wireguard-ui
Webui not working
Hello, I installed this using Docker, but lately the web UI doesn't work at all.
Same problem here.
My docker-compose.yaml:
```yaml
version: "3"
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - /data/docker/wireguard/:/config
    ports:
      - "1003:5000" # Port for WireGuard-UI
      - "51820:51820/udp" # Port of the WireGuard VPN server
    restart: unless-stopped

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=username
      - WGUI_PASSWORD=secretpassword
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - /data/docker/wireguard-ui/:/app/db
      - /data/docker/wireguard/:/etc/wireguard
```
Docker log of Wireguard:
```
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 911
User GID: 911
───────────────────────────────────────
Uname info: Linux 05baa72cf85c 6.1.57-1-lts #1 SMP PREEMPT_DYNAMIC Wed, 11 Oct 2023 05:10:50 +0000 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, but it doesn't seem to be valid, skipping. ****
**** No valid tunnel config found. Please create a valid config and restart the container ****
[ls.io-init] done.
```
Docker log of Wireguard-UI:
```
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link delete dev wg0
[#]
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.252.1.0/24 dev wg0
[#] ip link set mtu 1450 up dev wg0
[#]
Wireguard UI
App Version : dev
Git Commit : b55543f
Git Ref : N/A
Build Time : 10-26-2023 10:58:16
Git Repo : https://github.com/ngoduykhanh/wireguard-ui
Authentication : true
Bind address : 0.0.0.0:5000
Email from :
Email from name : WireGuard UI
Custom wg.conf :
Base path : /
⇨ http server started on [::]:5000
```
I've mapped the port to 1003, because 5000 is already taken, but even remapping to port 5000 doesn't work.
Same here
Managed to fix, in my case the problem was the volume
> Managed to fix, in my case the problem was the volume
Can you explain more?
updates? I have the same problem
> Managed to fix, in my case the problem was the volume
> Can you explain more?
I can't tell exactly what I did (I tried a lot...), but this is my docker compose (I need to use the port 51820, or I had to restart the UI when the server starts, not sure why):
```yaml
version: "3"
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    volumes:
      - /[HOST_FOLDER]/wireguard:/config
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERURL= MY_EXTERNAL_DNS
      - SERVERPORT=51820 #optional
      - PEERDNS= [MY_INTERNAL_DNS_IP_OUTSIDE_DOCKER],1.1.1.1
      - INTERNAL_SUBNET=10.8.8.0 #optional
      - ALLOWEDIPS=192.168.77.0/24 #optional
      - PERSISTENTKEEPALIVE_PEERS=30 #optional
      - LOG_CONFS=true #optional
      - PEERS=1 #NEED THIS TO ENABLE SERVER MODE
    ports:
      # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - BIND_ADDRESS=0.0.0.0:5000
      - SESSION_SECRET=SESSION_SECRET_RANDOM
      - WGUI_DNS=[MY_INTERNAL_DNS_IP_OUTSIDE_DOCKER],1.1.1.1
      - WGUI_USERNAME=[MY_USER_ADMIN]
      - WGUI_PASSWORD=[MY_PASSWORD]
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_PERSISTENT_KEEPALIVE=15
      - EMAIL_FROM_ADDRESS=MY_EMAIL
      - EMAIL_FROM_NAME=MY_NAME
      - SMTP_HOSTNAME=MY_SMTP
      - SMTP_PORT=[MY_SMTP_PORT]
      - SMTP_AUTH_TYPE=[MY_SMTP_AUTT]
      - SMTP_ENCRYPTION=[MY_SMTP_ENCY]
      - WGUI_DEFAULT_CLIENT_ALLOWED_IPS=192.168.77.0/24
      #NEED THIS TO ACCESS LOCAL IP
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
    logging:
      driver: json-file
      options:
        max-size: 51m
    volumes:
      - /[HOST_FOLDER]/wireguard/ui/db:/app/db
      - /[HOST_FOLDER]/wireguard:/etc/wireguard
```
Having the same problem. Wireguard is up and working just fine (tunnels up, etc.) running the linuxserver.io docker image. I have wireguard-ui installed via docker as well and pointing to the config directory of the wireguard service. The logs show both are up and running and no errors. I've tried bringing up the UI on port 5000 with no success. Have tried from my workstation, as well as directly from the host running docker (localhost:5000).
change the wireguard image to
image: linuxserver/wireguard:v1.0.20210914-ls6
> change the wireguard image to
> image: linuxserver/wireguard:v1.0.20210914-ls6
This worked for me. Thanks
> change the wireguard image to
> image: linuxserver/wireguard:v1.0.20210914-ls6
This worked for me too. :+1:
Isn't this a very old 2021 image. Will this cause any security concerns?
I'm concerned about the age of that image.
I'm sure there is something in one of the later updates that maybe broke things, but still strange that the web interface won't come up as a result.
Would think the best option would be to identify the compatibility issue with the latest wireguard image and resolve that. Though I suppose running an older image is an option if you absolutely need to use it, but I would also advise to check on potential security issues with an older image.
I had same problem. Similar yaml file as paulbrause. I fixed this issue by adding the environment section in wireguard config as follows:
```yaml
environment:
  - PUID=1000
  - PGID=1000
  - PEERS=1
```
after this everything worked great. I had to remove and create wireguard-ui again after server appeared to be running successfully
> change the wireguard image to
> image: linuxserver/wireguard:v1.0.20210914-ls6
> This worked for me too. 👍
> Isn't this a very old 2021 image. Will this cause any security concerns?
Not sure what the 20210914 is referencing, but this seems to have been released yesterday.
All right i figured it out, we need 2 things. First, mount your config dir like this:
```yaml
volumes:
  - /etc/wireguard:/config
  - /etc/wireguard:/config/wg_confs
```
/etc/wireguard depends on your conf; I put it on the root volume in /etc/wireguard. The second mount is very important, cuz in the newer image they changed the path from /config/wg0.conf to /config/wg_confs/wg0.conf
on wireguard-ui you then need to mount:
```yaml
volumes:
  - /db:/app/db
  - /etc/wireguard:/etc/wireguard
```
and now we need to do some tricks, cuz wireguard-ui depends on wireguard, but it starts instantly and tries to apply the new config for the server faster than wireguard itself, and wireguard itself doesn't apply the config and doesn't work as a healthy container, and doesn't forward traffic, so wireguard must start 1st. We need to add some magic into docker-compose: we need to delay wireguard-ui startup, and we can do it with a simple healthcheck in docker compose startup:
```yaml
healthcheck:
  test: stat /etc/passwd || exit 1
  interval: 20s
  timeout: 60s
  start_period: 15s
```
and in wireguard-ui we need to modify the depends_on directive to:
```yaml
depends_on:
  wireguard:
    condition: service_healthy
```
So whole docker-compose:
```yaml
---
version: "3"
services:
  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE ## NOT NEEDED IN MY CASE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL= opt #optional
      - SERVERPORT=opt #optional
      # - PEERS=1 #optional
      # - PEERDNS=auto
      # - ALLOWEDIPS=0.0.0.0/0
      - LOG_CONFS=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - /etc/wireguard:/config
      - /etc/wireguard:/config/wg_confs
    ports:
      # Port for WireGuard-UI
      - "5000:5000/tcp"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    restart: unless-stopped
    healthcheck:
      test: stat /etc/passwd || exit 1
      interval: 20s
      timeout: 60s
      start_period: 15s

  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      wireguard:
        condition: service_healthy
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=yours
      - WGUI_PASSWORD=also your
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE ### This is for Amazon EC2 2023 ami
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE ### This is for Amazon EC2 2023 ami
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - /db:/app/db
      - /etc/wireguard:/etc/wireguard
```
Now everything works perfectly
Didn't work for me. Thought PEERS=1 is required for the wireguard container to run in server mode so i did leave this line enabled instead of commented out.
PEERS=1 sets server mode, so the required starting wg0.conf is created. I tested on a clean install, and when not in server mode, wg wasn't able to start up and I wasn't able to connect to the webui panel. So it needs a little tweak, cuz once there is a starting wg0.conf we don't need peers=1 and wireguard can run in client mode. Maybe there should be an initialization process, based on a container run once; I will look forward to it, and implement everything in an ansible playbook
Changing the volumes and adding the healthcheck delay worked wonders for me, thank you karoolpl
Here's the ultimate version, which sets up everything from 0. PEERS=1 sets wireguard in server mode, so it generates wg0.conf, which can then also be managed by wireguard-ui. If you already have wg0.conf you can comment out PEERS=1. In my case, I'm setting up the machine using aws ec2 and wanted a fully automated process, so adding peers=1 creates the 1st wg0.conf. Nginx also adds the possibility to manage SSL or set allowed IP addresses from which you can access the webui :) For simplicity, nginx attaches to the host network.
```yaml
---
version: "3"
services:
  nginx:
    image: nginx:latest
    # network_mode: service:wireguard
    network_mode: host
    # ports:
    #   - "80:80"
    volumes:
      - /etc/nginx.conf:/etc/nginx/nginx.conf
    restart: always

  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL={{ wg_server_url }}
      - SERVERPORT={{ wg_server_port }} #optional
      - PEERS=1 #optional
      - PEERDNS=1.1.1.1
      # - ALLOWEDIPS=0.0.0.0/0
      - LOG_CONFS=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - /etc/wireguard:/config
      - /etc/wireguard:/config/wg_confs
    ports:
      - "5000:5000/tcp"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    restart: unless-stopped
    healthcheck:
      test: stat /etc/passwd || exit 1
      interval: 20s
      timeout: 60s
      start_period: 60s

  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      wireguard:
        condition: service_healthy
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME={{ WGUI_USERNAME }}
      - WGUI_PASSWORD={{ WGUI_PASSWORD }}
      - WGUI_ENDPOINT_ADDRESS={{ wg_server_url }}
      - WGUI_DNS=1.1.1.1
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - /db:/app/db
      - /etc/wireguard:/etc/wireguard
```
If you want a newer image, or change something in the container settings, remember to use docker-compose down and docker-compose up -d, cuz otherwise, if you restart the wireguard container, wireguard-ui is unable to connect to the wireguard network. You can also split wireguard-ui onto its own or the host network, but you won't see network statistics
Here's also my nginx config setup by ansible:
```yaml
- name: create nginx entry
  copy:
    content: |
      user nginx;
      worker_processes auto;
      error_log /var/log/nginx/error.log notice;
      pid /var/run/nginx.pid;
      events {
          worker_connections 1024;
      }
      http {
          include /etc/nginx/mime.types;
          default_type application/octet-stream;
          log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
          access_log /var/log/nginx/access.log main;
          sendfile on;
          #tcp_nopush on;
          keepalive_timeout 65;
          #gzip on;
          {% for ip in allowed_ips %}
          allow {{ ip }};
          {% endfor %}
          deny all;
          server {
              listen 80;
              server_name {{ wg_server_url }};
              location / {
                  add_header Cache-Control no-cache;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header Host $http_host;
                  proxy_pass http://127.0.0.1:5000/;
              }
          }
          include /etc/nginx/conf.d/*.conf;
      }
    dest: "/etc/nginx.conf"
    mode: 0644
```
If you don't want to restrict access to the webui based on IP, just remove this section:
```
{% for ip in allowed_ips %}
allow {{ ip }};
{% endfor %}
deny all;
```
Also, if on some servers you get slow vpn speed, you can try to use network: host everywhere. In my case I have 2 vpns in india and korea and faced some slow up/down bandwidth; after recreating the services using network_mode_host everywhere, without specifying ports so it binds to host ports directly, I get far better performance. Also, in postup/postdown check your interface names: if there's eth use eth, if ens use ens, etc.
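The allow/deny list in the nginx config above applies only to requests that go through nginx, while the compose file still publishes `"5000:5000/tcp"`, which Docker binds on every host interface by default. The following is an added example, not part of the post or of either project: a hypothetical helper `exposed_mappings` that lists such mappings in a compose file, run on two constructed fragments (the second pins the UI port to loopback with the `HOST_IP:HOST:CONTAINER` short syntax, which nginx on the host network can still reach at 127.0.0.1:5000).

```shell
#!/bin/sh
# Added example, not from the thread.
# exposed_mappings CONTAINER_PORT   (compose file on stdin)
# Prints each short-syntax port entry for CONTAINER_PORT that Docker would
# bind on every host interface, i.e. anything not pinned to a 127.x.x.x address.
exposed_mappings() {
    awk -v want="$1" -v sq="'" '
        /^[ \t]*#/ { next }                              # comment-only line
        /^[ \t]*-[ \t]/ {
            item = $0
            sub(/[ \t]+#.*$/, "", item)                   # trailing comment
            sub(/^[ \t]*-[ \t]*/, "", item)               # list marker
            gsub("\"|" sq, "", item)                      # surrounding quotes
            sub(/\/(tcp|udp)$/, "", item)                 # protocol suffix
            if (item !~ /^([0-9.]+:)?[0-9]+:[0-9]+$/) next  # not [IP:]HOST:CONTAINER
            n = split(item, p, ":")
            if (p[n] != want) next                        # different container port
            if (n == 3 && p[1] ~ /^127\./) next           # loopback only
            print item
        }'
}

# Constructed input: the ports section as posted in the thread.
as_posted=$(cat <<'EOF'
services:
  wireguard:
    ports:
      - "5000:5000/tcp"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
EOF
)

# Constructed input: same section with the UI port bound to loopback only.
loopback_only=$(cat <<'EOF'
services:
  wireguard:
    ports:
      - "127.0.0.1:5000:5000/tcp"
      - "51820:51820/udp"
EOF
)

echo "as posted:     $(printf '%s\n' "$as_posted" | exposed_mappings 5000)"
echo "loopback only: $(printf '%s\n' "$loopback_only" | exposed_mappings 5000)"
```
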
The problem appears with some version of wireguard, I believe. You are using the same network for the UI and for wireguard itself, but there is the problem: everything is going over wg0, so you need to add rules to exclude UI traffic from wg0. Or, if you do not need live info about clients, you can run the UI on a different network. There is also the option to switch to host mode, but then on a crowded server you must deal with busy ports and other mess. I do not have a rule for it, nor did the https://hub.docker.com/r/linuxserver/wireguard section help much.
same today in 2024
As @karoolpl figured out, the issue is that in the new wireguard docker image they changed the path of the `wg0.conf` file from `/config/wg0.conf` to `/config/wg_confs/wg0.conf`. The wireguard-ui docker image is still expecting the file in the old location so it happily writes the file to the old location, which does not get used by wireguard. Thankfully the wireguard-ui has a setting to control where it expects the wg0.conf to be, which can be changed to fix the issue.
Once you have everything running do the following in the wireguard-ui:
- Go to "Global Settings"
- Update the "Wireguard Config File Path" from `/etc/wireguard/wg0.conf` to `/etc/wireguard/wg_confs/wg0.conf`. Note that you should not change any other part of this path, only add in `wg_confs`, as this is the path inside the wireguard-ui docker image, not the path on the host or the wireguard docker image.
- Click the "Save" button.
- Click the "Apply Config" button in the top right of the screen. Note that sometimes this button doesn't appear after clicking save, in this case just reload the page, or navigate to another page and then back.
For reference this is my functioning compose file, which is based on @karoolpl's one, just without the fix to the wireguard volumes:
```yaml
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=[you public ip address]
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=1.1.1.1
      - LOG_CONFS=true
    sysctls:
      - net.ipv4.ip_forward=1 # forward requests
      - net.ipv4.conf.all.src_valid_mark=1 # Permits rp_filter to function when the fwmark is used for routing traffic in both directions
    volumes:
      - /opt/wireguard:/config
    ports:
      - 5000:5000/tcp
      - 51820:51820/udp
    restart: unless-stopped
    healthcheck:
      test: stat /etc/passwd || exit 1
      interval: 20s
      timeout: 60s
      start_period: 60s

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      wireguard:
        condition: service_healthy
    cap_add:
      - NET_ADMIN
    network_mode: service:wireguard
    environment:
      - WGUI_USERNAME=[your UI username]
      - WGUI_PASSWORD=[your UI password]
      - WGUI_DNS=1.1.1.1
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - /opt/wireguard-ui:/app/db
      - /opt/wireguard:/etc/wireguard
```
Note that I've used `/opt/wireguard-ui` and `/opt/wireguard` as the paths for the volumes in my host, but these can be anything you'd like.
Hope this helps someone :)
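The path mismatch described in the post above, and the `world accessible` warning in the wireguard-ui log earlier in the thread, can both be checked from the host. This is an added example, not part of the post or of either project: the function name `audit_wg_conf` is hypothetical, and it assumes a single host directory mounted at `/config` and `/etc/wireguard` (as in the compose file above) and GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the thread.
# audit_wg_conf HOST_DIR
# HOST_DIR is the host directory bind-mounted at /config (wireguard) and at
# /etc/wireguard (wireguard-ui). Prints one finding per line and returns 1 if
# anything was flagged, 0 otherwise.
audit_wg_conf() {
    dir=$1
    old="$dir/wg0.conf"            # wireguard-ui default: /etc/wireguard/wg0.conf
    new="$dir/wg_confs/wg0.conf"   # newer linuxserver images: /config/wg_confs/wg0.conf
    rc=0

    # wg0.conf holds the interface private key. wg-quick prints "world
    # accessible" when any permission bit for "other" is set on it.
    for f in "$old" "$new"; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")  # GNU coreutils stat, octal mode such as 644
        case $mode in
            *0) ;;
            *)  echo "WORLD_ACCESSIBLE $f mode=$mode (chmod 600 it)"; rc=1 ;;
        esac
    done

    if [ ! -f "$new" ]; then
        if [ -f "$old" ]; then
            echo "STALE_PATH $old exists, $new does not: the UI is writing where wireguard no longer reads"
        else
            echo "MISSING $new: wireguard has no tunnel config to load"
        fi
        rc=1
    elif [ -f "$old" ] && ! cmp -s "$old" "$new"; then
        echo "DIVERGED $old and $new differ: UI changes are not reaching the tunnel"
        rc=1
    fi
    return $rc
}

# Constructed demo: a throwaway directory with the layout reported in this
# thread (config only at the old path, default 644 permissions).
demo=$(mktemp -d)
mkdir -p "$demo/wg_confs"
printf '[Interface]\nPrivateKey = CONSTRUCTED_PLACEHOLDER\n' > "$demo/wg0.conf"
chmod 644 "$demo/wg0.conf"
audit_wg_conf "$demo" || true
rm -rf "$demo"
```

With the two-mount workaround from earlier in the thread (the same host directory mounted at both `/config` and `/config/wg_confs`), the file at the old path is the one wireguard reads, so the `STALE_PATH` finding does not apply to that layout.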
I was able to get the WebUI up by mapping the port to this service instead of the wireguard service container. Had to do this because I'm running Docker Swarm and "depends on" and "network_mode: service" do not work in Swarm. However, wireguard-ui wouldn't update/write to wg0.conf.
I tried both of these steps to see if it would work:
- Mapping to the new location by updating the compose file to have /mypath/config/wg_confs mapped to /etc/wireguard.
- Tried leaving the original path and instead changing the "Wireguard Config File Path" setting in the "Global Settings" of the UI to point to the updated location.
Both of the above methods allow wireguard-ui to see clients that I have added before (under the Status section) so I know it can see/read the wg0.conf file. But if I add a new client in the UI they don't work and don't show up in wg0.conf.
To rule out a problem with my existing deployment I have backed things up and then wiped to try with a fresh config, yet I still have the same result.
Really wish this would work, but just seems to have too many issues. In fairness, this is made to work with a multitude of different wireguard services and the dev can't control what LinuxServer or other releases do. In my case I just switched to an all-in-one service with wg-easy.
@ProfessorCha0s I experienced something similar, I knew the WebUI was pointing to the wg0.conf file, but changes to clients in the UI didn't reflect.
In my case it was because I hadn't clicked the `Apply Config` button after making changes to the clients through the UI. It seems like config changes are only written to the Wireguard config files when `Apply Config` is clicked, and client modifications seem to count as config changes.
@brendon1982 thanks for the info and for sharing so that this helps someone else out there to get this running. In my case, I definitely clicked the "Apply Config" button. When clicking it, the UI says something about "Reloading wg0.conf" or something to that effect. I can't recall the message specifically because I have since moved over to a different solution. But when I clicked it, it didn't seem to have any changes and none of my test clients would connect. It's as though it was finally able to be able to read the wg0.conf, but it wouldn't allow any changes or updates.
I might come back and play with this some more later on, but for now I have things going with a different UI.
Note to those using Docker Swarm, I don't believe the example compose file will work since "depends on" and "network_mode: service" don't work in Swarm. Going back to the original issue for this thread, I believe that is why the UI wouldn't load for me. I wonder if Swarm is also related to why this doesn't seem to be working after I was able to get the UI working by mapping the port to the wireguard-ui service instead.
I have been monitoring this thread for a good while and have tried different suggestions posted from time to time, only to finally stumble on why this may be working for some and not others.
This applies to the docker install.
When I am using "image: linuxserver/wireguard:v1.0.20210914-ls7" as my image, I am able to log in to the UI via port 5000 directly, i.e. http://<docker_server_ip>:5000. When I switch to "image: linuxserver/wireguard:latest" I can NO longer connect to the UI via http://<docker_server_ip>:5000
(Also had ENV of BIND_ADDRESS=0.0.0.0:5000 set)
Upon seeing another post about a reverse proxy, which I was not using prior for the UI, I set up nginx (NPM) on the same docker host and am able to connect to the UI while also using the latest image for wireguard.