subspacecommunity / subspace

This project is forked from subspacecloud/subspace


A fork of the simple WireGuard VPN server GUI community maintained

License: MIT License

Dockerfile 6.53% Go 37.70% HTML 45.75% Shell 8.39% CSS 0.95% Makefile 0.69%

subspace's Issues

Update Readme to include the Slack Channel

Is your feature request related to a problem?
Better communication with the community

Describe the solution you'd like
Ability to communicate with the community via Slack

Describe alternatives you've considered
Continue to use Github Issues

Feature Request : Blocking Ads

Similar to Pi-hole, if a network-wide ad blocker could be integrated, with the option to turn it on and off, it would be a nice-to-have feature. Not sure if it's beyond the scope of this project.

docker / centos

Running this on Docker on CentOS 8, I see 0 ports listening with docker ps. I also see 0 ports being provisioned in the instructions, so how does one get this running on a VM so I can test it? Maybe clearer instructions are required, as the documents I followed don't appear to provide any ports via Docker.

Deleted env vars

Describe the bug
Environment variables are deleted by bin/my_init

To Reproduce
Some environment variables are used in handlers.go, for example on this line. allowedips is always "0.0.0.0/0, ::/0" even if I set SUBSPACE_ALLOWED_IPS when creating the Docker image. The rest of the variables behave the same way.

Expected behavior
Variables set when creating a docker image will be used by subspace.

Desktop (please complete the following information):

  • OS: Arch Linux
  • Browser firefox

Additional context
This line is executing runsvdir with clean env.

Cannot start docker container. Exits with `iptables: No chain/target/match by that name.`

Describe the bug
I cannot start the Docker container. It exits with the message RTNETLINK answers: Not supported.

To Reproduce
Steps to reproduce the behavior:

  1. Set up Ubuntu 18.04 vm.
  2. Follow the install instructions in the README.md. (Adding wireguard ppa, removing dnsmasq, etc.)
  3. Create a docker-compose file like this:
version: "3.3"
services:
  subspace:
    image: subspacecommunity/subspace:latest
    container_name: subspace
    volumes:
      - /usr/bin/wg:/usr/bin/wg
      - /srv/subspace/data:/data
    restart: always
    environment:
      - SUBSPACE_HTTP_HOST=vpn.dynamicdns.hostname
      - SUBSPACE_LETSENCRYPT=false
      - SUBSPACE_HTTP_INSECURE=true
      - SUBSPACE_HTTP_ADDR=":80"
      - SUBSPACE_NAMESERVER=192.168.1.1
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
      - SUBSPACE_IPV4_GW=10.99.97.1
      - SUBSPACE_IPV6_GW=fd00::10:97:1
      - SUBSPACE_IPV6_NAT_ENABLED=0
    cap_add:
      - NET_ADMIN
    network_mode: "host"
  4. Run docker-compose up --force-recreate.

Expected behavior
A functional subspace container should start.

Actual behavior

root@vpn:/srv/subspace# docker-compose up --force-recreate
Recreating subspace ... done
Attaching to subspace
subspace    | + '[' -z vpn.dynamicdns.hostname ]
subspace    | + '[' -z  ]
subspace    | + export 'SUBSPACE_BACKLINK='
subspace    | + '[' -z 10.99.97.0/24 ]
subspace    | + '[' -z fd00::10:97:0/64 ]
subspace    | + '[' -z 192.168.1.1 ]
subspace    | + '[' -z false ]
subspace    | + '[' -z '":80"' ]
subspace    | + '[' -z 51820 ]
subspace    | + '[' -z true ]
subspace    | + export 'DEBIAN_FRONTEND=noninteractive'
subspace    | + '[' -z 10.99.97.1 ]
subspace    | + '[' -z fd00::10:97:1 ]
subspace    | + '[' -z 0 ]
subspace    | + echo 'nameserver 192.168.1.1'
subspace    | + '[' -z  ]
subspace    | + /sbin/iptables -t nat --check POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
subspace    | + /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
subspace    | + /sbin/iptables --check FORWARD -s 10.99.97.0/24 -j ACCEPT
subspace    | + '[[' 0 -gt 0 ]]
subspace    | + /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/24 -p udp --dport 53 -j DNAT --to 10.99.97.1:53
subspace    | + /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/24 -p tcp --dport 53 -j DNAT --to 10.99.97.1:53
subspace    | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/64 -p udp --dport 53 -j DNAT --to fd00::10:97:1
subspace    | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/64 -p tcp --dport 53 -j DNAT --to fd00::10:97:1
subspace    | + test -d /data/wireguard
subspace    | + cat
subspace    | + cat /data/wireguard/server.private
subspace    | + cat /data/wireguard/peers/null.conf
subspace    | + ip link show wg0
subspace    | + ip link add wg0 type wireguard
subspace    | RTNETLINK answers: Not supported

Additional context
Server OS: Ubuntu 18.04

root@vpn:/srv/subspace# docker images
REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE
subspacecommunity/subspace   latest              8825e8dfbe8f        2 days ago          38.4MB

I set SUBSPACE_IPV6_NAT_ENABLED=0 because I am not using IPV6 in my internal network.

I tried just commenting out the IPV6 environment variables, but then the iptable rules didn't apply, and it errored out due to that.

I have DD-WRT on my router between my network and the WAN. My dynamic DNS address resolves to my ISP-provided DHCP address outside my network. Inside I've set it to the Ubuntu VM I'm using to host subspace. But I have had odd issues where my desktop resolves the DNS address to my WAN IP... That said, the Ubuntu VM does resolve the dynamic DNS address of itself to its internal IP.

Oh, and DD-WRT is set to forward ports 80 and 443 to the internal ip of the Ubuntu VM.

Any ideas what my issue is?

Proposal for docker-compose and systemd-resolved disable

Firstly, thanks for your work; it seems to work really great and lowers the inhibition to use WireGuard!

I installed subspace via the given docker-compose file and noticed that the quotes around IPs need to be removed:

version: "3.3"
services:
  subspace:
   image: subspacecommunity/subspace:latest
   container_name: subspace
   volumes:
    - /usr/bin/wg:/usr/bin/wg
    - /opt/docker/subspace:/data
   restart: always
   environment:
    - SUBSPACE_HTTP_HOST=subspace.example.org
    - SUBSPACE_LETSENCRYPT=true
    - SUBSPACE_HTTP_INSECURE=false
    - SUBSPACE_HTTP_ADDR=":80"
    - SUBSPACE_NAMESERVER=1.1.1.1
    - SUBSPACE_LISTENPORT=51820
    - SUBSPACE_IPV4_POOL=10.99.97.0/24
    - SUBSPACE_IPV6_POOL=fd00::10:97:0/64 # remove quotes
    - SUBSPACE_IPV4_GW=10.99.97.1 # remove quotes
    - SUBSPACE_IPV6_GW=fd00::10:97:1 # remove quotes
    - SUBSPACE_IPV6_NAT_ENABLED=1
   cap_add:
    - NET_ADMIN
   network_mode: "host"

Secondly, for people who run into the problem where the logs say

dnsmasq: failed to create listening socket for port 53: Address already in use

... you might need to disable systemd-resolved:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

In the end it might be useful to add:
/etc/modules-load.d/wireguard.conf
/etc/modules-load.d/iptable_nat.conf
/etc/modules-load.d/ip6table_nat.conf

such that the modules will be loaded when rebooting.

Allow for other users not using SAML

Is your feature request related to a problem? Please describe.
nope

Describe the solution you'd like
Ability to add other users, not just an admin user, so one can have clients that don't use SSO accounts; for example, a hosted domain on cPanel doesn't use SSO or SAML.

Describe alternatives you've considered
Can't see if this is already possible

Additional context
Add any other context or screenshots about the feature request here.

Ability to cap the number of Configurations a single user can have


name: Feature request
about: Ability to cap number of configurations a user can have

Is your feature request related to a problem? Please describe.
It would be nice to have the ability to configure the number of active configurations a single user can have from the settings page.

Describe the solution you'd like
The ability to configure the number of active configurations a single user of subspace can have at any given time. This would not apply to an admin user but again this could also be configurable.

Describe alternatives you've considered
N/A

Build for GOARCH=arm

I've successfully modified the Makefile and Dockerfile to build for GOARCH=arm:

Everything builds and runs fine, client config is generated and a Wireguard tunnel is able to be established.

Unfortunately I'm not really that familiar with Docker and building for multiple architectures. If I get it worked out I'll put together a pull request.

Makefile:

diff --git a/Makefile b/Makefile
index 4100cab..9af15ac 100644
--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,13 @@ subspace-linux-amd64:
        CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
        go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${BUILD_VERSION}" -o subspace-linux-amd64

+subspace-linux-arm:
+       go generate \
+       && go fmt \
+       && go vet --all
+       CGO_ENABLED=0 GOOS=linux GOARCH=arm \
+       go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${BUILD_VERSION}" -o subspace-linux-arm
+
 clean:
        rm -f subspace-linux-amd64 bindata.go

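Review bot: the `clean:` target at the end of the hunk still runs `rm -f subspace-linux-amd64 bindata.go`, so the new subspace-linux-arm binary is left behind after `make clean`; add it to that `rm -f` line. The new `subspace-linux-arm:` target also duplicates the amd64 recipe with only GOARCH changed; a single pattern rule (for example `subspace-linux-%:` with `GOARCH=$*`) would keep the two recipes from drifting apart as flags change.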
Dockerfile:

diff --git a/Dockerfile b/Dockerfile
index 8abaddf..2cd95e0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,12 +18,12 @@ ARG BUILD_VERSION=unknown

 ENV GODEBUG="netdns=go http2server=0"

-RUN make BUILD_VERSION=${BUILD_VERSION}
+RUN make BUILD_VERSION=${BUILD_VERSION} subspace-linux-arm

-FROM phusion/baseimage:0.11
+FROM phusion/baseimage:master-arm
 LABEL maintainer="github.com/subspacecommunity/subspace"

-COPY --from=build  /src/subspace-linux-amd64 /usr/bin/subspace
+COPY --from=build  /src/subspace-linux-arm /usr/bin/subspace
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh

 ENV DEBIAN_FRONTEND noninteractive
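Review bot: `FROM phusion/baseimage:master-arm` replaces the pinned release tag `0.11` with a moving branch tag, so the runtime base image changes underneath every rebuild and a given subspace image can no longer be reproduced or audited later; pin the arm base to a fixed release tag (or a digest) as the amd64 line did. The hunk also hard-codes arm in place of amd64 (`RUN make ... subspace-linux-arm`, `COPY --from=build /src/subspace-linux-arm`), so this Dockerfile can no longer produce the amd64 image; passing the architecture in as a build argument would let one Dockerfile serve both.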

Tested on:

➜ uname -a && lsb_release -dirc && docker --version && go version && wg --version
Linux ha 4.19.97-v7l+ #1294 SMP Thu Jan 30 13:21:14 GMT 2020 armv7l GNU/Linux
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
Docker version 19.03.8, build afacb8b
go version go1.14.2 linux/arm
wireguard-tools v1.0.20200319 - https://git.zx2c4.com/wireguard-tools/

G Suite SAML APP : app_not_configured_for_user

Hi,

I have added the IDP Metadata XML generated with the correct ACS URL and Entity ID.

But unfortunately when I try to sign in with the Google account I have the following error:

Error: app_not_configured_for_user

Service is not configured for this user.

I have configured the SAML APPs:
Name ID : Basic information / Primary Email
Name ID Format: UNSPECIFIED

The SAML app is "On for everyone" and the Subspace Docker container is behind an Nginx reverse proxy

Thanks for your help,
Clement

SUBSPACE_ALLOWED_IPS env var not used in docker

Describe the bug
There is the following section in handlers.go to set up a split-tunnel-like VPN via allowed IPs

https://github.com/subspacecommunity/subspace/blob/master/handlers.go#L406

To Reproduce

sudo docker stop subspace
sudo docker rm subspace
docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /data:/data \
    --env SUBSPACE_IPV4_POOL="10.99.97.0/24" \
    --env SUBSPACE_IPV4_GW="10.99.97.1" \
    --env SUBSPACE_ALLOWED_IPS="10.60.0.0/18,10.20.0.0/16,10.99.97.0/24" \
    --env SUBSPACE_HTTP_INSECURE="true" \
    --env SUBSPACE_LETSENCRYPT="false" \
    subspace:test
sudo docker start subspace
sudo docker logs -f subspace

Expected behavior
The allowed IPs should be set up in the config

add a wiki space

We should add a wiki space to this fork and create some documentation for setting it up in various ways. This will help others picking this project up for the first time.

I am happy to contribute to some of the documentation

Expose an API so users can be deleted without having to log in to subspace


name: API /delete/

Is your feature request related to a problem? Please describe.
It would be great if it was possible to delete a user from subspace without having to go to a webpage and use an endpoint similar to /delete

Describe the solution you'd like
Ability to send data to an endpoint such as /delete_user in order to be able to script elements of a JML process. Subspace currently suffers from the following:

  • A user can sign in to subspace, and can create a certificate
  • User leaves the company but their certificate is still valid
  • Admin user MUST log on to subspace in order to remove a user's certificates.

If the above could be automated by exposing an endpoint then this process would be simpler for Admins of subspace. This would need to be protected by an API Key which should be tied to Admins.

Describe alternatives you've considered
Log on to subspace as an admin and remove the user and their configurations
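An added example, not subspace's own code, of what an admin-scoped, API-key-protected delete endpoint like the one requested above could look like: the key is compared in constant time, the handler fails closed when no key is configured, and the response lists the profiles an operator still has to revoke from the WireGuard peer list. The route /api/users/, the SUBSPACE_ADMIN_API_KEY variable and the in-memory store are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"os"
	"strings"
	"sync"
)

// UserStore is a constructed in-memory stand-in for subspace's user and
// profile storage; it is not the project's data model.
type UserStore struct {
	mu       sync.Mutex
	profiles map[string][]string // user -> WireGuard profile IDs
}

func NewUserStore() *UserStore {
	return &UserStore{profiles: map[string][]string{}}
}

func (s *UserStore) Add(user, profileID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.profiles[user] = append(s.profiles[user], profileID)
}

func (s *UserStore) Has(user string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.profiles[user]
	return ok
}

// Remove deletes the user and returns the profile IDs the caller must also
// revoke from the WireGuard peer list; ok is false for an unknown user.
func (s *UserStore) Remove(user string) (revoked []string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	revoked, ok = s.profiles[user]
	delete(s.profiles, user)
	return revoked, ok
}

// DeleteUserHandler serves a hypothetical DELETE /api/users/<user> endpoint.
// apiKey is the admin-scoped secret; callers present it as
// "Authorization: Bearer <key>".
func DeleteUserHandler(store *UserStore, apiKey string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Authenticate before anything else so unauthenticated callers learn
		// nothing about the route. ConstantTimeCompare keeps response timing
		// independent of how many leading bytes of a guessed key matched, and
		// an empty configured key rejects everything (fail closed).
		presented := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if apiKey == "" || subtle.ConstantTimeCompare([]byte(presented), []byte(apiKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodDelete {
			w.Header().Set("Allow", http.MethodDelete)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		user := strings.TrimPrefix(r.URL.Path, "/api/users/")
		if user == "" || strings.ContainsAny(user, "/\\") {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		revoked, ok := store.Remove(user)
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		// Audit line: an admin-key action that removes access should be logged.
		log.Printf("admin API removed user %q and %d profile(s)", user, len(revoked))
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]interface{}{
			"user":             user,
			"revoked_profiles": revoked,
		})
	})
}

func main() {
	// SUBSPACE_ADMIN_API_KEY is a hypothetical variable name for this example.
	key := os.Getenv("SUBSPACE_ADMIN_API_KEY")
	if key == "" {
		log.Fatal("SUBSPACE_ADMIN_API_KEY must be set; refusing to expose the delete endpoint")
	}
	store := NewUserStore()
	store.Add("alice@example.com", "laptop") // constructed sample user
	mux := http.NewServeMux()
	mux.Handle("/api/users/", DeleteUserHandler(store, key))
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", mux))
}
```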

Adding a status page?

Is your feature request related to a problem? Please describe.
No problem, just an improvement idea

Describe the solution you'd like
Adding a status page, as I did on my fork long ago:
https://github.com/BankaiNoJutsu/subspace

Describe alternatives you've considered
Rewriting the whole thing, but why reinvent the wheel?

Additional context
I find it handy to see the transferred amount of data, handshake, etc. I had no Docker support though. Should I work on a pull request to implement this here, trying to just add the status page?

mkdir /etc/sv/dnsmasq error on starting Docker container

Ubuntu 18.04
Docker Engine 19.03.11

docker logs end with:
"mkdir: can't create directory '/etc/sv/dnsmasq': No such file or directory"

Steps to reproduce the behavior:

  1. install Ubuntu 18.04
  2. install docker-ce
  3. follow README for 'docker create' with the addition of lines for wg libraries from Issue #72
  4. docker start subspace
  5. docker logs subspace

Output:
...
+ ip addr add fd00::10:97:1/64 dev wg0
+ wg setconf wg0 /data/wireguard/server.conf
+ ip link set wg0 up
+ test -d /etc/sv/dnsmasq
+ cat
+ mkdir /etc/sv/dnsmasq
mkdir: can't create directory '/etc/sv/dnsmasq': No such file or directory

subspace won't start on ubuntu 18.04 (aws base image) /sbin/ip6tables: not found

subspace fails with
/usr/local/bin/entrypoint.sh: line 103: /sbin/ip6tables: not found

Process:
I'm using docker compose file from the README
(with SUBSPACE_HTTP_HOST set to my dns name)
I have also reproduced with manual docker create command from README
And with local docker file built from master of this repo

fails with
/usr/local/bin/entrypoint.sh: line 103: /sbin/ip6tables: not found
subspace exited with code 127

NOTE:
on this host /sbin/ip6tables was a symlink to
/sbin/ip6tables -> xtables-multi
I don't need ipv6 support so I'd be open to turning that off
though setting
SUBSPACE_IPV6_NAT_ENABLED=0
This seems to have no effect
On a lark I also copied xtables-multi to /sbin/ip6tables just in case it was the symlink causing the trouble (no dice)

To Reproduce

  1. Copy the default docker-compose file from https://github.com/subspacecommunity/subspace/blob/master/README.md
  2. Change - SUBSPACE_HTTP_HOST to your FQDN
  3. docker-compose up
  4. See error /usr/local/bin/entrypoint.sh: line 103: /sbin/ip6tables: not found

Expected behavior
I would expect setting SUBSPACE_IPV6_NAT_ENABLED=0 to disable ipv6 (this does not happen)
Or, failing that, that it works with IPv6
Or, failing that, to fail gracefully when attempting to configure IPv6 and simply work with IPv4

  • OS: Ubuntu 18.04 (default AWS image)

Additional context
I tried modifying entrypoint.sh to comment out all the IPv6 commands (lines 76-89 and 101-108).
I then get a different error (wg not present) but that's a different issue I suppose.

Let's Encrypt Account creation on ACMEv1 is disabled

When starting a fresh instance of the Subspace Docker container, it is unable to generate a Let's Encrypt SSL certificate because it uses ACMEv1, and as of now Let's Encrypt supports only ACMEv2.

Exact error from the logs:

2020/05/23 18:56:08 http: TLS handshake error from 123.123.123.123:62878: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
2020/05/23 18:56:08 http: TLS handshake error from 123.123.123.123:62879: acme/autocert: missing certificate

Steps to reproduce the behavior:

  1. Create a fresh new Ubuntu 18.04 server
  2. Follow all of the steps from the documentation
  3. Start a new container
  4. Check the logs

Proposal - Gophers Slack.

Hey, I think it may be a good idea to make a channel on Gophers Slack specifically for subspace. It would be a way to have ad-hoc discussions and potentially help drive up maintainers.

http-insecure ignored

Describe the bug
Trying to bind to http://localhost without HTTPS, relying on a proper reverse proxy to offload SSL and send traffic to subspace. This results in an HTTPS redirection each time.

To Reproduce

$ git clone https://github.com/subspacecommunity/subspace.git \
&& cd subspace \
&& go get -d \
&& make \
&& go install \
&& /root/go/bin/subspace -datadir /data/subspace   -http-insecure -http-addr 127.0.0.1:80 -http-host foo.bar.baz -letsencrypt false
INFO[0000] Subspace version:  https://foo.bar.baz/ 

and then:

$ curl 127.1
<a href="https://foo.bar.baz/">Found</a>.

$ curl 127.1 -i
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://foo.bar.baz/
Date: Wed, 27 May 2020 14:38:34 GMT
Content-Length: 43

<a href="https://foo.bar.baz/">Found</a>

Expected behavior
Not being redirected to https

Desktop (please complete the following information):

  • OS: debian 10

`wg`: not found

The wg binary cannot be found inside the Docker container, although the volume mount is specified in my docker run command. I also tried it via the example docker-compose variant, no luck.

I double checked locally: wg is installed at /usr/bin/wg and it's not a symlink somewhere.

I'm at my wits' end as to why, in entrypoint.sh:139, while running, it can't find the wg binary.

Any idea what's going on here?

  • Ubuntu 18.04 Server x64
  • Docker 19.03.8

ip6table fails and we can't start the daemon

Describe the bug

While starting subspace from docker, ip6table command fails and I can't start the daemon:

And also, inserted v4 rules are not cleaned up and are left behind after the command 😅

To Reproduce

  • I used the latest docker image (8825e8dfbe8f)
  • Enable SUBSPACE_IPV6_NAT_ENABLED=1
  • Try to start the subspace via docker-compose run --rm

Expected behavior

I can start the daemon.

Screenshots

Here is a log:

$ cat docker-compose.yml
...
  wg:
    image: subspacecommunity/subspace:latest
    container_name: subspace
    volumes:
      - ./wg:/data
    restart: always
    environment:
      - SUBSPACE_HTTP_HOST=******
      - SUBSPACE_LETSENCRYPT=false
      - SUBSPACE_HTTP_INSECURE=true
      - SUBSPACE_HTTP_ADDR="localhost:8080"
      - SUBSPACE_NAMESERVER=8.8.8.8
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
      - SUBSPACE_IPV4_GW=10.99.97.1
      - SUBSPACE_IPV6_GW=fd00::10:97:1
      - SUBSPACE_IPV6_NAT_ENABLED=1
    cap_add:
      - NET_ADMIN
    network_mode: "host"

$ docker-compose run --rm wg
+ '[' -z (hostname) ]
+ '[' -z  ]
+ export 'SUBSPACE_BACKLINK='
+ '[' -z 10.99.97.0/24 ]
+ '[' -z fd00::10:97:0/64 ]
+ '[' -z 8.8.8.8 ]
+ '[' -z false ]
+ '[' -z '":80"' ]
+ '[' -z 51820 ]
+ '[' -z true ]
+ export 'DEBIAN_FRONTEND=noninteractive'
+ '[' -z 10.99.97.1 ]
+ '[' -z fd00::10:97:1 ]
+ '[' -z 1 ]
+ echo 'nameserver 8.8.8.8'
+ '[' -z  ]
+ /sbin/iptables -t nat --check POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
iptables: No chain/target/match by that name.
+ /sbin/iptables -t nat --append POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
+ /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
+ /sbin/iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ /sbin/iptables --check FORWARD -s 10.99.97.0/24 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
+ /sbin/iptables --append FORWARD -s 10.99.97.0/24 -j ACCEPT
+ '[[' 1 -gt 0 ]]
+ /sbin/ip6tables -t nat --check POSTROUTING -s fd00::10:97:0/64 -j MASQUERADE
modprobe: can't change directory to '/lib/modules': No such file or directory
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
+ /sbin/ip6tables -t nat --append POSTROUTING -s fd00::10:97:0/64 -j MASQUERADE
modprobe: can't change directory to '/lib/modules': No such file or directory
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

Additional context

It looks like we also have to install the kmod package (see moby/moby#33605).

Installation stuck at [ /usr/local/bin/entrypoint.sh: line 157: wg: not found ]

Describe the bug
When running the docker container for the first time, the boot up stops at

/usr/local/bin/entrypoint.sh: line 157: wg: not found

To Reproduce
Follow the installation procedure of subspace

Expected behavior
No error in logs

Desktop (please complete the following information):

  • OS: Ubuntu 18.04, fresh installation on a Linode VPS.

Successful login does not continue past /signin

Describe the bug
Successful auth just goes back to the "Admin Sign In"

I currently use Docker-compose to run the server and here are the details of the docker-compose:

version: "3.7"
services:
  subspace:
    image: subspacecloud/subspace:latest
    container_name: subspace
    volumes:
      - /usr/bin/wg:/usr/bin/wg
      - /srv/app/wireguard:/data
    restart: always
    expose:
      - 8080
    ports:
      - "553:53"
    environment:
      - SUBSPACE_HTTP_HOST=space.xxx
      - SUBSPACE_LETSENCRYPT=false
      - SUBSPACE_HTTP_INSECURE=false
      - SUBSPACE_HTTP_ADDR=":8080"
      - SUBSPACE_NAMESERVER=1.1.1.1
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
      - SUBSPACE_IPV4_GW=10.99.97.1
      - SUBSPACE_IPV6_GW=fd00::10:97:1
      - SUBSPACE_IPV6_NAT_ENABLED=1
      - VIRTUAL_HOST=vpn.xxx
      - VIRTUAL_PORT=8080
      - LETSENCRYPT_HOST=vpn.xxx
      - LETSENCRYPT_EMAIL=it@xxx
    cap_add:
      - NET_ADMIN
    network_mode: "host"

running on kubernetes

I took the suggested docker-compose file and used convert to implement it on k8s.
It created 3 files:
cat subspace-claim0-persistentvolumeclaim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: null
  labels:
    io.kompose.service: subspace-claim0
  name: subspace-claim0
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
status: {}

and:
cat subspace-claim1-persistentvolumeclaim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: null
  labels:
    io.kompose.service: subspace-claim1
  name: subspace-claim1
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
status: {}

and:
cat subspace-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert -f subspace-compose.yml
    kompose.version: 1.21.0 (992df58d8)
  creationTimestamp: null
  labels:
    io.kompose.service: subspace
  name: subspace
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: subspace
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert -f subspace-compose.yml
        kompose.version: 1.21.0 (992df58d8)
      creationTimestamp: null
      labels:
        io.kompose.service: subspace
    spec:
      containers:
        - env:
            - name: SUBSPACE_HTTP_ADDR
              value: '":80"'
            - name: SUBSPACE_HTTP_HOST
              value: subspace.optimcloud.com
            - name: SUBSPACE_HTTP_INSECURE
              value: "true"
            - name: SUBSPACE_IPV6_NAT_ENABLED
              value: "1"
            - name: SUBSPACE_LETSENCRYPT
              value: "false"
            - name: SUBSPACE_LISTENPORT
              value: "51821"
            - name: SUBSPACE_NAMESERVER
              value: 1.1.1.1
          image: subspacecommunity/subspace:latest
          imagePullPolicy: ""
          name: subspace
          resources: {}
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - mountPath: /usr/bin/wg
              name: subspace-claim0
            - mountPath: /data
              name: subspace-claim1
      restartPolicy: Always
      serviceAccountName: ""
      volumes:
        - name: subspace-claim0
          persistentVolumeClaim:
            claimName: subspace-claim0
        - name: subspace-claim1
          persistentVolumeClaim:
            claimName: subspace-claim1
status: {}

kubectl apply works for both volume claims, no problem.

However, here is the log output for subspace-deployment.yaml:
kubectl logs -f subspace-67c9475df9-rh6gx -n default

+ '[' -z subspace.domainedited.com ']'
+ '[' -z '' ']'
+ export SUBSPACE_BACKLINK=
+ SUBSPACE_BACKLINK=
+ '[' -z '' ']'
+ export SUBSPACE_IPV4_POOL=10.99.97.0/24
+ SUBSPACE_IPV4_POOL=10.99.97.0/24
+ '[' -z '' ']'
+ export SUBSPACE_IPV6_POOL=fd00::10:97:0/112
+ SUBSPACE_IPV6_POOL=fd00::10:97:0/112
+ '[' -z 1.1.1.1 ']'
+ '[' -z false ']'
+ '[' -z '":80"' ']'
+ '[' -z 51821 ']'
+ '[' -z true ']'
+ export DEBIAN_FRONTEND=noninteractive
+ DEBIAN_FRONTEND=noninteractive
+ '[' -z '' ']'
++ echo 10.99.97.0/24
++ cut -d / -f1
++ sed 's/.0$/./g'
+ export SUBSPACE_IPV4_PREF=10.99.97.
+ SUBSPACE_IPV4_PREF=10.99.97.
++ echo 10.99.97.1
+ export SUBSPACE_IPV4_GW=10.99.97.1
+ SUBSPACE_IPV4_GW=10.99.97.1
+ '[' -z '' ']'
++ echo fd00::10:97:0/112
++ sed 's/:0$/:/g'
++ cut -d / -f1
+ export SUBSPACE_IPV6_PREF=fd00::10:97:
+ SUBSPACE_IPV6_PREF=fd00::10:97:
++ echo fd00::10:97:1
+ export SUBSPACE_IPV6_GW=fd00::10:97:1
+ SUBSPACE_IPV6_GW=fd00::10:97:1
+ '[' -z 1 ']'
+ echo 'nameserver 1.1.1.1'
+ /sbin/iptables -t nat --check POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
+ /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ /sbin/iptables --check FORWARD -s 10.99.97.0/24 -j ACCEPT
+ [[ 1 -gt 0 ]]
+ /sbin/ip6tables -t nat --check POSTROUTING -s fd00::10:97:0/112 -j MASQUERADE
+ /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ /sbin/ip6tables --check FORWARD -s fd00::10:97:0/112 -j ACCEPT
+ /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/24 -p udp --dport 53 -j DNAT --to 10.99.97.1:53
+ /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/24 -p tcp --dport 53 -j DNAT --to 10.99.97.1:53
+ /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/112 -p udp --dport 53 -j DNAT --to fd00::10:97:1
+ /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/112 -p tcp --dport 53 -j DNAT --to fd00::10:97:1
+ test -d /data/wireguard
+ cat
++ cat /data/wireguard/server.private
+ cat /data/wireguard/peers/null.conf
+ ip link show wg0
240: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/none
+ ip link del wg0
+ ip link add wg0 type wireguard
++ cut -d / -f2
++ echo 10.99.97.0/24
+ export SUBSPACE_IPV4_CIDR=24
+ SUBSPACE_IPV4_CIDR=24
+ ip addr add 10.99.97.1/24 dev wg0
++ cut -d / -f2
++ echo fd00::10:97:0/112
+ export SUBSPACE_IPV6_CIDR=112
+ SUBSPACE_IPV6_CIDR=112
+ ip addr add fd00::10:97:1/112 dev wg0
RTNETLINK answers: Permission denied

any help for kubernetes users?

Unable to get SSO with JumpCloud working

TL;DR has anyone got this working with JumpCloud?

I have been trying to get SAML SSO Setup with JumpCloud as the IDP (Identity provider) and this being the SP (Service provider).

Using this with Google, it works fine, but with JumpCloud I keep getting SAML errors. Has anyone managed to get this to work?

I have raised this in the original repo, but I no longer know if that is maintained:
https://github.com/subspacecloud/subspace/issues/66

build broken

current master does not build:

╰─➤  go build .
# github.com/subspacecommunity/subspace
./mailer.go:91:27: undefined: AssetNames
./mailer.go:96:13: undefined: Asset
./web.go:109:27: undefined: AssetNames
./web.go:114:13: undefined: Asset
./web.go:253:12: undefined: Asset
./web.go:258:13: undefined: AssetInfo

Proposal CI

Hi, I suggest we sign up to something like CircleCI or Travis for the organisation; from that we can do CI linting using golangci-lint and confirm Docker builds are correct.

Any thoughts on which service / checks we should do on PRs ?

unable to add new profiles

Background

Description

When adding new profiles on the frontend I get "Adding device failed" as an error

Steps to reproduce

  • Pull down master, rebuild and run it
  • attempt to add a profile to a user

Error message

template: template:29:16: executing "template" at <$.allowedips>: can't evaluate field allowedips in type struct { Profile main.Profile; EndpointHost string; Datadir string; IPv4Gw string; IPv6Gw string; IPv4Pref string; IPv6Pref string; IPv4Cidr string; IPv6Cidr string; Listenport string; AllowedIPS string }
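The error above is Go's text/template failing at execute time, not at parse time: the template asks for `.allowedips` while the data struct exposes the exported field `AllowedIPS`, and template field lookup is case-sensitive. This added example (not subspace's own code) reproduces that failure next to the corrected template, and also validates an AllowedIPs value such as the SUBSPACE_ALLOWED_IPS list from the earlier split-tunnel issue before it is written into a peer config; PeerData and the two template strings are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
	"text/template"
)

// PeerData is a constructed stand-in for the anonymous struct named in the
// error message; only the fields this example renders are included.
type PeerData struct {
	EndpointHost string
	Listenport   string
	AllowedIPS   string
}

// brokenTmpl references the field in lower case, as the failing template did.
const brokenTmpl = `[Peer]
Endpoint = {{ $.EndpointHost }}:{{ $.Listenport }}
AllowedIPs = {{ $.allowedips }}
`

// fixedTmpl uses the exported field name exactly as declared on the struct.
const fixedTmpl = `[Peer]
Endpoint = {{ $.EndpointHost }}:{{ $.Listenport }}
AllowedIPs = {{ $.AllowedIPS }}
`

// Render parses and executes src against data. Parse does not know the data
// type, so a misspelled field is only reported by Execute, which is why the
// UI surfaces it as a generic "Adding device failed".
func Render(src string, data PeerData) (string, error) {
	t, err := template.New("peer").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ValidateAllowedIPs splits a comma-separated AllowedIPs value (the default
// "0.0.0.0/0, ::/0" or a split-tunnel list) and rejects anything that is not
// a CIDR, so a bad environment value cannot reach the generated config.
func ValidateAllowedIPs(s string) ([]string, error) {
	var out []string
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if _, _, err := net.ParseCIDR(item); err != nil {
			return nil, fmt.Errorf("allowed IPs entry %q: %w", item, err)
		}
		out = append(out, item)
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("allowed IPs list is empty")
	}
	return out, nil
}

func main() {
	// Constructed sample data.
	data := PeerData{EndpointHost: "vpn.example.org", Listenport: "51820", AllowedIPS: "0.0.0.0/0, ::/0"}
	if _, err := Render(brokenTmpl, data); err != nil {
		fmt.Println("broken template:", err)
	}
	if _, err := ValidateAllowedIPs(data.AllowedIPS); err != nil {
		fmt.Println("invalid AllowedIPs:", err)
		return
	}
	out, err := Render(fixedTmpl, data)
	if err != nil {
		fmt.Println("fixed template:", err)
		return
	}
	fmt.Print(out)
}
```

Rendering every template once against a representative struct in a unit test is what turns this class of bug into a build-time failure instead of a runtime one.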

use wireguard running on another container instead of host

Hi, congrats for the fork, I really like the project but looked indeed stale for a while.

I have one question that might turn into a feature request.

Is there a way to use subspace alongside another container running wireguard?
For example the guys at Linuxserver have a neat image that works out of the box without installing wg modules on the host [1].
Would it be possible/good idea to find a way to have that container only handling the network stuff and subspace the UI/configuration?

[1] https://github.com/linuxserver/docker-wireguard

Missing trademark

The original project does not have this but we should honour the WireGuard trademark and ensure the project and server contains

WireGuard is a registered trademark of Jason A. Donenfeld. 

HOWTO without Docker ?

Hello, is there a way to run subspace without Docker? What would be the steps/instructions for that, if possible?

Thank you, A.

Inconsistency within -help doc

This might just be a simple ignorant PEBKAC error, but the error message --http-host flag is required doesn't match the help docs below, which indicate that the flag is -http-host (one hyphen prefix). Perhaps either will technically work; I'm not familiar enough with Go to say.

ERROR: --http-host flag is required
Usage: ./subspace-linux-amd64 --http-host subspace.example.com

  -backlink string
    	backlink (optional)
  -datadir string
    	data dir (default "/data")
  -debug
    	debug mode
  -help
    	display help and exit
  -http-addr string
    	HTTP listen address (default ":80")
  -http-host string
    	HTTP host
  -http-insecure
    	enable sessions cookies for http (no https) not recommended
  -letsencrypt
    	enable TLS using Let's Encrypt on port 443 (default true)
  -version
    	display version and exit

To Reproduce

  1. Clone latest master
  2. make and run without the flag

Add ability to toggle default masquerade

Background

Description

Make it possible to disable the automatic iptables masquerade settings so that the user of subspace can have more control over the connections to WireGuard.

Why?
I would like clients to be able to connect to the server after they have acquired a Wireguard.conf from subspace, but not be able to use the tunnel until they have authenticated via a push notification. Once they have done this second step of authentication, I will then update the iptables to allow their client IP through.

This is done by monitoring the last_handshake from wg show wg0 dump for each IP address and mapping it to the relevant client in order to send a push notification.

Desired Change

Make it possible to disable the iptables masquerade settings with a flag/env variable.
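An added example (not code from subspace or from the issue author) of the polling step described above: it parses the peer lines of wg show wg0 dump output and lists the allowed-ips of peers that recently completed a handshake but are not yet in the set that passed the second authentication step. The sample dump, its keys, and the Peer and pendingAuth names are constructed for the example.

```go
package main

import (
	"strconv"
	"strings"
)

// Peer keeps the fields of one `wg show <iface> dump` peer line that the gating needs;
// lines are tab-separated: public-key, preshared-key, endpoint, allowed-ips,
// latest-handshake (unix seconds, 0 = never), transfer-rx, transfer-tx, keepalive.
type Peer struct {
	PublicKey     string
	AllowedIPs    []string
	LastHandshake int64 // unix seconds; 0 when the peer never completed a handshake
}

// sampleDump is constructed output with fake keys: one interface line, two peers.
const sampleDump = "IFACEPRIV\tIFACEPUB\t51820\toff\n" +
	"PEER1PUB\t(none)\t203.0.113.5:40123\t192.168.123.2/32,fd00::10:97:2/128\t1700000000\t1024\t2048\toff\n" +
	"PEER2PUB\t(none)\t(none)\t192.168.123.3/32\t0\t0\t0\toff\n"

// parseWgDump skips the interface line and malformed lines rather than failing a poll.
func parseWgDump(out string) []Peer {
	var peers []Peer
	for i, line := range strings.Split(strings.TrimSpace(out), "\n") {
		f := strings.Split(line, "\t")
		if i == 0 || len(f) < 8 {
			continue
		}
		if ts, err := strconv.ParseInt(f[4], 10, 64); err == nil {
			peers = append(peers, Peer{PublicKey: f[0], AllowedIPs: strings.Split(f[3], ","), LastHandshake: ts})
		}
	}
	return peers
}

// pendingAuth returns the allowed-ips of peers that handshook within window seconds
// of now but are not yet authorised: the clients to prompt before opening the firewall.
func pendingAuth(peers []Peer, authorised map[string]bool, now, window int64) []string {
	var pending []string
	for _, p := range peers {
		if p.LastHandshake == 0 || now-p.LastHandshake > window {
			continue
		}
		for _, ip := range p.AllowedIPs {
			if !authorised[ip] {
				pending = append(pending, ip)
			}
		}
	}
	return pending
}
```

Run parseWgDump on the captured output of wg show wg0 dump on each poll and feed the result to pendingAuth with the current time; only the IPs it returns need a push notification.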

Does the resource requirement grow linearly with respect to the number of users?

First of all, I finished installing this and tried it. It's incredible. Hats off for the cool work. However, I am wondering whether the minimum resource of 512 MB RAM is exceeded as the number of users grows? How many simultaneous connections without dropping the quality can subspace serve at the minimum config? The purpose is to pick the lowest AWS node for deployment.

go get fails at samlSP.GetAuthorizationToken undefined

I was excited to try this project so I did a 'go get' and the build fails. The log is below.

$ go version
go version go1.14.3 linux/arm64
$ go get github.com/subspacecommunity/subspace
# github.com/subspacecommunity/subspace
go/src/github.com/subspacecommunity/subspace/handlers.go:33:20: samlSP.GetAuthorizationToken undefined (type *samlsp.Middleware has no field or method GetAuthorizationToken)
go/src/github.com/subspacecommunity/subspace/handlers.go:38:8: samlSP.RequireAccountHandler undefined (type *samlsp.Middleware has no field or method RequireAccountHandler)
go/src/github.com/subspacecommunity/subspace/mailer.go:91:27: undefined: AssetNames
go/src/github.com/subspacecommunity/subspace/mailer.go:96:13: undefined: Asset
go/src/github.com/subspacecommunity/subspace/web.go:109:27: undefined: AssetNames
go/src/github.com/subspacecommunity/subspace/web.go:114:13: undefined: Asset
go/src/github.com/subspacecommunity/subspace/web.go:190:22: samlSP.GetAuthorizationToken undefined (type *samlsp.Middleware has no field or method GetAuthorizationToken)
go/src/github.com/subspacecommunity/subspace/web.go:191:23: undefined: samlsp.WithToken
go/src/github.com/subspacecommunity/subspace/web.go:253:12: undefined: Asset
go/src/github.com/subspacecommunity/subspace/web.go:258:13: undefined: AssetInfo
go/src/github.com/subspacecommunity/subspace/web.go:258:13: too many errors

Update Screenshots

We should update the screenshots to include changes to the UI since they were previously taken.

Impossible to disable ipv6 on docker

Description

Subspace's Docker container has no documented option to disable IPv6. Default values on a host with explicitly disabled IPv6 make the container crash:

+ ip addr add fd00::10:97:1/112 dev wg0
RTNETLINK answers: Permission denied

Reproduce

sysctl -w net.ipv6.conf.all.disable_ipv6=1

Then run the community Docker image with these environment variables:

SUBSPACE_HTTP_HOST="subspace.example.com"
SUBSPACE_HTTP_ADDR="127.0.0.1"
SUBSPACE_LETSENCRYPT=false
SUBSPACE_HTTP_INSECURE=true
SUBSPACE_NAMESERVER="1.1.1.1"
SUBSPACE_LISTENPORT="51820" 
SUBSPACE_IPV4_POOL="192.168.123.0/24"
SUBSPACE_IPV4_GW="192.168.123.1"
SUBSPACE_IPV6_NAT_ENABLED=0

Expected behavior

IPv6 not being enabled.

Max profiles for admin

Describe the bug
Admin is limited to 10 profiles.

To Reproduce
Steps to reproduce the behavior:

  1. Go to subspace page
  2. Login as admin
  3. Create 10 profiles
  4. Try to create an 11th one; this will fail

Expected behavior
Admin has no limit on the number of profiles.

Desktop (please complete the following information):

  • OS: Arch Linux
  • Browser: Firefox
  • Version: 77

Additional context
profileAddHandler is expecting the form parameter admin to be yes, but my browser is not sending admin at all. I can manually edit the HTTP request to send these parameters:

name=new_user&platform=yes&admin=yes

I can add as many users as I want with this; this does not seem secure at all.
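An added example, not subspace's own code, showing the trust problem this report describes beside its fix: the check that honours a client-supplied admin form field, and a hardened check that takes the admin bit from the server-side session instead. The session type, ctxKey, the profileCounts store and the hypothetical handler (named after the one in the report) are assumptions made for the example.

```go
package main

import "net/http"

// session is a constructed stand-in for the server-side session (not subspace's own type).
type session struct {
	UserID string
	Admin  bool
}

type ctxKey struct{}             // context key under which auth middleware stores the session
type profileCounts map[string]int // constructed stand-in for the datastore: user -> profiles

const maxProfilesPerUser = 10 // the non-admin limit the report describes

// canAddProfileVulnerable mirrors the report: a client-supplied form field decides
// whether the limit applies, so a rewritten request body bypasses it.
func canAddProfileVulnerable(db profileCounts, sess session, r *http.Request) bool {
	if r.FormValue("admin") == "yes" {
		return true
	}
	return db[sess.UserID] < maxProfilesPerUser
}

// canAddProfileHardened consults only server-side state: the admin bit stored in
// the session, which the client cannot change by editing its request.
func canAddProfileHardened(db profileCounts, sess session) bool {
	return sess.Admin || db[sess.UserID] < maxProfilesPerUser
}

// profileAddHandler is a hypothetical handler using the hardened check; auth
// middleware is assumed to have placed the session in the request context.
func profileAddHandler(db profileCounts) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sess, ok := r.Context().Value(ctxKey{}).(session)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !canAddProfileHardened(db, sess) {
			http.Error(w, "profile limit reached", http.StatusForbidden)
			return
		}
		db[sess.UserID]++
		w.WriteHeader(http.StatusCreated)
	}
}
```

With the hardened handler the request body from the report (name=new_user&platform=yes&admin=yes) still yields 403 for a non-admin session with 10 profiles, because the admin field is never read.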
