h44z / wg-portal

WireGuard Configuration Portal with LDAP connection
https://wgportal.org/
MIT License
880 stars 121 forks

Add mapping of wg interfaces to users group #136

Open krom opened 1 year ago

krom commented 1 year ago

I don't know how to implement it, but I have my own configuration:

My rough idea: add configuration like

WG_DEVICE_WG0_GROUP=CN=WireGuardProfile1,OU=Users,DC=COMPANY,DC=LOCAL
WG_DEVICE_WG1_GROUP=CN=WireGuardProfile2,OU=Users,DC=COMPANY,DC=LOCAL

And if a user is a member of WG_DEVICE_WG1_GROUP, wg_portal will create a peer for WG1, and the user can create peers for himself only for the `WG1` device.

It looks like 2 different portals; for now I can create a sample configuration:

version: '3.6'
services:
  wg-portal1:
    image: h44z/wg-portal:latest
    container_name: wg-portal1
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    # host networking is required so the container can manage the wg* interfaces.
    # With network_mode: host a "ports:" mapping is ignored, so it is omitted here
    # and each instance is given its own listening port via LISTENING_ADDRESS instead.
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data1:/app/data
    environment:
      # WireGuard Settings (this instance manages wg0 only)
      - WG_DEVICES=wg0
      - WG_DEFAULT_DEVICE=wg0
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      - LISTENING_ADDRESS=:8123
      - EXTERNAL_URL=https://vpn1.company.com
      # LDAP Settings
      - LDAP_ENABLED=true
      # plain ldap:// sends the bind password in clear text; use ldaps:// if the server offers it
      - LDAP_URL=ldap://srv-ad01.company.local:389
      - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
      - LDAP_USER=ldap_wireguard@company.local
      # placeholder; note that values set here are visible via "docker inspect"
      - LDAP_PASSWORD=supersecretldappassword
      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
      # only members of vpn_group1 can log in to / are synced into this instance
      - LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}})(memberOf=cn=vpn_group1,cn=groups,cn=accounts,dc=company,dc=local))
      - LDAP_SYNC_FILTER=(&(memberOf=cn=vpn_group1,cn=groups,cn=accounts,dc=company,dc=local)(!(nsaccountlock=TRUE)))
      - LDAP_TYPE=OpenLDAP

  wg-portal2:
    image: h44z/wg-portal:latest
    container_name: wg-portal2
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data2:/app/data
    environment:
      # WireGuard Settings (this instance manages wg1 only)
      - WG_DEVICES=wg1
      - WG_DEFAULT_DEVICE=wg1
      - WG_CONFIG_PATH=/etc/wireguard
      # Core Settings
      # second host-network instance, so it must not reuse :8123
      - LISTENING_ADDRESS=:8124
      - EXTERNAL_URL=https://vpn2.company.com
      # LDAP Settings
      - LDAP_ENABLED=true
      - LDAP_URL=ldap://srv-ad01.company.local:389
      - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
      - LDAP_USER=ldap_wireguard@company.local
      - LDAP_PASSWORD=supersecretldappassword
      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
      # only members of vpn_group2 can log in to / are synced into this instance
      - LDAP_LOGIN_FILTER=(&(objectClass=organizationalPerson)(uid={{login_identifier}})(memberOf=cn=vpn_group2,cn=groups,cn=accounts,dc=company,dc=local))
      - LDAP_SYNC_FILTER=(&(memberOf=cn=vpn_group2,cn=groups,cn=accounts,dc=company,dc=local)(!(nsaccountlock=TRUE)))
      - LDAP_TYPE=OpenLDAP

But I'd like to create only one instance of wg-portal with 2 groups, one group per wg device.
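The mapping proposed above (a WG_DEVICE_<IFACE>_GROUP variable per interface, and a user may only create peers on interfaces whose group they belong to) is small enough to sketch. The following is an added example written for this page, not code from wg-portal; the variable names, the ParseDeviceGroups/AllowedDevices functions and the sample environment and memberOf values are all assumptions. The point it adds beyond the proposal is the part that is easy to get wrong: group DNs coming back from LDAP often differ in case and spacing from the configured value, so the comparison normalizes both sides, and an interface with no configured group is deny-by-default rather than open to everyone.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Hypothetical per-device setting, e.g.
// WG_DEVICE_WG0_GROUP=CN=WireGuardProfile1,OU=Users,DC=COMPANY,DC=LOCAL
const (
	envPrefix = "WG_DEVICE_"
	envSuffix = "_GROUP"
)

// normalizeDN lowercases a DN and strips whitespace around the RDN separators so
// that "CN=Foo, OU=Users" and "cn=foo,ou=users" compare equal. Attribute types
// and the usual directory attribute values are matched case-insensitively by
// LDAP, so an exact string compare would spuriously deny access.
// Limitation: values containing an escaped comma (`\,`) are not handled.
func normalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

// DeviceGroups maps a WireGuard interface name (e.g. "wg0") to the normalized
// DN of the LDAP group whose members may create peers on that interface.
type DeviceGroups map[string]string

// ParseDeviceGroups reads WG_DEVICE_<IFACE>_GROUP entries from a list of
// "KEY=VALUE" strings (the shape returned by os.Environ()). A malformed entry
// (empty interface name or empty DN) is an error rather than being skipped, so
// a typo cannot silently leave a device without a group.
func ParseDeviceGroups(environ []string) (DeviceGroups, error) {
	groups := DeviceGroups{}
	for _, kv := range environ {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(key, envPrefix) || !strings.HasSuffix(key, envSuffix) {
			continue
		}
		iface := strings.TrimSuffix(strings.TrimPrefix(key, envPrefix), envSuffix)
		if iface == "" || strings.TrimSpace(val) == "" {
			return nil, fmt.Errorf("invalid device group setting %q", kv)
		}
		groups[strings.ToLower(iface)] = normalizeDN(val)
	}
	return groups, nil
}

// AllowedDevices returns, sorted, the interfaces a user may create peers on,
// given the memberOf values LDAP returned for that user. An interface that has
// no configured group never appears in the result (deny by default).
func (g DeviceGroups) AllowedDevices(memberOf []string) []string {
	member := make(map[string]bool, len(memberOf))
	for _, dn := range memberOf {
		member[normalizeDN(dn)] = true
	}
	var allowed []string
	for iface, groupDN := range g {
		if member[groupDN] {
			allowed = append(allowed, iface)
		}
	}
	sort.Strings(allowed)
	return allowed
}

func main() {
	// Constructed sample environment (not taken from a real deployment).
	env := []string{
		"WG_DEVICE_WG0_GROUP=CN=WireGuardProfile1,OU=Users,DC=COMPANY,DC=LOCAL",
		"WG_DEVICE_WG1_GROUP=CN=WireGuardProfile2,OU=Users,DC=COMPANY,DC=LOCAL",
		"LDAP_ENABLED=true",
	}
	groups, err := ParseDeviceGroups(env)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed memberOf list in the form a directory might return it: note
	// the different case and spacing compared to the configured DN.
	user := []string{"cn=WireGuardProfile2, ou=Users, dc=company, dc=local"}
	fmt.Println(groups.AllowedDevices(user)) // [wg1]
}
```

In a real portal the memberOf list would come from the same LDAP sync that already populates users, and the device list in the peer-creation form would be filtered through AllowedDevices before rendering, with the same check repeated server-side on submit so the restriction cannot be bypassed by posting a different device name.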

krom commented 1 year ago

It's for v2 of course, because the current version works fine.