nhas / wag
Simple Wireguard 2FA
License: BSD 3-Clause "New" or "Revised" License
I have a second problem: I tried to set up OIDC.
I added oidc to Authenticators Methods, received data from the Google API and wrote down the necessary:
"DomainURL": "https://my domain",
"OIDC": {
    "IssuerURL": "https://accounts.google.com",
    "ClientSecret": "secret",
    "ClientID": "client ID",
    "GroupsClaimName": "groups"
}
In the Google management console, I specified Authorized redirect URIs for my domain (https://mydomain/authorise/oidc)
Also in the config I specified "accounts.google.com" in the allow section so that it would be available during the mfa
But when I choose SSO and choose my Google account, I get
https://mydomain/authorise/oidc?state=some key
ERR_CONNECTION_REFUSED
Could you please tell me what I'm doing wrong?
I also read a lot of documents about oidc but I can't understand what is the problem here
I put this on a different system to test some more. Previously it was on Alpine Linux 3.15, now I put it on Debian 11
I'll confess to being a Go novice.
$ go build
router/bpf_bpfel.go:9:2: package embed is not in GOROOT (/usr/lib/go-1.15/src/embed)
I suspect it is a difference in the Go package on the two environments.
$ doas apk add go
$ go version
go version go1.17.10 linux/amd64
Versus
$ sudo apt install golang
$ go version
go version go1.15.15 linux/amd64
Hey there! I came across this project and it fits my goals almost to a T for what I am looking for! I just had one question (hoping this is already how this works and not additional features)
I aim to have custom expiration based on the policy / ip/port being connected to. This is to allow say, VPNing in to access my email server to require MFA each time, but VPNing in to route to my diagram software to only need it once a month.
I do not believe this is currently possible, but wanted to check!
Hi,
First, thanks for the project... I like WireGuard, and MFA on top of it... great.
Do you think it would be a good idea to use the client-src-IP/port as a parameter to time out a session?
Meaning: if the client-src-ip or client-src-port changes, a re-authentication is required.
The solution with a time-based session-timeout... hmm...
Users should be able to add multiple MFA devices so they aren't immediately locked out on MFA device loss.
Currently the only way to do this is by adding another wireguard device, which is not ideal for single user deployments.
You made me work hard for this update :D
Needed to upgrade to go 1.18 from 1.17 as a module requires 1.18. This meant an upgrade from Alpine 3.15 to 3.16 to get go 1.18
Then the change in the config.json required the creation of a "Wireguard": {} stanza as per the new documented example_config.json.
A release notes file would be useful to prevent prolonged downtime when upgrading.
Hi
I'm trying to set up WAG on my local intranet but the eBPF firewall blocks the connection by returning XDP_DROP.
This seems to be due to the Device having sessionExpiry = 0, as pasted below as output from kernel ring buffer.
Steps:
Modified internal/router/xdp.c to print the checks done that result in XDP_DROP and also the values of each test branch.
$ sudo cat /sys/kernel/debug/tracing/trace_pipe
kworker/3:0-4612 [003] d.s1 8233.786962: bpf_trace_printk: conntrack(): *isAccountLocked || isTimedOut || current_device->
kworker/3:0-4612 [003] d.s1 8233.787763: bpf_trace_printk: current_device->sessionExpiry == 0
kworker/3:0-4612 [003] d.s1 8233.787770: bpf_trace_printk: currentTime > current_device->sessionExpiry
kworker/3:0-4612 [003] d.s1 8233.787771: bpf_trace_printk: xdp_wag_firewall() = XDP_DROP
Is there something I didn't understand from the Usage guides or is this actually a bug in WAG?
Thank you!
Hello,
So I try to get HTTPS in front of the MFA portal, but as soon as I change it, no connection can be established.
tcpdump shows traffic, but no response from the portal.
Is there any limitation built into your webserver?
Hello!
I've set NAT to false and am trying to get WAG to route traffic to another host on the same LAN as the WAG server.
But all my attempts failed.
Is this feature supported and what do I need to do to get it?
I saw the section with Limitations, but I don't quite understand if it fits this case
Would be great to have support for IPv6 as well as IPv4 :)
Due to the change in how ACLs are parsed when a device is registered it may get a list of AllowedIps that contains the port definitions.
Happens on versions after v5.0.0
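Added example, not wag's own code: a parser for the ACL entry forms quoted in the issues on this page ("10.125.0.1/32 8080/any", "10.125.0.0/16 1-8079/any 8081-10000/any", bare "10.0.6.254") that derives a peer's AllowedIPs from the address parts alone, so a port definition can never end up in the WireGuard peer config. The grammar (address[/prefix] followed by zero or more port-or-range/proto tokens with proto one of tcp, udp, icmp, any) is an assumption inferred from those entries, not taken from wag's parser.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// PortRule is one "port/proto" or "low-high/proto" token of an ACL entry.
type PortRule struct {
	Low, High uint16
	Proto     string // assumed protocol set: "tcp", "udp", "icmp" or "any"
}

// ACLEntry is a parsed policy entry such as "10.125.0.1/32 8080/any".
type ACLEntry struct {
	Prefix netip.Prefix // the only part that belongs in a peer's AllowedIPs
	Ports  []PortRule   // firewall-only; must never reach AllowedIPs
}

// parsePortRule parses "8080/any" or "1-8079/any".
func parsePortRule(tok string) (PortRule, error) {
	portPart, proto, ok := strings.Cut(tok, "/")
	if !ok {
		return PortRule{}, fmt.Errorf("port rule %q has no /proto", tok)
	}
	switch proto {
	case "tcp", "udp", "icmp", "any":
	default:
		return PortRule{}, fmt.Errorf("port rule %q: unknown protocol %q", tok, proto)
	}
	lowS, highS, isRange := strings.Cut(portPart, "-")
	if !isRange {
		highS = lowS
	}
	low, err := strconv.ParseUint(lowS, 10, 16)
	if err != nil {
		return PortRule{}, fmt.Errorf("port rule %q: bad port %q", tok, lowS)
	}
	high, err := strconv.ParseUint(highS, 10, 16)
	if err != nil {
		return PortRule{}, fmt.Errorf("port rule %q: bad port %q", tok, highS)
	}
	if low > high {
		return PortRule{}, fmt.Errorf("port rule %q: reversed range", tok)
	}
	return PortRule{Low: uint16(low), High: uint16(high), Proto: proto}, nil
}

// ParseACLEntry splits an entry into its address and port rules; a bare address is a /32 host.
func ParseACLEntry(entry string) (ACLEntry, error) {
	fields := strings.Fields(entry)
	if len(fields) == 0 {
		return ACLEntry{}, fmt.Errorf("empty ACL entry")
	}
	addr := fields[0]
	if !strings.Contains(addr, "/") {
		addr += "/32"
	}
	prefix, err := netip.ParsePrefix(addr)
	if err != nil {
		return ACLEntry{}, fmt.Errorf("ACL entry %q: %w", entry, err)
	}
	out := ACLEntry{Prefix: prefix.Masked()}
	for _, tok := range fields[1:] {
		pr, err := parsePortRule(tok)
		if err != nil {
			return ACLEntry{}, fmt.Errorf("ACL entry %q: %w", entry, err)
		}
		out.Ports = append(out.Ports, pr)
	}
	return out, nil
}

// AllowedIPs derives a peer's AllowedIPs from policy entries: deduplicated prefixes only, every port definition dropped.
func AllowedIPs(entries []string) ([]string, error) {
	seen := map[netip.Prefix]bool{}
	var out []string
	for _, e := range entries {
		parsed, err := ParseACLEntry(e)
		if err != nil {
			return nil, err
		}
		if !seen[parsed.Prefix] {
			seen[parsed.Prefix] = true
			out = append(out, parsed.Prefix.String())
		}
	}
	return out, nil
}

func main() {
	// Constructed sample policy using the entry forms quoted in the issues above.
	ips, err := AllowedIPs([]string{"10.125.0.1/32 8080/any", "10.125.0.0/16 1-8079/any 8081-10000/any", "10.0.6.254"})
	fmt.Println(ips, err)
}
```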
Hi
Thank you for a great project, it is really useful.
Would it be possible to extend wag to support user authentication using the OpenID Connect / OAuth 2.0 protocol? This would add the benefit of both simplifying the user management and allowing for a rich set of MFA solutions, in addition to supporting single sign-on from different providers. Authentication could be implemented using locally hosted services, e.g. by using implementations such as Keycloak, or provided by trusted third parties, for example Google or GitHub?
https://github.com/coreos/go-oidc
https://pkg.go.dev/golang.org/x/oauth2#section-readme
Examples:
https://fusionauth.io/blog/2020/10/22/securing-a-golang-app-with-oauth
https://medium.com/@pliutau/getting-started-with-oauth2-in-go-2c9fae55d187
After upgrading/pulling the latest version, when using the version option, it returns UNKNOWN
$ sudo ./wag version
UNKNOWN
Other than that, it appears to behave as previously.
Hi, is it possible to have a network map of the example you published? I can't understand the rules and how it handles the rules after I've authenticated. It would seem that it works only for internal networks and not through a public IP, and therefore WireGuard input from a public IP. Thank you
It would be nice for Wag to have a CLI command to generate a configuration file interactively.
For example
What is the public address your devices will connect to? 1.2.3.4:4321
What help email would you like displayed on the auth page? [email protected]
.. etc ..
As discussed, would be a cool feature to make a re-usable registration token, that generates a new key on each use, or something?
Edited config.json and added an IP address to a policy (10.0.4.125/32), then tried to use reload.
"group:infrastructure": {
"Mfa": [
"10.0.4.24/32",
"10.0.4.125/32"
]
},
sudo ./wag reload
2022/09/08 18:59:10 Unable to reload config: Unable to load configuration file from : open : no such file or directory
Stop and start wag and it fires up as it should with the new rule.
Have to say I'm rather impressed by this so far. I was expecting it to add in lots of iptables rules that I could see happening, but I see it uses XDP eBPF, which must be where the cleverness hides.
If you have a mind for future expansion, I'd consider further authentication modules, maybe as plugins. LDAP, OpenIDC, maybe SAML, even a simple database auth.
Keep up the excellent work
Hi All
In OpenVPN, our clients are able to access each other using the VPN tunnel IP address. We are unable to do this with WAG.
10.125.0.0/16 is the VPN tunnel network. 10.125.0.1 is the VPN tunnel IP address of the WG interface of our WG "server".
The config below does not work because the Mfa takes precedence over the Allow. So 10.125.0.1 also requires MFA and therefore we cannot reach http://10.125.0.1:8080 to enter the MFA code.
"group:users": {
"Allow": [
"10.125.0.1/32 8080/any"
],
"Mfa": [
"10.125.0.0/16",
"192.168.5.0/24",
"192.168.6.0/24"
]
},
To make it work, we have to remove the "10.125.0.0/16" from the Mfa. The config below works:
"group:users": {
"Allow": [
"10.125.0.1/32 8080/any"
],
"Mfa": [
"192.168.5.0/24",
"192.168.6.0/24"
]
},
But we want to be able to reach all the other peers in the VPN tunnel network 10.125.0.0/16 like we can do with OpenVPN. We tried doing "Mfa": [ "10.125.0.0/16 1-8079/any 8081-10000/any"] but it didn't work.
"Mfa": ["10.125.0.1 1-8079/any 8081-10000/any"]
also did not work.
Looks like there's no way to do this?
Except specifying all the peer IP addresses in 10.125.0.0/16 one by one, except 10.125.0.1 (since "10.125.0.1 1-8079/any 8081-10000/any" does not work)?
Thank you very much in anticipation.
I'm trying to create a 2.0.0 installation using Alpine or Debian, and I am struggling with the prerequisites. In particular glibc-2.34+.
Can I ask what base OS you were using to install WAG?
I tried your package (binary) and it seems to work i.e. webui (admin) opens, I can add devices and I get the wireguard config via curl, and the remote peer connects.
But I fail to understand how to enter MFA.
In the docs is written:
Entering MFA
"To authenticate the user should browse to the servers vpn address, in the example, case 192.168.1.1:8080, where they will be prompted for their 2fa code.
The configuration file specifies how long a session can live for, before expiring."
I have no idea WHICH server VPN address to call: is it the external IP VPN address or the internal (VPN) one?
I get a 404/not found error at http://externalipaddress:8080 and an SSL error with https://externalvpnaddress:8080
The management interface works.
Is there a working example... somewhere? The docs are quite confusing on many subjects.
Thanks a lot.
Hi,
Thank you for a great product. It is very helpful for me!
Would it be possible to extend wag to support PresharedKey?
PresharedKey is a standard feature of WireGuard.
ref.: https://man7.org/linux/man-pages/man8/wg.8.html#CONFIGURATION_FILE_FORMAT
I would like to use PresharedKey to improve security.
I want to ask how to set wireguard PostUp and PostDown settings in config.json?
Even with CertPath and KeyPath set, the management UI runs without TLS.
"ManagementUI": {
"ListenAddress": "10.0.0.78:8443",
"Enabled": true,
"CertPath": "/etc/letsencrypt/live/domain.tld/fullchain.pem",
"KeyPath": "/etc/letsencrypt/live/domain.tld/privkey.pem"
},
$ curl https://10.0.0.78:8443
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
$ curl http://10.0.0.78:8443
<a href="/login">Temporary Redirect</a>.
PS. Nice job on the web GUI.
Need to make it so that when each peer is added/removed that the change is synced to the disk.
Building the latest version:
$ make
BPF_CLANG=clang BPF_CFLAGS='-O2 -g -Wall -Werror' go generate ./...
Compiled /opt/wag/internal/router/bpf_bpfeb.o
Stripped /opt/wag/internal/router/bpf_bpfeb.o
Wrote /opt/wag/internal/router/bpf_bpfeb.go
Compiled /opt/wag/internal/router/bpf_bpfel.o
Stripped /opt/wag/internal/router/bpf_bpfel.o
Wrote /opt/wag/internal/router/bpf_bpfel.go
cd ui/src; npm install; gulp build
/bin/sh: npm: not found
/bin/sh: gulp: not found
make: *** [Makefile:21: .build_ui] Error 127
sudo apk add npm
sudo npm install --global gulp-cli
Your current version takes all IPs which the client has to access and puts them into AllowedIPs. It would be nice to overwrite them. So e.g. instead of:
Simply 10.0.0.0/8 if needed
e.g. ConfigKey OverwriteAllowedIPs= 10.0.0.0/8, 192.168.0.0/16
I hope it's understandable.
So far everything is running; I only have the problem that, apart from the server, no other devices can ping WireGuard peers, or generally no communication can be established.
// Accept forwarded traffic from the LAN interface (ens160) into the wg0 interface.
err = ipt.Append("filter", "FORWARD", "-i", "ens160", "-o", "wg0", "-j", "ACCEPT")
if err != nil {
    return err
}
So I added this code in iptables.go before line 29 to allow incoming traffic from the interface where everything else is connected to the wg0 interface.
There should be a way to allow this, but I do not really know how. How I solved it allows EVERYTHING from internal; that's maybe not the best way.
If a user is using 3rd party wifi/4G etc. when they roam between points and get a new connection they will be seen as a new connection. This will cause a need to revisit the OTP page to reauth. I have a few users who see this as an issue.
Is there any thought you have toward maintaining authentication between roaming changes?
sudo -u wag git clone https://github.com/NHAS/wag.git
cd /home/wag/wag
sudo -u make OR sudo make: both not working
sudo ./wag start
BPF_CLANG=clang BPF_CFLAGS='-O2 -g -Wall -Werror' go generate ./...
go: downloading golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde
go: downloading golang.zx2c4.com/wireguard v0.0.0-20230304142546-b6a68cf211aa
go: downloading github.com/NHAS/webauthn v0.0.0-20230305085302-c94263588cef
go: downloading github.com/mattn/go-sqlite3 v1.14.16
go: downloading golang.org/x/crypto v0.7.0
go: downloading github.com/cilium/ebpf v0.10.0
go: downloading github.com/coreos/go-iptables v0.6.0
go: downloading github.com/mdlayher/netlink v1.7.1
go: downloading golang.org/x/sys v0.6.0
go: downloading github.com/boombuler/barcode v1.0.1
go: downloading github.com/pquerna/otp v1.4.0
go: downloading github.com/zitadel/oidc v1.13.0
go: downloading github.com/josharian/native v1.1.0
go: downloading github.com/mdlayher/socket v0.4.0
go: downloading golang.org/x/net v0.8.0
go: downloading github.com/golang-jwt/jwt/v4 v4.5.0
go: downloading github.com/golang-jwt/jwt v3.2.2+incompatible
go: downloading github.com/google/go-tpm v0.3.3
go: downloading github.com/google/uuid v1.3.0
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading golang.org/x/oauth2 v0.6.0
go: downloading gopkg.in/square/go-jose.v2 v2.6.0
go: downloading github.com/gorilla/securecookie v1.1.1
go: downloading golang.org/x/text v0.8.0
go: downloading golang.org/x/sync v0.1.0
go: downloading github.com/mdlayher/genetlink v1.3.1
go: downloading github.com/go-webauthn/revoke v0.1.9
go: downloading github.com/fxamacker/cbor/v2 v2.4.0
go: downloading github.com/gorilla/schema v1.2.0
go: downloading github.com/x448/float16 v0.8.4
Compiled /home/wag/wag/internal/router/bpf_bpfel.o
Stripped /home/wag/wag/internal/router/bpf_bpfel.o
Wrote /home/wag/wag/internal/router/bpf_bpfel.go
Compiled /home/wag/wag/internal/router/bpf_bpfeb.o
Stripped /home/wag/wag/internal/router/bpf_bpfeb.o
Wrote /home/wag/wag/internal/router/bpf_bpfeb.go
cd ui/src; npm install; gulp build
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
added 491 packages, and audited 492 packages in 15s
29 packages are looking for funding
run `npm fund` for details
7 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
[10:42:20] Using gulpfile ~/wag/ui/src/gulpfile.js
[10:42:20] Starting 'build'...
[10:42:20] Starting 'clean'...
[10:42:20] Finished 'clean' after 26 ms
[10:42:20] Starting 'modules'...
[10:42:20] Finished 'modules' after 145 ms
[10:42:20] Starting 'js'...
[10:42:20] Starting 'scss'...
[10:42:20] Finished 'js' after 364 ms
Deprecation Warning: Using / for division outside of calc() is deprecated and will be removed in Dart Sass 2.0.0.
Recommendation: math.div($spacer, 2) or calc($spacer / 2)
More info and automated migrator: https://sass-lang.com/d/slash-div
╷
302 │ $headings-margin-bottom: $spacer / 2 !default;
│ ^^^^^^^^^^^
╵
vendor/bootstrap/scss/_variables.scss 302:31 @import
vendor/bootstrap/scss/bootstrap.scss 9:9 @import
scss/sb-admin-2.scss 5:9 root stylesheet
Deprecation Warning: Using / for division outside of calc() is deprecated and will be removed in Dart Sass 2.0.0.
Recommendation: math.div($input-padding-y, 2) or calc($input-padding-y / 2)
More info and automated migrator: https://sass-lang.com/d/slash-div
╷
498 │ $input-height-inner-quarter: add($input-line-height * .25em, $input-padding-y / 2) !default;
│ ^^^^^^^^^^^^^^^^^^^^
╵
vendor/bootstrap/scss/_variables.scss 498:73 @import
vendor/bootstrap/scss/bootstrap.scss 9:9 @import
scss/sb-admin-2.scss 5:9 root stylesheet
Deprecation Warning: Using / for division outside of calc() is deprecated and will be removed in Dart Sass 2.0.0.
Recommendation: math.div($custom-control-indicator-size, 2) or calc($custom-control-indicator-size / 2)
More info and automated migrator: https://sass-lang.com/d/slash-div
╷
568 │ $custom-switch-indicator-border-radius: $custom-control-indicator-size / 2 !default;
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
╵
vendor/bootstrap/scss/_variables.scss 568:49 @import
vendor/bootstrap/scss/bootstrap.scss 9:9 @import
scss/sb-admin-2.scss 5:9 root stylesheet
Deprecation Warning: Using / for division outside of calc() is deprecated and will be removed in Dart Sass 2.0.0.
Recommendation: math.div($spacer, 2) or calc($spacer / 2)
More info and automated migrator: https://sass-lang.com/d/slash-div
╷
713 │ $nav-divider-margin-y: $spacer / 2 !default;
│ ^^^^^^^^^^^
╵
vendor/bootstrap/scss/_variables.scss 713:37 @import
vendor/bootstrap/scss/bootstrap.scss 9:9 @import
scss/sb-admin-2.scss 5:9 root stylesheet
Deprecation Warning: Using / for division outside of calc() is deprecated and will be removed in Dart Sass 2.0.0.
Recommendation: math.div($spacer, 2) or calc($spacer / 2)
More info and automated migrator: https://sass-lang.com/d/slash-div
╷
718 │ $navbar-padding-y: $spacer / 2 !default;
│ ^^^^^^^^^^^
╵
vendor/bootstrap/scss/_variables.scss 718:37 @import
vendor/bootstrap/scss/bootstrap.scss 9:9 @import
scss/sb-admin-2.scss 5:9 root stylesheet
Warning: 64 repetitive deprecation warnings omitted.
[10:42:23] gulp-autoprefixer:
autoprefixer: /home/wag/wag/ui/src/scss/sb-admin-2.css:3269:3: Replace color-adjust to print-color-adjust. The color-adjust shorthand is currently deprecated.
[10:42:23] Finished 'scss' after 3.24 s
[10:42:23] Starting 'css'...
[10:42:24] Finished 'css' after 676 ms
[10:42:24] Finished 'build' after 4.1 s
go build -ldflags="-X 'github.com/NHAS/wag/internal/config.Version=v5.1.1'"
WAG:
newest (5.1.1)
GO:
go version go1.20.2 linux/amd64
Clang:
Ubuntu clang version 14.0.0-1ubuntu1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64
2023/03/10 10:43:38 can do migrations, backing up database to devices.db.20230310104338.bak
2023/03/10 10:43:38 Running migration: 202206251953_inital.sql
2023/03/10 10:43:38 Running migration: 202210171955_rename_totp_devices_table.sql
2023/03/10 10:43:38 Running migration: 20221130174858_registration_update_device.sql
2023/03/10 10:43:38 Running migration: 20221130203322_multi_device.sql
2023/03/10 10:43:38 Running migration: 20221217161441_add_mfa_type.sql
2023/03/10 10:43:38 Running migration: 20221224115527_add_registration_groups.sql
2023/03/10 10:43:38 Running migration: 20230123215232_add_ui_users.sql
2023/03/10 10:43:38 Running migration: 20230211004046_preshared_key.sql
; int xdp_wag_firewall(struct xdp_md *ctx)
0: (b7) r2 = 0
; struct ip ip_info = {0};
1: (63) *(u32 *)(r10 -28) = r2
last_idx 1 first_idx 0
regs=4 stack=0 before 0: (b7) r2 = 0
2: (63) *(u32 *)(r10 -32) = r2
3: (63) *(u32 *)(r10 -36) = r2
4: (b7) r6 = 1
; void *data_end = (void *)(long)ctx->data_end;
5: (61) r2 = *(u32 *)(r1 +4)
; void *data = (void *)(long)ctx->data;
6: (61) r1 = *(u32 *)(r1 +0)
; if ((void *)(ip + 1) > data_end)
7: (bf) r3 = r1
8: (07) r3 += 20
; if ((void *)(ip + 1) > data_end)
9: (2d) if r3 > r2 goto pc+244
R1_w=pkt(id=0,off=0,r=20,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=20,r=20,imm=0) R6_w=inv1 R10=fp0 fp-32=00000000 fp-40=0000????
; if (ip->version != 4)
10: (71) r3 = *(u8 *)(r1 +0)
; if (ip->version != 4)
11: (57) r3 &= 240
; if (ip->version != 4)
12: (55) if r3 != 0x40 goto pc+241
R1_w=pkt(id=0,off=0,r=20,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=inv64 R6_w=inv1 R10=fp0 fp-32=00000000 fp-40=0000????
; ip_info->proto = ip->protocol;
13: (71) r3 = *(u8 *)(r1 +9)
14: (b7) r8 = 0
; ip_info->src_port = 0;
15: (6b) *(u16 *)(r10 -36) = r8
last_idx 15 first_idx 0
regs=100 stack=0 before 14: (b7) r8 = 0
; ip_info->proto = ip->protocol;
16: (63) *(u32 *)(r10 -24) = r3
; switch (ip->protocol)
17: (15) if r3 == 0x1 goto pc+11
R1=pkt(id=0,off=0,r=20,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6=inv1 R8=invP0 R10=fp0 fp-24=????mmmm fp-32=00000000 fp-40=0000????
18: (15) if r3 == 0x6 goto pc+18
R1=pkt(id=0,off=0,r=20,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6=inv1 R8=invP0 R10=fp0 fp-24=????mmmm fp-32=00000000 fp-40=0000????
19: (55) if r3 != 0x11 goto pc+31
R1=pkt(id=0,off=0,r=20,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=inv17 R6=inv1 R8=invP0 R10=fp0 fp-24=????mmmm fp-32=00000000 fp-40=0000????
; struct udphdr *udph = (data + (ip->ihl * 4));
20: (71) r3 = *(u8 *)(r1 +0)
; struct udphdr *udph = (data + (ip->ihl * 4));
21: (67) r3 <<= 2
22: (57) r3 &= 60
; struct udphdr *udph = (data + (ip->ihl * 4));
23: (bf) r4 = r1
24: (0f) r4 += r3
last_idx 24 first_idx 17
regs=8 stack=0 before 23: (bf) r4 = r1
regs=8 stack=0 before 22: (57) r3 &= 60
regs=8 stack=0 before 21: (67) r3 <<= 2
regs=8 stack=0 before 20: (71) r3 = *(u8 *)(r1 +0)
; if (udph + 1 > (struct udphdr *)data_end)
25: (bf) r5 = r4
26: (07) r5 += 8
; if (udph + 1 > (struct udphdr *)data_end)
27: (2d) if r5 > r2 goto pc+226
R1=pkt(id=0,off=0,r=20,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=invP(id=0,umax_value=60,var_off=(0x0; 0x3c)) R4=pkt(id=1,off=0,r=8,umax_value=60,var_off=(0x0; 0x3c)) R5=pkt(id=1,off=8,r=8,umax_value=60,var_off=(0x0; 0x3c)) R6=inv1 R8=invP0 R10=fp0 fp-24=????mmmm fp-32=00000000 fp-40=0000????
28: (05) goto pc+16
; struct udphdr *udph = (data + (ip->ihl * 4));
45: (bf) r2 = r1
46: (0f) r2 += r3
;
47: (69) r8 = *(u16 *)(r2 +2)
invalid access to packet, off=2 size=2, R2(id=2,off=2,r=0)
R2 offset is outside of the packet
processed 32 insns (limit 1000000) max_states_per_insn 0 total_states 2 peak_states 2 mark_read 2
2023/03/10 10:43:38 Removing Firewall rules...
2023/03/10 10:43:38 unable to start router: loading objects: field XdpWagFirewall: program xdp_wag_firewall: load program: permission denied: invalid access to packet, off=2 size=2, R2(id=2,off=2,r=0): R2 offset is outside of the packet (68 line(s) omitted)
When starting from a different directory, I'm unable to specify a path to the config.json.
$ /opt/wag/wag start --config ./config.json
flag provided but not defined: -config
Usage of start:
Error: flag provided but not defined: -config
Usage of start:
Run the wag server on the settings found in config.json
But the help details how:
$ /opt/wag/wag -h
Wag
Adds 2fa and device enrolment to wireguard deployments.
Supported commands: start, cleanup, reload, registration, devices, firewall
All commands require:
-config string
Configuration file location (default "./config.json")
At the moment, I have to download the source and customize the template files.
Maybe it is possible that the compiled version looks for a folder where the templates are in.
$ sudo ./wag version
remote
Version: v4.1.1-1-gf055b4c
Hash: 853da9fd51248b4cb68c9418b6e3fc871b7dad492521b5b7bb02689c14d04633
I just registered a new user, and it generated the config for me.
[Interface]
PrivateKey = SuperSecretKey
DNS = 10.10.6.254/32
Address = 192.168.254.27
[Peer]
Endpoint = 82.123.123.123:51821
PresharedKey = SuperSecretKey
PublicKey = SecretKey
AllowedIPs = ...
PersistentKeepAlive = 10
I wasn't paying attention, and then wondered why it never used resolvd and I could not do any DNS lookups.
It stuck a bogus /32 onto the DNS entry. Removed this and DNS now works.
Very nice.
I'm just testing it out and picked one small issue. When stopping, it leaves one iptables rule behind. So next time you start you get another one, and another one, etc.
-A INPUT -i wg0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i wg0 -p tcp -m tcp --dport 8080 -j ACCEPT
The wag WireGuard endpoint watcher mechanism detects that the peers have changed from <nil> to a value; this causes them to be de-authenticated, kind of defeating the point of hot upgrading.
This can be solved by adding a field to the database table Totp that records the last endpoint and sets it on device startup.
// Masquerade all traffic leaving the WireGuard client range (NAT mode).
err = ipt.Append("nat", "POSTROUTING", "-s", config.Values().Wireguard.Range.String(), "-j", "MASQUERADE")
if err != nil {
    return err
}
Me again,
It would be great if you could set whether the traffic should be routed or NATted, since routing can later be used to clearly identify which request comes from which client.
DEFAULT: false
"routing": "false"
If routing is true, just skip that code
Hope it is understandable.
Hi All
When we start the wag service, we got this:
root@server015:/opt/wag# systemctl status wag
● wag.service - Wireguard Manager
Loaded: loaded (/etc/systemd/system/wag.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Thu 2023-04-20 03:50:04 PDT; 5s ago
Process: 345636 ExecStart=/opt/wag/wag start (code=exited, status=1/FAILURE)
Process: 345678 ExecStopPost=/opt/wag/wag cleanup (code=exited, status=1/FAILURE)
Main PID: 345636 (code=exited, status=1/FAILURE)
root@server015:/opt/wag#
root@server015:/opt/wag# journalctl -u wag
Apr 20 03:58:39 pa015 systemd[1]: Started Wireguard Manager.
Apr 20 03:58:39 pa015 wag[349530]: 2023/04/20 03:58:39 Removing Firewall rules...
Apr 20 03:58:39 pa015 wag[349530]: 2023/04/20 03:58:39 unable to start router: could not attach XDP program: bpf_link not supported (>
Apr 20 03:58:39 pa015 systemd[1]: wag.service: Main process exited, code=exited, status=1/FAILURE
Apr 20 03:58:39 pa015 wag[349572]: 2023/04/20 03:58:39 Cleaning up
Apr 20 03:58:39 pa015 wag[349572]: 2023/04/20 03:58:39 Removing Firewall rules...
Apr 20 03:58:39 pa015 wag[349572]: 2023/04/20 03:58:39 Unable to clean up firewall rules: running [/usr/sbin/iptables -t filter -D F>
Apr 20 03:58:39 pa015 wag[349572]: 2023/04/20 03:58:39 Unable to clean up firewall rules: running [/usr/sbin/iptables -t filter -D F>
We are running Wag and Wireguard on Ubuntu 20.04.1.
Thank you very much in anticipation.
Line 36 in 66fc1b2
└─# make
BPF_CLANG=clang BPF_CFLAGS='-O2 -g -Wall -Werror' go generate ./...
go: downloading golang.zx2c4.com/wireguard/wgctrl v0.0.0-20220916014741-473347a5e6e3
go: downloading github.com/mattn/go-sqlite3 v1.14.15
go: downloading golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d
go: downloading github.com/pquerna/otp v1.3.0
go: downloading github.com/cilium/ebpf v0.9.3
go: downloading github.com/mdlayher/netlink v1.6.2
go: downloading github.com/coreos/go-iptables v0.6.0
go: downloading golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43
go: downloading golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
go: downloading github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
go: downloading github.com/josharian/native v1.0.0
go: downloading github.com/mdlayher/socket v0.2.3
go: downloading golang.org/x/net v0.0.0-20221014081412-f15817d10f9b
go: downloading golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7
go: downloading github.com/mdlayher/genetlink v1.2.0
Error: exec: "llvm-strip": executable file not found in $PATH
exit status 1
router/routes.go:36: running "go": exit status 1
make: *** [Makefile:12: .generate_ebpf] Error 1
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf xdp.c -- -I headers
It is wrong to attach the two //, but just detach them and the make continues.
// go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf xdp.c -- -I headers
bye bye
It would be very useful to include the DNS directive in the users config.
In my case, I add the DNS into the wg0.conf before giving it to the user. In the ACLs I have a policy that allows the wildcard "*" to access the DNS server's IP address. The DNS server has a record for otp. After a user connects using WireGuard they can then visit http://otp to authenticate.
config.json
"Policies": {
"*": {
"Allow": [
"10.0.6.254"
]
},
wg0.conf
[Interface]
PrivateKey = SuperSecretKey
DNS = 10.0.6.254
Address = 192.168.4.4
Hi
Thank you for a great product!
Would it be possible to extend wag to limit users & groups by destination port?
For example, I need to allow 'public' users only the specific destination port "10.10.0.1:8080", but for MFA users allow a port range "10.10.0.1:2000-3000". As I discovered, XDP is very flexible, but I am a potato at implementing this in C code.
It would be handy for people designing things that autodetect when the VPN has de-authenticated to have an easy way of getting that information.
/status would work perfectly and also be open for sharing more details about the connection.
Hello! I loved this feature and we are using it in real time. But I was looking for a feature: can we redirect to the MFA URL after activating WireGuard in Windows as well as Ubuntu?
Hey there,
there is an issue we have come up with. The setup is the following:
wag runs on a system with the IP 192.168.1.2 and has the IP 10.1.2.1 on its WireGuard interface. The tunnel listener is set to port 443 for the authentication web UI, and the 192.168.1.0/24 network is set as MFA-only for everyone.
The problem is, after the initial WireGuard connection and without authentication, port 443 is accessible on 192.168.1.2 as well, but it shouldn't be without authentication. When the authentication is done, 192.168.1.2 should be accessible on all ports, but still only port 443 is reachable.
Hope you can help us there. Thanks a lot :)
Hello,
I noticed that no license is shown for this project, is this done intentionally?
Wag should be able to interactively generate its own config with wag gen-config
Currently a 2FA TOTP code can be used as many times as a user wants within the 30-second window it is valid.
This may allow a malicious actor who can somehow capture one valid 2FA code to reauthenticate during this time.
So we need to invalidate the token once it has been used.
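Added example, not wag's own code: a TOTP verifier (RFC 6238, HMAC-SHA1, 6 digits) that records the highest accepted time step per user and rejects any code at or below it, so a code captured inside its 30-second window cannot authenticate a second time. The one-step-back skew allowance and the in-memory map are assumptions; a deployment would persist the last accepted counter with the user's device record.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep   = 30 // seconds per TOTP time step
	totpDigits = 6
)

// totpAt computes the RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a Unix time.
func totpAt(secret []byte, unix int64) string {
	counter := uint64(unix) / totpStep
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%1000000)
}

// Verifier accepts each TOTP time step at most once per user.
type Verifier struct {
	mu   sync.Mutex
	used map[string]uint64 // user -> highest counter already consumed
}

func NewVerifier() *Verifier { return &Verifier{used: map[string]uint64{}} }

// Verify checks code against the current step and the one before it (clock skew),
// then records the step so the same code cannot authenticate twice.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	unix := now.Unix()
	v.mu.Lock()
	defer v.mu.Unlock()
	for skew := int64(0); skew <= 1; skew++ {
		t := unix - skew*totpStep
		counter := uint64(t) / totpStep
		if !hmac.Equal([]byte(totpAt(secret, t)), []byte(code)) {
			continue
		}
		// Replay guard: any counter at or below the last accepted one is spent.
		if last, ok := v.used[user]; ok && counter <= last {
			return false
		}
		v.used[user] = counter
		return true
	}
	return false
}

func main() {
	// Constructed demo: the RFC 6238 test secret, checked at Unix time 59.
	secret := []byte("12345678901234567890")
	now := time.Unix(59, 0)
	code := totpAt(secret, now.Unix())
	v := NewVerifier()
	fmt.Printf("code %s: first use accepted=%v\n", code, v.Verify("alice", secret, code, now))
	fmt.Printf("code %s: replay accepted=%v\n", code, v.Verify("alice", secret, code, now))
}
```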
This issue is to discuss the ins-and-outs of making a highly-available Wag.
In general, it would be nice to have the ability to have Wag running on 2 different servers, for a highly available configuration, so if one server fails (or needs to be shut down), then operation can continue.
Since Wag relies on in-memory maps, it would be quite difficult to support an active-active configuration, so instead, allowing for an active-passive (failover) configuration would be nice.
During a failover condition, users would have to re-auth, but I think that's fine.
The first problem I see is the SQLite database cannot be easily shared, so perhaps one of the first steps could be allowing for other databases (Postgres, MySQL..?)
I don't think it should be Wag's responsibility to direct traffic to the different instances. Instead, the administrator should use features of their networking equipment to perform failover, or use something like keepalived with VRRP.