.1.101, 192.168.1.104, mydomain.com
MTU = 1450

At least it's working with the windows wireguard client

Import existing wireguard configurations

I have an issue: when I import users with an existing wireguard configuration, it does not load the private key into the configuration, and when you try to export the configuration the private key is missing.

multiple interface support

Thanks for this project, it's very nice!

Is it possible to manage multiple wgN.conf interfaces?

I am setting up wg0 with peers on my local network but a number of peer connections to other public endpoints via wg1, wg2, etc. and would love to be able to manage those configurations via the same web interface as my local peers.

Option to disable email attachments

Option to disable email attachments for security reasons (QR and client configuration). And allow the configuration to only download the email given the link. Could be optional.

Splitting it

Found your project, very promising, almost what I need.
But it contains your management interface and Wireguard in the same container. Had a quick look at the sourcecode if I could easily split it, but it doesn't look that way. I'd like to run the management in a different container, maybe even a different machine.

So this is a feature request, probably quite a big one:

  • two images/containers that don't have to run on the same machine
  • the management interface container can run without special docker privileges, on a secure machine, possibly even only on-demand
  • the wireguard container runs in network mode host, provides the wireguard connectivity and a port where the management interface connects to
  • some kind of security feature should secure the management port, best would be LDAP_ADMIN_GROUP

Let me know what you think

Reload Doesn't Update Routes Correctly

I'm encountering an issue that the routes table doesn't update the same way that it does when wg-quick up wg0 is run. Specifically, I have a Peer with AllowedIPs = 10.1.25.5/32, 10.1.0.0/24. When wg-quick up is run, a route for 10.1.0.0/24 if wg0 is added. However, when saving the config with wg-portal it removes that route and doesn't re-add it.

build error when compiling wg-portal

[16:27:12] $ make
build github.com/h44z/wg-portal/cmd/wg-portal: cannot load embed: malformed module path "embed": missing dot in first path element
go mod download
GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/h44z/wg-portal/internal/server.Version=-" -o dist/wg-portal-amd64 cmd/wg-portal/main.go
build command-line-arguments: cannot load embed: malformed module path "embed": missing dot in first path element
make: *** [Makefile:59: dist/wg-portal-amd64] Error 1
[16:27:50] $ go version
go version go1.13.6 linux/amd64

Filter outgoing IP for clients on server side

Has anyone solved the problem of filtering outgoing connections for wireguard clients on the server side without using AllowedIPs on the client side or in combination with it?
Something like a whitelists, easy to edit, ideally for each client its own. I would be grateful if someone would advise an existing solution.

Missing security attributes when generating session cookies

Hi,
in my opinion, the WG-Portal is the best solution so far for managing Wireguard in enterprise networks with LDAP/AD connection. In addition, some features are solved very performant. Great work!
The cookies that WG-Portal creates, on the other hand, need a better implementation. From a security point of view, they are not secured against possible XSS attacks (cross-site scripting) and against insecure http connections. The attributes "Secure" and "HttpOnly" therefore must be added.

To add these attributes to the cookies, the following line of code in /internal/server/server.go must be replaced by the following part or something like it:

replace line 119:

s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte(s.config.Core.SessionSecret))))

with something like this:

store := memstore.NewStore([]byte(s.config.Core.SessionSecret))
store.Options(sessions.Options{
	Path: "/",
	MaxAge: 86400, // 1 Day
	Secure: true,
	HttpOnly: true,
})
s.server.Use(sessions.Sessions("authsession", store))

API for scripting

Hello,
May we have some kind of API to script tunnel deployment ? We're using WG on some servers for management purposes and auto-deployment would be great.

There are 2 features in one here: authentication and config generation/retrieval.

I have no clue how authentication should be done, especially if we have more and more auth backends. I see no problem having a specific user stored in the local database for this purpose. We could imagine running a request with curl with username and password as arguments and getting a temporary token (or cookie?). This is certainly NOT the better and safer way but it's a first step.

On the generation side, we need a specific URL that could take every arg needed for a peer :
Private Key : OPTIONAL (could be auto-generated)
Public Key : not needed as derived from the private key
Preshared Key : OPTIONAL (could be auto-generated)
Client Friendly Name : REQUIRED
Client Email Address : REQUIRED
Client IP Address : OPTIONAL (could be derived from the configured pools)
Allowed IPs : OPTIONAL (default as configured in the interface)
Client DNS Servers : OPTIONAL (default as configured in the interface, potentially empty)
Keepalive : OPTIONAL (default as configured in the interface)
MTU : OPTIONAL (default as configured in the interface)
Disabled : OPTIONAL (default as false)
Ignore global settings : I'm not very sure of this setting's effect

And the URL will return a JSON array with return code and configuration, parsed with jq in a simple bash script.

We can also imagine another endpoint used only for retrieval of the config data of already-created peers.

I would recommend to create the API endpoints on a 'versioned' URL for future releases eg. /api/v1/peer/create and /api/v1/peer/retrieve to respect the actual URL scheme of the application.

From the admin point, it's only a simple script :
Ask for username
Ask for password
curl for token
curl to create the peer and pipe to jq to verify return code and store the configuration
systemctl enable/start tunnel or other OS equivalent

This is the theory ;-)

Allowed-Ips do not get set correctly

Hi,

thank you for the great work of wg-portal, first off!

I have an issue where the allowed-ips do not get set correctly by wg-portal.

Im trying to set this as the allowed IPs:

AllowedIPs = 10.8.0.2/32, 10.1.0.0/24

but wireguard only gets set the following:

AllowedIPs = 10.8.0.2/32

I see the correct configuration in the "Configuration" tab in wg-portal, but not as the actual configuration in Wireguard.

I don't see any info in the docker logs that would explain it.
I am using the latest docker image.

Any further info you need from me?

Thank you.

Issues with LDAP authentication

We use FreeIPA as OpenLDAP provider to authenticate for wg-portal. Unfortunately, logins are rejected without any error. May this be due to the use of UID (hence a username only) instead of a mail address?

This is our env file for LDAP

cat ldap.env 
# LDAP Settings
LDAP_ENABLED=true
LDAP_URL=ldap://X.X.X.X:389
LDAP_STARTTLS=false
LDAP_CERT_VALIDATION=false
LDAP_BASEDN=CN=users,CN=accounts,DC=XXXXX,DCc=XXXXX
LDAP_USER=UID=admin,CN=users,CN=accounts,DC=XXXXX,DC=XXXXX
LDAP_PASSWORD=AVeryStrongPassword
LDAP_ADMIN_GROUP=CN=admins,CN=users,CN=accounts,DC=XXXXX,DCc=XXXXX
LDAP_TYPE=OpenLDAP
#LDAP_USER_CLASS=inetOrgPerson
LDAP_ATTR_EMAIL=UID

We assume this issue comes from the LDAP_ATTR_EMAIL=UID. May this be correct and/or is there any solution? Or may this be due to the password comparison (server-side, we use B-Crypt)?

docker-compose.yml
version: '3.6'
services:
  wg-portal:
    image: h44z/wg-portal:latest
    restart: always
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data/wg-portal:/app/data
    ports:
      - '8123:8123'
    env_file:
      - ldap.env
      - user.env
    environment:
      # WireGuard Settings
      - WG_DEVICES=wg0
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      - EXTERNAL_URL=https://vpn.XXXX.XXXX
      - WEBSITE_TITLE=XXXX
      - COMPANY_NAME=XXXX

(Don't judge the plain text connection; it's a test setup only.)

after a user is deleted from ldap, the deleted user generates the following error on logs

already logged in user that was deleted from ldap (and wg-portal synced it) can't access http://masked-ip:8123/user/profile

but still can http://masked-ip:8123/

(it's also strange the path to /home/travis)

Jul 05 17:59:54 myhost wgportal[2804]: 2021/07/05 17:59:54 [Recovery] 2021/07/05 - 17:59:54 panic recovered:
Jul 05 17:59:54 myhost wgportal[2804]: GET /user/profile HTTP/1.1
Jul 05 17:59:54 myhost wgportal[2804]: Host: masked-ip:8123
Jul 05 17:59:54 myhost wgportal[2804]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Jul 05 17:59:54 myhost wgportal[2804]: Accept-Encoding: gzip, deflate
Jul 05 17:59:54 myhost wgportal[2804]: Accept-Language: en,es;q=0.9,ca;q=0.8,en-US;q=0.7
Jul 05 17:59:54 myhost wgportal[2804]: Cache-Control: max-age=0
Jul 05 17:59:54 myhost wgportal[2804]: Connection: keep-alive
Jul 05 17:59:54 myhost wgportal[2804]: Cookie: authsession=MTYyNTUwMDc4OHxOd3dBTkZJeVVrNHlOVkZRU0VneldGQk1TVTlNVVRkV1ZraEtTalZVTlVaQk5WTkVVMGhUTTFkYU16WlBWVXBhU1ZaT1V6VlpRVUU9fKiqnkCVnEjUJFJKecq_T6pkWnS2dUcl5pucnnAV4cTX
Jul 05 17:59:54 myhost wgportal[2804]: Dnt: 1
Jul 05 17:59:54 myhost wgportal[2804]: Upgrade-Insecure-Requests: 1
Jul 05 17:59:54 myhost wgportal[2804]: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Jul 05 17:59:54 myhost wgportal[2804]: [1B blob data]
Jul 05 17:59:54 myhost wgportal[2804]: runtime error: invalid memory address or nil pointer dereference
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/.gimme/versions/go1.16.5.linux.amd64/src/runtime/panic.go:212 (0x442b9a)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/.gimme/versions/go1.16.5.linux.amd64/src/runtime/signal_unix.go:734 (0x45b792)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/src/github.com/h44z/wg-portal/internal/server/handlers_common.go:144 (0xb4e953)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0xb678c8)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/src/github.com/h44z/wg-portal/internal/server/routes.go:144 (0xb678a7)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0xaba73d)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/utrack/[email protected]/csrf.go:94 (0xaba71c)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0xab97d5)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-contrib/[email protected]/sessions.go:52 (0xab97bd)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0x8fecd0)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/recovery.go:83 (0x8fecb7)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0x8f5ccf)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:409 (0x8f5cb6)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/gopath/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:367 (0x8f576c)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/.gimme/versions/go1.16.5.linux.amd64/src/net/http/server.go:2887 (0x6e68e2)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/.gimme/versions/go1.16.5.linux.amd64/src/net/http/server.go:1952 (0x6e1d0c)
Jul 05 17:59:54 myhost wgportal[2804]: /home/travis/.gimme/versions/go1.16.5.linux.amd64/src/runtime/asm_amd64.s:1371 (0x47b820)
Jul 05 17:59:54 myhost wgportal[2804]: 

LDAP sync doesn't work? no logging

First of all, thanks for a great tool so far there is a lot of potential in this.

I'm trying to hook it up to our FreeIPA server but it doesn't seem to sync users over.
I've tried to enable trace log or even debug, no information on that.
So I don't really know where it's stuck, if it's the connection, DN, or filters (I use the default in this case).

when not pressing enter on "create new clients" creates nothing

If I fill in the email address and then click Create, it does not do anything


if focus is nowhere or in the client friendly name field it does nothing

only when focus is in the email address field, it "squares" the address and with another enter creates the client: "client(s) created succesfully"

Changing e-mail template

Managed to set Gmail SMTP sending config files to client. The e-mail message shows "Your mail client does not support HTML. Please find the configuration attached to this mail." Is there a way to customize the e-mail templates?

[FEATURE] Create initial interface configuration

Hello,
Just giving a try to your piece of code ;-) That seems to be really well done, specifically the multiple interfaces support.

In my early start of the container on a test host, the container kept restarting with this error:
setup failed: unable to setup peer manager: unable to initialize peer manager: failed to get peer list for device wg0: could not get WireGuard device: file does not exist

As it seems you have a 'setup' step in the deployment, could you consider generating a key pair and firing up the interface if it's nonexistent?

That should be much work but I'm not a dev, only a sysadmin and Perl is my last fluent language to date ;-)

As your commits are quite frequent, I'll probably have a few more feature proposals in the next days as my trial goes on (like OIDC).

Thanks again for this work, I'll probably save a project with multi-interface that couldn't be achieved by wg-gen-web.

Leaking file handles

I just saw

2021/09/29 10:59:11 http: Accept error: accept tcp [::]:8123: accept4: too many open files; retrying in 5ms
2021/09/29 10:59:13 http: Accept error: accept tcp [::]:8123: accept4: too many open files; retrying in 5ms
2021/09/29 10:59:14 http: Accept error: accept tcp [::]:8123: accept4: too many open files; retrying in 5ms

sudo ss -anp | grep wg-portal

shows lots of

???   UNCONN     213504 0        0.0.0.0:1        0.0.0.0:*      users:(("wg-portal-amd64",pid=320939,fd=18))
???   UNCONN     213504 0        0.0.0.0:1        0.0.0.0:*      users:(("wg-portal-amd64",pid=320939,fd=17))

0.0.0.0:1 would be 0.0.0.0:icmp if run without -n

lsof shows:

wg-portal 320939 321603 wg-portal             root 1021u      raw                          0t0     438376 00000000:0001->00000000:0000 st=07
wg-portal 320939 321603 wg-portal             root 1022u      raw                          0t0     441464 00000000:0001->00000000:0000 st=07
wg-portal 320939 321603 wg-portal             root 1023u      raw                          0t0     435798 00000000:0001->00000000:0000 st=07

I can not reproduce, I guess wgctrl.

swagger - property Name mismatches

the properties in the swagger spec mismatch the values returned.

I'm currently with

        for k, v in six.iteritems(val):
            k = k[0].lower() + k[1:]
            if k == 'iPsStr':
                k = "ipsStr"

which is most likely incomplete.

type != Type, deviceName != DeviceName …

failed to open config file config.yml Warning

Thank You again for the great job creating wg-portal.
I'm running wg-portal on ubuntu 20.04, in a docker stack with several apps installed with docker compose. All containers are being updated automatically with Watchtower (daily scheduled at 4:00 am).
Found two new issues:
First: Although wg-portal is working, despite the issues #40, #41 and #42, the client configuration download button is not working; to download the client .conf file, I had to press the right mouse button and choose "open link in a new tab".

Second: Wg-portal log shows a warning after Watchtower updated the container last night:

INFO[2021-09-13 04:00:29] starting WireGuard Portal Server [master-9147fe3]... ,
INFO[2021-09-13 04:00:29] real working directory: /app ,
INFO[2021-09-13 04:00:29] current working directory: . ,
### WARN[2021-09-13 04:00:29] unable to load config.yml file: failed to open config file config.yml: open config.yml: no such file or directory, using default configuration... ,
INFO[2021-09-13 04:00:29] setup of service completed! ,
INFO[2021-09-13 04:00:29] starting web service on :8123 ,

Could it be a folder permissions issue? My docker-compose is setting WG_CONFIG_PATH to /etc/wireguard which is a root access folder. No config.yml is being created in that folder. Do I need to change this path to another folder where wg-portal has write permissions?

Sorry for the basic beginner questions.

[feature-request] Allow profile creation as self service

For our use case, we would like to allow normal users to create their own VPN profiles.

We imagine the following options:

  • an admin option to enable the whole self-service
  • self-service profiles always use the inherited global settings
  • option to limit number of self-service profiles

In this case, admins are only responsible for managing special profiles.


An alternative we imagine is one automatically created default profile per user.

QR size limited for long IP ranges

For our setup, we have very difficult IP ranges we provide (Allowed IPs). In some cases, they consist of more than 50 different IP blocks we provide in the config. If we do this, the QR codes are no longer displayed, even though qrencode -t ansiutf8 < myconfig.conf properly works for importing the profiles.

panic: duplicated key 'devices' in struct wireguard.Config

Hi.

In code wg-portal/internal/wireguard/config.go

type Config struct {
	DeviceNames         []string `yaml:"devices" envconfig:"WG_DEVICES"`             // managed devices
	DefaultDeviceName   string   `yaml:"devices" envconfig:"WG_DEFAULT_DEVICE"`      // this device is used for auto-created peers, use GetDefaultDeviceName() to access this field
	ConfigDirectoryPath string   `yaml:"configDirectory" envconfig:"WG_CONFIG_PATH"` // optional, if set, updates will be written to this path, filename: <devicename>.conf
	ManageIPAddresses   bool     `yaml:"manageIPAddresses" envconfig:"MANAGE_IPS"`   // handle ip-address setup of interface
}

there is a yaml field with the same name... Seems to be a bug.
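As an added check that is not part of wg-portal's own code: a reflection-based guard that flags duplicate `yaml` keys in a struct before the YAML decoder panics on them. The `Config` type below is a constructed copy of the struct from the issue, kept only so the check has something to run against.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Config is a constructed copy of the struct quoted in the issue (not the
// project's code): DeviceNames and DefaultDeviceName both carry `yaml:"devices"`.
type Config struct {
	DeviceNames         []string `yaml:"devices" envconfig:"WG_DEVICES"`
	DefaultDeviceName   string   `yaml:"devices" envconfig:"WG_DEFAULT_DEVICE"`
	ConfigDirectoryPath string   `yaml:"configDirectory" envconfig:"WG_CONFIG_PATH"`
	ManageIPAddresses   bool     `yaml:"manageIPAddresses" envconfig:"MANAGE_IPS"`
}

// DuplicateTagKeys returns every key of tagName (e.g. "yaml", "envconfig") that
// appears on more than one field of struct type t, or nil if all keys are unique.
// Tag options such as ",omitempty" are ignored; "-" and empty keys are skipped.
func DuplicateTagKeys(t reflect.Type, tagName string) []string {
	if t.Kind() == reflect.Ptr {
		t = t.Elem()
	}
	seen := map[string]bool{}
	var dups []string
	for i := 0; i < t.NumField(); i++ {
		tag, ok := t.Field(i).Tag.Lookup(tagName)
		if !ok {
			continue
		}
		key := strings.Split(tag, ",")[0]
		if key == "" || key == "-" {
			continue
		}
		if seen[key] {
			dups = append(dups, key)
			continue
		}
		seen[key] = true
	}
	return dups
}

func main() {
	// Run the check against the constructed Config; a unit test doing the same
	// would have caught the duplicated 'devices' key before start-up.
	fmt.Println("duplicate yaml keys:", DuplicateTagKeys(reflect.TypeOf(Config{}), "yaml"))
	fmt.Println("duplicate envconfig keys:", DuplicateTagKeys(reflect.TypeOf(Config{}), "envconfig"))
}
```

Running the same check in a test for every config struct makes a duplicated tag a failing build instead of a runtime panic.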

A mail-to-all button for server interface setting changes.

First of all, it is an interesting and useful project. thanks for your efforts.

Just wondering if we can have a button that can mail all peers once we have some changes in the server interface.

It is really helpful not to click all the plus buttons one by one.

thanks!

Endpoint not filled if client create

Hello, I have the 1.09 version running.
The endpoint is correctly set in the configuration, but when a client logs in and a configuration is created the endpoint is empty.
Only when I then press Apply Global Settings without a change in the server configuration, all are always updated.
The endpoint is then also entered for the missing ones. This was not the case before, it only updated the changed clients.

What can be the reason that when creating the endpoint is not set immediately?

config.yml structure

Hi,

how config.yml file should look like, something like this:

environment:
     - LISTENING_ADDRESS=:8080
     - EXTERNAL_URL=https://wg-test.test.com
     - WEBSITE_TITLE=TEST VPN Portal
     - COMPANY_NAME=TEST
     - MAIL_FROM=TEST
     - [email protected]
     - ADMIN_PASS=test
     - EDITABLE_KEYS=true
     - CREATE_DEFAULT_PEER=false
     - LDAP_ENABLED=false

Every time I start the portal with go run cmd/wg-portal/main.go or execute the binary file, I get the message:
unable to load config.yml file: failed to open config file config.yml: open config.yml: no such file or directory, using default configuration...

LDAPS with certcheck=false

Hello,
I just tried to use an SSL (not StartTLS) server as the admin users' source.

It seems there's no respect of the certcheck configuration option in this specific case:

WARN[2021-04-21 07:26:43] failed to setup LDAP connection, LDAP features disabled
ERRO[2021-04-21 07:26:43] skipping provider registration: unable to open ldap connection: LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority

As go-ldap seems to handle ldap(s) URLs nicely, you could simply add the tls.Config to the first call of ldap.DialURL.
Or create the tls.Config at the start of the ldap.Open function and use it for every subsequent DialURL.

As previously said, I can't really write a formal PR as I have no clue of golang, sorry.

CSRF token mismatch

When creating a new user in 1.0.12 and trying to login, the new account gets a "CSRF token mismatch" error without creating the authsession cookie.

After rollback to 1.0.11 this problem is resolved.

direct use of docker images instead of building from source.

db migration error

Getting the following error when trying to start with wg-portal pointed at a mysql database (new, empty RDS instance):

setup failed: unable to setup peer manager: failed to migrate peer database: Error 1822: Failed to add the foreign key constraint. Missing index for constraint 'fk_peers_device' in the referenced table 'peers'

Any suggestions on how to fix that?

Deleting or modifying user

Thank you for your great work! Got wg-portal to work and I really appreciate the way it handles server and client configurations, including Post-up and Post-down. The only thing I can't find is a way to delete users from the user management tab. I also can't change user name or remove administration privileges. When I save the changes made to the user I get a success message but it all stays the same.

Using the LDAP uid Attribute as login name

I'm trying to use another LDAP Attribute than the email address as the login name. I tried attrEmail: uid (or cn) to override the default, but no luck. Also the Filter loginFilter: (&(objectClass=organizationalPerson)(uid={{login_identifier}}) didn't help.

Postgres support

I suppose this is more of a feature request, I do not see it mentioned within any of the previous issues, it would be nice to see Postgres supported.

Run without network_mode: "host"

Hi,
first things first; Thanks for this great project! ❤️

I am trying to find a way to run wg-portal in my specific setup, where I use traefik as a reverse proxy and for SSL termination.

This collides with the need to run wg-portal with the option network_mode: "host"

I am trying to run wg-portal, without host mode, with something like:

version: '3.6'
services:
  wg-portal:
    image: h44z/wg-portal:latest
    container_name: wg-portal
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    #network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data:/app/data
    ports:
    #  - '8123:8123'
      - 51820:51820/udp
    environment:
      # WireGuard Settings
      - WG_DEVICES=wg0
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      - EXTERNAL_URL=https://vpn.company.com
      - WEBSITE_TITLE=WireGuard VPN
      - COMPANY_NAME=Your Company Name
      - [email protected]
      - ADMIN_PASS=supersecret
      # Mail Settings
      - MAIL_FROM=WireGuard VPN <[email protected]>
      - EMAIL_HOST=10.10.10.10
      - EMAIL_PORT=25
      # LDAP Settings
      - LDAP_ENABLED=true
      - LDAP_URL=ldap://srv-ad01.company.local:389
      - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
      - [email protected]
      - LDAP_PASSWORD=supersecretldappassword
      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
    networks:
     # network of reverse proxy 
      - front
      
    labels:
      - "treafik.enable=true"
      - "traefik.http.services.service-wg.loadbalancer.server.port=8123"
      - "traefik.http.routers.rt-wg.rule=Host(`vpn.company.com`)"
      - "traefik.http.routers.rt-wg.tls.certresolver=letsencrypt-resolver"
      - "traefik.http.routers.rt-wg.entrypoints=webtls"
networks:
  # network of reverse proxy 
  front:
    external: true

This routes port 8123 for the webinterface through the reverse proxy to a public domain (vpn.company.com) reachable via ssh/https.
Port 51820 for the wg stuff is still public via docker port expose.

But wg-portal crashes as it does get the wg device configured:

wg-portal    | FATA[2021-06-01 19:27:15] setup failed: unable to setup peer manager: unable to initialize peer manager: failed to get peer list for device wg0: could not get WireGuard device: file does not exist 

I don't get what I am missing here. In principle wireguard in a container does not seem to need full host network attachment, see https://hub.docker.com/r/linuxserver/wireguard

Do you have any ideas if and how I can work around this issue?
