wg-easy

Commit Graph

Author	SHA1	Message	Date
Daniel Molenda	925d961fed	🔧 Add login via google	1 month ago
Ian Foster	47f81dd66a	Feature/client firewall filtering (#2418 ) * Add per-client firewall filtering Implement server-side firewall rules to restrict client network access, allowing administrators to enforce security policies that cannot be bypassed by clients modifying their local configuration. This feature addresses the limitation where "Allowed IPs" only controls client-side routing but doesn't prevent clients from accessing networks they shouldn't reach. The firewall rules are enforced on the server using iptables/ip6tables and provide true access control. Features: - Opt-in via "Enable Per-Client Firewall" toggle in admin interface - Per-client "Firewall Allowed IPs" field for granular control - Support for IPs, CIDRs, and port-based filtering - Protocol specification: TCP, UDP, or both (default) - IPv4 and IPv6 dual-stack support - Falls back to client's allowedIps when firewallIps is empty - Clean separation of routing (allowedIps) from security (firewallIps) Supported formats: - 10.10.0.3 (single IP) - 10.10.0.0/24 (CIDR range) - 192.168.1.5:443 (IP with port, both TCP+UDP) - 192.168.1.5:443/tcp (IP with specific protocol) - [2001:db8::1]:443 (IPv6 with port) Implementation: - New database columns: firewall_enabled (interfaces), firewall_ips (clients) - Migration 0003_add_firewall_filtering for schema updates - firewall.ts utility for iptables chain management (WG_CLIENTS chain) - Integration into WireGuard.ts for automatic rule application - UI components with conditional rendering based on firewall toggle Technical details: - Uses custom WG_CLIENTS iptables chain for isolation - Rebuild strategy: flush and recreate all rules on config save - Mutex protection via rebuildInProgress/rebuildQueued flags - Graceful cleanup when firewall is disabled - No new dependencies (uses existing is-ip, is-cidr packages) * added Comprehensive documentation in README and docs/ for firewall filtering * validate firewall IPs * check for iptables before enabling the firewall and inform the user if it is missing * updated firewall docs * fix imports * remove extra import * Document all allowed IP/cidr/port/proto combinations that are allowed and check on save * add note on firewall being experimental and how to opt a single client out of the firewall. * cleanup more imports * add tests * Fix firewall IPv6 validation and test expectations Updated validation to correctly handle plain and bracketed IPv6 addresses, and fixed test to expect string from schema instead of object. * added comments to firewall rules and updated tests * fix auto-import * fix typescript errors * recreate sql migrations and rebase * improve tests, typechecking, documentation * fix formatting, fix types * improve type * added note for including host's IP in client firewall * updated language to include cidr and protocol options * another language update * refer to docs for firewall allowed IPs --------- Co-authored-by: Bernd Storath <[email protected]>	4 months ago
CthulhuVRN	a469ac6897	AmneziaWG 2.0: support for H1-H4 ranges (#2480 ) * AmneziaWG 2.0: support for H1-H4 ranges ## Changes: ``` - [+] Added support for H1-H4 ranges - [!] Fixed interface fields order (H1-H4 goes before I1-I5) ``` ## Known issues: ``` - [!] no check for unique/overlap of H1-H4 values on settings apply: settings will be applied but wg interface will crash with "Invalid argument" error ``` * AmneziaWG 2.0: support for H1-H4 ranges ## Changes: ``` - [+] Added support for H1-H4 ranges - [!] Fixed interface fields order (H1-H4 goes before I1-I5) ``` ## Known issues: ``` - [!] no check for unique/overlap of H1-H4 values on settings apply: settings will be applied but wg interface will crash with "Invalid argument" error ``` * AmneziaWG 2.0: support for H1-H4 ranges ## Changes: ``` - [+] Added support for H1-H4 ranges - [!] Fixed interface fields order (H1-H4 goes before I1-I5) ``` ## Known issues: ``` - [!] no check for unique/overlap of H1-H4 values on settings apply: settings will be applied but wg interface will crash with "Invalid argument" error ``` * Update types.ts Lint fixes --------- Co-authored-by: CthulhuVRN <[email protected]>	4 months ago
Alexander Chepurnoy	6a282e6ab9	AmneziaWG 2.0 (#2226 ) * feat!: awg * feat: add description to fields, add I5 * fix: awg i18n * fix: types * minor fixes * Remove TODO comment from types.ts Removed TODO comment for more validation. --------- Co-authored-by: Bernd Storath <[email protected]>	8 months ago
Bernd Storath	8c395ec275	fix pre-release	1 year ago
Bernd Storath	e92ee0464e	Feat: Server Endpoint (#1785 ) * add server endpoint to client * be able to update endpoint over api	1 year ago
Bernd Storath	32b73b850a	Feat: 2fa (#1783 ) * preplan otp, better qrcode library * add 2fa as feature * add totp generation * working totp lifecycle * don't allow disabled user to log in not a security issue as permission handler would fail anyway * require 2fa on login if enabled * update packages * fix typo * remove console.logs	1 year ago
Bernd Storath	159a51cff4	Feat: Global config override (#1720 ) * be able to change dns. implement global override * link donate to readme * implement global config for allowed ips * change translations, fix generation * improve docs	1 year ago
Bernd Storath	e5fb6ff3a6	Fix: OneTimeLinks (#1719 ) * fix otls * one otl per client * revert some code * revert some more code, add comments * adjust migration	1 year ago
杨黄林	fcb5049dab	Add PreUp, PostUp, PreDown, PostDown for client (#1714 ) * Fix create client popup background is not white * Fix no Add button when client Allowed Ips or Server Allowed Ips is empty * Add preUp preDown postUp postDown for client * Add description of hooks for client config * Move hooks's label text into 'hooks' in en.json --------- Co-authored-by: yanghuanglin <[email protected]> Co-authored-by: Bernd Storath <[email protected]>	1 year ago
Bernd Storath	9b29d72991	Version 15.0.0-beta.1: Rewrite in Nuxt and Typescript, Move to UI (#1333 ) * Add Nuxt, ESM, Typescript (#1244) * wip: add nuxt * basic implementation * add changes from `c9ff248` * update workflow, add eslint * add types, fix wrong error message * install correct bcrypt, move eslint to dev modules * add docker dev script * fix styling * add wireguard routes * typescript, vendors * fix lint workflow * lint fixes * add prettier, format * fix lint, add vscode settings * better typescript * use auto imports * add prettier eslint config * cache config * fix styling issue, fix formatting * fix tailwind problems * fix logout not showing * fix lint action * Fix session middleware * split files into correct methods * use type safe api, fix typescript errors * better return types not tested * change default working directory * update workflows * fix error * correct session middleware, type safe session * convert undefined to boolean * correct key for api errors * use zod to validate input * add more jobs to check for good code * add pinia Co-authored-by: Sergei Birukov <[email protected]> Co-authored-by: Bernd Storath <[email protected]> * use color mode plugin * !! use better storage key name Breaking as if old key exists it breaks as "auto" is not compatible with new "system" * better local dev while dev container is running use `docker compose -f docker-compose.dev.yml up` or after changing dockerfile `docker compose -f docker-compose.dev.yml up --build` * update translation to match new theme mode * improve dx new devs get extensions recommended to catch errors, etc directly in vscode * reduce errors, improve typing * Split components (#1) * update: introduce pages & components fix lint * update: starting split components * use auto imports * Improve workflows and docker workflow fix step naming simplify docker dev simplify docker prod revert to node 18 dockerfile naming scheme * Split components (#2) * update: starting split components * upd: rebase & continue splitting components - layouts: header & footer - components: basic buttton - pages: login page * update: login page * package.json: remove dev:pass script * Split into Components, migrate to nuxt fixup shutdown wireguard properly fix styling, fix store split even more clear interval split even more split even more handle auth middleware on server avoid flicker of login page * fix: buttons spaces & move layouts to components (#3) * update: icons into components - fix: header login page * fix: tailwind handle btn class * Split into icons fix avatar move class to view not icon itself fix icon format * invalidate cache to make restoreConfig work * fix apexchart * use different color mode module other one resulted in hydration mismatch * fix dialog * fix bad i18n merge * use nuxt 4 * fix typing, fix redirect, latest release on server * start wireguard on start * wait for shutdown * improve zod errors, consistent server errors * migrate to useFetch this makes sure that there is no double fetching * fix hydration issues, remove unnecessary state, rename function * fetch globalstore globally otherwise this will load on login to homepage * migrate to useFetch no javascript support TODO: not properly tested * update backend * wip: frontend * update frontend * update pnpm lock --------- Co-authored-by: Sergei Birukov <[email protected]> Co-authored-by: Bernd Storath <[email protected]> Co-authored-by: tetuaoro <[email protected]> * Fix various issues fix router param fix max age unit is seconds not ms fix regressions fix missing expire date in client create dialog fix wrong type rules fix wrong api endpoint properly catch error running cron job fix type issues * add database (#1330) * add: database abstraction * update: get lang from database * udpate: with repositories * add: interfaces to connect a database provider - easy swapping between database provider * add: setup page - add: in-memory database provider - create a new account (signup) - login with username and password - first setup page to create an account - PASSWORD_HASH was removed from environment and files was updated/removed due to that change * update: Dockerfile * fix: review done - remove: REQUIRES_PASSWORD & RELEASE environment variables * fix: i18n translation - rename directories * update: use database * fix: typecheck * fix: review * rebase & add: persistent lowdb provider * update: french translation * revert: due to rebase * remove & document * Refactor New UI (#1342) * refactor code * refactor code * add some todos * update pnpm, start migrating to database * add missing i18n key * add todo * basic setup styling * nuxt 4 folder structure, update packages * Feat: Migrations (#1344) * add migrations * improve migration runner * improve migration runner * document what each migration does * Feat: Rewrite Wireguard to use Database (#1345) * update wireguard * update * update * remove all config * move all features into one route * improve code * fix some issues add wg_path, update documentation * Feat: Cidr Support (#1347) * cidr support * add cidr * fix some errors fix server config missing cidr block in server config * Fix: Database Date type (#1349) * Feat: IPv6 (#1354) * start supporting ipv6 * add ipv6 support * build server with es2020 es2019 doesn't support bigint * fix issues, better naming * Fix: Security (#1355) * separate route for onboarding * zse zod for validation * use argon2id * add build tools * Feat: Server AllowedIPs, MTU (#1356) * add wireguard helpers * improve wireguard helpers * add server mtu * fix wg0.conf formatting * add ipv6 support to docker compose and readme * Feat: Docs (#1361) * basic docs * use semver versioning * Feat: Migration (#1363) * start migration * improve migration * remove endpoint from client * improve docker * Chore: Deprecate Dockerless (#1377) * deprecate dockerless * Feat: Improve Repository pattern (#1380) * improve repository pattern * fix errors * Feat: Improve Database Handling (#1383) * improve docker build * build doc workflow * Feat: Changelog, Release Notes (#1385) * add changelog, use semver for update message * use first line of release for short changelog * load ipv6 iptables module * Feat: Show Version in Footer (#1389) update ui logic, always store release in global store. new release logic uses rate limited github api, avoid using cache * use i18n ally (#1391) * improve gh actions * Setup UI (#1392) * update: setup ui page * rebase * remove script addition * Fixed usage of Ukrainian instead of Russian in ru.json (#1414) * Added translations for the Belarusian language (#1472) * Install kmod from alpine repository (#1553) Because the busybox modprobe utility is unable to load zstd compressed modules. Co-authored-by: Matt <[email protected]> * WIP: Feat: UI, General Improvements (#1397) * update: setup ui page * remove script addition * add admin panel * basic user menu and admin page * make usable admin panel * add radix vue, improve ui * fix features, add toast * rewrite middleware logic, support basic auth * add todo marker * active tailwind forms * remove some console.logs * check if user is enabled frontend doesn't handle this state yet, nothing will work as api routes will fail * add email to user, basic account page * better group database * group even more * basic statistics page * update: admin ui - add: common panel components to get same UI - i18n: french * update: setup page error handle - use fetch error data to provide error message - use translation to provider error message * update: me page * fix: :text props * update: login page * update: i18n french support * fix: use radix toast duration * update: reduce templates - remake: setup page to add others step configuration (host/port/migration) * udpate: setup page use wizard form step * update: ui * update: step page - first step to choose a language - use red color in light mode - validate step before move toward * update: setup page - use radix select component to reduce boilerplate * update: setup page - add: database langugage method - update: api lang & export supported languages * update: setup page - update ui select language - change lang on selection * fix: use global store * fix: initial value - update: sort langs by value * fix: ui center paragraph * fix: remove file extension & some revert - add: script to run checks script * update: setup page - add: host/port section - i18n: french - fix: fallback translation * refactor: split setup into files * update: setup page - redirect to login when the setup is done - allow user to return to previous steps - prompt error message - i18n french * add: migration UI step - rename: components - fix: label for & form child id - i18n french sup * add: migration server * fix: use string instead of File * improve: with zod validation * restore: clients * rework setup * add client page, move api routes * improve setup * switch to agpl * add step back * update licensed under texts cc -> agpl * make db results readonly avoid weird side effects, when modifying the db object as its only allowed inside e.g. lowdb.ts * update footer links * improve client edit page, add mtu * reorder tailwind classes * update packages * update comments * better toast, better avatar * delete feature toggle * remove chart, statistics from server let user decide what he wants to display * move into own components * switch from AGPL-3.0-or-later to AGPL-3.0-only AGPL-3.0-or-later is not OSI approved * fix building source fixes https://github.com/wg-easy/wg-easy/issues/1563 * update packages --------- Co-authored-by: tetuaoro <[email protected]> * update readme * Feat: Settings, UI, General Improvements (#1572) * deprecate other languages new ui has too many new strings * fix wrong license in readme * properly fetch release * order safe data structure for migrations * empty server allowed ips by default * show userconfig in admin panel * remove routes, fix config * add ability to update clients * handle form submit using js avoid weird behavior with FormData * global toast, be able to update client * update packages * fix date field * delete client using radix dialog * remove lang from backend, let users decide * be able to change interface and general * be able to update user config * consistent allowedips * fix array field * improve avatar, code cleanup * basic metrics support * remove dateTime helper * be able to change hooks * start cidr update * be able to update cidr * Feat: SQLite (#1619) * start drizzle migration * split schema * improve schema * improve schema, cascade, unique * improve structure, start migration * migrate to sqlite * work in prod docker * start adding a better permission handler * permission matrix, permission handler * update packages * move session timeout to session config, use new permission handler * improve docker dev only install dependencies if changed * implement setup * migrate to sqlite * improve debug, fix custom migration * migrate to sqlite * regenerate migrations * ignore autogenerated migrations from prettier * migrate to sqlite * migrate to sqlite * Migrate to sqlite * fix prod error * move nuxt middleware from server to nuxt * update corepack in prod dockerfile * use correct branch for workflow * make docker file build on armv6/v7 * fix client update * update zod locales * cancel pr workflow if new commit * test concurrency * Feat: Account (#1645) * be able to change name, email * be able to change password * consistent naming zod is a schema not a type * use transaction instance * add zod strings * Feat: Prometheus (#1655) * check metrics password * rewrite prometheus and json metric endpoints * move metrics to general metrics is not per interface * change metrics settings in admin panel * add i18n keys * Chore: Remove multi interface support (#1657) * streamline references to wg0 database wg0 name makes no sense anymore wg0 only in database, could be easily replaced, or support for custom name added * fix default key gen * Feat: Permission System (#1660) * wip: add abac * wip: add admin abac * add me abac * fix type issue * move from role check avoid authStore.userData?.role === roles.ADMIN * Feat: Zod Generic String (#1661) * start improving zod translations * update zod translations * Feat: Migration (#1663) * show error for old env vars * reorder setup, be able to migrate * fix type issue * footer and header in setup, remove lang setup step * remove backup / restore * refactor dialog (#1665) * fixed Dockerfile HEALTHCHECK syntax (#1686) HEALTHCHECK options should always come before the CMD instruction * Feat: Info (#1666) * add tooltip info, extract strings * multi type toast * improve useSubmit, i18n * better login screen * improve * consistent folder casing * consistent casing * fix even more stuff * temp * fix type errors * remove armv6/7 support for now * add information to client page * optimize dockerfile * update base image in Dockerfile to use node:lts-alpine * fix build stage * Chore: TODOs (#1695) * verify setup step * improve readme * format todos * move id * remove objectMessage * style array field * Chore: TODOs (#1696) * fix chart * replace localstorage with cookies * Chore: Improvments (#1697) * update packages * fix tab issues * consistent imports * use eslint module * update date * improve docs * update docs * format * fix docs, fix cookie * recognize timing attack potential * improve gh actions, issue templates (#1700) * Feat improv (#1702) * add insecure option, link readme to docs * improve docs * update version * add warning to readme --------- Co-authored-by: Sergei Birukov <[email protected]> Co-authored-by: Bernd Storath <[email protected]> Co-authored-by: tetuaoro <[email protected]> Co-authored-by: laperuz92 <[email protected]> Co-authored-by: Siomkin Alexander <[email protected]> Co-authored-by: Matt <[email protected]> Co-authored-by: Matt <[email protected]> Co-authored-by: Denis Kazimirov <[email protected]>	1 year ago

11 Commits (d7af4bb57ed510d7fadad6e99a4d261cb8633d11)