Comments (6)
+1
from wg-portal.
Actually, according to this and this, ldap config should be under auth, something like this:
auth:
  ldap:
    - id: 1
      ...
But don't bother, that still doesn't work either.
from wg-portal.
Woops - formatting woes in github hid that line and the callback url. I updated the original comment.
from wg-portal.
Got it to work eventually myself as well, beware ldap_sync_interval is just for show, it's not mapped to anything in code - once you enable synchronize: true, the LDAP service is queried every 10 seconds as per https://github.com/h44z/wg-portal/blob/master/internal/app/auth/auth.go#L39. What a mess...
from wg-portal.
How did you get it to work? What backend are you using for LDAP?
Would you be able to post your configuration? I'm hoping it can help me track down my issues.
from wg-portal.
Here's my working config for v2:
advanced:
  log_level: trace
  ldap_sync_interval: 15m
core:
  admin_user: [email protected]
  admin_password: password
  create_default_peer: true
  create_default_peer_on_creation: false
web:
  external_url: https://example.com
  request_logging: true
auth:
  callback_url_prefix: https://example.com/api/v0
  ldap:
    - id: ldap1
      provider_name: company ldap
      display_name: Login with</br>LDAP
      url: ldap://example.com:389
      start_tls: true
      bind_user: [email protected],ou=users,dc=example,dc=com
      bind_pass: password
      base_dn: ou=users,dc=example,dc=com
      login_filter: (&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com)(mail={{login_identifier}}))
      admin_group: cn=administrators,ou=users,dc=example,dc=com
      synchronize: false
      sync_filter: (&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com))
      registration_enabled: true
      field_map:
        user_identifier: uid
        email: mail
        memberof: memberOf
        firstname: givenName
        lastname: sn
        phone: mobile
        department: title
Since ldap_sync_interval is useless in v2, and synchronization happens every 10 seconds for some insane reason (hardcoded), I have gone to using v1 which also has a hardcoded value, but at least on that it is 1 minute. Here's my config there (docker-compose.yml):
version: '3.6'
services:
  wg-portal:
    image: wgportal/wg-portal:v1
    container_name: wg-portal
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data:/app/data
    ports:
      - '8123:8123'
    environment:
      # WireGuard Settings
      - WG_DEVICES=wg0,wg1
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      - SELF_PROVISIONING=true
      # Core Settings
      - EXTERNAL_URL=https://example.com
      - LOGO_URL=https://example.com/logo.png
      - CREATE_DEFAULT_PEER=true
      - WEBSITE_TITLE=Example VPN
      - COMPANY_NAME=Example
      - [email protected]
      - ADMIN_PASS=password
      # Mail Settings
      - MAIL_FROM=Example VPN <[email protected]>
      - EMAIL_HOST=1.1.1.1
      - EMAIL_PORT=25
      # LDAP Settings
      - LDAP_ENABLED=true
      - LDAP_URL=ldap://example.com:389
      - LDAP_STARTTLS=true
      - LDAP_CERT_VALIDATION=false
      - LDAP_BASEDN=ou=users,dc=example,dc=com
      - [email protected],ou=users,dc=example,dc=com
      - LDAP_PASSWORD=password
      - LDAP_LOGIN_FILTER=(&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com)(mail={{login_identifier}}))
      - LDAP_SYNC_FILTER=(&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com))
      - LDAP_SYNC_GROUP_FILTER=(&(objectClass=inetOrgPerson)(ou=groups,dc=example,dc=com))
      - LDAP_ADMIN_GROUP=cn=administrators,ou=groups,dc=example,dc=com
      - LDAP_ATTR_EMAIL=mail
      - LDAP_ATTR_FIRSTNAME=givenName
      - LDAP_ATTR_LASTNAME=sn
      - LDAP_ATTR_PHONE=mobile
      - LDAP_ATTR_GROUPS=memberOf
      - LDAP_CERT_CONN=false
      # Log
      - LOG_LEVEL=trace
Although, to be perfectly honest with you, I don't like the interface of this project at all - it is too complicated for the casual users; I will probably go back to a custom patched wg-easy with an external authenticator. Here is the patch to wg-easy to support the Remote-User header from Authelia (it's in a comment on YouTube):

@WolfgangsChannel Managed to pull it off. It's rather simple actually. The changes are as follows:

1. In file ansible-easy-vpn/roles/bunkerweb/templates/env.j2, add `{{ wireguard_host }}_REVERSE_PROXY_HEADERS=Remote-User $user` on the last line.
2. `docker exec -it wg-easy apk add nano`
3. `docker exec -it wg-easy nano lib/Server.js`
4. Ctrl + W, type `return WireGuard.getClients(`, Enter. Replace the line with `return WireGuard.getClients(req.header("Remote-User"));`
5. Ctrl + W, type `return WireGuard.createClient(`, Enter. 2 lines above (where function starts), add `req.body.name = req.header("Remote-User") + "_" + req.body.name;`
6. Ctrl + W, type `return WireGuard.updateClientName(`, Enter. 3 lines above (where function starts), add `req.body.name = req.header("Remote-User") + "_" + req.body.name;`
7. Ctrl+X, y, Enter to exit nano.
8. `docker exec -it wg-easy nano lib/WireGuard.js`
9. Ctrl + W, type `async getClients(remote_user) {`. In this method, replace lines 2 and 4 with this, respectively:
   `const clients = Object.entries(config.clients).filter(([clientId, client]) => client.name.startsWith(remote_user + "_")).map(([clientId, client]) => ({`
   `name: client.name.substring((remote_user + "_").length, client.name.length),`
10. `docker exec -it wg-easy nano www/index.html`
11. Ctrl+W, type `<span class="text-sm">New</span>`, Enter. After 2 lines, where the div closes, add this:
    `<div class="flex-shrink-0"> <button @click="location.replace('https://auth.example.com/logout?rd=https%3A%2F%2Fwg.example.com%2F');" class="hover:bg-red-800 hover:border-red-800 hover:text-white text-gray-700 border-2 border-gray-100 py-2 px-4 rounded inline-flex items-center transition"> <svg style="transform-box: fill-box; transform-origin: center; transform: rotate(45deg);" class="w-4 mr-2" inline xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor"> <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 6v6m0 0v6m0-6h6m-6 0H6" /> </svg> <span class="text-sm">Log out</span> </button> </div>`
12. `cd ansible-easy-vpn/`
13. `ansible-playbook run.yml`, enter vault password.
14. `reboot`

This patch has the effect that the headers sent by Authelia always contain the Remote-User field populated with the LDAP uid of the currently logged in user. On the wg-easy side, what I did was to prefix config files with "username_", and then filter the returned configs to only include those belonging to the currently logged in user. Finally, steps 10-11 add a "Log out" button to the "wg-easy" web page, so users can easily log out. Remember to replace example.com with your actual domain.
I am a bit amazed by the lack of proper options in this area of WireGuard frontend, but I always keep looking since the protocol in itself is SO GOOD compared to anything else I have used.
from wg-portal.
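The login_filter in the v2 config above carries a `{{login_identifier}}` placeholder that is filled from whatever the user types at the login prompt. Added example, not wg-portal's code and not a description of how wg-portal fills the placeholder internally: it shows how such a template must be rendered so that the identifier can only ever be compared as a literal value, with the RFC 4515 escaping that makes that true and a shape check that catches a rendering which changed the filter's structure. The template string is the one from the config above; the function names, the placeholder handling and the sample identifier are assumptions made for this example.

```javascript
// Added example (not wg-portal's code). The filter template is the login_filter
// from the config above; everything else is an assumption for illustration.

const LOGIN_FILTER =
  '(&(objectClass=inetOrgPerson)(memberOf=cn=users_of_wgportal,ou=groups,dc=example,dc=com)(mail={{login_identifier}}))';
const PLACEHOLDER = '{{login_identifier}}';

// RFC 4515 section 3: backslash, asterisk, parentheses and NUL inside an
// assertion value must be written as \XX hex escapes.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Vulnerable form: the identifier is pasted into the template verbatim, so any
// parentheses or wildcards it contains become filter syntax.
function renderLoginFilterUnsafe(template, loginIdentifier) {
  return template.split(PLACEHOLDER).join(loginIdentifier);
}

// Hardened form: the identifier is escaped first and can only be compared as a
// literal attribute value.
function renderLoginFilter(template, loginIdentifier) {
  return template.split(PLACEHOLDER).join(escapeLdapFilterValue(loginIdentifier));
}

// Count "(attr=" assertions in a filter. A rendered login filter must contain
// exactly as many as its template (three for LOGIN_FILTER); a different count
// means the rendered value altered the filter's structure.
function countAssertions(filter) {
  return (filter.match(/\([A-Za-z][A-Za-z0-9;.-]*=/g) || []).length;
}

function filterShapeUnchanged(template, rendered) {
  return countAssertions(template) === countAssertions(rendered);
}

if (typeof require !== 'undefined' && require.main === module) {
  const ident = 'alice)(uid=admin'; // constructed malformed login identifier
  console.log('unsafe  :', renderLoginFilterUnsafe(LOGIN_FILTER, ident));
  console.log('escaped :', renderLoginFilter(LOGIN_FILTER, ident));
}
```

Run it with `node` to see the two renderings side by side; the escaped one keeps the three assertions of the template, the unsafe one does not. The shape check is a cheap second line of defence, not a replacement for escaping.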
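The wg-easy patch quoted above keys everything on the Remote-User header and on a `username_` prefix in the peer name. Added example, not wg-easy's or the commenter's code: it restates that idea in stand-alone form and makes explicit the two checks a deployment of it depends on. First, the header is only meaningful when the request actually arrived through the authenticating reverse proxy (Authelia behind BunkerWeb in the setup above); if the app port is reachable directly, the header is ignored. Second, a bare `startsWith(user + "_")` test is ambiguous once one username is a prefix of another, so the owner is resolved by longest match against the known user set. The request shape (`socketAddress`, `headers`), the `config.clients` layout, the trusted-proxy list and the sample users are assumptions made for this example.

```javascript
// Added example (not wg-easy's or the commenter's code). Request shape, peer
// layout, trusted proxies and sample users are assumptions for illustration.

const SEP = '_';
const USERNAME_RE = /^[A-Za-z0-9._@-]+$/;

// Constructed sample in the shape wg-easy keeps peers under config.clients.
const sampleClients = {
  'id-1': { name: 'alice_laptop', address: '10.8.0.2' },
  'id-2': { name: 'alice_phone',  address: '10.8.0.3' },
  'id-3': { name: 'bob_laptop',   address: '10.8.0.4' },
  'id-4': { name: 'bob_alice_x',  address: '10.8.0.5' }, // owned by user "bob_alice"
};
const knownUsers = ['alice', 'bob', 'bob_alice'];

// Remote-User is only trustworthy when the TCP peer is one of the trusted
// reverse-proxy addresses; otherwise the header is ignored and null is
// returned, which the caller treats as "not authenticated".
function remoteUserFrom(req, trustedProxies) {
  if (!trustedProxies.includes(req.socketAddress)) return null;
  const user = req.headers['remote-user'];
  return typeof user === 'string' && USERNAME_RE.test(user) ? user : null;
}

// Stored name for a peer created by `user` (what the createClient change does).
function prefixedName(user, name) {
  return user + SEP + name;
}

// The getClients() filter exactly as the patch writes it: a bare prefix test.
function clientsForUserNaive(clients, user) {
  return Object.entries(clients)
    .filter(([, c]) => c.name.startsWith(user + SEP))
    .map(([id, c]) => ({ id, name: c.name.substring((user + SEP).length), address: c.address }));
}

// Owner of a stored name: the longest known username u with name = u + SEP + rest.
// Longest match removes the ambiguity when one username is a prefix of another
// (here "bob" and "bob_alice"), which the bare prefix test resolves wrongly.
function ownerOf(storedName, users) {
  let best = null;
  for (const u of users) {
    if (storedName.startsWith(u + SEP) && (best === null || u.length > best.length)) best = u;
  }
  return best;
}

// Owner-aware replacement for the naive filter.
function clientsForUser(clients, user, users) {
  return Object.entries(clients)
    .filter(([, c]) => ownerOf(c.name, users) === user)
    .map(([id, c]) => ({ id, name: c.name.substring((user + SEP).length), address: c.address }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const req = { socketAddress: '127.0.0.1', headers: { 'remote-user': 'bob' } };
  const user = remoteUserFrom(req, ['127.0.0.1']);
  console.log('naive      :', clientsForUserNaive(sampleClients, user).map((c) => c.name));
  console.log('owner-aware:', clientsForUser(sampleClients, user, knownUsers).map((c) => c.name));
}
```

With the sample data, the naive filter hands user "bob" the peer "bob_alice_x" as well as his own, while the owner-aware version does not. In a real deployment the cleaner fix is to store the owner as its own field rather than encoding it in the name; the longest-match lookup is the least invasive change that keeps the patch's naming scheme.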