WGNetwork. Managing a WireGuard®-based Private Secured Network and NFTables Firewall


WGNetwork. Managing a Private Secured Network

A tool for creating, configuring and managing a WireGuard network and an NFTables traffic-filtering system through a web interface.

  • WireGuard — a modern, fast and secure VPN protocol.
  • NFTables — the Linux kernel subsystem that provides network connection filtering.

Access to the web management interface is only possible from inside the created network. Access is controlled at two levels: the device (a WireGuard peer) and the user with the "manager" role associated with that device, who authenticates with a time-based one-time password (TOTP).


Control interfaces

Create, modify and delete users and their devices, and manage the list of IP addresses allowed to access the server via SSH.

Web

Access protocol: HTTP over TCP/IP; the connection is encrypted by the WireGuard tunnel, so the interface is never exposed outside it.

Available by default at http://172.16.0.1; the address can be changed during installation.

Screenshots of web-interface pages (images not reproduced here):

  • Authentication
  • Managing the list of IP addresses allowed for remote access to the server via SSH
  • List of users
  • Creating a user
  • User information
  • List of devices
  • Creating a device
  • Device information

CLI tool

Access protocol: HTTP over a Unix socket.

After installation, the wgn_managercli command is available in the server console.

Arguments and parameters

Display the parameters of the wireguard server
~$ wgn_managercli wgcfg
  -unix-socket
    	path (default "/tmp/wgmanager.sock")
Adding a new user (if you pass the parameter is_manager=true, the user will be created with the role of manager and a qr-code will be displayed to quickly import the totp key into the mobile device)
~$ wgn_managercli user-create
  -is_manager
    	is manager flag (default "false")
  -name
    	name
  -unix-socket
    	unix-socket (default "/tmp/wgmanager.sock")
Editing user by uuid
~$ wgn_managercli user-edit
  -is_manager
    	is manager flag
  -name string
    	name
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
  -uuid string
    	user uuid
Deleting user and all associated devices by uuid
~$ wgn_managercli user-remove
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
  -uuid string
    	user uuid
Getting user information by uuid
~$ wgn_managercli user
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
  -uuid string
    	user uuid
Display complete list of users
~$ wgn_managercli users
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Adding a new user device (if you do not pass the wg_pubkey parameter, the keys will be generated and a qr-code will be displayed to quickly import the wireguard-configuration into the mobile device)
~$ wgn_managercli device-create
  -label string
    	label
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
  -user_uuid string
    	user uuid
  -wan_forward
    	allow ip forwarding (default "false")
  -wg_pubkey string
    	wireguard public key (optional)
Editing device by ip
~$ wgn_managercli device-edit
  -ip string
    	device ip
  -label string
    	label
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
  -wan_forward
    	wan_forward
  -wg_pubkey string
    	wireguard public key
Deleting device by ip
~$ wgn_managercli device-remove
  -ip string
    	device ip
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Getting device information by ip
~$ wgn_managercli device
  -ip string
    	device ip
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Display complete list of devices
~$ wgn_managercli devices
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Adding an ip-address to the list of permissions for remote access to the server via ssh
~$ wgn_managercli trust-ipset-add
  -ip string
    	device ip
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Removing an ip-address from the list of permissions for remote access to the server via ssh
~$ wgn_managercli trust-ipset-remove
  -ip string
    	device ip
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Display full list of ip-addresses allowed for remote access to the server via ssh
~$ wgn_managercli trust-ipset
  -unix-socket string
    	unix-socket (default "/tmp/wgmanager.sock")
Database initialization with the list of ip-addresses allowed for remote access to the server via ssh. (used in the server installation process before the first start of the service)
~$ wgn_bootstrap-trust-ipset
  -dbpath string
    	dbpath
  -trustip value
    	device ip

Getting started

Requirements:

  • Wireguard
  • NFTables

The service can be run in a Docker container or installed directly on the system.

Run in Docker

  1. Download the tool that initializes the service database:
~$ curl -L -o ./wgn_bootstrap-trust-ipset "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-bootstrap-trust-ipset_linux_amd64"
~$ chmod +x ./wgn_bootstrap-trust-ipset
  2. Initialize the database with your IP address; it will be added to the list of addresses allowed remote access via SSH when the service starts. Check that $TRUSTIP holds the address you are connecting from before running the bootstrap tool: with an empty or wrong value the drop policy will block your SSH session once the service is up.
~$ mkdir /usr/local/boltdb/
~$ TRUSTIP=`last -1w | grep $USER | awk '{ print $3 }'`
~$ ./wgn_bootstrap-trust-ipset -dbpath="/usr/local/boltdb/wgnetwork.db" -trustip="$TRUSTIP"
  3. Turn on ip_forward:
~$ sed -i -e '/^#net.ipv4.ip_forward/s/^.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf
~$ sysctl -p
  4. Start the service container:
~$ SESSION_SECRET=`cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1`
~$ docker run \
    -e LOG_LEVEL="info" \
    -e DB_PATH="/wgnetwork.db" \
    -e WG_BINARY="/usr/bin/wg" \
    -e WG_PORT="51820" \
    -e WG_CIDR="172.16.0.1/24" \
    -e FE_HTTP_PORT="80" \
    -e API_HTTP_PORT="8080" \
    -e OTP_ISSUER="wgnetwork" \
    -e SESSION_SECRET="$SESSION_SECRET" \
    -e SESSION_TTL="5m" \
    -e NFT_ENABLED="true" \
    -e NFT_DEFAULT_POLICY="drop" \
    -e NFT_TRUST_PORTS="22" \
    --network host \
    --cap-add NET_ADMIN \
    --volume /usr/bin/wg:/usr/bin/wg \
    --volume /usr/local/boltdb/wgnetwork.db:/wgnetwork.db \
    --restart always \
    --name wgnetwork \
    -d zyablitsev/wgnetwork
  5. Create the first user with the "manager" role and register the device:

IMPORTANT: access to the management web-interface is possible only from the devices of users with the role of "manager"


~$ docker exec wgnetwork \
    /wgn_managercli user-create -name="admin" -is_manager="true"

Scan the QR code with your authenticator application (e.g. Google Authenticator); the TOTP code is required to authenticate the user in the management interface.

~$ docker exec wgnetwork \
    /wgn_managercli device-create --label="mobile" --user_uuid="INSERT_VALUE"

The configuration for your device will be generated; add it to your WireGuard client.

Activate the tunnel in your WireGuard client; you can then open the management web interface at http://172.16.0.1 and authorize with the TOTP code from your authenticator application.

Installing manually on the system

  1. Install the required system packages:
~$ apt-get update -y
~$ apt-get upgrade -y
~$ apt-get install -y ca-certificates curl nftables wireguard
  2. Turn on ip_forward:
~$ sed -i -e '/^#net.ipv4.ip_forward/s/^.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf
~$ sysctl -p
  3. Add the system user wgnetwork:
~$ useradd --system \
    -M \
    --user-group \
    --shell /sbin/nologin \
    wgnetwork
  4. Download the binaries:
~$ curl -L -o /usr/local/bin/wgn_bootstrap-trust-ipset "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-bootstrap-trust-ipset_linux_amd64"
~$ chmod +x /usr/local/bin/wgn_bootstrap-trust-ipset
~$ chown wgnetwork:wgnetwork /usr/local/bin/wgn_bootstrap-trust-ipset

~$ curl -L -o /usr/local/bin/wgn_managercli "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-managercli_linux_amd64"
~$ chmod +x /usr/local/bin/wgn_managercli
~$ chown wgnetwork:wgnetwork /usr/local/bin/wgn_managercli

~$ curl -L -o /usr/local/bin/wgnetwork "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgnetwork_linux_amd64"
~$ chmod +x /usr/local/bin/wgnetwork
~$ chown wgnetwork:wgnetwork /usr/local/bin/wgnetwork
~$ setcap cap_net_admin,cap_net_bind_service+eip /usr/local/bin/wgnetwork
  5. Create the service environment configuration (the file holds the session secret, so keep it readable by root and the service only if your policy requires tighter permissions than the 0644 used here):
~$ WG_BINARY=`which wg`
~$ SESSION_SECRET=`cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1`
~$ cat <<EOF > /etc/default/wgnetwork
LOG_LEVEL="info"
DB_PATH="/usr/local/boltdb/wgnetwork.db"
WG_BINARY="$WG_BINARY"
WG_PORT="51820"
WG_CIDR="172.16.0.1/24"
FE_HTTP_PORT="80"
API_HTTP_PORT="8080"
API_UNIX_SOCKET="/tmp/wgmanager.sock"
OTP_ISSUER="wgnetwork"
SESSION_SECRET="$SESSION_SECRET"
SESSION_TTL="5m"
NFT_ENABLED="true"
NFT_DEFAULT_POLICY="drop"
NFT_TRUST_PORTS="22"
EOF

~$ chown root:root /etc/default/wgnetwork
~$ chmod 0644 /etc/default/wgnetwork
  6. Create the systemd service unit:
~$ cat <<EOF > /lib/systemd/system/wgnetwork.service
[Unit]
Description=WGNetworkService
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/wgnetwork

[Service]
WorkingDirectory=/usr/local/

User=wgnetwork
Group=wgnetwork

EnvironmentFile=/etc/default/wgnetwork

ExecStart=/usr/local/bin/wgnetwork

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target
EOF

~$ chown root:root /lib/systemd/system/wgnetwork.service
~$ chmod 0644 /lib/systemd/system/wgnetwork.service
  7. Initialize the database with your IP address; it will be added to the list of addresses allowed remote access via SSH when the service starts. Check that $TRUSTIP holds the address you are connecting from before running the bootstrap tool: with an empty or wrong value the drop policy will block your SSH session once the service is up.
~$ mkdir /usr/local/boltdb/
~$ TRUSTIP=`last -1w | grep $USER | awk '{ print $3 }'`
~$ wgn_bootstrap-trust-ipset -dbpath="/usr/local/boltdb/wgnetwork.db" -trustip="$TRUSTIP"
~$ chown wgnetwork:wgnetwork /usr/local/boltdb
~$ chmod 0700 /usr/local/boltdb
~$ chown wgnetwork:wgnetwork /usr/local/boltdb/wgnetwork.db
~$ chmod 0600 /usr/local/boltdb/wgnetwork.db
  8. Run the service:
~$ systemctl enable nftables.service
~$ systemctl enable wgnetwork
~$ systemctl start nftables.service
~$ systemctl start wgnetwork
  9. Create the first user with the "manager" role and register the device:

IMPORTANT: access to the management web-interface is possible only from the devices of users with the role of "manager"


~$ wgn_managercli user-create -name="admin" -is_manager="true"

Scan the QR code with your authenticator application (e.g. Google Authenticator); the TOTP code is required to authenticate the user in the management interface.

~$ wgn_managercli device-create --label="mobile" --user_uuid="INSERT_VALUE"

The configuration for your device will be generated; add it to your WireGuard client.

Activate the tunnel in your WireGuard client; you can then open the management web interface at http://172.16.0.1 and authorize with the TOTP code from your authenticator application.
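Two checks worth running during the bootstrap and configuration steps of both the Docker and the manual procedure above, written as an added example rather than code from the wgnetwork project: derive_trust_ip validates the address that goes into -trustip before the database is initialized, and check_env audits the environment file written to /etc/default/wgnetwork (the same keys are passed with -e to docker run). The preference for SSH_CONNECTION over the README's `last` lookup and the 20-character secret threshold are this example's assumptions.

```shell
# Added pre-flight helpers for the wgnetwork install steps (not part of the
# project). Assumes the env keys from /etc/default/wgnetwork shown above.

# Syntactic IPv4 check: four dotted decimal octets, each 0-255.
is_ipv4() {
  ip=$1
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Address to trust for SSH before bootstrapping the database: an explicit
# argument, else the client address in SSH_CONNECTION, else the README's
# `last` lookup. Fails rather than printing an empty -trustip value.
derive_trust_ip() {
  candidate=${1:-${SSH_CONNECTION%% *}}
  if ! is_ipv4 "$candidate"; then
    candidate=$(last -1w 2>/dev/null | awk -v u="$USER" '$1==u {print $3; exit}')
  fi
  is_ipv4 "$candidate" || return 1
  printf '%s\n' "$candidate"
}

# Read KEY from a KEY="value" env file (quotes optional); empty if absent.
env_get() {
  sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$2" | head -n 1
}

# Audit the env file: firewall on with a drop policy, only port 22 trusted,
# session secret at least the 20 characters the README generates.
# Prints one line per finding; the return code is the number of findings.
check_env() {
  f=$1; findings=0
  [ "$(env_get NFT_ENABLED "$f")" = true ] || { echo "NFT_ENABLED is not true"; findings=$((findings + 1)); }
  policy=$(env_get NFT_DEFAULT_POLICY "$f")
  [ "$policy" = drop ] || { echo "NFT_DEFAULT_POLICY is '$policy', expected drop"; findings=$((findings + 1)); }
  ports=$(env_get NFT_TRUST_PORTS "$f")
  [ "$ports" = 22 ] || { echo "NFT_TRUST_PORTS is '$ports', README default is 22"; findings=$((findings + 1)); }
  secret=$(env_get SESSION_SECRET "$f")
  [ "${#secret}" -ge 20 ] || { echo "SESSION_SECRET is shorter than 20 characters"; findings=$((findings + 1)); }
  return $findings
}
# Constructed sample of weak settings (not a real deployment), audited once.
sample=$(mktemp)
printf 'NFT_ENABLED="true"\nNFT_DEFAULT_POLICY="accept"\nNFT_TRUST_PORTS="22,80"\nSESSION_SECRET="short"\n' > "$sample"
check_env "$sample" || echo "findings: $?"
rm -f "$sample"
```

Use it as `TRUSTIP=$(derive_trust_ip) || exit 1` in place of the bare `last` pipeline, and run `check_env /etc/default/wgnetwork` before the first `systemctl start wgnetwork`.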

Using the automated installation script

Limitation: Debian 11 (bullseye) only.

  1. Open a terminal and run the following. The second command downloads the project's install script and executes it with bash as the current user; review the script before running it if that is required by your environment's policy.
~$ apt-get install -y ca-certificates curl
~$ bash <(curl -s "https://raw.githubusercontent.com/zyablitsev/wgnetwork/main/stuff/install.sh")
  2. Create the first user with the "manager" role and register the device:

IMPORTANT: access to the management web-interface is possible only from the devices of users with the role of "manager"


~$ wgn_managercli user-create -name="admin" -is_manager="true"

Scan the QR code with your authenticator application (e.g. Google Authenticator); the TOTP code is required to authenticate the user in the management interface.

~$ wgn_managercli device-create -label="laptop" -user_uuid="INSERT_VALUE" -wan_forward="false"

The configuration for your device will be generated; add it to your WireGuard client.

Activate the tunnel in your WireGuard client; you can then open the management web interface at http://172.16.0.1 and authorize with the TOTP code from your authenticator application.

Build from sources

Requirements:

  • go 1.19+
  • node 16.14+
  1. Clone the repository:
~$ git clone git@github.com:zyablitsev/wgnetwork.git
  2. Get the dependencies:
~$ make install-dependencies-fe
  3. Run the build:
~$ BIN_DIR=./bin/ make build
  4. Build the Docker image:
~$ make docker-build

Testing

~$ make test