Add and delete peers from the wireguard network
Keith Irwin d8d41b2088 Added mkosi files 3 months ago
admin Added hook to create/delete ssl certs for each device (sold separately) 11 months ago
app Fixed #17 10 months ago
includes Added logging (silenced in script) 11 months ago
mkosi.extra Added mkosi files 3 months ago
systemd Fixed systemd unit files 1 year ago
.dockerignore Separated environment, fixed bugs 1 year ago
.gitignore Separated environment, fixed bugs 1 year ago
Dockerfile Improved dockerfile speed, better docker-compose.yml.sample, debugging nsupdate 1 year ago
LICENSE.md Must be GPLv2 1 year ago
README.md #9 Improved README 1 year ago
docker-compose.yml.sample Improved dockerfile speed, better docker-compose.yml.sample, debugging nsupdate 1 year ago
env.json.sample Probably need all the subdomains 11 months ago
index.js Major upgrades, made API more RESTful 12 months ago
mkosi.build Added mkosi files 3 months ago
mkosi.default Added mkosi files 3 months ago
mkosi.nspawn Added mkosi files 3 months ago
package-lock.json npm audit fix 5 months ago
package.json Updated version 1 year ago

README.md

wgapi

NodeJS server to add and remove wireguard configs

Installation

with Docker

Install docker and docker-compose. Then create a project directory and pull the sample environment files.

sudo mkdir /srv/wgapi
cd /srv/wgapi
sudo wget 'https://gitea.gf4.pw/gf4/wgapi/raw/branch/master/docker-compose.yml.sample'
sudo wget 'https://gitea.gf4.pw/gf4/wgapi/raw/branch/master/env.json.sample'
sudo cp docker-compose.yml.sample docker-compose.yml
sudo cp env.json.sample env.json

Edit docker-compose.yml and env.json files according to their comments. Then you can start the service:

docker-compose up -d

The API modifies your wireguard configuration file, but the changes do not take effect until the interface is restarted, so it needs to be restarted periodically. One way of doing this is with a systemd timer.

systemd

The API edits the wireguard config in the background but doesn't restart the service. To have changes take effect every 10 minutes, you can use this repo's systemd unit files:

cd /etc/systemd/system
sudo wget 'https://gitea.gf4.pw/gf4/wgapi/raw/branch/master/systemd/restart-wg-quick@.service'
sudo wget 'https://gitea.gf4.pw/gf4/wgapi/raw/branch/master/systemd/restart-wg-quick@.timer'
sudo systemctl daemon-reload
# Replace this with your interface
sudo systemctl start restart-wg-quick@wg0.timer

If that works, make it run on boot:

sudo systemctl enable restart-wg-quick@wg0.timer

Usage

Once the server is listening, there are three endpoints that clients can direct requests to.

List (/list)

This endpoint returns the requesting user's user object, including an auth token, with all of that user's peer information in user.peers.

Request

Just GET /list; the endpoint identifies you by your source IP and returns your user object.

Response

Returns the user object and peers as json.

{
	"name": "myusername",
	"token": "longsecrettokenhere",
	"subnet": "8",
	"peers": [
		{
			"name": "host1",
			"ipv4": "10.5.8.1",
			"ipv6": "fd69:1337:0:420:f4:f5:8:1"
		},
		{
			"name": "host2",
			"ipv4": "10.5.8.2",
			"ipv6": "fd69:1337:0:420:f4:f5:8:2"
		}
	]
}

...

Add

This endpoint adds a peer to the wireguard servers and adds its IP address to the nameserver. To guard against IP spoofing, it requires a token from a /list request.

Request

Simply GET /add?token=MYTOKEN&name=host3 where MYTOKEN is the secret token from the /list request and host3 is the new hostname. The backend will add your new peer to its wireguard config and inform other servers of the new peer. Then it will modify the nameserver to add your peer's IP addresses under the domain host3.myusername.tld.

Response

A successful /add request will return the new peer's wireguard configuration as plaintext. Copy and paste it to your client machine's /etc/wireguard/wg0.conf file.

A failed request returns an error code. For 5XX HTTP codes, the details of the error are in the server log.

Delete

This endpoint deletes a peer from the wireguard servers and removes its domain from the nameserver. To guard against IP spoofing, it requires a token from a /list request.

Request

After getting a token from a /list request, a peer can be identified and deleted using any of these requests:

  • GET /del?token=MYTOKEN&name=host3 using the hostname
  • GET /del?token=MYTOKEN&pubkey=PUBKEY using a wireguard public key
  • GET /del?token=MYTOKEN&privkey=PRIVKEY using a wireguard private key
  • GET /del?token=MYTOKEN&psk=PSK using the wireguard preshared key
  • GET /del?token=MYTOKEN&ip=IP using an IPv4 or IPv6 address

Response

It simply returns 200 OK on success. For 5XX HTTP codes, the details of the error are in the server log.
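Putting the three endpoints together, here is an added client sketch (not the wgapi project's own code) that takes the token from /list, validates the hostname before calling /add, builds /del requests with exactly one selector, and checks that the /add reply really is a wg-quick config before it is written to disk. The server address in BASE_URL, the DNS-label rule for hostnames and the config check are my own assumptions, not something the API documents.

```javascript
const BASE_URL = process.env.WGAPI_URL || "http://10.5.0.1:3000"; // assumed address of the wgapi server

// /add publishes the name as <name>.<user>.tld, so require a valid DNS label (assumed rule)
function isValidLabel(name) {
  return /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(name);
}

// Check the shape of a /list body before trusting the token inside it
function parseListResponse(body) {
  const user = JSON.parse(body);
  if (typeof user.name !== "string" || typeof user.token !== "string" || !Array.isArray(user.peers)) {
    throw new Error("unexpected /list response shape");
  }
  return user;
}

// Build GET /add?token=...&name=... with proper URL encoding
function buildAddUrl(base, token, name) {
  if (!isValidLabel(name)) throw new Error(`invalid hostname: ${name}`);
  const u = new URL("/add", base);
  u.searchParams.set("token", token);
  u.searchParams.set("name", name);
  return u.toString();
}

// /del takes exactly one selector: name, pubkey, privkey, psk or ip
function buildDelUrl(base, token, selector) {
  const keys = Object.keys(selector);
  if (keys.length !== 1 || !["name", "pubkey", "privkey", "psk", "ip"].includes(keys[0])) {
    throw new Error("exactly one of name, pubkey, privkey, psk or ip is required");
  }
  const u = new URL("/del", base);
  u.searchParams.set("token", token);
  u.searchParams.set(keys[0], selector[keys[0]]);
  return u.toString();
}

// A successful /add returns a wg-quick config; refuse to write anything else to /etc/wireguard
function looksLikeWgConfig(text) {
  return /^\[Interface\]/m.test(text) && /^\[Peer\]/m.test(text) && /^PrivateKey\s*=/m.test(text);
}

// Full flow: /list for the token, /add for the new peer, verify the returned config (Node 18+ fetch)
async function addPeer(name) {
  const user = parseListResponse(await (await fetch(new URL("/list", BASE_URL))).text());
  const res = await fetch(buildAddUrl(BASE_URL, user.token, name));
  if (!res.ok) throw new Error(`/add failed with HTTP ${res.status}`);
  const conf = await res.text();
  if (!looksLikeWgConfig(conf)) throw new Error("response is not a wireguard config");
  return conf; // caller writes this to /etc/wireguard/wg0.conf with mode 0600
}
```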

License (GPLv2)

Copyright © 2021 Keith Irwin

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.