
wgrest's Introduction

WGRest


WGRest is a WireGuard REST API server. It controls WireGuard through IPC and doesn't require any dependencies. It aims to be simpler, faster, and usable on embedded devices such as routers or any other low-power, low-memory devices.

WireGuard is a simple and modern VPN. It is cross-platform (Windows, macOS, BSD, iOS, Android).

Swagger UI: https://wgrest.forestvpn.com/swagger/


Features:

  • Manage device: update wireguard interface
  • Manage device's peers: create, update, and delete peers
  • Peer's QR code, for use in WireGuard & ForestVPN client
  • Peers search by query
  • Peers sort by: pub_key, receive_bytes, transmit_bytes, total_bytes, last_handshake_time
  • ACME TLS support
  • Bearer token auth

Check all features here

Install

On Debian / Ubuntu

WGRest server

curl -L https://github.com/suquant/wgrest/releases/latest/download/wgrest_amd64.deb -o wgrest_amd64.deb

dpkg -i wgrest_amd64.deb

WGRest Web App

curl -L https://github.com/suquant/wgrest-webapp/releases/latest/download/wgrest-webapp_amd64.deb -o wgrest-webapp_amd64.deb

dpkg -i wgrest-webapp_amd64.deb

Manual

WGRest optionally comes with a web UI, which is not included in the binary by default. Enabling it takes a few extra steps.

curl -L https://github.com/suquant/wgrest/releases/latest/download/wgrest-linux-amd64 -o wgrest

chmod +x wgrest
./wgrest -h

NAME:
   wgrest - wgrest - rest api for wireguard

USAGE:
   wgrest [global options] command [command options] [arguments...]

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --conf value                wgrest config file path (default: "/etc/wgrest/wgrest.conf") [$WGREST_CONF]
   --version                   Print version and exit (default: false)
   --listen value              Listen address (default: "127.0.0.1:8000") [$WGREST_LISTEN]
   --data-dir value            Data dir (default: "/var/lib/wgrest") [$WGREST_DATA_DIR]
   --static-auth-token value   It is used for bearer token authorization [$WGREST_STATIC_AUTH_TOKEN]
   --tls-domain value          TLS Domains [$WGREST_TLS_DOMAIN]
   --demo                      Demo mode (default: false) [$WGREST_DEMO]
   --device-allowed-ips value  Default device allowed ips. You can overwrite it through api (default: "0.0.0.0/0", "::0/0") [$WGREST_DEVICE_ALLOWED_IPS]
   --device-dns-servers value  Default device DNS servers. You can overwrite it through api (default: "8.8.8.8", "1.1.1.1", "2001:4860:4860::8888", "2606:4700:4700::1111") [$WGREST_DEVICE_DNS_SERVERS]
   --device-host value         Default device host. You can overwrite it through api [$WGREST_DEVICE_HOST]
   --help, -h                  show help (default: false)

For Web UI support you need to:

curl -L https://github.com/suquant/wgrest-webapp/releases/latest/download/webapp.tar.gz -o webapp.tar.gz

sudo mkdir -p /var/lib/wgrest/
sudo chown `whoami` /var/lib/wgrest/
tar -xzvf webapp.tar.gz -C /var/lib/wgrest/

After you start the server, the web UI will be available at http://127.0.0.1:8000/

Run WireGuard REST API Server

wgrest --static-auth-token "secret" --listen "127.0.0.1:8000"
Output:

⇨ http server started on 127.0.0.1:8000

Update wg0 device

curl -v -g \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer secret" \
    -X PATCH \
    -d '{
        "listen_port":51820, 
        "private_key": "cLmxIyJx/PGWrQlevBGr2LQNOqmBGYbVfu4XcRO2SEo="
    }' \
    http://127.0.0.1:8000/v1/devices/wg0/
{
  "name": "wg0",
  "listen_port": 51820,
  "public_key": "7TvriTzbaXdrsGXI8oMrMoNAWrVCXRUfiEvksOewLyg=",
  "firewall_mark": 0,
  "networks": null,
  "peers_count": 7,
  "total_receive_bytes": 0,
  "total_transmit_bytes": 0
}

Get devices

curl -v -g \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer secret" \
    -X GET \
    http://127.0.0.1:8000/v1/devices/
[
  {
    "name": "wg0",
    "listen_port": 51820,
    "public_key": "7TvriTzbaXdrsGXI8oMrMoNAWrVCXRUfiEvksOewLyg=",
    "firewall_mark": 0,
    "networks": null,
    "peers_count": 7,
    "total_receive_bytes": 0,
    "total_transmit_bytes": 0
  }
]

Add peer

curl -v -g \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer secret" \
    -X POST \
    -d '{
        "allowed_ips": ["10.10.1.2/32"], 
        "preshared_key": "uhFI9c9rInyxqgZfeejte6apHWbewoiy32+Bo34xRFs="
    }' \
    http://127.0.0.1:8000/v1/devices/wg0/peers/
{
  "public_key": "zTCuhw7g4Q7YVH6xpCjrz48UJ7qqJBwrXUpuofUTzD8=",
  "url_safe_public_key": "zTCuhw7g4Q7YVH6xpCjrz48UJ7qqJBwrXUpuofUTzD8=",
  "preshared_key": "uhFI9c9rInyxqgZfeejte6apHWbewoiy32+Bo34xRFs=",
  "allowed_ips": [
    "10.10.1.2/32"
  ],
  "last_handshake_time": "0001-01-01T00:00:00Z",
  "persistent_keepalive_interval": "0s",
  "endpoint": "",
  "receive_bytes": 0,
  "transmit_bytes": 0
}

Get peers

curl -v -g \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer secret" \
    -X GET \
    http://127.0.0.1:8000/v1/devices/wg0/peers/
[
  {
    "public_key": "zTCuhw7g4Q7YVH6xpCjrz48UJ7qqJBwrXUpuofUTzD8=",
    "url_safe_public_key": "zTCuhw7g4Q7YVH6xpCjrz48UJ7qqJBwrXUpuofUTzD8=",
    "preshared_key": "uhFI9c9rInyxqgZfeejte6apHWbewoiy32+Bo34xRFs=",
    "allowed_ips": [
      "10.10.1.2/32"
    ],
    "last_handshake_time": "0001-01-01T00:00:00Z",
    "persistent_keepalive_interval": "0s",
    "endpoint": "",
    "receive_bytes": 0,
    "transmit_bytes": 0
  }
]

Get peer's quick config QR code

curl -v -g \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer secret" \
    -X GET \
    http://127.0.0.1:8000/v1/devices/wg0/peers/zTCuhw7g4Q7YVH6xpCjrz48UJ7qqJBwrXUpuofUTzD8=/quick.conf.png?width=256


Delete peer

A WireGuard public key is a standard base64-encoded string, which can contain the characters + and / and is therefore not safe to use in a URI. For that reason, peer_id contains the same public key of the peer, but encoded with the URL-safe base64 encoder.

peer_id can be retrieved either from the peer_id field of the peer list endpoint or by this rule:

python3 -c "import base64; \
    print(\
        base64.urlsafe_b64encode(\
            base64.b64decode('hQ1yeyFy+bZn/5jpQNNrZ8MTIGaimZxT6LbWAkvmKjA=')\
        ).decode()\
    )"

delete peer request

curl -v -g \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer secret" \
    -X DELETE \
    http://127.0.0.1:8000/v1/devices/wg0/peers/hQ1yeyFy-bZn_5jpQNNrZ8MTIGaimZxT6LbWAkvmKjA=/
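
The peer_id rule above, as an added example (not part of the wgrest README or code base): it converts a key in both directions, rejects anything that is not a canonical 32-byte key, and builds the quick.conf.png URL shown earlier with = percent-encoded. The function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import quote

KEY_LEN = 32  # a WireGuard public key is 32 raw bytes (44 base64 characters)
# 43 URL-safe characters plus one '=': no '/', '+' or '.' can get through.
_PEER_ID_RE = re.compile(r"[A-Za-z0-9_-]{43}=")


def peer_id(public_key: str) -> str:
    """Standard-base64 public key -> URL-safe peer_id (hypothetical helper)."""
    try:
        raw = base64.b64decode(public_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not standard base64: {public_key!r}") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(raw)}")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def public_key(pid: str) -> str:
    """URL-safe peer_id -> standard-base64 public key, with strict validation.

    The issue reports further down this page quote errors such as
    "open /var/lib/wgrest/v1/<peer_id>.conf", i.e. the id ends up in a file
    name, so only the exact 44-character URL-safe form is accepted here.
    """
    if not _PEER_ID_RE.fullmatch(pid):
        raise ValueError(f"not a URL-safe peer_id: {pid!r}")
    std = base64.b64encode(base64.urlsafe_b64decode(pid)).decode("ascii")
    if peer_id(std) != pid:  # reject non-canonical encodings of the same key
        raise ValueError(f"non-canonical peer_id: {pid!r}")
    return std


def quick_conf_url(base_url: str, device: str, pubkey: str, width: int = 256) -> str:
    """Build the QR-code URL from the README for a standard-base64 key."""
    pid = quote(peer_id(pubkey), safe="")  # '=' becomes %3D, '-' and '_' stay
    dev = quote(device, safe="")
    return (f"{base_url.rstrip('/')}/v1/devices/{dev}/peers/{pid}"
            f"/quick.conf.png?width={int(width)}")


if __name__ == "__main__":
    # Key taken from the README's own conversion command.
    key = "hQ1yeyFy+bZn/5jpQNNrZ8MTIGaimZxT6LbWAkvmKjA="
    print(peer_id(key))
    print(quick_conf_url("http://127.0.0.1:8000", "wg0", key))
```
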

Credits:

wgrest's People

Contributors

1solpi1, dependabot[bot], sloeuillet, suquant


wgrest's Issues

Help me please to understand WGREST

Step 1. I install WireGuard on my VPS. Now I have the main config /etc/wireguard/wg0.conf

Step 2. I configure this config by CLI and add some peers

Note. Some information has been changed for security (I got this config for example).

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 50669
PrivateKey = rD2wvvYrwc5Ywh+QwUERa2dMVOKMsXIJwIbiTwSex2E=
DNS = 8.8.8.8

[Peer]
PublicKey = tw6VLKNoabFQJ41jggyB7ByVpehzExE0F9hqFv1Zqhw=
PresharedKey = EtRj7RIwwM2jamT1zTNXjKE8hxMvTHrXjvrTEt3YbC1=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

Step 3. Then I install https://github.com/suquant/wgrest (only rest api)

Step 4. When I go here http://127.0.0.1:8000/v1/devices/wg0/peers/ I get all my peers from this config /etc/wireguard/wg0.conf (it works well!)

Step 5. When I go here http://127.0.0.1:8000/v1/devices/wg0/peers/some-key-for-example=/quick.conf.png?width=256

I got Error:

{ "code":"request_params_error", "message":"open /var/lib/wgrest/v1/some-key-for-example=.conf: no such file or directory" }

I see this topic: #30

But I can't understand some things:

  1. When I go to http://127.0.0.1:8000/v1/devices/ I get another config! Not this content: /etc/wireguard/wg0.conf

Question 1: Why does WGREST not see the default config and [Interface]? It shows a different listen_port, public_key, networks, but peers_count (is true)

Question 2: Where does WGREST store its own config and [Interface] with the peers config?

Question 3: How do I make WGREST see the default config /etc/wireguard/wg0.conf (because I want to manage these peers from WGREST as well)

Question 4: What do I need to add here to make QR code generation work?

{
  "allowed_ips": ["0.0.0.0/0", "::0/0"],
  "dns_servers": ["8.8.8.8", "1.1.1.1", "2001:4860:4860::8888", "2606:4700:4700::1111"],
  "host": "my IP"
}

DNS and host are also here, but QR code generation is not working

Thanks!

Creating a new Peer error

Hello. When I send POST /v1/devices/wg0/peers/ I get:

{"code":"wireguard_config_error","message":"open /var/lib/wgrest/v1/f-xqbQdiR7FvM9t5bcxxczRMoqi2YGGs9Jh_Oh8Pc28=3909412520: permission denied"}

Help: Qrcode and config are not generating

curl -X 'GET' \
    'http://..*.66:8000/v1/devices/wg0/peers/79jSrt00g3CPENX-9UY60XoGTrcGZvRd3Hd0tPIlmUA%3D/quick.conf.png?width=500' \
    -H 'accept: image/jpeg' \
    -H 'Authorization: Bearer 436254'

{"code":"request_params_error","message":"open /var/lib/wgrest/v1/79jSrt00g3CPENX-9UY60XoGTrcGZvRd3Hd0tPIlmUA=.conf: no such file or directory"}

How/Where to setup Wireguard itself ?

I'm unable to figure out where this nice package expects WireGuard. In a separate container or locally installed? Does it use the kernel module with wgctrl?

Maybe some additional information in the Readme would be nice.

Thanks for the nice work!

Build monolithic version

Hi,

Is there a way to build a monolithic version of this app so you simply can copy over the binary instead of all your code like it's done now in the Dockerfile ?

Would be great to know what can be excluded from /app in that case.

Thanks!

Too many open files

I am running wgrest on my Unifi UDM Pro (compiled it for arm64) and after a while the error Too many open files pops up (after many calls to the REST endpoint).
It seems like the connections aren't closed, as a simple ls -al /proc/10484/fd shows:

lr-x------    1 root     root            64 Jul 18 15:08 990 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 991 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 992 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 993 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 994 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 995 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 996 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 997 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 998 -> net:[4026531905]
lr-x------    1 root     root            64 Jul 18 15:08 999 -> net:[4026531905]

Are sockets not closed after a request?
My Golang knowledge is limited, I managed to add some extra information to the devices resultset (see my fork) but I am unable to pinpoint where this issue is coming from.

Lost peer after restart wireguard

Hello, is it a problem ?

root@gw1-test:~# wg show
interface: wg0
public key: 6AHHHURSwlvjScldZz6x45BZ0K9dENpRlfe8UD+Q10U=
private key: (hidden)
listening port: 41194

peer: vzw9HxgRYDHV8oYfIzVaRAp7IDa1C6DVhB53jznmciQ=
preshared key: (hidden)
allowed ips: 192.168.6.11/32
root@gw1-test:~#
root@gw1-test:~#
root@gw1-test:~# systemctl restart [email protected]
root@gw1-test:~#
root@gw1-test:~#
root@gw1-test:~# wg show
interface: wg0
public key: 6AHHHURSwlvjScldZz6x45BZ0K9dENpRlfe8UD+Q10U=
private key: (hidden)
listening port: 41194
root@gw1-test:~# systemctl restart wgrest.service
root@gw1-test:~#
root@gw1-test:~#
root@gw1-test:~# wg show
interface: wg0
public key: 6AHHHURSwlvjScldZz6x45BZ0K9dENpRlfe8UD+Q10U=
private key: (hidden)
listening port: 41194

TLS certs

How does the TLS function work ?

It seems it does something with a cache directory but I don't think wgrest requests for a certificate at ACME itself ?

Remove peers

What is the correct way to invoke a peer removal using this API?

Thank you.

Make wg0 API changes persistent

Hi,

Using this great API I see everything for wg0 is in-mem. Is it possible to let WireGuard make it persistent in its wg0.conf?

Thanks again!

restore peers

Hey... I backed up the peers by ready api and stored them in a file. It shows:

analpflaster:~/vpn/backup# cat interfaces/peers_150.json
[
{
"public_key": "HiCUb0B3yDHIl+0uI+2QhtOaWnLO3ld1CI3xINDcZEc=",
"url_safe_public_key": "HiCUb0B3yDHIl-0uI-2QhtOaWnLO3ld1CI3xINDcZEc=",
"allowed_ips": [
"172.1.4.1/32"
],
"last_handshake_time": "0001-01-01T00:00:00Z",
"persistent_keepalive_interval": "25s",
"endpoint": "146.60.226.118:64096",
"receive_bytes": 0,
"transmit_bytes": 3996
}
{
"public_key": "5zaLcXXvX1zRD25jjwv0rNCcKqu6QocYuul5vUjkhFk=",
"url_safe_public_key": "5zaLcXXvX1zRD25jjwv0rNCcKqu6QocYuul5vUjkhFk=",
"allowed_ips": [
"172.1.4.2/32"
],
"last_handshake_time": "0001-01-01T00:00:00Z",
"persistent_keepalive_interval": "25s",
"endpoint": "",
"receive_bytes": 0,
"transmit_bytes": 0
}
]

If I restore it using this JSON file, I get an error:

{"message":"Syntax error: offset=350, error=invalid character '{' after array element"}

I used for restore:
curl -iv POST -H 'Content-Type: application/json' -H "Authorization: Bearer $_key" -d @interfaces/peers_150.json $_api/$_interface1/peers/

Endpoint not working ?

Hi,

I'm trying to add an Endpoint to the peer but it seems to error 500.

Is this not fully implemented yet ?

Thanks!

Mobile Apps

Hi all,

We plan to develop a mobile client app (Android & iOS) that will work with WGRest. The app will work directly with WGRest. It aims to be easy to use for the end-user as well as for admins.

For updates, you can follow this repo https://github.com/forestvpn/wgrest-mobile

Initial user interface

Hi all,

Finally, we decided to initiate UI for wireguard and wgrest.

Some features that will be covered in UI:

  • Manage wireguard device(s) (create, delete, and update some parameters)
  • List of wireguard devices with some stats (peers count, data usage)
  • Manage wireguard device's peer(s) (create, delete, and update some parameters)
  • List of peers with quick actions [delete selected peers]
  • Search peer by pub, priv keys, and by IP addresses

Here is our Figma page for tracking.

Connecting to a new peer

Hi. I'm having some trouble connecting to the new peer. After creating a new peer, I can't connect to it until I restart the docker container or use the route add command. Can you help?
An example of my config:

[Interface]
Address = 10.13.13.1/32
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
ListenPort = 51820
PrivateKey = 

[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.13.13.2/32

internal ip-addresses

Hey,

Is it able to auto-generate peer client addresses using the API?
Also, automatically use the next free peer address?
