ngoduykhanh / wireguard-ui

Wireguard web interface
MIT License

Webui not working #473

Open ali6043 opened 8 months ago

ali6043 commented 8 months ago

Hello, I installed this using Docker, but lately the web UI doesn't work at all.

paulbrause commented 8 months ago

Same problem here.

My docker-compose.yaml:

```yaml
version: "3"

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
```

Docker log of Wireguard:

```
usermod: no changes
───────────────────────────────────────

  ██╗     ███████╗██╗ ██████╗ 
  ██║     ██╔════╝██║██╔═══██╗
  ██║     ███████╗██║██║   ██║
  ██║     ╚════██║██║██║   ██║
  ███████╗███████║██║╚██████╔╝
  ╚══════╝╚══════╝╚═╝ ╚═════╝ 

Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID: 911
User GID: 911
───────────────────────────────────────
Uname info: Linux 05baa72cf85c 6.1.57-1-lts #1 SMP PREEMPT_DYNAMIC Wed, 11 Oct 2023 05:10:50 +0000 x86_64 GNU/Linux
It seems the wireguard module is already active. Skipping kernel header install and module compilation.
Client mode selected.
[custom-init] No custom files found, skipping...
Disabling CoreDNS
Found WG conf /config/wg_confs/wg0.conf, but it doesn't seem to be valid, skipping.
No valid tunnel config found. Please create a valid config and restart the container
[ls.io-init] done.
```

Docker log of Wireguard-UI:

```
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link delete dev wg0
[#]
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.252.1.0/24 dev wg0
[#] ip link set mtu 1450 up dev wg0
[#]
Wireguard UI
App Version : dev
Git Commit : b55543f
Git Ref : N/A
Build Time : 10-26-2023 10:58:16
Git Repo : https://github.com/ngoduykhanh/wireguard-ui
Authentication : true
Bind address : 0.0.0.0:5000
Email from :
Email from name : WireGuard UI
Custom wg.conf :
Base path : /
⇨ http server started on [::]:5000
```

I've mapped the port to 1003, because 5000 is already taken, but even remapping to port 5000 doesn't work.
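A side note on the `is world accessible` warning in the wireguard-ui log above: `wg0.conf` carries the server's private key, and wg-quick prints that warning whenever the file's "other" permission bits are non-zero. The following is an added example (not code from this thread or from the wireguard-ui project) that audits a bind-mounted config directory on the host and tightens any offending file to owner-only access. It assumes a GNU or busybox `stat` that supports `-c '%a'`, and it is stricter than wg-quick's own check in that it also rejects group access.

```shell
#!/bin/sh
# Added example, not from the issue thread or the wireguard-ui project:
# audit and tighten permissions on WireGuard config files, the condition the
# "is world accessible" warning refers to. Assumes GNU/busybox stat.

# Return 0 when the file grants no group/other permissions at all, 1 otherwise.
wg_conf_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        0|*00) return 0 ;;   # e.g. 600, 400, 700: owner-only
        *)     return 1 ;;   # some group/other bit is set
    esac
}

# Restrict the file to owner read/write (0600). wg-quick's warning only looks
# at the "other" bits, so this is a stricter setting than it strictly requires.
wg_conf_harden() {
    chmod 600 "$1"
}

# Audit every *.conf in a directory. Prints one line per file and returns the
# number of files that are still group/world accessible (0 means all private).
wg_conf_audit() {
    bad=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        if wg_conf_is_private "$f"; then
            printf 'ok       %s\n' "$f"
        else
            printf 'WARNING  %s is group/world accessible (mode %s)\n' \
                "$f" "$(stat -c '%a' "$f")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage on the host side of the bind mount from the compose files in this thread:
#   . ./wg_conf_perms.sh; wg_conf_audit /etc/wireguard || wg_conf_harden /etc/wireguard/wg0.conf
```

Run the audit against the host directory that is mounted into the containers (`/config` in the linuxserver image, `/etc/wireguard` in wireguard-ui); a non-zero return from `wg_conf_audit` is a quick signal in a cron job or CI check that a key file has loosened permissions.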

WSjunior commented 8 months ago

Same here

WSjunior commented 8 months ago

Managed to fix it; in my case the problem was the volume.

ali6043 commented 8 months ago

> Managed to fix it; in my case the problem was the volume.

Can you explain more?

alek4 commented 8 months ago

Updates? I have the same problem.

WSjunior commented 8 months ago

> > Managed to fix it; in my case the problem was the volume.
>
> Can you explain more?

I can't tell exactly what I did (I tried a lot...) but this is my docker compose (I need to use port 51820, or I had to restart the UI when the server starts, not sure why).

```yaml
version: "3"

services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    volumes:
      - /[HOST_FOLDER]/wireguard:/config
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERURL=MY_EXTERNAL_DNS
      - SERVERPORT=51820 #optional
      - PEERDNS=[MY_INTERNAL_DNS_IP_OUTSIDE_DOCKER],1.1.1.1
      - INTERNAL_SUBNET=10.8.8.0 #optional
      - ALLOWEDIPS=192.168.77.0/24 #optional
      - PERSISTENTKEEPALIVE_PEERS=30 #optional
      - LOG_CONFS=true #optional
      - PEERS=1 #NEED THIS TO ENABLE SERVER MODE
    ports:
      # port for wireguard-ui. this must be set here as the `wireguard-ui` container joins the network of this container and hasn't its own network over which it could publish the ports
      - "5000:5000"
      # port of the wireguard server
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # use the network of the 'wireguard' service. this enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - BIND_ADDRESS=0.0.0.0:5000
      - SESSION_SECRET=SESSION_SECRET_RANDOM
      - WGUI_DNS=[MY_INTERNAL_DNS_IP_OUTSIDE_DOCKER],1.1.1.1
      - WGUI_USERNAME=[MY_USER_ADMIN]
      - WGUI_PASSWORD=[MY_PASSWORD]
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_PERSISTENT_KEEPALIVE=15
      - EMAIL_FROM_ADDRESS=MY_EMAIL
      - EMAIL_FROM_NAME=MY_NAME
      - SMTP_HOSTNAME=MY_SMTP
      - SMTP_PORT=[MY_SMTP_PORT]
      - SMTP_AUTH_TYPE=[MY_SMTP_AUTT]
      - SMTP_ENCRYPTION=[MY_SMTP_ENCY]
      - WGUI_DEFAULT_CLIENT_ALLOWED_IPS=192.168.77.0/24
      #NEED THIS TO ACCESS LOCAL IP
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
    logging:
      driver: json-file
      options:
        max-size: 51m
    volumes:
      - /[HOST_FOLDER]/wireguard/ui/db:/app/db
      - /[HOST_FOLDER]/wireguard:/etc/wireguard
```

ProfessorCha0s commented 8 months ago

Having the same problem. Wireguard is up and working just fine (tunnels up, etc.) running the linuxserver.io docker image. I have wireguard-ui installed via docker as well and pointing to the config directory of the wireguard service. The logs show both are up and running and no errors. I've tried bringing up the UI on port 5000 with no success. Have tried from my workstation, as well as directly from the host running docker (localhost:5000).

killmasta93 commented 8 months ago

change the wireguard image to image: linuxserver/wireguard:v1.0.20210914-ls6

ali6043 commented 8 months ago

> change the wireguard image to image: linuxserver/wireguard:v1.0.20210914-ls6

This worked for me. Thanks

sjpatel21 commented 8 months ago

> change the wireguard image to image: linuxserver/wireguard:v1.0.20210914-ls6

This worked for me too. :+1:

Isn't this a very old 2021 image? Will this cause any security concerns?

ProfessorCha0s commented 8 months ago

I'm concerned about the age of that image.

I'm sure there is something in one of the later updates that maybe broke things, but still strange that the web interface won't come up as a result.

Would think the best option would be to identify the compatibility issue with the latest wireguard image and resolve that. Though I suppose running an older image is an option if you absolutely need to use it, but I would also advise to check on potential security issues with an older image.

adammsmith commented 8 months ago

I had the same problem, with a similar yaml file to paulbrause's. I fixed this issue by adding the environment section to the wireguard config as follows:

```yaml
environment:
  - PUID=1000
  - PGID=1000
  - PEERS=1
```

After this everything worked great. I had to remove and create wireguard-ui again after the server appeared to be running successfully.

dirad commented 6 months ago

> > change the wireguard image to image: linuxserver/wireguard:v1.0.20210914-ls6
>
> This worked for me too. 👍
>
> Isn't this a very old 2021 image? Will this cause any security concerns?

Not sure what the 20210914 is referencing, but this seems to have been released yesterday.

karoolpl commented 4 months ago

All right, I figured it out; we need 2 things. First, mount your config dir like this:

```yaml
    volumes:
      - /etc/wireguard:/config
      - /etc/wireguard:/config/wg_confs
```

/etc/wireguard depends on your config; I put it on the root volume in /etc/wireguard. The second mount is very important, because in the newer image they changed the path from /config/wg0.conf to /config/wg_confs/wg0.conf.

On wireguard-ui you then need to mount:

```yaml
    volumes:
      - /db:/app/db
      - /etc/wireguard:/etc/wireguard
```

And now we need to do some tricks. wireguard-ui depends on wireguard, but it starts instantly and tries to apply a new config for the server faster than wireguard itself, and then wireguard itself doesn't apply the config, doesn't run as a healthy container and doesn't forward traffic. So wireguard must start first. We need to add some magic into docker-compose to delay the wireguard-ui startup; we can do it with a simple healthcheck in the docker compose startup:

```yaml
    healthcheck:
      test: stat /etc/passwd || exit 1
      interval: 20s
      timeout: 60s
      start_period: 15s
```

And in wireguard-ui we need to modify the depends_on directive to:

```yaml
    depends_on:
      wireguard:
        condition: service_healthy
```

So the whole docker-compose:

```yaml
---
version: "3"

services:

  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE ## NOT NEEDED IN MY CASE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=opt #optional
      - SERVERPORT=opt #optional
#      - PEERS=1 #optional
#      - PEERDNS=auto
#      - ALLOWEDIPS=0.0.0.0/0
      - LOG_CONFS=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - /etc/wireguard:/config
      - /etc/wireguard:/config/wg_confs
    ports:
      # Port for WireGuard-UI
      - "5000:5000/tcp"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    restart: unless-stopped
    healthcheck:
      test: stat /etc/passwd || exit 1
      interval: 20s
      timeout: 60s
      start_period: 15s

  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      wireguard:
        condition: service_healthy
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=yours
      - WGUI_PASSWORD=also your
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE ### This is for Amazon EC2 2023 ami
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE ### This is for Amazon EC2 2023 ami
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - /db:/app/db
      - /etc/wireguard:/etc/wireguard
```

Now everything works perfectly.
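One caveat on the ordering trick in the comment above: `stat /etc/passwd` succeeds in any running container, so that healthcheck is only a fixed start-up delay, and `condition: service_healthy` becomes true whether or not the tunnel ever came up. The fragment below is an added example (not karoolpl's compose and not something shipped by the wireguard-ui project) that makes the check ask the kernel for the interface instead. It assumes the interface is named `wg0`, as in the logs earlier in the thread, and that the `wg` tool is on PATH inside the linuxserver image (the log shows the image calling `wg setconf`). Only the keys that matter for ordering are shown; the rest of the two services stays as in the compose above.

```yaml
# Added example, not from the thread or the wireguard-ui project.
services:
  wireguard:
    image: linuxserver/wireguard:latest
    cap_add:
      - NET_ADMIN
    volumes:
      - /etc/wireguard:/config
      - /etc/wireguard:/config/wg_confs
    healthcheck:
      # Healthy only once the wg0 interface actually exists. `wg show wg0`
      # exits non-zero when the interface is absent, so a container that
      # logged "No valid tunnel config found" stays unhealthy instead of
      # letting wireguard-ui start against a tunnel that is not there.
      # Assumption: interface name wg0 and `wg` available in the image.
      test: ["CMD-SHELL", "wg show wg0 >/dev/null 2>&1"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 30s

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    network_mode: service:wireguard
    depends_on:
      wireguard:
        condition: service_healthy
```

The trade-off is deliberate: on a fresh host with no `wg0.conf` yet (the situation the `PEERS=1` discussion in this thread is about), `wireguard` will show as unhealthy in `docker compose ps` and `wireguard-ui` will not start, which surfaces the missing config immediately rather than after the UI has raced the tunnel.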

jr-air commented 4 months ago

Didn't work for me. I thought PEERS=1 is required for the wireguard container to run in server mode, so I left this line enabled instead of commented out.

karoolpl commented 4 months ago

PEERS=1 sets server mode, so the required starting wg0.conf is created. I tested on a clean install, and when not in server mode, wg wasn't able to start up and I wasn't able to connect to the web UI panel. So it needs a little tweak, because once there is a starting wg0.conf we don't need PEERS=1 and wireguard can run in client mode. Maybe there should be an initialization process, based on a run-once container. I will look forward to it, and implement everything in an Ansible playbook.

thornleywalker commented 4 months ago

Changing the volumes and adding the healthcheck delay worked wonders for me, thank you karoolpl

karoolpl commented 4 months ago

Here's the ultimate version, which sets up everything from 0. PEERS=1 sets wireguard to server mode, so it generates wg0.conf, which can then also be managed by wireguard-ui. If you already have wg0.conf you can comment out PEERS=1. In my case I'm setting up the machine using AWS EC2 and wanted a fully automated process, so adding PEERS=1 creates the first wg0.conf. Nginx also adds the possibility to manage SSL or to set the allowed IP addresses from which you can access the web UI :) For simplicity, nginx attaches to the host network.

```yaml
---
version: "3"

services:
  nginx:
    image: nginx:latest
#    network_mode: service:wireguard
    network_mode: host
#    ports:
#      - "80:80"
    volumes:
      - /etc/nginx.conf:/etc/nginx/nginx.conf
    restart: always
  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL={{ wg_server_url }}
      - SERVERPORT={{ wg_server_port }} #optional
      - PEERS=1 #optional
      - PEERDNS=1.1.1.1
#      - ALLOWEDIPS=0.0.0.0/0
      - LOG_CONFS=true
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - /etc/wireguard:/config
      - /etc/wireguard:/config/wg_confs
    ports:
      - "5000:5000/tcp"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    restart: unless-stopped
    healthcheck:
      test: stat /etc/passwd || exit 1
      interval: 20s
      timeout: 60s
      start_period: 60s

  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      wireguard:
        condition: service_healthy
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME={{ WGUI_USERNAME }}
      - WGUI_PASSWORD={{ WGUI_PASSWORD }}
      - WGUI_ENDPOINT_ADDRESS={{ wg_server_url }}
      - WGUI_DNS=1.1.1.1
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - /db:/app/db
      - /etc/wireguard:/etc/wireguard
```

If you want a newer image or change something in the container settings, remember to use docker-compose down and docker-compose up -d, because otherwise, if you restart the wireguard container, wireguard-ui is unable to connect to the wireguard network. You can also split wireguard-ui onto its own or the host network, but then you won't see network statistics.

Here's also my nginx config, set up by Ansible:

```yaml
- name: create nginx entry
  copy:
    content: |
        user  nginx;
        worker_processes  auto;

        error_log  /var/log/nginx/error.log notice;
        pid        /var/run/nginx.pid;

        events {
            worker_connections  1024;
        }

        http {
            include       /etc/nginx/mime.types;
            default_type  application/octet-stream;

            log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                              '$status $body_bytes_sent "$http_referer" '
                              '"$http_user_agent" "$http_x_forwarded_for"';

            access_log  /var/log/nginx/access.log  main;

            sendfile        on;
            #tcp_nopush     on;

            keepalive_timeout  65;

            #gzip  on;
          {% for ip in allowed_ips %}
          allow {{ ip }};
          {% endfor %}

            deny all;

            server {
            listen 80;
            server_name {{ wg_server_url }};
            location / {
              add_header Cache-Control no-cache;

              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header Host $http_host;
              proxy_pass http://127.0.0.1:5000/;
              }
            }
            include /etc/nginx/conf.d/*.conf;
        }
    dest: "/etc/nginx.conf"
    mode: 0644
```

If you don't want to restrict access to the web UI based on IP, just remove this section:

```
          {% for ip in allowed_ips %}
          allow {{ ip }};
          {% endfor %}

            deny all;
```

karoolpl commented 4 months ago

Also, if on some servers you get slow VPN speed, you can try to use network_mode: host everywhere. In my case I have 2 VPNs, in India and Korea, and I faced some slow up/down bandwidth; after recreating the services using network_mode: host everywhere, without specifying ports so they bind to host ports directly, I get far better performance. Also, in PostUp/PostDown check your interface names: if there's eth use eth, if ens use ens, etc.

lacrimal commented 2 months ago

The problem appears with some version of wireguard, I believe. You are using the same network for the UI and for wireguard itself, but there is the problem: everything is going over wg0, so you need to add rules to exclude UI traffic from wg0. Or, if you don't need live info about clients, you can run the UI on a different network. There is also the option to switch to host mode, but then on a crowded server you must deal with busy ports and other mess. I do not have a rule for it, and neither did the https://hub.docker.com/r/linuxserver/wireguard section help much.

enriluis commented 1 month ago

same today in 2024