NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Need a little help with setup (as a user) #46

Closed Wyk72 closed 1 year ago

Wyk72 commented 1 year ago

I tried your package (binary) and it seems to work i.e. webui (admin) opens, I can add devices and I get the wireguard config via curl, and the remote peer connects.

But I fail to understand how to enter MFA.

In the docs is written:

Entering MFA

"To authenticate the user should browse to the servers vpn address, in the example, case 192.168.1.1:8080, where they will be prompted for their 2fa code. The configuration file specifies how long a session can live for, before expiring."

I have no idea WHICH server VPN address to call: is it the external IP VPN address or the internal (VPN) one?

I get a 404/not found error on http://externalipaddress:8080 and an SSL error with https://externalvpnaddress:8080

Management interface works.

Is there a working example somewhere? The docs are quite confusing on many subjects.

Thanks a lot.

NHAS commented 1 year ago

Howdy. The MFA is entered within the VPN tunnel itself, so it isn't the external server address, it's the internal server address. That depends on how you've configured your WireGuard device in config.json.

So as a client you should browse to whatever your internal server address is (and whatever port you've configured).

If you want you can provide your config file and I can be more specific. Please don't share your private key.

Wyk72 commented 1 year ago

Thanks for the quick reply.

I just need a dumb step-by-step sample configuration, I am just testing your software.

I managed to run it, but I am lost in the details of authentication/MFA, TOTP...

The binary is running on Alpine Linux 3.18 (with glibc binaries), kernel 6.1.34.

Once I have generated a vanilla config file, what are the next steps for a TOTP login?


Wyk72 commented 1 year ago

This is the config file I created:

```json
{
  "Proxied": false,
  "NAT": null,
  "HelpMail": @.*",
  "Lockout": 5,
  "ExternalAddress": "futro.vmtec.top",
  "MaxSessionLifetimeMinutes": 1440,
  "SessionInactivityTimeoutMinutes": 60,
  "ManagementUI": { "ListenAddress": ":4433", "Enabled": true },
  "Webserver": {
    "Public": { "ListenAddress": ":8080" },
    "Tunnel": { "Port": "443" }
  },
  "Authenticators": {
    "Issuer": "WAG",
    "Methods": [ "totp" ],
    "DomainURL": "",
    "OIDC": { "IssuerURL": "", "ClientSecret": "", "ClientID": "" }
  },
  "Wireguard": {
    "DevName": "wg0",
    "ListenPort": 5920,
    "PrivateKey": "***EDITED**",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "PersistentKeepAlive": 25
  },
  "DatabaseLocation": "devices.db",
  "Acls": { "Policies": {} }
}
```

For example, what is the "Tunnel" port 443 for? Does it need to be open on the server?


NHAS commented 1 year ago

So the tunnel port is automatically opened on the wag server.

In this instance you would need to visit: http://10.1.2.1:443

From your client that is using the wireguard profile.

I would recommend changing the port to 80, as you haven't enabled TLS, so having it on the HTTPS port is confusing.

Wyk72 commented 1 year ago

I did it, but nothing happened... I just get a timeout error. The tunnel is alive and I can ping 10.1.2.1.


NHAS commented 1 year ago

Hm.

Okay first please change the port to 80.

Restart wag and then could you give me the output of:

`wag firewall -list`

And the output of `sudo wg` on your client machine, thanks.

Wyk72 commented 1 year ago

```
futro-s720:~# ./wag firewall -list
{
  "testa": {
    "Policies": [
      "10.1.2.1/32 policy [mfa(16) 22/tcp public(20) any/any]",
      "10.7.7.7/32 policy [public(20) any/any]"
    ],
    "Devices": [
      {"LastPacketTimestamp": 0, "Expiry": 0, "IP": "10.1.2.4", "Authorized": false}
    ],
    "AccountLocked": 0
  },
  "tester": {
    "Policies": [
      "10.1.2.1/32 policy [mfa(16) 22/tcp public(20) any/any]",
      "10.7.7.7/32 policy [public(20) any/any]"
    ],
    "Devices": [
      {"LastPacketTimestamp": 0, "Expiry": 0, "IP": "10.1.2.3", "Authorized": false},
      {"LastPacketTimestamp": 0, "Expiry": 0, "IP": "10.1.2.2", "Authorized": false}
    ],
    "AccountLocked": 0
  }
}
```

Client side:

```
:\Users\Admin>wg
interface: WAG
  public key: jFfWDJJINM/Z3SY41w04zj2hmZhMgOKb6vedv6qVzyE=
  private key: (hidden)
  listening port: 64666

peer: 6yQnVq94/dkXyjF1X/2p4xbSeZJYm8GstgxmUMAX1EU=
  preshared key: (hidden)
  endpoint: 31.189.59.109:5920
  allowed ips: 10.0.0.2/32, 10.1.2.1/32, 10.7.7.7/32
  transfer: 0 B received, 3.18 KiB sent
  persistent keepalive: every 10 seconds
```


NHAS commented 1 year ago

That looks correct to me.

What are your firewall rules on your wag server?

Please use:

`iptables -L -n`

Also, can you put your results in code blocks? It's quite difficult to read your output presented this way.

Wyk72 commented 1 year ago

```
futro-s720:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:65522
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:65522
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:65522
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:65522
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

NHAS commented 1 year ago

Hrm.

That's a bug. You are going to need to flush your iptables rules or reboot your machine.

For some reason wag is not removing the firewall rules it added. How are you restarting wag?
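A quick way to confirm the leftover-rule situation NHAS describes before flushing or rebooting, as an added example that is not part of wag or of this thread: the script below reads `iptables -S` output (which, unlike `iptables -L -n`, shows interface matches and reproduces the exact rule spec that `iptables -D` expects), reports every rule that appears more than once, and prints one delete command per surplus copy. The sample listing is constructed to resemble the thread's output; the `wg0` interface match and the `-m conntrack` form are assumptions about how the rules were added, not something taken from wag's source.

```shell
#!/bin/sh
# Added example (not wag's code): detect iptables rules that have been
# appended more than once, e.g. by a service restarting without cleaning up.
# Input format is that of `iptables -S` (one rule spec per line).

# Constructed sample modelled on the listing in this thread. The wg0
# interface match is an assumption; the real rules may differ.
SAMPLE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 65522 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65522 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65522 -j ACCEPT
-A INPUT -i wg0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# duplicate_rules: read rules on stdin, print "<count> <rule>" for every
# rule spec that occurs more than once. Chain policies (-P) are ignored.
duplicate_rules() {
    grep '^-A ' | sort | uniq -c |
    awk '$1 > 1 { c = $1; $1 = ""; sub(/^ /, ""); print c " " $0 }'
}

# extra_deletions: for each duplicated rule emit one `iptables -D` command
# per surplus copy, so that exactly one instance of the rule remains.
# `iptables -D CHAIN <spec>` removes the first matching rule each time.
extra_deletions() {
    grep '^-A ' | sort | uniq -c |
    awk '$1 > 1 {
        n = $1 - 1
        $1 = ""; sub(/^ /, ""); sub(/^-A /, "")
        for (i = 0; i < n; i++) print "iptables -D " $0
    }'
}

echo "== duplicated rules =="
printf '%s\n' "$SAMPLE" | duplicate_rules
echo "== commands to remove surplus copies =="
printf '%s\n' "$SAMPLE" | extra_deletions
```

Against a live box, source the file and run `iptables -S | duplicate_rules`; review the emitted `iptables -D` lines before executing them, since the comparison is by exact rule spec and the script deliberately keeps one copy of each rule rather than removing everything wag added. Rules that differ only in counters or comments are treated as distinct.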

Wyk72 commented 1 year ago

Thanks a million.

After a reboot, it worked flawlessly (I re-built the config file and dev/tokens, starting from a clean config).

I guess my previous attempts at running it messed up iptables.

It runs on a tiny, ancient thin client machine (repurposed as a tiny WireGuard "server" on a 1 Gbit FTTH fibre link) with Alpine Linux in run-from-RAM mode, in a hacky way, because Alpine uses musl instead of glibc, so I had to install glibc 2.32 via a script.

A very beautiful piece of software, this one of yours. It would be nice to have a musl version for tiny devices/OpenWrt routers/Alpine Linux native support.

I'll study it better tomorrow: need time to understand the ACL logic behind it.

Thanks again.

NHAS commented 1 year ago

I'd be interested to know how you were restarting it as it should have removed the iptables rules and definitely should not have been keeping them there.

Unfortunately I will not be able to provide musl at any point, because the underlying sqlite3 driver requires glibc.

But otherwise thanks.

Feel free to close this issue.