wireguard-ui
wireguard-ui copied to clipboard
ngoduykhanh
How to integrate in existing setup?
I have created a new Ubuntu server (non-Docker) and installed Wireguard. It's working. I have managed to run the ./wireguard-ui script so now I have the nice webpage available.
However when I create a new client, there is no connection. Probably because the wireguard-ui script created it's own public and private key which doesn't match my existing setup. Should I copy the public and private key from wireguard-ui and overwrite my /etc/wireguard/wg0.conf ? Rather I'd change my existing keys and have wireguard-ui match them. But there is only the option to generate a new key. I'm confused how this should work.
I wonder how hard it would be to build an import utility, where you could point it to an existing wg0.conf and have the underlying database get updated with existing peer information and other things (keys, etc). I'll take a look at it since I'm curious, no promises since I'm still learning Golang along the way. This seems like a useful thing to have, especially if others will use it.
ability to import existing client configs would be brill! Watching closely but might have a go at making an importer too..
Any update on that ? Did you manage to make it work with your existing installation @jpatje ?
Basically if you pre-populate the JSON DB with the private key and public keys of your peers, it'll "just work". I haven't had enough time yet to work on automating this, but a parser that would take the wg0.conf file and fill out the JSON DB is exactly what I was thinking.
Aaah ok I see, I'll give it a try tonight. Thank you for the explanation!
Le mer. 9 mars 2022 à 17:25, brittondodd @.***> a écrit :
Basically if you pre-populate the JSON DB with the private key and public keys of your peers, it'll "just work". I haven't had enough time yet to work on automating this, but a parser that would take the wg0.conf file and fill out the JSON DB is exactly what I was thinking.
— Reply to this email directly, view it on GitHub https://github.com/ngoduykhanh/wireguard-ui/issues/135#issuecomment-1063109185, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADLPRAOWSWPUA23RWWGWMI3U7DGIJANCNFSM5JZTVTGA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you commented.Message ID: @.***>
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
I've totally forgotten about this, but it reminded me I need to look at implementing this, so I can migrate wgui to a new VPS server soon, which includes existing clients.
Any update on this? @brittondodd Do you mind breaking down your workaround for the newcomers (including myself :D)? Thanks
Apologies, I've been short on extra time to look at this, workaround is as follows:
The data is persisted internally as JSON in a flat-file DB. The file location will vary depending on OS (on Linux it seems to persist as the homedir of the user the application runs as -- /home/
The server configuration exists under keypairs.json and will look like this:
{
"private_key": "<private_key>",
"public_key": "<public_key>",
"updated_at": "2023-01-01T02:03:04.000000000Z"
}
each client (I'd create them in the UI first, then modify, I'm not sure what mechanism exists to generate the IDs, they seem random, which means I suppose you could just generate them and the app will simply read them in:
clients/
{
"id": "c7i4vthmiubjov8fokvg",
"private_key": "<private_key>",
"public_key": "<public_key>",
"preshared_key": "<preshared_key>",
"name": "phone",
"email": "<email>",
"allocated_ips": [
"<IP address in configured block in global_settings>"
],
"allowed_ips": [
"0.0.0.0/0"
],
"use_server_dns": true,
"enabled": true,
"created_at": "<UTC timestamp>",
"updated_at": "<UTC timestamp>"
}
The app I imagined would parse a/the WG configs and populate the server parts and the peer/client information into these structures.
I went through some job changes, but have to re-do my WG stack again, but still utilize the same configs, so I'll be working on this very soon anyway. Let me know if the workaround description makes sense or not. I'd start out with a configured wireguard-ui setup, then replace values with the values you have in your existing WG setup :)
Thanks @brittondodd for the details. I'll give this a look asap as I'm redoing my own WG stack :sweat_smile:
I am unsure if this is the place to put it, but I have an existing wireguard connection, but wireguard-ui doesn't see/acknowledge it at all. I know /etc/wireguard/ can't be accessed as non-root but should wireguard-ui really be run as root?
You could run it with a common group that owns /etc/wireguard/wg0.conf. As for me, I run wireguard-ui as root (I have wireguard-ui running, and a path 'watcher' that watches for updates to the wg0.conf file and will automatically restart wiregiard for me -- something I'd love to eventually add in a PR). I run as root, but you could chgrp the wireguard conf file as a group that you can run the daemon as, which would then be able to read/modify the wireguard conf file too.
Update - I managed to move my existing wireguard setup three times by copying the db folder (as a tarball) to a new server, but I've also started working on a import utility to parse an existing wireguard conf and create the JSON DB too. Be on the lookout for a PR coming soon.
It looks like a good idea. But it can be hard to implement. As @bd1308 said, we need to build import utility from a some config to wireguard-ui db. Obviously that config must use pre-shared keys, or it must have predefined keys as files with specific names mb and etc.
@bd1308 I am having trouble finding the files, I am using ubuntu 22.04 LTS. I would like to edit these files, since I have an existing server config, and client configs. Do you know if I can put in my own server public and private key into this config file?
So the daemon actually creates a folder called 'db' in the user's home directory (or in my case /, as I'm running this as root via systemd unit files I've made and might do a PR against here). You'll see JSON structures that form a database. My plan was to setup a utility, but I'm not sure whether or not it should be integrated into wireguard-ui or distributed as a separate program, in this repo. While I've figured out the parsing/templating part, the build system I'm still working through. I've not had as much time lately to work on this, but hopefully I should have some time to look at this tomorrow.
I found it, even though I ran it as root, it put the folder in the same directory that I untar'd the binary from. That is why I was confused, when you say if you use root, that it would put it in the root directory. Thanks for the help though.
I created systemd service files for the wireguard-ui app, the wg0 file watcher (it'll auto restart wg-quick if wg0.conf or whatever you named your wg changes). Also, I still need to setup an importer tool, but not sure how to integrate this into wireguard-ui...should I make a utility golang utility, or create a web-facing utility to copy/paste wireguard config templates? This should setup the server portion of the jsondb, the clients I suppose could be recreated as well. I'm open to suggestions, I haven't been able to decide on a solution, but still interested in adding this to wireguard-ui.
Some cli utility to parse the existing wg0.conf and producing compatible json database should be enough. It requires only for initial migration to wireguard-ui, then the UI takes the full control over the config file.
Same issue here - importing the server settings is rather easy by setting these variables:
WGUI_SERVER_INTERFACE_ADDRESSES
WGUI_SERVER_LISTEN_PORT
WGUI_SERVER_POST_UP_SCRIPT
WGUI_SERVER_POST_DOWN_SCRIPT
However, for the peers it requires some kind of import script. I am thinking some bash + jq will probably do the job.
I think you are right, I think bash+jq is the way to go here, as it won’t require additional packaging effort. I struggled to find a way to integrate it into the stack, but having a bash solution will just allow it to do its one off work without being cumbersome to use. I have one more WG move left, so I have incentive to work on this. I also would like to add systemd unit files eventually here too
I just found https://github.com/WireGuard/wireguard-tools/blob/master/contrib/json/wg-json by @zx2c4. Either a combination of this script with a jq transformer or a fork to output direct wireguard-ui JSON should do the job.
I have many clients on my WG setup, all of them were configured manually using original WG. An importing tool would be awesome.
I took a look at this, there's two major hurdles to making a utility for this:
- In my mind a tool like this should run outside of wireguard-ui, because it will need to possibly read files outside of the scope of the application (e.g. previous wg0.conf from another build) and I haven't yet figured out enough about golang to build and bundle a new utility that would be bundled with wireguard-ui.
- If importing configuration from a existing wg0.conf, all of the peer private keys would not exist. IIRC wgui creates these when creating a client, and persists these in the clients JSONDB, but I'm not really sure what would go there in place of a correct private key. The existing peer pubkey and related information could be easily imported, or each peer private key could somehow be provided (although that doesn't seem secure to me to bring together peer wg0 configs in one place for importing).
I'm willing to dig into this to figure it out, I just need some input on how to proceed with how to handle point # 2. I kinda stopped looking after realizing the private keys wouldn't exist for imported peers, thus the QR code containing peer info wouldn't be complete.
It's ok to have old clients imported without private key. This means the private key was generated on the clients and is already stored somewhere on them (which is, from the security point of view, even more correct).
In json database such client looks like:
{
"id": "cbntgb5pbihtd5ukh210",
"private_key": "",
"public_key": "MVW9LfHoofR12uI2KKSdk0t/UvYypFb+isdFOGPU2x4=",
"preshared_key": "",
"name": "openwrt@home",
...
And it's displayed and managed in UI correctly. You just cannot generate QR code.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.