* Add per-client firewall filtering

  Implement server-side firewall rules to restrict client network access, allowing administrators to enforce security policies that cannot be bypassed by clients modifying their local configuration. This feature addresses the limitation where "Allowed IPs" only controls client-side routing but doesn't prevent clients from accessing networks they shouldn't reach. The firewall rules are enforced on the server using iptables/ip6tables and provide true access control.

  Features:
  - Opt-in via "Enable Per-Client Firewall" toggle in admin interface
  - Per-client "Firewall Allowed IPs" field for granular control
  - Support for IPs, CIDRs, and port-based filtering
  - Protocol specification: TCP, UDP, or both (default)
  - IPv4 and IPv6 dual-stack support
  - Falls back to client's allowedIps when firewallIps is empty
  - Clean separation of routing (allowedIps) from security (firewallIps)

  Supported formats:
  - 10.10.0.3 (single IP)
  - 10.10.0.0/24 (CIDR range)
  - 192.168.1.5:443 (IP with port, both TCP+UDP)
  - 192.168.1.5:443/tcp (IP with specific protocol)
  - [2001:db8::1]:443 (IPv6 with port)

  Implementation:
  - New database columns: firewall_enabled (interfaces), firewall_ips (clients)
  - Migration 0003_add_firewall_filtering for schema updates
  - firewall.ts utility for iptables chain management (WG_CLIENTS chain)
  - Integration into WireGuard.ts for automatic rule application
  - UI components with conditional rendering based on firewall toggle

  Technical details:
  - Uses custom WG_CLIENTS iptables chain for isolation
  - Rebuild strategy: flush and recreate all rules on config save
  - Mutex protection via rebuildInProgress/rebuildQueued flags
  - Graceful cleanup when firewall is disabled
  - No new dependencies (uses existing is-ip, is-cidr packages)

* added comprehensive documentation in README and docs/ for firewall filtering
* validate firewall IPs
* check for iptables before enabling the firewall and inform the user if it is missing
* updated firewall docs
* fix imports
* remove extra import
* Document all allowed IP/cidr/port/proto combinations that are allowed and check on save
* add note on firewall being experimental and how to opt a single client out of the firewall.
* cleanup more imports
* add tests
* Fix firewall IPv6 validation and test expectations

  Updated validation to correctly handle plain and bracketed IPv6 addresses, and fixed test to expect string from schema instead of object.

* added comments to firewall rules and updated tests
* fix auto-import
* fix typescript errors
* recreate sql migrations and rebase
* improve tests, typechecking, documentation
* fix formatting, fix types
* improve type
* added note for including host's IP in client firewall
* updated language to include cidr and protocol options
* another language update
* refer to docs for firewall allowed IPs

---------

Co-authored-by: Bernd Storath <999999bst@gmail.com>
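The entry formats listed in the commit message, worked through as an added example (this is not the project's own firewall.ts): each form is parsed into a rule and turned into the iptables/ip6tables argument lists a rebuild of the WG_CLIENTS chain would append. Assumed here: a loose address classifier stands in for the is-ip/is-cidr validation the project uses, and each rule matches the client's tunnel address as the source.

```typescript
// Added example (not wg-easy's own firewall.ts): parse one "Firewall Allowed IPs" entry
// and turn it into iptables/ip6tables arguments for a WG_CLIENTS-style chain.
export interface FirewallRule {
  family: 4 | 6;                 // 4 -> iptables, 6 -> ip6tables
  dest: string;                  // destination IP or CIDR
  port?: number;                 // destination port, when the entry carried one
  proto: "tcp" | "udp" | "both"; // "both" is the default when no /tcp or /udp suffix is given
}

// Loose address classifier standing in for the is-ip/is-cidr packages the project uses.
function ipFamily(addr: string): 4 | 6 | 0 {
  const octets = addr.split(".");
  if (octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) return 4;
  const groups = addr.split(":");
  const compressed = addr.includes("::");
  if (/^[0-9a-f:]+$/i.test(addr) && groups.every((g) => g.length <= 4) &&
      (compressed ? addr.split("::").length === 2 && groups.length <= 8 : groups.length === 8)) return 6;
  return 0;
}

export function parseFirewallEntry(entry: string): FirewallRule {
  let rest = entry.trim();
  let proto: FirewallRule["proto"] = "both";
  const protoMatch = rest.match(/\/(tcp|udp)$/i); // strip the protocol suffix before CIDR parsing
  if (protoMatch) { proto = protoMatch[1].toLowerCase() as "tcp" | "udp"; rest = rest.slice(0, -protoMatch[0].length); }
  let dest = rest;
  let port: number | undefined;
  const v6 = rest.match(/^\[([^\]]+)\](?::(\d+))?$/);      // [2001:db8::1]:443 (bracketed IPv6)
  const v4 = rest.match(/^([\d.]+(?:\/\d+)?):(\d+)$/);     // 192.168.1.5:443
  if (v6) { dest = v6[1]; if (v6[2]) port = Number(v6[2]); }
  else if (v4) { dest = v4[1]; port = Number(v4[2]); }
  const [addr, prefix] = dest.split("/");
  const family = ipFamily(addr);
  if (family === 0) throw new Error(`invalid address in firewall entry: ${entry}`);
  const maxPrefix = family === 4 ? 32 : 128;
  if (prefix !== undefined && !(/^\d+$/.test(prefix) && Number(prefix) <= maxPrefix)) throw new Error(`invalid prefix: ${entry}`);
  if (port !== undefined && (port < 1 || port > 65535)) throw new Error(`invalid port: ${entry}`);
  return { family, dest, port, proto };
}

// Argument lists a rebuild would append to the chain. Matching on the client's tunnel address as
// source (-s) is an assumption; "--dport" needs "-p", so "both" with a port becomes a TCP and a UDP rule.
export function toChainArgs(clientIp: string, rule: FirewallRule): string[][] {
  const base = ["-A", "WG_CLIENTS", "-s", clientIp, "-d", rule.dest];
  const protos = rule.proto === "both" ? (rule.port === undefined ? [] : ["tcp", "udp"]) : [rule.proto];
  if (protos.length === 0) return [[...base, "-j", "ACCEPT"]];
  const dport = rule.port === undefined ? [] : ["--dport", String(rule.port)];
  return protos.map((p) => [...base, "-p", p, ...dport, "-j", "ACCEPT"]);
}
```

Pick the binary from `rule.family` (iptables for 4, ip6tables for 6) when applying the returned argument lists.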
WireGuard Easy
You have found the easiest way to install & manage WireGuard on any Linux host!
Features
- All-in-one: WireGuard + Web UI.
- Easy installation, simple to use.
- List, create, edit, delete, enable & disable clients.
- Show a client's QR code.
- Download a client's configuration file.
- Statistics for which clients are connected.
- Tx/Rx charts for each connected client.
- Gravatar support.
- Automatic Light / Dark Mode.
- Multilanguage Support.
- One Time Links.
- Client Expiration.
- Prometheus metrics support.
- IPv6 support.
- CIDR support.
- 2FA support.
- Per-client firewall filtering (requires iptables).
Note
To better manage documentation for this project, it has its own site here: https://wg-easy.github.io/wg-easy/latest
Note
If you want to migrate from the old version to the new version, you can find the migration guide here: Migration Guide
Installation
This is a quick start guide to get you up and running with WireGuard Easy.
For a more detailed installation guide, please refer to the Getting Started page.
1. Install Docker
If you haven't installed Docker yet, install it by running as root:
curl -sSL https://get.docker.com | sh
exit
And log in again.
2. Run WireGuard Easy
The easiest way to run WireGuard Easy is with Docker Compose.
Just follow these steps in the detailed documentation.
You can also install WireGuard Easy with the docker run command or via podman.
Now set up a reverse proxy to be able to access the Web UI securely from the internet. This step is optional; if you decide not to do it, make sure to follow the guide here.
Donate
Are you enjoying this project? Consider donating.
Founder: Buy Emile a beer! 🍻
Maintainer: Buy kaaax0815 a coffee! ☕
Development
Prerequisites
- Docker
- Node LTS & corepack enabled
- Visual Studio Code
Dev Server
This starts the development server with Docker.
pnpm dev
Update Auto Imports
If you add something that should be auto-importable and VSCode complains, run:
cd src
pnpm install
cd ..
Test CLI
This starts the CLI with Docker.
pnpm cli:dev
License
This project is licensed under the AGPL-3.0-only License - see the LICENSE file for details.
This project is not affiliated, associated, authorized, endorsed by, or in any way officially connected with Jason A. Donenfeld, ZX2C4 or Edge Security.
"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
