
Add mapping of wg interfaces to users group

Open krom opened this issue 2 years ago • 1 comment

I don't know how to implement it, but I have my own configuration:

  • 2 or more wg interfaces with different settings
  • Some user have access to wg0 and some users have access to wg1
  • wg0 is the default interface, and when a user logs in for the first time wg-portal creates a default configuration for wg0, but I need to create the configuration for wg1 manually per user.

My rough idea: add configuration like

```
WG_DEVICE_WG0_GROUP=CN=WireGuardProfile1,OU=Users,DC=COMPANY,DC=LOCAL
WG_DEVICE_WG1_GROUP=CN=WireGuardProfile2,OU=Users,DC=COMPANY,DC=LOCAL
```

And if a user is a member of WG_DEVICE_WG1_GROUP, wg-portal will create a peer for WG1, and the user can create a peer for himself only for the `WG1` device.

It looks like 2 different portals; for now I can create a sample configuration:

```yaml
version: '3.6'
services:
  wg-portal1:
    image: h44z/wg-portal:latest
    container_name: wg-portal1
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data1:/app/data
    # With network_mode: "host" the ports mapping below is ignored by Docker;
    # the portal listens directly on the host's :8123.
    ports:
      - '8123:8123'
    environment:
      # WireGuard Settings
      - WG_DEVICES=wg0
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      - EXTERNAL_URL=https://vpn1.company.com
      - LDAP_ENABLED=true
      - LDAP_URL=ldap://srv-ad01.company.local:389
      - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
      - [email protected]
      - LDAP_PASSWORD=supersecretldappassword
      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
      - LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}})(memberOf=cn=vpn_group1,cn=groups,cn=accounts,dc=company,dc=local))
      - LDAP_SYNC_FILTER=(&(memberOf=cn=vpn_group1,cn=groups,cn=accounts,dc=company,dc=local)(!(nsaccountlock=TRUE)))
      - LDAP_TYPE=OpenLDAP

  wg-portal2:
    image: h44z/wg-portal:latest
    container_name: wg-portal2
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data2:/app/data
    # Ignored under host networking (see above); the second instance must be
    # told to bind a different port itself, otherwise it collides with :8123.
    ports:
      - '8124:8123'
    environment:
      # Bind the second portal to :8124 on the host network
      - LISTENING_ADDRESS=:8124
      # WireGuard Settings
      - WG_DEVICES=wg1
      - WG_DEFAULT_DEVICE=wg1
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      - EXTERNAL_URL=https://vpn2.company.com
      - LDAP_ENABLED=true
      - LDAP_URL=ldap://srv-ad01.company.local:389
      - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
      - [email protected]
      - LDAP_PASSWORD=supersecretldappassword
      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
      - LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}})(memberOf=cn=vpn_group2,cn=groups,cn=accounts,dc=company,dc=local))
      - LDAP_SYNC_FILTER=(&(memberOf=cn=vpn_group2,cn=groups,cn=accounts,dc=company,dc=local)(!(nsaccountlock=TRUE)))
      - LDAP_TYPE=OpenLDAP
```

But I'd like to create only one instance of wg-portal with 2 groups, one group per wg device.

krom avatar Dec 23 '22 20:12 krom
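The group-to-device mapping the issue proposes can be expressed as a small authorization check: parse the proposed `WG_DEVICE_<NAME>_GROUP` variables, normalize the directory group DNs (LDAP servers differ in case and spacing, as the AD-style DNs in the proposal and the FreeIPA-style DNs in the compose filters show), and decide per device whether a given user's `memberOf` list entitles them to a peer. The following Go program is an added illustration, not wg-portal's own code; the variable names come from the issue, while `ParseDeviceGroups`, `AllowedDevices`, `MayCreatePeer`, the rule that an unmapped device stays open to every authenticated user (modelling the "default device"), and all sample users are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DeviceGroups maps a WireGuard device name ("wg0") to the normalized DN of
// the directory group whose members may hold peers on that device. A device
// absent from the map carries no group restriction (hypothetical design).
type DeviceGroups map[string]string

// NormalizeDN lower-cases a DN and strips whitespace around its RDN separators
// so "CN=A, OU=B" and "cn=a,ou=b" compare equal. A strict implementation would
// parse RFC 4514 escapes; this is enough for the AD/FreeIPA shapes seen above.
func NormalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

// ParseDeviceGroups extracts the proposed WG_DEVICE_<NAME>_GROUP=<DN> entries
// from an environment listing in the format of os.Environ(). The device name
// is lower-cased so WG_DEVICE_WG0_GROUP maps to "wg0". Other variables are
// ignored; strings.Cut splits on the first '=' only, so DNs keep their '='.
func ParseDeviceGroups(environ []string) DeviceGroups {
	m := DeviceGroups{}
	for _, kv := range environ {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(key, "WG_DEVICE_") || !strings.HasSuffix(key, "_GROUP") {
			continue
		}
		dev := strings.TrimSuffix(strings.TrimPrefix(key, "WG_DEVICE_"), "_GROUP")
		if dev == "" || strings.TrimSpace(val) == "" {
			continue
		}
		m[strings.ToLower(dev)] = NormalizeDN(val)
	}
	return m
}

// AllowedDevices returns, sorted, every configured device the user may create
// peers on: an unmapped device is open to all authenticated users, a mapped
// device requires membership in its group (membership compared after
// normalization, so directory formatting differences do not cause denials).
func AllowedDevices(devices []string, groups DeviceGroups, memberOf []string) []string {
	member := make(map[string]bool, len(memberOf))
	for _, g := range memberOf {
		member[NormalizeDN(g)] = true
	}
	out := []string{}
	for _, dev := range devices {
		dev = strings.ToLower(strings.TrimSpace(dev))
		required, restricted := groups[dev]
		if !restricted || member[required] {
			out = append(out, dev)
		}
	}
	sort.Strings(out)
	return out
}

// MayCreatePeer is the check a portal would run before honouring a
// "create a peer for me on <device>" request; it denies by default.
func MayCreatePeer(devices []string, groups DeviceGroups, memberOf []string, device string) bool {
	want := strings.ToLower(strings.TrimSpace(device))
	for _, d := range AllowedDevices(devices, groups, memberOf) {
		if d == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed environment mirroring the issue's proposal: wg0 stays the
	// open default device, wg1 is restricted to WireGuardProfile2 members.
	env := []string{
		"WG_DEVICES=wg0,wg1",
		"WG_DEVICE_WG1_GROUP=CN=WireGuardProfile2,OU=Users,DC=COMPANY,DC=LOCAL",
	}
	devices := strings.Split("wg0,wg1", ",")
	groups := ParseDeviceGroups(env)

	// Constructed memberOf values; note the differing case and spacing.
	alice := []string{"cn=wireguardprofile2, ou=users, dc=company, dc=local"}
	bob := []string{"CN=SomeOtherGroup,OU=Users,DC=COMPANY,DC=LOCAL"}

	fmt.Println("alice may use:", AllowedDevices(devices, groups, alice))
	fmt.Println("bob may use:  ", AllowedDevices(devices, groups, bob))
	fmt.Println("bob on wg1:   ", MayCreatePeer(devices, groups, bob, "wg1"))
}
```

The deny-by-default shape matters: a user whose group lookup fails, or whose directory returns DNs in an unexpected format, should lose access to the restricted interface rather than gain it, and the normalization step keeps formatting differences between the admin's configured DN and the server's `memberOf` values from producing spurious denials that tempt people to loosen the check.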