ngoduykhanh / wireguard-ui

Wireguard web interface
MIT License
4.17k stars 514 forks

Wireguard + Wireguard UI all in one setup #54

Closed snax44 closed 7 months ago

snax44 commented 3 years ago

Hi,

It's not an issue but I just would like to share my script to setup easily Wireguard and Wireguard-UI quickly. You can find it here https://gitlab.com/snax44/wireguard-ui-setup If it can be useful for someone I will be happy.

Feel free to close this post if you want.

xxtecraxx commented 3 years ago

hey thanks for your script, bro! running it on buster as root and it's throwing errors.

```
### Installing Wireguard-UI

Enable ipv4 Forwarding

/dev/fd/63: line 152: sysctl: command not found

Firewall configuration

[ INFO ] iptables is required. Let's install it.
iptables is already the newest version (1.8.2-4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

[ INFO ] ifupdown is required. Let's install it.
ifupdown is already the newest version (0.8.35).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
/dev/fd/63: line 238: iptables: command not found
/dev/fd/63: line 238: iptables: command not found
/dev/fd/63: line 238: iptables: command not found
/dev/fd/63: line 238: iptables: command not found
/dev/fd/63: line 238: iptables: command not found

Making default Wireguard conf

Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

Wiregard-ui Services

Created symlink /etc/systemd/system/multi-user.target.wants/wgui_http.service → /etc/systemd/system/wgui_http.service.
Created symlink /etc/systemd/system/multi-user.target.wants/wgui.path → /etc/systemd/system/wgui.path.

##################################################################################
Setup done.
##################################################################################
```

```
root@traefizero:/home/tecra/github/wireguard-ui-setup# iptables
bash: iptables: command not found
root@traefizero:/home/tecra/github/wireguard-ui-setup# nano /etc/apt/sources.list
root@traefizero:/home/tecra/github/wireguard-ui-setup# sudo apt install iptables ifupdown
Reading package lists... Done
Building dependency tree
Reading state information... Done
ifupdown is already the newest version (0.8.35).
iptables is already the newest version (1.8.2-4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@traefizero:/home/tecra/github/wireguard-ui-setup# iptables -L
bash: iptables: command not found
root@traefizero:/home/tecra/github/wireguard-ui-setup# sudo iptables -l
iptables v1.8.2 (nf_tables): unknown option "-l"
Try `iptables -h' or 'iptables --help' for more information.
root@traefizero:/home/tecra/github/wireguard-ui-setup# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
root@traefizero:/home/tecra/github/wireguard-ui-setup#
```

snax44 commented 3 years ago

Hi,

What do these return (as root, without sudo)?

```
which sysctl
which iptables
which ifupdown
echo $PATH
```

xxtecraxx commented 3 years ago

ya the pathing is wrong from script i scrapped it

xxtecraxx commented 3 years ago

to answer your questions though:

```
tecra@traefizero:~$ su
Password:
root@traefizero:/home/tecra# which systemctl
/usr/bin/systemctl
root@traefizero:/home/tecra# which iptables
root@traefizero:/home/tecra# which ifupdown
root@traefizero:/home/tecra# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
root@traefizero:/home/tecra# apt install iptables ifupdown
Reading package lists... Done
Building dependency tree
Reading state information... Done
ifupdown is already the newest version (0.8.35).
iptables is already the newest version (1.8.2-4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

snax44 commented 3 years ago

Be careful, systemctl is not sysctl.

What do these return:

```
ls -al /usr/sbin/if*
ls -al /usr/sbin/iptables
```

If they are really there, you can adjust your path:

```
export PATH=/usr/sbin:$PATH
```

xxtecraxx commented 3 years ago

```
root@traefizero:/home/tecra# which sysctl
root@traefizero:/home/tecra# ls -al /usr/sbin/if*
-rwxr-xr-x 1 root root 83768 Sep 24  2018 /usr/sbin/ifconfig
lrwxrwxrwx 1 root root     4 Jan 28  2019 /usr/sbin/ifdown -> ifup
lrwxrwxrwx 1 root root     4 Jan 28  2019 /usr/sbin/ifquery -> ifup
-rwxr-xr-x 1 root root 88144 Jan 28  2019 /usr/sbin/ifup
root@traefizero:/home/tecra# ls -al /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Jun 24 11:47 /usr/sbin/iptables -> /etc/alternatives/iptables
```

xxtecraxx commented 3 years ago

> Be careful, systemctl is not sysctl.
>
> What do these return:
>
> ```
> ls -al /usr/sbin/if*
> ls -al /usr/sbin/iptables
> ```
>
> If they are really there, you can adjust your path:
>
> ```
> export PATH=/usr/sbin:$PATH
> ```

did the trick, thanks bro!

zGansalloz commented 3 years ago

the script works fine. But if you download it via CURL, it drags an HTML page with it and therefore does not start. Copy the text manually, paste into the file. Then run.

paklids commented 3 years ago

If you want to avoid all that and just use terraform - pull from my project https://github.com/paklids/flexiwire and modify it to meet your needs.

zGansalloz commented 3 years ago

Thank you for updating the version

jpatje commented 2 years ago

Is this for Docker? Been trying to set it up next to my existing Wireguard docker container but so far no luck. Either there is no port assigned and I have to edit it. Or when I assign port 5000, I get the webpage but it says 'invalid credentials'. I had it working once (don't remember how I did it) but in that case creating a new client didn't connect to my existing Wireguard container. Wireguard-ui looks like a great addition but setting it up is quite tedious and the instructions aren't very clear.

snax44 commented 2 years ago

> Is this for Docker?

No

> Been trying to set it up next to my existing Wireguard docker container but so far no luck.

Because this script is not made for this use case.

jpatje commented 2 years ago

I realise I wrote this in the wrong section of the forum. I meant not the all-in-one setup that snax44 made, but the regular Wireguard-UI instructions. The readme document isn't clear enough as to how to set this up properly. For example, there is a reference to a wireguard-ui script (binary file) from the release that is nowhere to be found.

snax44 commented 2 years ago

> For example, there is a reference to a wireguard-ui script (binary file) from the release that is nowhere to be found.

This one? https://github.com/ngoduykhanh/wireguard-ui/releases/tag/v0.3.5

jpatje commented 2 years ago

Omg am I really blind? Thanks snax44, I will give that script a try later 👍

nigelfer2020 commented 2 years ago

Hello,

First of all, thank you for great script to run everything with one click.

I just tried https://gitlab.com/snax44/wireguard-ui-setup/ and installed it with:

```
bash <(curl -s https://gitlab.com/snax44/wireguard-ui-setup/-/raw/master/install.sh)
```

Everything installed without any error and the status of wireguard is active. But from the web, I am still not able to get access via SERVERIP:5000.

Could you please exactly explain, how I can get access to web UI from PUBLIC IP (not 127.0.0.1 or localhost).

Please list all commands or steps after installation.

Thank you.

snax44 commented 2 years ago

Hi @nigelfer2020,

As explained (maybe not well :)) in the readme.md, by default the script binds wireguard-ui to the localhost interface. For me there is no reason to expose the app on public interfaces.

So you have two options:

1. Wireguard-UI bound to localhost only (default): as explained, use an SSH tunnel to access Wireguard-UI.

```
ssh -L 5000:localhost:5000 user@vpn_server_ip
```

Then browse http://localhost:5000/ (username/password = admin)

2. Bind Wireguard-UI to all interfaces: modify the file /etc/systemd/system/wgui_http.service and remove the parameter `-bind-address 127.0.0.1:5000`.
You should then have this line:

```
ExecStart=/usr/local/bin/wireguard-ui
```

instead of

```
ExecStart=/usr/local/bin/wireguard-ui -bind-address 127.0.0.1:5000
```
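The two options above differ only in what the `-bind-address` flag on the `ExecStart=` line says, which makes the unit file the right place to audit how far the web UI is exposed. The script below is an added example (not part of this thread, of snax44's install script, or of wireguard-ui itself): it reads a unit file, extracts the flag and classifies the listener as loopback-only, every interface, or one specific address. The unit text is constructed to match the one installed by the script; the `0.0.0.0:5000` value assumed when the flag is absent, and the `192.168.200.1` address used for a WireGuard-only listener, are assumptions (the thread only says that dropping the flag binds to all interfaces, and the firewall listing later in the thread shows a 192.168.200.0/24 subnet).

```python
"""Report how a wireguard-ui systemd unit exposes the web UI.

Added example for this thread; it is not part of snax44's install script
or of wireguard-ui itself.  It reads the ExecStart= line of a unit file,
finds the -bind-address flag the thread discusses and classifies the
listener as loopback-only, all interfaces, or one specific address.
"""
import ipaddress
import shlex

# Constructed sample: the unit file as pasted in the thread, plus the
# -bind-address flag the install script adds by default.
UNIT_LOOPBACK = """\
[Unit]
Description=Wireguard UI
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/wgui
ExecStart=/usr/local/bin/wireguard-ui -bind-address 127.0.0.1:5000

[Install]
WantedBy=multi-user.target
"""

# The edited unit from the thread: flag removed, UI reachable on every interface.
UNIT_ALL = UNIT_LOOPBACK.replace(" -bind-address 127.0.0.1:5000", "")

# snax44's alternative: listen only on the server's WireGuard address.
# 192.168.200.1 is an assumption based on the 192.168.200.0/24 subnet in
# the firewall listing further down the thread.
UNIT_WG_ONLY = UNIT_LOOPBACK.replace("127.0.0.1:5000", "192.168.200.1:5000")

# Assumed default when the flag is absent; the thread only says that removing
# the flag exposes the UI on all interfaces.
DEFAULT_BIND = "0.0.0.0:5000"


def exec_start(unit_text):
    """Return the command line from the first ExecStart= directive."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            return line[len("ExecStart="):]
    raise ValueError("unit has no ExecStart= directive")


def bind_address(unit_text):
    """Return the host:port wireguard-ui listens on according to the unit."""
    argv = shlex.split(exec_start(unit_text))
    for i, arg in enumerate(argv):
        if arg in ("-bind-address", "--bind-address") and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(("-bind-address=", "--bind-address=")):
            return arg.split("=", 1)[1]
    return DEFAULT_BIND


def exposure(unit_text):
    """Classify the listener: 'loopback', 'all-interfaces' or 'single-address'."""
    host, _, _port = bind_address(unit_text).rpartition(":")
    host = host.strip("[]") or "0.0.0.0"  # ":5000" alone means every interface
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "all-interfaces"
    return "single-address"


if __name__ == "__main__":
    for name, unit in (("loopback", UNIT_LOOPBACK), ("edited", UNIT_ALL),
                       ("wg-only", UNIT_WG_ONLY)):
        print(f"{name:9s} {bind_address(unit):22s} {exposure(unit)}")
```

Run it against `/etc/systemd/system/wgui_http.service` by reading the file into `exposure()`; anything other than `loopback` or a `single-address` on the WireGuard interface means the UI is reachable from the network and needs a firewall rule or a TLS reverse proxy in front of it.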

nigelfer2020 commented 2 years ago

Hello,

Thanks for your response,

I modified /etc/systemd/system/wgui_http.service and saved.

```
[Unit]
Description=Wireguard UI
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/wgui
ExecStart=/usr/local/bin/wireguard-ui

[Install]
WantedBy=multi-user.target
```

Then I rebooted the system, but I am still not able to access the UI via the web by entering http://SERVER_PUBLIC_IP or http://SERVER_PUBLIC_IP:5000.

Is there any other changes needed?

Thank you.

snax44 commented 2 years ago

Hi @nigelfer2020,

Yes, you probably need to open the firewall. Can you paste here the result of the command `iptables -L -n`?

nigelfer2020 commented 2 years ago

@snax44

```
iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* wireguard-network */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:51825 /* external-port-wireguard */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* localhost-network */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-ping */

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.200.0/24     0.0.0.0/0            /* Wireguard-traffic-from-wg0-to-eth0 */
ACCEPT     all  --  0.0.0.0/0            192.168.200.0/24     /* Wireguard-traffic-from-eth0-to-wg0 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5 /* Flood-&-DoS */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 /* Flood-&-DoS */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5 /* Flood-&-DoS */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5 /* Port-Scan */

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* localhost-network */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```
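The INPUT chain above has policy DROP and accepts new connections only for UDP 51825 (WireGuard), TCP 22 and ICMP echo, so a browser reaching for TCP 5000 from the internet is dropped while SSH still works. The script below is an added example (not part of this thread, of snax44's install script, or of wireguard-ui) that walks an INPUT chain the way netfilter does: first matching rule wins, otherwise the chain policy applies. It takes the `iptables -S INPUT` rule-spec format rather than the `-L -n` listing, because `-L` without `-v` does not print the `-i` interface match, which is what makes the `wireguard-network` and `localhost-network` rules safe even though the listing shows them as `all 0.0.0.0/0 0.0.0.0/0`. The rule set is constructed to mirror nigelfer2020's listing; the `-i wg0` and `-i lo` matches on those two comment-only rules are assumptions, and any match the evaluator does not understand makes it fail loudly rather than guess.

```python
"""Walk an iptables INPUT chain and report the verdict for a new connection.

Added example for this thread, not part of snax44's script or wireguard-ui.
Input is the `iptables -S INPUT` rule-spec format; evaluation is first match
wins, then the chain policy, which is how netfilter traverses a chain.
"""
import shlex

# Constructed to mirror the `iptables -L -n` listing posted above.  The
# interface matches (-i wg0, -i lo) are assumptions: `-L` without `-v`
# hides them, which is why the listing shows those rules as "all 0.0.0.0/0".
SAMPLE_INPUT_RULES = """\
-P INPUT DROP
-A INPUT -i wg0 -m comment --comment wireguard-network -j ACCEPT
-A INPUT -p udp -m udp --dport 51825 -m comment --comment external-port-wireguard -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m comment --comment localhost-network -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-ping -j ACCEPT
"""


def parse_input_chain(text):
    """Return (policy, rules); each rule is a dict of the matches we evaluate."""
    policy = "ACCEPT"  # netfilter's built-in default until a -P line says otherwise
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) >= 3 and argv[0] == "-P" and argv[1] == "INPUT":
            policy = argv[2]
            continue
        if len(argv) < 2 or argv[0] != "-A" or argv[1] != "INPUT":
            continue
        rule = {"iface": None, "proto": None, "dport": None,
                "states": None, "target": None}
        i = 2
        while i < len(argv):
            flag = argv[i]
            val = argv[i + 1] if i + 1 < len(argv) else None
            if flag == "-i":
                rule["iface"] = val
            elif flag == "-p":
                rule["proto"] = val
            elif flag == "--dport":
                rule["dport"] = int(val)
            elif flag in ("--state", "--ctstate"):
                rule["states"] = set(val.split(","))
            elif flag == "-j":
                rule["target"] = val
            elif flag not in ("-m", "--comment", "--icmp-type"):
                # Fail closed: an unknown match could widen or narrow the rule.
                raise ValueError(f"unsupported match {flag!r} in: {line}")
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(text, proto, dport, iface, state="NEW"):
    """Verdict for one packet: a connection to proto/dport arriving on iface.

    A fresh inbound connection has conntrack state NEW, so the
    RELATED,ESTABLISHED rule does not apply to it.
    """
    policy, rules = parse_input_chain(text)
    for rule in rules:
        if rule["iface"] not in (None, iface):
            continue
        if rule["proto"] not in (None, proto):
            continue
        if rule["dport"] not in (None, dport):
            continue
        if rule["states"] is not None and state not in rule["states"]:
            continue
        return rule["target"]
    return policy


if __name__ == "__main__":
    for proto, port, iface in (("tcp", 22, "eth0"), ("tcp", 5000, "eth0"),
                               ("tcp", 5000, "wg0"), ("udp", 51825, "eth0")):
        print(f"{proto}/{port} on {iface}: "
              f"{verdict(SAMPLE_INPUT_RULES, proto, port, iface)}")
```

Feed it the output of `iptables -S INPUT` from the server and query `verdict(rules, "tcp", 5000, "eth0")`: `DROP` is the situation in the listing above, while the same query with `iface="wg0"` returns `ACCEPT`, which is the configuration snax44 recommends later in the thread (reach the UI only over the VPN) and needs no new public rule at all.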

nigelfer2020 commented 2 years ago

@snax44

Worked after firewall changes.

Thanks!

nigelfer2020 commented 2 years ago

@snax44

It would be great if, in the next versions, your install.sh script asked about this option as an installation question. Example: "Do you want access to the web UI from PUBLIC or LOCAL only?" Answers: Public = pub or Local = loc

I enabled it with `sudo ufw enable` and then added the ports.

Bavaria2333 commented 1 year ago
> ssh -L 5000:localhost:5000 user@vpn_server_ip

I don't understand what this line means; I also faced the problem of accessing the web interface. Explain what the word "localhost" means in this command? Is 5000 a port? What does user@vpn_server_ip mean? "user" stands for which admin account? Can my line look like this, assuming the external IP of my server is 182.12.155.19: "ssh -L 5000:182.12.155.19:5000 admin@182.12.155.19"?

By entering this command, should I proceed to step 2 ?

Bavaria2333 commented 1 year ago

@snax44

> It worked after changing the firewall.
>
> Thanks!

Tell me, how did you do it?

snax44 commented 1 year ago
> > ssh -L 5000:localhost:5000 user@vpn_server_ip
>
> I don't understand what this line means; I also faced the problem of accessing the web interface. Explain what the word "localhost" means in this command? Is 5000 a port? What does user@vpn_server_ip mean? "user" stands for which admin account? Can my line look like this, assuming the external IP of my server is 182.12.155.19: "ssh -L 5000:182.12.155.19:5000 admin@182.12.155.19"?
>
> By entering this command, should I proceed to step 2?

This is an SSH tunnel. Basically used in this case to access the web UI through SSH, so as not to have to expose the web UI directly on the network.

In your case use `ssh -L 5000:localhost:5000 admin@182.12.155.19` and browse http://localhost:5000

Google "SSH port forward" for more info about it.

snax44 commented 1 year ago

> @snax44
>
> It would be great if, in the next versions, your install.sh script asked about this option as an installation question. Example: "Do you want access to the web UI from PUBLIC or LOCAL only?" Answers: Public = pub or Local = loc
>
> I enabled it with `sudo ufw enable` and then added the ports.

Yes I could, but honestly it is not really relevant for me, because if you really want to expose it you must use at least a reverse proxy, and even better with TLS certificates.

But feel free to make a pull request on my gitlab ;)

Bavaria2333 commented 1 year ago

After I typed "ssh -L 5000:localhost:5000 admin@182.12.155.19" I got

```
admin@182.12.155.19: Permission denied (publickey,password).
```

I open http://localhost:5000/ but the web is not available =(

Bavaria2333 commented 1 year ago

If I use any password I get "Permission denied, please try again."

snax44 commented 1 year ago

> After I typed "ssh -L 5000:localhost:5000 admin@182.12.155.19" I got
>
> ```
> admin@182.12.155.19: Permission denied (publickey,password).
> ```
>
> I open http://localhost:5000/ but the web is not available =(

Yes, `Permission denied (publickey,password).` is pretty explicit....

Bavaria2333 commented 1 year ago
> • Is it even your server?

yes

> • SSH is enabled?

I am using an ssh connection from putty, port 22

> • The user admin even exists?

As I understand it, the admin user is created by your script

> • Password authentication is enabled?

I didn't understand this question.

snax44 commented 1 year ago

Where do you type the command? In the shell already logged in with putty? Google "putty ssh port forwarding example". The user "admin" created is only for the web UI.

Bavaria2333 commented 1 year ago

> Where do you type the command?

I enter the command in the same window as "bash <(curl -s https://gitlab.com/snax44/wireguard-ui-setup/-/raw/master/install.sh)". Am I setting it up correctly? https://ltdfoto.ru/image/XPeL5R

snax44 commented 1 year ago

> > Where do you type the command?
>
> I enter the command in the same window as "bash <(curl -s https://gitlab.com/snax44/wireguard-ui-setup/-/raw/master/install.sh)". Am I setting it up correctly? https://ltdfoto.ru/image/XPeL5R

This is why it doesn't work... This command has to be run on YOUR side, not on the server. Since you are using Windows and putty you have to translate `ssh -L 5000:localhost:5000 admin@182.12.155.19` into putty shit.

Sorry I can't help you more with this. As I said above, google "putty ssh port forwarding example".

Bavaria2333 commented 1 year ago

Thank you, it worked. Could you please make it as it was before, so that the web interface is accessible from any IP and from any network? Your tool is just a treasure that has no analogues, but the fact that you have to perform and study a lot of information is very upsetting. Please, I beg you to make your tool convenient for everyone; I'm sure that not only one person faced the problem. Your tool will help 100, 1000 people if it is convenient.

I suggest doing:
1) choosing the publicity of the web interface
2) choice of DNS during installation.

Thanks

nigelfer2020 commented 1 year ago

Easy fix: connect via SSH and run the following command:

```
nano /etc/systemd/system/wgui_http.service
```

and then remove this part from the text: "-bind-address 127.0.0.1:5000" and save it.

Also make sure port 5000 is open in the firewall:

```
sudo ufw allow 5000/udp
sudo ufw allow 5000/tcp
```

Reboot the server (maybe required).

Then try to open the control panel via http://YOUR_VPS_IP:5000 (from mobile or any device, without SSH).

Let me know if it worked?

snax44 commented 1 year ago

> Easy fix: connect via SSH and run the following command:
>
> ```
> nano /etc/systemd/system/wgui_http.service
> ```
>
> and then remove this part from the text: "-bind-address 127.0.0.1:5000" and save it.
>
> Also make sure port 5000 is open in the firewall:
>
> ```
> sudo ufw allow 5000/udp
> sudo ufw allow 5000/tcp
> ```
>
> Reboot the server (maybe required).
>
> Then try to open the control panel via http://YOUR_VPS_IP:5000 (from mobile or any device, without SSH).
>
> Let me know if it worked?

Very bad idea, but yes, it will work ;)

nigelfer2020 commented 1 year ago

Many users are not expert enough to know how to log in via 127.0.0.1:5000. May I know the exact reason why it's a bad idea? If it's just for security, there is a password for the admin panel, so why is it a bad idea if there is a complex admin password?

Also, it's hard to log in to 127.0.0.1:5000 via mobile.

snax44 commented 1 year ago

By doing this, all the traffic between you and the server is in clear text. Anyone in between can see your very complicated password, the wireguard file you generate, etc...

Using TLS certificates would be the minimum.

Or you configure your first device as a wireguard client and then make wireguard-ui listen only on the wireguard interface.

So then you can access the UI only through the VPN. Just an idea.

Bavaria2333 commented 1 year ago

Is it possible to somehow limit the speed for a specific config through the web interface? Or maybe this feature can be added?

PizzaProgram commented 1 year ago

Hi,

The script looks great, but if I try to open localhost:5000 via Webmin's tunnel, it shows only 1 line: `Bad PATH_INFO : /login`

Any idea?

PS: How do I prevent users going to the internet through my server? I just want them to see each other through WG!

PizzaProgram commented 1 year ago

Is it normal that after successful installation the /etc/wireguard/wg3.conf file is empty? (0 byte) Maybe that's why the Bad PATH_INFO?

snax44 commented 1 year ago

> Hi,
>
> The script looks great, but if I try to open localhost:5000 via Webmin's tunnel, it shows only 1 line: `Bad PATH_INFO : /login`

Is your SSH tunnel correctly set up?

> Any idea?
>
> PS: How do I prevent users going to the internet through my server? I just want them to see each other through WG!

On the client side, define only the wireguard network instead of 0.0.0.0/0.

snax44 commented 1 year ago

> Is it normal that after successful installation the /etc/wireguard/wg3.conf file is empty? (0 byte) Maybe that's why the Bad PATH_INFO?

If I remember correctly, that file is filled by wireguard-ui itself after the first applied config.

PizzaProgram commented 1 year ago

Thanks for the answers!

  1. `Bad PATH_INFO : /login` occurred only when I tried to reach http://localhost:5000 through webmin's tunnel. After I changed to the recommended ssh ... everything worked!

  2. Yes, .conf files got filled after the first login.

  3. The only problem left:

    • if trying to import any auto-generated .conf file of a client, it cannot be imported on Windows 7 or 11 because of this error:
      `Unable to import configuration: Invalid key for [Interface] section: "fwmark"`
snax44 commented 1 year ago
> 1. The only problem left:
>     • if trying to import any auto-generated .conf file of a client, it cannot be imported on Windows 7 or 11 because of this error:
>       `Unable to import configuration: Invalid key for [Interface] section: "fwmark"`

Please post the file content in a new issue because this is WGUI related. As a quick fix, I guess you could remove the lines about the firewall; they won't work on winshit anyway.
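Two points from this exchange can be checked and corrected mechanically on a client `.conf` before it is handed out: snax44's earlier advice to list only the WireGuard network in `AllowedIPs` instead of `0.0.0.0/0` (so peers reach each other but do not route the internet through the server), and the Windows import error on the `fwmark` key in `[Interface]` quoted just above. The script below is an added example, not part of this thread, of snax44's install script or of wireguard-ui. The client config it works on is constructed (placeholder keys; the `192.168.200.0/24` subnet is taken from the firewall listing earlier in the thread), and which `[Interface]` keys a particular client rejects beyond `fwmark` is left as a parameter rather than assumed.

```python
"""Inspect and adjust a WireGuard client config along the lines of this thread.

Added example for this thread; not part of snax44's script or wireguard-ui.
It covers two points raised above: putting only the WireGuard network in
AllowedIPs instead of 0.0.0.0/0, and removing [Interface] keys such as
`fwmark` that a client importer rejects.
"""
import ipaddress

# Constructed sample; the keys are placeholders, not real WireGuard keys.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
Address = 192.168.200.2/32
DNS = 1.1.1.1
FwMark = 51820
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51825
PersistentKeepalive = 25
"""

# The WireGuard subnet shown in the firewall listing earlier in this thread.
WG_NETWORK = "192.168.200.0/24"


def parse_conf(text):
    """Return [(section, [(key, value), ...]), ...] preserving order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def render_conf(sections):
    """Serialise back to the INI-like format WireGuard reads."""
    chunks = []
    for name, items in sections:
        chunks.append(f"[{name}]\n" + "".join(f"{k} = {v}\n" for k, v in items))
    return "\n".join(chunks)


def allowed_networks(text):
    """Every network listed in the AllowedIPs of every [Peer] section."""
    nets = []
    for name, items in parse_conf(text):
        if name != "Peer":
            continue
        for key, value in items:
            if key.lower() == "allowedips":
                nets.extend(ipaddress.ip_network(p.strip(), strict=False)
                            for p in value.split(",") if p.strip())
    return nets


def is_full_tunnel(text):
    """True if any AllowedIPs entry is a default route (prefix length 0)."""
    return any(net.prefixlen == 0 for net in allowed_networks(text))


def restrict_allowed_ips(text, network=WG_NETWORK):
    """Route only `network` through the tunnel, as suggested in the thread."""
    ipaddress.ip_network(network)  # validate before writing it into the file
    sections = parse_conf(text)
    for name, items in sections:
        if name == "Peer":
            for i, (key, _value) in enumerate(items):
                if key.lower() == "allowedips":
                    items[i] = (key, network)
    return render_conf(sections)


def strip_interface_keys(text, keys=("fwmark",)):
    """Drop [Interface] keys a client importer rejects (the thread names fwmark).

    Pass e.g. keys=("fwmark", "preup", "postup", "predown", "postdown") to
    also remove the firewall script lines snax44 suggests dropping; which
    keys a given client rejects is the caller's call, not assumed here.
    """
    unwanted = {k.lower() for k in keys}
    cleaned = []
    for name, items in parse_conf(text):
        if name == "Interface":
            items = [(k, v) for k, v in items if k.lower() not in unwanted]
        cleaned.append((name, items))
    return render_conf(cleaned)


if __name__ == "__main__":
    print("full tunnel:", is_full_tunnel(SAMPLE_CLIENT_CONF))
    print(strip_interface_keys(restrict_allowed_ips(SAMPLE_CLIENT_CONF)))
```

Running `strip_interface_keys(restrict_allowed_ips(conf))` over each generated client file yields a split-tunnel config without the `FwMark` line; `is_full_tunnel()` run over the batch is the quick way to spot any client that is still being handed a default route.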

zaknick commented 7 months ago

Magnificent, professional teamwork.

@snax44 rocks. Viva la France! :)