NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License
499 stars, 27 forks

Example for Traefik #59

Closed bvanwiggen closed 1 year ago

bvanwiggen commented 1 year ago

Hi,

Can you provide an example of how to run the VPN via Traefik? The goal is to make the 2FA portal and Management UI available via SSL.

I've added the following labels:

    labels:
      traefik.enable: "1"
      traefik.http.routers.wireguard-token.rule: "Host(`vpn.<URL>.com`) && Path(`/token`)"
      traefik.http.routers.wireguard-token.service: wireguard-token
      traefik.http.services.wireguard-token.loadbalancer.server.port: "8081"

      traefik.http.routers.wireguard-admin.rule: "Host(`vpn.<URL>.com`) && Path(`/admin`)"
      traefik.http.routers.wireguard-admin.service: wireguard-admin
      traefik.http.services.wireguard-admin.loadbalancer.server.port: "8082"

Relevant pieces of config.json:

    "Proxied": true,
    "ExposePorts": [
        "443/tcp"
    ],
    "NAT": true,
    "ManagementUI": {
        "ListenAddress": ":8082",
        "Enabled": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": ":8081"
        },
        "Tunnel": {
            "Port": "8080"
        }
    },

However, I keep getting a Gateway Timeout error from Traefik.

NHAS commented 1 year ago

If your goal is only to use SSL for the management UI, you can use the CertPath and KeyPath options to provide a TLS key pair.

The Proxied option is only for when you've put a reverse proxy in front of the MFA sign-in portal, as it makes wag respect the X-Forwarded-For directive, which can be dangerous if you're not running a reverse proxy in front of it (otherwise a client can pretend to be another client).

All web server options take a key and cert pair.
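The X-Forwarded-For point made above is the one practitioners most often get wrong, so here is an added example written for this page (not code from wag) that contrasts the two behaviours. The function names, the `trustedProxies` list and the sample addresses are assumptions for illustration: a naive handler believes whatever X-Forwarded-For a client sends, while the hardened version only honours the header when the TCP peer is a known reverse proxy, and then takes the rightmost entry (the one that proxy appended) rather than the attacker-controlled leftmost one.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// naiveClientIP is the unsafe pattern: it trusts X-Forwarded-For from anyone.
// A client connecting directly can set the header and impersonate another
// address, which is exactly the risk of enabling a "Proxied" style option
// without a proxy in front.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// clientIP is the hardened pattern (hypothetical, not wag's own code).
//
//   proxied == false: only the TCP peer (r.RemoteAddr) is trusted; any
//                     X-Forwarded-For the client sends is ignored.
//   proxied == true:  the TCP peer must be one of trustedProxies (assumed
//                     list, e.g. the Traefik container's address). Then the
//                     rightmost X-Forwarded-For entry, the one appended by
//                     that proxy, is the client. Anything else falls back to
//                     the peer address rather than believing a header
//                     anyone can forge.
func clientIP(r *http.Request, proxied bool, trustedProxies []string) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if !proxied {
		return peer
	}
	trusted := false
	for _, p := range trustedProxies {
		if p == peer {
			trusted = true
			break
		}
	}
	if !trusted {
		// Header present but peer is not our proxy: treat it as spoofed.
		return peer
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return peer
	}
	parts := strings.Split(xff, ",")
	last := strings.TrimSpace(parts[len(parts)-1])
	if net.ParseIP(last) == nil {
		return peer
	}
	return last
}

// newRequest builds a constructed request with a given TCP peer and header.
func newRequest(remoteAddr, xff string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	proxies := []string{"172.18.0.2"} // assumed address of the reverse proxy

	// Constructed case 1: a direct client (203.0.113.7) forging the header.
	direct := newRequest("203.0.113.7:51000", "10.0.0.1")
	fmt.Println("direct, naive   :", naiveClientIP(direct))          // 10.0.0.1 (spoofed)
	fmt.Println("direct, hardened:", clientIP(direct, true, proxies)) // 203.0.113.7

	// Constructed case 2: same client, but via the trusted proxy, which
	// appends the real address after whatever the client already sent.
	viaProxy := newRequest("172.18.0.2:40000", "10.0.0.1, 203.0.113.7")
	fmt.Println("proxied, naive   :", naiveClientIP(viaProxy))          // 10.0.0.1 (spoofed)
	fmt.Println("proxied, hardened:", clientIP(viaProxy, true, proxies)) // 203.0.113.7
}
```

The trusted-peer check is what makes the header safe to consume; the Proxied flag alone only decides whether to read it, so the proxy address must also be the only path by which the portal is reachable (firewall or bind address), otherwise case 1 above is reachable from the internet.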

bvanwiggen commented 1 year ago

Well, I want to use the auto-renew function Traefik offers, and make sure both the management portal and the token endpoint don't require an additional port forwarding.


NHAS commented 1 year ago

Yep! That makes sense.

I unfortunately haven't used Traefik, so I don't have an example on hand for this.

But your config for wag looks fine to me. It's worth noting that the MFA portal only listens on the WireGuard interface, so you might need to specify an IP address in your reverse proxy config.

Side note: not sure if it's a good idea to allow your VPN clients to always be able to hit your management login page.