subspacecommunity / subspace
This project forked from subspacecloud/subspace
A fork of the simple WireGuard VPN server GUI community maintained
License: MIT License
I get this error in the docker logs after a fresh install of ubuntu 18.04.
dnsmasq: failed to create listening socket for port 53: Address already in use
What am I doing wrong?
Is your feature request related to a problem? Please describe.
Better communication with the community
Describe the solution you'd like
Ability to communicate with the community via Slack
Describe alternatives you've considered
Continue to use Github Issues
Sometimes you might want to manage iptables yourself and be using a firewall that clears all current rules.
Similar to Pi-hole, if a network-wide ad blocker could be integrated, with the option to turn it ON and OFF, it would be a nice-to-have feature. Not sure if it's beyond the scope of this project.
We should add ISSUE Templates and Pull Request Templates in order to set out a standard format of what to expect a PR to look like or how to open a useful issue
Running this on Docker on CentOS 8, I see 0 ports listening with docker ps. I also see 0 ports being provisioned in the instructions, so how does one get this running on a VM so I can test it? Maybe clearer instructions are required, as the documents I followed don't appear to provide any ports via Docker.
Describe the bug
Environment variables are deleted by bin/my_init
To Reproduce
Some environment variables are used in handlers.go, for example on this line. allowedips is always "0.0.0.0/0, ::/0" even if I set SUBSPACE_ALLOWED_IPS when creating the docker image. The rest of the variables behave the same way.
Expected behavior
Variables set when creating a docker image will be used by subspace.
Desktop (please complete the following information):
Additional context
This line is executing runsvdir with a clean env.
Describe the bug
I cannot start the docker container. It exits with the message RTNETLINK answers: Not supported.
To Reproduce
Steps to reproduce the behavior:
version: "3.3"
services:
  subspace:
    image: subspacecommunity/subspace:latest
    container_name: subspace
    volumes:
      - /usr/bin/wg:/usr/bin/wg
      - /srv/subspace/data:/data
    restart: always
    environment:
      - SUBSPACE_HTTP_HOST=vpn.dynamicdns.hostname
      - SUBSPACE_LETSENCRYPT=false
      - SUBSPACE_HTTP_INSECURE=true
      - SUBSPACE_HTTP_ADDR=":80"
      - SUBSPACE_NAMESERVER=192.168.1.1
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
      - SUBSPACE_IPV4_GW=10.99.97.1
      - SUBSPACE_IPV6_GW=fd00::10:97:1
      - SUBSPACE_IPV6_NAT_ENABLED=0
    cap_add:
      - NET_ADMIN
    network_mode: "host"
docker-compose up --force-recreate
Expected behavior
A functional subspace container should start.
Actual behavior
root@vpn:/srv/subspace# docker-compose up --force-recreate
Recreating subspace ... done
Attaching to subspace
subspace | + '[' -z vpn.dynamicdns.hostname ]
subspace | + '[' -z ]
subspace | + export 'SUBSPACE_BACKLINK='
subspace | + '[' -z 10.99.97.0/24 ]
subspace | + '[' -z fd00::10:97:0/64 ]
subspace | + '[' -z 192.168.1.1 ]
subspace | + '[' -z false ]
subspace | + '[' -z '":80"' ]
subspace | + '[' -z 51820 ]
subspace | + '[' -z true ]
subspace | + export 'DEBIAN_FRONTEND=noninteractive'
subspace | + '[' -z 10.99.97.1 ]
subspace | + '[' -z fd00::10:97:1 ]
subspace | + '[' -z 0 ]
subspace | + echo 'nameserver 192.168.1.1'
subspace | + '[' -z ]
subspace | + /sbin/iptables -t nat --check POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
subspace | + /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
subspace | + /sbin/iptables --check FORWARD -s 10.99.97.0/24 -j ACCEPT
subspace | + '[[' 0 -gt 0 ]]
subspace | + /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/24 -p udp --dport 53 -j DNAT --to 10.99.97.1:53
subspace | + /sbin/iptables -t nat --check OUTPUT -s 10.99.97.0/24 -p tcp --dport 53 -j DNAT --to 10.99.97.1:53
subspace | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/64 -p udp --dport 53 -j DNAT --to fd00::10:97:1
subspace | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd00::10:97:0/64 -p tcp --dport 53 -j DNAT --to fd00::10:97:1
subspace | + test -d /data/wireguard
subspace | + cat
subspace | + cat /data/wireguard/server.private
subspace | + cat /data/wireguard/peers/null.conf
subspace | + ip link show wg0
subspace | + ip link add wg0 type wireguard
subspace | RTNETLINK answers: Not supported
Additional context
Server OS: Ubuntu 18.04
root@vpn:/srv/subspace# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
subspacecommunity/subspace latest 8825e8dfbe8f 2 days ago 38.4MB
I set SUBSPACE_IPV6_NAT_ENABLED=0
because I am not using IPV6 in my internal network.
I tried just commenting out the IPV6 environment variables, but then the iptable rules didn't apply, and it errored out due to that.
I have DD-WRT on my router between my network and the WAN. My dynamic DNS address resolves to my ISP-provided DHCP address outside my network. Inside I've set it to the Ubuntu VM I'm using to host subspace. But I have had odd issues where my desktop resolves the DNS address to my WAN IP.... That said, the Ubuntu VM does resolve its own dynamic DNS address to its internal IP.
Oh, and DD-WRT is set to forward ports 80 and 443 to the internal ip of the Ubuntu VM.
Any ideas what my issue is?
Firstly, thanks for your work it seems to work really great and lowers the inhibition to use wireguard!
I installed subspace via the given docker-compose file and noticed, that the quotes around IPs need to be removed:
version: "3.3"
services:
  subspace:
    image: subspacecommunity/subspace:latest
    container_name: subspace
    volumes:
      - /usr/bin/wg:/usr/bin/wg
      - /opt/docker/subspace:/data
    restart: always
    environment:
      - SUBSPACE_HTTP_HOST=subspace.example.org
      - SUBSPACE_LETSENCRYPT=true
      - SUBSPACE_HTTP_INSECURE=false
      - SUBSPACE_HTTP_ADDR=":80"
      - SUBSPACE_NAMESERVER=1.1.1.1
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64 # remove quotes
      - SUBSPACE_IPV4_GW=10.99.97.1 # remove quotes
      - SUBSPACE_IPV6_GW=fd00::10:97:1 # remove quotes
      - SUBSPACE_IPV6_NAT_ENABLED=1
    cap_add:
      - NET_ADMIN
    network_mode: "host"
Secondly, for people who run into the problem where the logs say
dnsmasq: failed to create listening socket for port 53: Address already in use
... you might need to disable systemd-resolved:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
In the end it might be useful to add:
/etc/modules-load.d/wireguard.conf
/etc/modules-load.d/iptable_nat.conf
/etc/modules-load.d/ip6table_nat.conf
such that the modules will be loaded when rebooting.
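A preflight check for the port 53 conflict described in this post and in the earlier report on this page, as an added Go example that is not part of subspace: it parses the kernel's /proc/net/udp table (the constructed sample below stands in for the real file) and reports which address already owns 53/udp. 127.0.0.53 is the address systemd-resolved's stub listener binds by default, and setting DNSStubListener=no in a resolved.conf drop-in frees the port while leaving the host's own name resolution working, which stopping the whole service does not. The drop-in file name and the message strings are this example's choices, not subspace's.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// Constructed sample of /proc/net/udp, not captured from a real host: one
// socket on 127.0.0.53:53 (the address systemd-resolved's stub listener
// binds by default) and an unrelated DHCP client socket on port 68.
const sampleProcNetUDP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 21485 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18210 2 0000000000000000 0
`

// parseProcNetUDP returns the local IPv4 address of every socket in a
// /proc/net/udp table bound to port. The kernel prints the address as eight
// hex digits in host byte order (little-endian on x86 and ARM) and the port
// as four hex digits.
func parseProcNetUDP(table string, port int) ([]string, error) {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] == "sl" {
			continue // header line or blank line
		}
		addrPort := strings.Split(fields[1], ":")
		if len(addrPort) != 2 {
			return nil, fmt.Errorf("malformed local_address %q", fields[1])
		}
		p, err := strconv.ParseUint(addrPort[1], 16, 16)
		if err != nil {
			return nil, err
		}
		if int(p) != port {
			continue
		}
		raw, err := strconv.ParseUint(addrPort[0], 16, 32)
		if err != nil {
			return nil, err
		}
		// Host byte order: the lowest byte is the first octet.
		ip := net.IPv4(byte(raw), byte(raw>>8), byte(raw>>16), byte(raw>>24))
		hits = append(hits, ip.String())
	}
	return hits, sc.Err()
}

// diagnose turns the listener list into the action a deployer needs. Keeping
// systemd-resolved but turning off its stub listener leaves the host's own
// resolution intact, unlike stopping the service.
func diagnose(listeners []string) string {
	switch {
	case len(listeners) == 0:
		return "port 53/udp is free"
	case contains(listeners, "127.0.0.53"):
		return "systemd-resolved stub listener owns 127.0.0.53:53; " +
			"set DNSStubListener=no in /etc/systemd/resolved.conf.d/dnsmasq.conf " +
			"and restart systemd-resolved before starting the container"
	default:
		return "another resolver owns 53/udp on " + strings.Join(listeners, ", ") +
			"; stop it or move it off the port dnsmasq needs"
	}
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	data, err := os.ReadFile("/proc/net/udp")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	hits, err := parseProcNetUDP(string(data), 53)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(diagnose(hits))
}
```

Run it on the host before starting the container; a wildcard bind by dnsmasq fails as soon as any address on the host already holds 53/udp, so a single 127.0.0.53 entry is enough to produce the error quoted above.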
Is your feature request related to a problem? Please describe.
nope
Describe the solution you'd like
Ability to add other users, not just an admin user, so you can have clients that don't use SSO accounts; for example, a hosted domain on cPanel doesn't use SSO or SAML.
Describe alternatives you've considered
Can't see if this is already possible.
Additional context
Add any other context or screenshots about the feature request here.
Is your feature request related to a problem? Please describe.
It would be nice to have the ability to configure the number of active configurations a single user can have from the settings page.
Describe the solution you'd like
The ability to configure the number of active configurations a single user of subspace can have at any given time. This would not apply to an admin user, but again this could also be configurable.
Describe alternatives you've considered
N\A
macOS requires a different naming convention for wireguard interfaces.
Rather than use bash scripts, has there been any discussion on using wireguard-go directly ?
I've successfully modified the Makefile and Dockerfile to build for GOARCH=arm:
Everything builds and runs fine, client config is generated and a Wireguard tunnel is able to be established.
Unfortunately I'm not really that familiar with Docker and building for multiple architectures. If I get it worked out I'll put together a pull request.
Makefile
diff --git a/Makefile b/Makefile
index 4100cab..9af15ac 100644
--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,13 @@ subspace-linux-amd64:
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${BUILD_VERSION}" -o subspace-linux-amd64
+subspace-linux-arm:
+ go generate \
+ && go fmt \
+ && go vet --all
+ CGO_ENABLED=0 GOOS=linux GOARCH=arm \
+ go build -v --compiler gc --ldflags "-extldflags -static -s -w -X main.version=${BUILD_VERSION}" -o subspace-linux-arm
+
clean:
rm -f subspace-linux-amd64 bindata.go
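Review bot: the `clean` target in the trailing context (`rm -f subspace-linux-amd64 bindata.go`) still removes only the amd64 binary, so `make clean` leaves `subspace-linux-arm` behind; add the new output to that rm line. The new target also repeats the `go generate && go fmt && go vet --all` preamble verbatim from the amd64 target, which could be a shared prerequisite, and GOARM is left at the toolchain default, so pinning GOARM=7 for the armv7l Pi the author tested on would make the build reproducible across Go versions.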
Dockerfile:
diff --git a/Dockerfile b/Dockerfile
index 8abaddf..2cd95e0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,12 +18,12 @@ ARG BUILD_VERSION=unknown
ENV GODEBUG="netdns=go http2server=0"
-RUN make BUILD_VERSION=${BUILD_VERSION}
+RUN make BUILD_VERSION=${BUILD_VERSION} subspace-linux-arm
-FROM phusion/baseimage:0.11
+FROM phusion/baseimage:master-arm
LABEL maintainer="github.com/subspacecommunity/subspace"
-COPY --from=build /src/subspace-linux-amd64 /usr/bin/subspace
+COPY --from=build /src/subspace-linux-arm /usr/bin/subspace
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
ENV DEBIAN_FRONTEND noninteractive
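Review bot: `FROM phusion/baseimage:master-arm` swaps the pinned `0.11` base for a floating branch tag, so every rebuild pulls whatever `master-arm` currently points at and the image stops being reproducible; pin a release tag, or better a digest, as the original line did. The same hunk hardcodes arm in both `RUN make ... subspace-linux-arm` and `COPY --from=build /src/subspace-linux-arm`, so this Dockerfile can no longer produce the amd64 image; a build argument such as `ARG TARGETARCH` selecting `subspace-linux-${TARGETARCH}` would let one Dockerfile cover both, which is the multi-architecture step the author says is still open.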
Tested on:
$ uname -a && lsb_release -dirc && docker --version && go version && wg --version
Linux ha 4.19.97-v7l+ #1294 SMP Thu Jan 30 13:21:14 GMT 2020 armv7l GNU/Linux
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster
Docker version 19.03.8, build afacb8b
go version go1.14.2 linux/arm
wireguard-tools v1.0.20200319 - https://git.zx2c4.com/wireguard-tools/
Hi,
I have added the IDP Metadata XML generated with the correct ACS URL and Entity ID.
But unfortunately when I try to sign in with the Google account I have the following error:
Error: app_not_configured_for_user
Service is not configured for this user.
I have configured the SAML APPs:
Name ID : Basic information / Primary Email
Name ID Format: UNSPECIFIED
The SAML app is "On for everyone" and the Subspace docker is behind an Nginx reverse proxy.
Thanks for your help,
Clement
Provided I have the server configured and running, how do I connect to the server from my local machine ? Any Howto's on that ?
Describe the bug
There is the following section in handlers.go to set up a split-tunnel-like VPN via allowed IPs:
https://github.com/subspacecommunity/subspace/blob/master/handlers.go#L406
To Reproduce
sudo docker stop subspace
sudo docker rm subspace
docker create \
--name subspace \
--restart always \
--network host \
--cap-add NET_ADMIN \
--volume /data:/data \
--env SUBSPACE_IPV4_POOL="10.99.97.0/24" \
--env SUBSPACE_IPV4_GW="10.99.97.1" \
--env SUBSPACE_ALLOWED_IPS="10.60.0.0/18,10.20.0.0/16,10.99.97.0/24" \
--env SUBSPACE_HTTP_INSECURE="true" \
--env SUBSPACE_LETSENCRYPT="false" \
subspace:test
sudo docker start subspace
sudo docker logs -f subspace
Expected behavior
The allowed ips should be setup in the config
We should add a wiki space to this fork and create some documentation for setting it up in various ways. This will help others picking this project up for the first time.
I am happy to contribute to some of the documentation
Seems like having this server hold all the private keys is against the basics of Wireguard.
I'm interested in something that handles the peer files - but keeps the private keys on the physical device.
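One way to keep private keys on the device, as an added Go example that is not subspace's code and describes no existing subspace API: the client generates its Curve25519 key pair the way wg genkey does (32 random bytes, clamped), renders its own [Interface] section locally, and submits only the base64 public key; the enrolment side validates that key and hands back the [Peer] section. The tunnel addresses and port are taken from the configs quoted on this page; RegisterPeer, the full-tunnel AllowedIPs choice and the single /32 assignment are this example's assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net"
)

// DeviceKeys exists only on the client; nothing here is ever serialised
// except the public key.
type DeviceKeys struct {
	priv *ecdh.PrivateKey
}

// GenerateDeviceKeys mirrors `wg genkey`: 32 random bytes with the
// Curve25519 clamping applied before use.
func GenerateDeviceKeys() (*DeviceKeys, error) {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		return nil, err
	}
	b[0] &= 248
	b[31] &= 127
	b[31] |= 64
	k, err := ecdh.X25519().NewPrivateKey(b[:])
	if err != nil {
		return nil, err
	}
	return &DeviceKeys{priv: k}, nil
}

// PublicKey is the only value sent to the server (what `wg pubkey` prints).
func (d *DeviceKeys) PublicKey() string {
	return base64.StdEncoding.EncodeToString(d.priv.PublicKey().Bytes())
}

// InterfaceSection renders the local half of the config; the private key
// stays in the device's own file.
func (d *DeviceKeys) InterfaceSection(address, dns string) string {
	return fmt.Sprintf("[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n",
		base64.StdEncoding.EncodeToString(d.priv.Bytes()), address, dns)
}

// PublicKeyFromPrivate re-derives the public key from a base64 private key,
// which is how a client can check that a stored config matches what it
// registered.
func PublicKeyFromPrivate(privB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(privB64)
	if err != nil {
		return "", err
	}
	k, err := ecdh.X25519().NewPrivateKey(raw)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(k.PublicKey().Bytes()), nil
}

// RegisterPeer is the server side of the exchange: it accepts a public key,
// assigns a tunnel address and returns the [Peer] text for the device and
// the [Peer] text the server appends to wg0. It never sees a private key.
func RegisterPeer(devicePub, serverPub, endpoint string, assigned net.IP) (deviceConf, serverConf string, err error) {
	if !validWGKey(devicePub) || !validWGKey(serverPub) {
		return "", "", fmt.Errorf("invalid WireGuard public key")
	}
	if assigned.To4() == nil {
		return "", "", fmt.Errorf("assigned address must be IPv4")
	}
	deviceConf = fmt.Sprintf("[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0, ::/0\n",
		serverPub, endpoint)
	serverConf = fmt.Sprintf("[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n", devicePub, assigned)
	return deviceConf, serverConf, nil
}

// validWGKey accepts exactly the base64 encoding of 32 bytes.
func validWGKey(b64 string) bool {
	raw, err := base64.StdEncoding.DecodeString(b64)
	return err == nil && len(raw) == 32
}

func main() {
	dev, err := GenerateDeviceKeys()
	if err != nil {
		panic(err)
	}
	srv, _ := GenerateDeviceKeys() // stands in for the server's own key pair
	deviceConf, serverConf, err := RegisterPeer(dev.PublicKey(), srv.PublicKey(),
		"vpn.example.com:51820", net.ParseIP("10.99.97.2"))
	if err != nil {
		panic(err)
	}
	fmt.Print(dev.InterfaceSection("10.99.97.2/32", "10.99.97.1"), deviceConf)
	fmt.Print("--- server adds ---\n", serverConf)
}
```

The split is the point: the server's database holds public keys and addresses only, so a compromise of the server or its /data volume yields nothing that can impersonate a peer, while the device can still verify its own config with PublicKeyFromPrivate.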
API /delete/
Is your feature request related to a problem? Please describe.
It would be great if it was possible to delete a user from subspace without having to go to a webpage and use an endpoint similar to /delete.
Describe the solution you'd like
Ability to send data to an endpoint such as /delete_user in order to be able to script elements of a JML process. Subspace currently suffers with the following:
If the above could be automated by exposing an endpoint then this process would be simpler for admins of subspace. This would need to be protected by an API key which should be tied to admins.
Describe alternatives you've considered
Log on to subspace as an admin and remove the user and their configurations.
Is your feature request related to a problem? Please describe.
No problem, just an improvement idea
Describe the solution you'd like
Adding a status page, as I did on my fork long ago:
https://github.com/BankaiNoJutsu/subspace
Describe alternatives you've considered
Rewriting the whole thing, but why reinvent the wheel?
Additional context
I find it handy to see the transferred amount of data, handshake etc. I had no docker support though. Should I work on a pull to implement this here, trying to just add the status page?
Ubuntu 18.04
Docker Engine 19.03.11
docker logs end with:
"mkdir: can't create directory '/etc/sv/dnsmasq': No such file or directory"
Steps to reproduce the behavior:
Output:
...
subspace fails with
/usr/local/bin/entrypoint.sh: line 103: /sbin/ip6tables: not found
Process:
I'm using docker compose file from the README
(with SUBSPACE_HTTP_HOST set to my dns name)
I have also reproduced with manual docker create command from README
And with local docker file built from master of this repo
fails with
/usr/local/bin/entrypoint.sh: line 103: /sbin/ip6tables: not found
subspace exited with code 127
NOTE:
on this host /sbin/ip6tables was a symlink to
/sbin/ip6tables -> xtables-multi
I don't need IPv6 support so I'd be open to turning that off, though setting SUBSPACE_IPV6_NAT_ENABLED=0 seems to have no effect.
On a lark I also copied xtables-multi to /sbin/ip6tables just in case it was the symlink causing the trouble (no dice)
To Reproduce
Expected behavior
I would expect setting SUBSPACE_IPV6_NAT_ENABLED=0 to disable ipv6 (this does not happen)
Or failing that that it work with ipv6
or failing that, to fail gracefully attempting to configure ipv6 and simply work with ipv4
Additional context
I tried modifying the entrypoint.sh to comment out all the IPv6 commands (76-89 and 101-108).
I then get a different error (wg not present) but that's a different issue I suppose.
When starting a fresh instance of the Subspace Docker container it is unable to generate a Let's Encrypt SSL certificate because it uses ACMEv1, and as of now Let's Encrypt supports ACMEv2 only.
Exact error from the logs:
2020/05/23 18:56:08 http: TLS handshake error from 123.123.123.123:62878: 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
2020/05/23 18:56:08 http: TLS handshake error from 123.123.123.123:62879: acme/autocert: missing certificate
Steps to reproduce the behavior:
Hey I think it may be a good idea to make a channel on Gopher Slack Specifically for subspace it would be a way to have ad-hoc discussions and potentially help drive up maintainers.
Describe the bug
Trying to bind to http://localhost w/o https, relying on a proper reverse proxy to offload SSL and send traffic to subspace. This results in an https redirection each time.
To Reproduce
$ git clone https://github.com/subspacecommunity/subspace.git \
&& cd subspace \
&& go get -d \
&& make \
&& go install \
&& /root/go/bin/subspace -datadir /data/subspace -http-insecure -http-addr 127.0.0.1:80 -http-host foo.bar.baz -letsencrypt false
INFO[0000] Subspace version: https://foo.bar.baz/
and then:
$ curl 127.1
<a href="https://foo.bar.baz/">Found</a>.
$ curl 127.1 -i
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://foo.bar.baz/
Date: Wed, 27 May 2020 14:38:34 GMT
Content-Length: 43
<a href="https://foo.bar.baz/">Found</a>
Expected behavior
Not being redirected to https
Desktop (please complete the following information):
The wg binary cannot be found inside the docker container, although the volume mount is specified in my docker run command. I also tried it via the example docker-compose variant, no luck.
I double checked locally: wg is installed at /usr/bin/wg and it's not a symlink somewhere.
I'm at my wits' end as to why, in entrypoint.sh:139, while running, it can't find the wg binary.
Any idea what's going on here?
Describe the bug
While starting subspace from docker, the ip6tables command fails and I can't start the daemon.
And also, the inserted v4 rules are not cleaned up and are left behind after the command.
To Reproduce
docker-compose run --rm
Expected behavior
I can start the daemon.
Screenshots
Here is a log:
$ cat docker-compose.yml
...
  wg:
    image: subspacecommunity/subspace:latest
    container_name: subspace
    volumes:
      - ./wg:/data
    restart: always
    environment:
      - SUBSPACE_HTTP_HOST=******
      - SUBSPACE_LETSENCRYPT=false
      - SUBSPACE_HTTP_INSECURE=true
      - SUBSPACE_HTTP_ADDR="localhost:8080"
      - SUBSPACE_NAMESERVER=8.8.8.8
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
      - SUBSPACE_IPV4_GW=10.99.97.1
      - SUBSPACE_IPV6_GW=fd00::10:97:1
      - SUBSPACE_IPV6_NAT_ENABLED=1
    cap_add:
      - NET_ADMIN
    network_mode: "host"
$ docker-compose run --rm wg
+ '[' -z (hostname) ]
+ '[' -z ]
+ export 'SUBSPACE_BACKLINK='
+ '[' -z 10.99.97.0/24 ]
+ '[' -z fd00::10:97:0/64 ]
+ '[' -z 8.8.8.8 ]
+ '[' -z false ]
+ '[' -z '":80"' ]
+ '[' -z 51820 ]
+ '[' -z true ]
+ export 'DEBIAN_FRONTEND=noninteractive'
+ '[' -z 10.99.97.1 ]
+ '[' -z fd00::10:97:1 ]
+ '[' -z 1 ]
+ echo 'nameserver 8.8.8.8'
+ '[' -z ]
+ /sbin/iptables -t nat --check POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
iptables: No chain/target/match by that name.
+ /sbin/iptables -t nat --append POSTROUTING -s 10.99.97.0/24 -j MASQUERADE
+ /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
+ /sbin/iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ /sbin/iptables --check FORWARD -s 10.99.97.0/24 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
+ /sbin/iptables --append FORWARD -s 10.99.97.0/24 -j ACCEPT
+ '[[' 1 -gt 0 ]]
+ /sbin/ip6tables -t nat --check POSTROUTING -s fd00::10:97:0/64 -j MASQUERADE
modprobe: can't change directory to '/lib/modules': No such file or directory
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
+ /sbin/ip6tables -t nat --append POSTROUTING -s fd00::10:97:0/64 -j MASQUERADE
modprobe: can't change directory to '/lib/modules': No such file or directory
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Additional context
It looks like we also have to install the kmod package (see moby/moby#33605).
Describe the bug
When running the docker container for the first time, the boot up stops at
/usr/local/bin/entrypoint.sh: line 157: wg: not found
To Reproduce
Follow the installation procedure of subspace
Expected behavior
No error in logs
Desktop (please complete the following information):
Describe the bug
Successful auth just goes back to the "Admin Sign In"
I currently use Docker-compose to run the server and here are the details of the docker-compose:
version: "3.7"
services:
  subspace:
    image: subspacecloud/subspace:latest
    container_name: subspace
    volumes:
      - /usr/bin/wg:/usr/bin/wg
      - /srv/app/wireguard:/data
    restart: always
    expose:
      - 8080
    ports:
      - "553:53"
    environment:
      - SUBSPACE_HTTP_HOST=space.xxx
      - SUBSPACE_LETSENCRYPT=false
      - SUBSPACE_HTTP_INSECURE=false
      - SUBSPACE_HTTP_ADDR=":8080"
      - SUBSPACE_NAMESERVER=1.1.1.1
      - SUBSPACE_LISTENPORT=51820
      - SUBSPACE_IPV4_POOL=10.99.97.0/24
      - SUBSPACE_IPV6_POOL=fd00::10:97:0/64
      - SUBSPACE_IPV4_GW=10.99.97.1
      - SUBSPACE_IPV6_GW=fd00::10:97:1
      - SUBSPACE_IPV6_NAT_ENABLED=1
      - VIRTUAL_HOST=vpn.xxx
      - VIRTUAL_PORT=8080
      - LETSENCRYPT_HOST=vpn.xxx
      - LETSENCRYPT_EMAIL=it@xxx
    cap_add:
      - NET_ADMIN
    network_mode: "host"
I took the suggested docker-compose file and used kompose convert to implement it on k8s. It created 3 files:
cat subspace-claim0-persistentvolumeclaim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: null
  labels:
    io.kompose.service: subspace-claim0
  name: subspace-claim0
spec:
  accessModes:
and ....
cat subspace-claim1-persistentvolumeclaim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: null
  labels:
    io.kompose.service: subspace-claim1
  name: subspace-claim1
spec:
  accessModes:
and...
cat subspace-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert -f subspace-compose.yml
    kompose.version: 1.21.0 (992df58d8)
  creationTimestamp: null
  labels:
    io.kompose.service: subspace
  name: subspace
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: subspace
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert -f subspace-compose.yml
        kompose.version: 1.21.0 (992df58d8)
      creationTimestamp: null
      labels:
        io.kompose.service: subspace
    spec:
      containers:
        - env:
            - name: SUBSPACE_HTTP_ADDR
              value: '":80"'
            - name: SUBSPACE_HTTP_HOST
              value: subspace.optimcloud.com
            - name: SUBSPACE_HTTP_INSECURE
              value: "true"
            - name: SUBSPACE_IPV6_NAT_ENABLED
              value: "1"
            - name: SUBSPACE_LETSENCRYPT
              value: "false"
            - name: SUBSPACE_LISTENPORT
              value: "51821"
            - name: SUBSPACE_NAMESERVER
              value: 1.1.1.1
          image: subspacecommunity/subspace:latest
          imagePullPolicy: ""
          name: subspace
          resources: {}
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - mountPath: /usr/bin/wg
              name: subspace-claim0
            - mountPath: /data
              name: subspace-claim1
      restartPolicy: Always
      serviceAccountName: ""
      volumes:
        - name: subspace-claim0
          persistentVolumeClaim:
            claimName: subspace-claim0
        - name: subspace-claim1
          persistentVolumeClaim:
            claimName: subspace-claim1
status: {}
kubectl apply works for both volume claims, no problem.
however here is the log output for subspace-deployment.yaml
kubectl logs -f subspace-67c9475df9-rh6gx -n default
any help for kubernetes users?
TL;DR has anyone got this working with JumpCloud?
I have been trying to get SAML SSO set up with JumpCloud as the IdP (identity provider) and this as the SP (service provider).
Using this with Google, it works fine, but with JumpCloud I keep getting SAML errors. Has anyone managed to get this to work?
I have raised this in the original repo but I no longer know if that is maintained?
https://github.com/subspacecloud/subspace/issues/66
current master does not build:
$ go build .
# github.com/subspacecommunity/subspace
./mailer.go:91:27: undefined: AssetNames
./mailer.go:96:13: undefined: Asset
./web.go:109:27: undefined: AssetNames
./web.go:114:13: undefined: Asset
./web.go:253:12: undefined: Asset
./web.go:258:13: undefined: AssetInfo
Hi, I suggest we sign up to something like CircleCI or Travis for the organisation; from that we can do CI linting using golangci-lint and confirm docker builds are correct.
Any thoughts on which service / checks we should do on PRs ?
When adding new profiles on the frontend I get "Adding device failed" as an error:
template: template:29:16: executing "template" at <$.allowedips>: can't evaluate field allowedips in type struct { Profile main.Profile; EndpointHost string; Datadir string; IPv4Gw string; IPv6Gw string; IPv4Pref string; IPv6Pref string; IPv4Cidr string; IPv6Cidr string; Listenport string; AllowedIPS string }
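The two allowed-IPs symptoms reported on this page (SUBSPACE_ALLOWED_IPS apparently ignored, in the bug report further up, and the template error quoted in this one) are both about how the value travels from the environment into a Go text/template. This added Go example, which is not subspace's code, shows the two failure points: text/template resolves struct fields case-sensitively, so {{ $.allowedips }} fails at execution time against a field named AllowedIPS, and an environment variable only takes effect if it is present in the process environment at the moment the Go program reads it, otherwise the default wins. The variable name, its default and the field names are the ones quoted on this page; getenvDefault, loadAllowedIPs and the template text are this example's.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"os"
	"strings"
	"text/template"
)

const (
	allowedIPsEnv     = "SUBSPACE_ALLOWED_IPS"
	allowedIPsDefault = "0.0.0.0/0, ::/0"
)

// getenvDefault: an unset or empty variable falls back to the default, which
// is exactly what is observed when the variable never reaches the process.
func getenvDefault(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

// loadAllowedIPs validates each entry as a CIDR and normalises the separator
// to the ", " form WireGuard prints, so a typo fails at startup rather than
// producing a config peers cannot import.
func loadAllowedIPs() (string, error) {
	var out []string
	for _, e := range strings.Split(getenvDefault(allowedIPsEnv, allowedIPsDefault), ",") {
		e = strings.TrimSpace(e)
		if _, _, err := net.ParseCIDR(e); err != nil {
			return "", fmt.Errorf("%s: %q is not a CIDR: %w", allowedIPsEnv, e, err)
		}
		out = append(out, e)
	}
	return strings.Join(out, ", "), nil
}

// peerData uses the field names quoted in the template error above; the
// template has to reference them with exactly this spelling.
type peerData struct {
	IPv4Gw, IPv6Gw string
	Listenport     string
	AllowedIPS     string
}

// goodTemplate references the exported field as declared.
const goodTemplate = `[Peer]
# gateway {{ .IPv4Gw }} / {{ .IPv6Gw }}, listening on {{ .Listenport }}
AllowedIPs = {{ .AllowedIPS }}
`

// badTemplate uses a lower-case name; it parses fine and only fails when
// executed, which is why the problem surfaces as "Adding device failed".
const badTemplate = `AllowedIPs = {{ $.allowedips }}
`

func render(tmpl string, data peerData) (string, error) {
	t, err := template.New("peer").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	allowed, err := loadAllowedIPs()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	data := peerData{IPv4Gw: "10.99.97.1", IPv6Gw: "fd00::10:97:1", Listenport: "51820", AllowedIPS: allowed}
	out, err := render(goodTemplate, data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
	if _, err := render(badTemplate, data); err != nil {
		fmt.Println("lower-case field name:", err)
	}
}
```

Running it with SUBSPACE_ALLOWED_IPS=10.60.0.0/18,10.20.0.0/16 set in the shell prints the split-tunnel AllowedIPs line; running it without the variable prints the 0.0.0.0/0, ::/0 default, which is the quickest way to tell "the value is not reaching the process" from "the template is not using it".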
Hi, congrats for the fork, I really like the project but looked indeed stale for a while.
I have one question that might turn into a feature request.
Is there a way to use subspace alongside another container running wireguard?
For example the guys at Linuxserver have a neat image that works out of the box without installing wg modules on the host [1].
Would it be possible/good idea to find a way to have that container only handling the network stuff and subspace the UI/configuration?
The original project does not have this, but we should honour the WireGuard trademark and ensure the project and server contain:
WireGuard is a registered trademark of Jason A. Donenfeld.
Hello, is there a way to run subspace without docker ? What would be steps/instructions for that if possible ?
Thank you, A.
Title about sums it up
I.e. not using Lets Encrypt.
Or using DNS based Lets Encrypt - I'm interested in running this inside the firewall.
This might just be a simple ignorant PEBKAC error, but the error message --http-host flag is required doesn't match the help docs below, which indicate that the flag is -http-host (one hyphen prefix). Perhaps either will technically work; I'm not familiar enough with Go to say.
ERROR: --http-host flag is required
Usage: ./subspace-linux-amd64 --http-host subspace.example.com
-backlink string
backlink (optional)
-datadir string
data dir (default "/data")
-debug
debug mode
-help
display help and exit
-http-addr string
HTTP listen address (default ":80")
-http-host string
HTTP host
-http-insecure
enable sessions cookies for http (no https) not recommended
-letsencrypt
enable TLS using Let's Encrypt on port 443 (default true)
-version
display version and exit
To Reproduce
make
and run without the flag
Make it possible to disable the automatic iptables masquerade settings so that the user of subspace can have more control over the connections to WireGuard.
Why?
I would like clients to be able to connect to the server after they have acquired a WireGuard.conf from subspace, but not be able to use the tunnel until they have authenticated via a push notification. Once they have done this second step of authentication, I will then update the iptables to allow their client IP through.
This is done by monitoring the last_handshake from wg show wg0 dump for each IP address and mapping it to the relevant client in order to send a push notification.
Make it possible to disable the iptables masquerade settings with a flag/env variable.
First of all, I finished installing this and tried it. It's incredible. Hats off for the cool work. However, I'm wondering whether the minimum requirement of 512 MB RAM is exceeded as the number of users grows. How many simultaneous connections can subspace serve at the minimum config without dropping quality? The purpose is to pick the lowest AWS node for deployment.
I was excited to try this project so I did a 'go get' and the build fails. The log is below.
$ go version
go version go1.14.3 linux/arm64
$ go get github.com/subspacecommunity/subspace
# github.com/subspacecommunity/subspace
go/src/github.com/subspacecommunity/subspace/handlers.go:33:20: samlSP.GetAuthorizationToken undefined (type *samlsp.Middleware has no field or method GetAuthorizationToken)
go/src/github.com/subspacecommunity/subspace/handlers.go:38:8: samlSP.RequireAccountHandler undefined (type *samlsp.Middleware has no field or method RequireAccountHandler)
go/src/github.com/subspacecommunity/subspace/mailer.go:91:27: undefined: AssetNames
go/src/github.com/subspacecommunity/subspace/mailer.go:96:13: undefined: Asset
go/src/github.com/subspacecommunity/subspace/web.go:109:27: undefined: AssetNames
go/src/github.com/subspacecommunity/subspace/web.go:114:13: undefined: Asset
go/src/github.com/subspacecommunity/subspace/web.go:190:22: samlSP.GetAuthorizationToken undefined (type *samlsp.Middleware has no field or method GetAuthorizationToken)
go/src/github.com/subspacecommunity/subspace/web.go:191:23: undefined: samlsp.WithToken
go/src/github.com/subspacecommunity/subspace/web.go:253:12: undefined: Asset
go/src/github.com/subspacecommunity/subspace/web.go:258:13: undefined: AssetInfo
go/src/github.com/subspacecommunity/subspace/web.go:258:13: too many errors
We should update the Screenshots to include changes to the UI since they were previously taken
Allow you to use a DNS service on the host, i.e. the Unbound DNS server, which is well suited to DNS forwarding.
Would be nice to have organizations within subspace (kinda like github) such that we can have multiple people on multiple organizations independent of each other.
Being able to select between different configurations, which are based on templates would be really nice.
Like this we could serve a fully routed and a split vpn to our users.
Subspace's docker container has no documented option to disable IPv6. Default values on a host with explicitly disabled IPv6 make the container crash:
+ ip addr add fd00::10:97:1/112 dev wg0
RTNETLINK answers: Permission denied
sysctl -w net.ipv6.conf.all.disable_ipv6=1
Then run community docker with those environment variable:
SUBSPACE_HTTP_HOST="subspace.example.com"
SUBSPACE_HTTP_ADDR="127.0.0.1"
SUBSPACE_LETSENCRYPT=false
SUBSPACE_HTTP_INSECURE=true
SUBSPACE_NAMESERVER="1.1.1.1"
SUBSPACE_LISTENPORT="51820"
SUBSPACE_IPV4_POOL="192.168.123.0/24"
SUBSPACE_IPV4_GW="192.168.123.1"
SUBSPACE_IPV6_NAT_ENABLED=0
ipv6 not being enabled
Describe the bug
Admin is limited to 10 profiles.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Admin has no limit on the number of profiles.
Desktop (please complete the following information):
Additional context
profileAddHandler is expecting form parameter admin to be yes, but my browser is not sending admin at all. I can manually edit HTTP request to send these parameters:
name=new_user&platform=yes&admin=yes
I can add as many users as I want with this, this does not seem secure at all.