A basic, self-contained management service for WireGuard with a self-serve web UI.
- Self-serve and web based
- QR-Code for convenient mobile client configuration
- Optional multi-user support behind an authenticating proxy
- Zero external dependencies - just a single binary using the wireguard kernel module
- Container-first deployment
- Added automatic authentication if cookie wguserfront is set
- Re-coded root relative UI for directory relative UI so UI would work on a reverse proxy subdirectory
The easiest way to run wireguard-ui is using the container image. To test it, run:
docker run --rm -it --privileged --entrypoint "/wireguard-ui" -v /tmp/wireguard-ui:/data -p 8080:8080 -p 5555:5555 embarkstudios/wireguard-ui:latest --data-dir=/data --log-level=debug
When running in production, we recommend using the latest release as opposed to latest.
npm install --prefix=ui
npm run --prefix=ui dev
go get -u github.com/go-bindata/go-bindata/...
go get github.com/elazarl/go-bindata-assetfs/...
go-bindata-assetfs -prefix ui/dist ui/dist
go build .
sudo ./wireguard-ui --log-level=debug --dev-ui-server http://localhost:5000
The code can be easily built for the ARM platform so it can, for example, run natively on a Raspberry PI.
make ui
go-bindata-assetfs -prefix ui/dist ui/dist
env GOOS=linux GOARCH=arm GOARM=5 go build .
As root copy the wireguard-ui ARM binary to /usr/local/bin and then run
/usr/local/bin/wireguard-ui --wg-dns="192.168.1.10" --wg-endpoint="my.domain.com:51820" --log-level=debug
Where 192.168.1.10 is a local DNS server (for example when running PiHole) and my.domain.com is how the VPN can be accessed over the Internet.
You may want to add the --client-ip-range flag if there is a previously configured wireguard interface on the machine and you need to use those IPs instead.
You can access the wg-ui interface via an apache2 reverse proxy by adding the following before the tag in /etc/apache2/sites-enabled/000-default.conf. Your configuration file may differ depending on the services enabled.
Install mod_proxy and restart apache. The following example is for Ubuntu.
sudo a2enmod proxy
sudo systemctl restart apache2
Add the following lines.
ProxyPass /wireguardui/ http://192.168.1.10:8080/
ProxyPassReverse /wireguardui/ http://192.168.1.10:8080/
Where /wireguardui/ is the relative URL to access the wg-ui interface on the apache server and http://192.168.1.10:8080/ is the address that the wg-ui can be accessed. When complete restart the web server.
You can access the wg-ui interface via a lighthttpd reverse proxy by creating a 99-reverse-proxy-wireguard.conf in the /etc/lighttpd/conf-available directory with the following content:
server.modules += ( "mod_proxy" )
$HTTP["url"] =~ "^/wireguardui/" {
proxy.header = ( "map-urlpath" => ("/wireguardui/" => "/") )
proxy.server = ( "" => ( "" => ( "host" => "192.168.1.10", "port" => 8080)))
}
Where /wireguardui/ is the virtual path on the lighthttpd server, 192.168.1.10 is the host that wg-ui is running on and 8080 is the port wg-ui is running on.
When complete enable the module and force reload to apply the changes.
# /usr/sbin/lighty-enable-mod reverse-proxy-wireguard
Enabling reverse-proxy-wireguard: ok
Run "service lighttpd force-reload" to enable changes
# service lighttpd force-reload
We welcome community contributions to this project.
Please read our Contributor Guide for more information on how to get started.
Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
