{"id":13551158,"url":"https://github.com/NOXCIS/Wiregate","last_synced_at":"2025-04-03T01:31:34.144Z","repository":{"id":164550225,"uuid":"639725388","full_name":"NOXCIS/Wiregate","owner":"NOXCIS","description":"🥷🏼  WireGuard VPN Server with WGDashboard for UI + TOR + DnsCrypt + AmneziaWG","archived":false,"fork":false,"pushed_at":"2025-03-22T20:29:27.000Z","size":48732,"stargazers_count":458,"open_issues_count":7,"forks_count":13,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-03-27T04:14:52.567Z","etag":null,"topics":["adguard","amnezia-vpn","amneziawg","amneziawg-ui","dnscrypt","docker","obfs4proxy","pihole","proxy","snowflake","tor","unbound-server","user-interface","wireguard","wireguard-installer","wireguard-peer-access-control","wireguard-ui","wireguard-user-restrictions"],"latest_commit_sha":null,"homepage":"","language":"Vue","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NOXCIS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"Docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-12T04:59:34.000Z","updated_at":"2025-03-23T07:23:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"c7c48460-1f01-4611-b823-a590e1761986","html_url":"https://github.com/NOXCIS/Wiregate","commit_stats":{"total_commits":609,"total_committers":3,"mean_commits":203.0,"dds":0.003284072249589487,"last_synced_commit":"22f7995eccad48115995aac936ff248995553b5d"},"previous_names":["noxcis/wirehole","noxcis/wiregate"],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NOXCIS%
2FWiregate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NOXCIS%2FWiregate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NOXCIS%2FWiregate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NOXCIS%2FWiregate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NOXCIS","download_url":"https://codeload.github.com/NOXCIS/Wiregate/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246922067,"owners_count":20855341,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adguard","amnezia-vpn","amneziawg","amneziawg-ui","dnscrypt","docker","obfs4proxy","pihole","proxy","snowflake","tor","unbound-server","user-interface","wireguard","wireguard-installer","wireguard-peer-access-control","wireguard-ui","wireguard-user-restrictions"],"created_at":"2024-08-01T12:01:43.404Z","updated_at":"2025-04-03T01:31:29.127Z","avatar_url":"https://github.com/NOXCIS.png","language":"Vue","funding_links":[],"categories":["Vue","python","Community Project Highlights:"],"sub_categories":[],"readme":"  \n\n\n# WireGate\n\n  \n\n![GitHub Repo stars](https://img.shields.io/github/stars/NOXCIS/WireGate?style=social) ![Docker Pulls](https://img.shields.io/docker/pulls/noxcis/wg-dashboard.svg?style=flat\u0026label=pulls\u0026logo=docker) ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/noxcis/wg-dashboard.svg?style=flat\u0026label=image\u0026logo=docker) 
![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https://github.com/NOXCIS/WireGate\u0026icon=github.svg\u0026icon_color=%23FFFFFF\u0026title=hits\u0026edge_flat=false) ![GitHub Clones](https://img.shields.io/badge/dynamic/json?color=success\u0026label=Clone\u0026query=count\u0026url=https://gist.githubusercontent.com/NOXCIS/a08fe945ac095cea4f3cc21178ee43fb/raw/clone.json\u0026logo=github)\n\n  \n\n  \n\n  \n\n### What Is WireGate?\n\n  \n\nWireGate is a fully automated Docker-based **intranet deployment** that allows users to host web and other applications on their existing server and securely connect to those applications without exposing them to the open internet. This is done by utilizing the **WireGuard protocol** in conjunction with **Docker Networks and Containers**. Hence applications hosted behind the WireGate private network *`need not expose any ports`* and can only be accessed via a *WireGuard* connection already registered to an existing server interface on the deployed WireGate instance. Secure by Design, the WireGuard Dashboard \u0026 other services are only accessible on first deployment via the **master configuration** that is generated at install and `encrypted after being outputted to the console.` Wiregate also acts as an ISP DNS query logging bypass. Wiregate by default is configured to have minimal logging.\n\n\n\n  ___\n### Wiregate vs Wirehole vs WG-Easy\n| Project |  Easy Setup | Production Ready | Client Firewall Rules | GUI | DNS Filtering | Multi Interface | Built in Security |\n|--|--|--|--|--|--|--|--|\n|\tWiregate |✅|✅|✅|✅|✅|✅|✅|\n|\tWirehole |✅|:x:|:x:|:x:|✅|:x:|:x:|\n|\tWG-Easy  |✅|:x:|:x:|✅|:x:|:x:|:x:|\n\n\n\n\n\n\n\n\n___\n### Zone Permissions\nWiregate is configured with 4 zones that peers can be added to. The zone a peer belongs to dictates the network access permissions of said peer. **Wiregate** supports the `x86-64` and `arm64` CPU architectures. 
Tested on **Ubuntu LTS \u0026 Debian 12**\n\n| Zone  | Internet Access | WireGuard Dashboard Access  | Docker Network Access  | Peer to Peer Access | \n|--|--|--|--|--|\n|  **Admin** |✅| ✅ | ✅ | ✅ |\n| **Members**|✅|:x:|✅|✅|\n| **LAN Users**|:x:|:x:|:x:|✅|\n| **Guest**|✅|:x:|:x:|:x:|\n---\nNetwork Map\n![enter image description here](https://mermaid.ink/img/pako:eNrFV21v4jgQ_isjVj0-bKGQ0m3hdtGWt7ZSd8uVdu9DWZ1MYsBqiCPb6YtK__uO856QNHuVThcQyeDH43l5Zhy_1Exu0Vqvtrf3MncAmMNUD_xHgLpa0w2t96C-IJLW99P__iCCkYVNZT2G45Ar2IaI5yG3udDzPnRIq9vqRlMTxA19UglquVzuQgZcWFQkoONhC68UzmYOTYYnJwPDSK8kqckdK2uNoT8pjKJCsQxEmxIMv-ob_rzu7c0d_Vna_NFcE6Hg8jqAnEKj0d_-zQQ984iw4EaQ5ZKZWxgE44Oy8WEwLr3FShB3DcyiLbg751LBN2Ku0TG4aI7hx3QGXMA531CYUfFAxc_diW24G3Hzngr4TtUjF_fwFdqtptFsNVsHRqeH8Ee0YEUU_QdD-6DvToAs0GbAnW8vomDIHUXQFpFoPERdag0asvJduh1N4ZJJRR2YcqEkjJ9cLqn1U0dMKx8CfPnSx4dRII8BGs1GH7Y2N4kNNufugpj34FKxYYpacXBGoKOHE7LiJCueJaLWeh6I1LGS1TRsZATyJCefh_J29H0WpQe9PToEz3K3MImmGeFqoTwK5fFhTu7k1o8fIsR2pohmZYoM45zSjC0IhlMriPWIyPWA6ydimlTKxL6z9NS_PCoYlYni2Mkrx36Gc6Vc-MO_yV0jxoehJ5Hcycoh8e_mtc8WewCpnm36BevoSTWIzVZOz6ZLVe9PKRUB9PMB4vrzWsi1QdXMkPOXPjsC0mNCLqY72kJ6vZTqM6mD9V3vF_CZqnUrReqoHwBwB7C9lRZMM0HeICzWbGFmFn5mmIQ1ljG1YE0FxTVcrAo4aaVmpv14DVP_8mZU_qz3L6Y3p4PL8Qyub_E3G4xUv9IsqtRV5h1kbUw1kZL1QnpVpfQx6hYNpjOyJCbtwcqjUmUXnHkLtKQH7a7RbH86aRqtZttfPAs79ckPisM0sB_ZgTUi9J_XxFlRCQNbd0QrO09fDe2V_zk4KRw91kv7422jEBDa5iM-FVI8LMl3RcUmjsz7m7OsHecjCxgSB-mLBY7bnkNNpQPkYhnKiNSS4DYSr1Wk4kIPYgrCEPdgQmxZiMztOJX4uFJGcaUUzNmp7jOjKoq3zoJ72COT2g5pa7RagY6Kko6WCgK48LvEkq08gSWMEcSvJ6mvgUXRub66ugHptyapexVxOI4LuHWlEpRsAoV6Ax85ciieXZUyD_FDm3vWxCaizO3Ju7izoZsFWpSnT8LZdkAeyI_vpP1GeDQPKsn4LlRfHyHKSwUzPmLhBu9GlcDhmiCvbYkUUkS_kL415XcZF11F0m5aKtkYObPDxva_ZeOtxDYWBZHImFugd_iAeyVWju9-q__n2UOsDdvtPY2wXRbyxn-dCFvMEt3CvU8r1PoAyQ36fKALKHhb8XfCuBn5b396pwympvbSOHb_B03LcHmWluHKSVpk7BscTeC7Ca7e4aNQvblvjw8rmTJ-IhvXTuWk0c768BVW7AHf_YkV7L-V9E5PnmAvpOEKYZ10Sotv3HmHtcZ_a-1RgbX-gUpbGJzNlsy2ex-6tGt1LciNGuHo8dFx5zh-zYnutf3aBs9EhFl4PPeP2POaf_Se13r4iGeIe53SV8QRT_HZs2PWegp
ps1_zXAvdGDGCx7pN9Ce1mOLiW3Dc90_9r78ANbm5eA?type=png)\n---\n### Wiregate Use Cases\n\n  \n|Use Cases | Description |\n|--|--|\n| **Authentication** | Access to a service can be limited by requiring a WireGuard client config as well as a registered account on said service |\n|**Secure Self Hosted VPN**| Self Explanatory\t|\n|**Adblock \u0026 DNS Filtering** | Self Explanatory |\n|**Local Network Filter Proxy** | By using a Raspberry Pi running on the same local network you are able to pre-proxy all network traffic through your desired device using adguard/pihole \u0026 unbound. The unbound config will need to be modified to use an upstream DNS server for this to work, unless a cloud based Wiregate Node is used in conjunction with the Raspberry Pi. |\n|**Secure Invite Only Messaging Service** | This is done via channels and allows all members of the Wiregate Private Network to communicate under the same secure umbrella.|\n|**VPN Splitter** | Wiregate can be used to extend the number of clients allowed by any VPN service provider by using your Wiregate machine as a hub|\n\n---\n\n### Docker Image Information\n|Container| Vulnerability Status |Known Image CVEs|Tag|\n|--|--|--|--|\n| WG-Dashboard | ✅ None | 0 | noxcis/wg-dashboard:mantis-shrimp |\n|Pihole|:x: Vulnerable|30|pihole/pihole:latest|\n|AdGuard|✅ None|0|adguard/adguardhome:latest |\n|Channels|✅ None|0|noxcis/channels:orca |\n|Unbound|✅ None|0| klutchell/unbound:latest |\n|Postgres|✅ None|0|postgres:13-alpine|\n___\n\n\n### Global Configs\nAll Wiregate supporting configurations can be found in the Global Configs Folder.\n\n  \n  \n\n### Show your support\n\n  \n  \n\nGive a ⭐ if this project helped you!\nIf you're feeling generous? 
**Cashapp**: $N0XCIS\n  \n\n\n  \n\n  \n\n  \n\n  \n\n  \n\n## Installation Instructions\n\nRun these commands to install Wiregate.\n\n```bash\n\n#!/bin/bash\n\ngit clone https://github.com/NOXCIS/Wiregate.git\n\ncd Wiregate\n\nchmod +x install.sh\n\nsudo ./install.sh\n\n```\n\n  \n\n  \n\n## Install Options\n\n  \n\n  \n  \n  \n\n### Installer Menu\n\n  \n\n  \n\n- ./install.sh - Starts the setup script menu.\n\n![enter image description here](https://i.imgur.com/9pSj9R1.png)\n\n  \n\n  \n\n\n\n  \n\n## Other Install Options\n\n  \n\n### Express Install\n\n  \n\n**For Pihole Setup**\n\n- ./install.sh **pi-exp** - Starts the setup script and automatically configures the compose file with the following environment variables.\n\n  \n\n**For AdGuard Setup**\n\n  \n\n- ./install.sh **pi-adv** - Starts the setup script and automatically configures the compose file with the following environment variables.\n  \n\n### Advanced Install\n\n  \n\n**For Pihole Setup**\n\n- ./install.sh **pi-adv** - Starts the setup script, allowing the user to manually configure the compose file environment variables.\n\n  \n\n**For AdGuard Setup**\n\n- ./install.sh **ad-adv** - Starts the setup script, allowing the user to manually configure the compose file environment variables.\n\n  \n\n  \n  \n\n### Custom PreConfigured Install\n\n  \n\n**For AdGuard Setup**\n\n  \n\n- ./install.sh **ad-predef** - Set your desired environment variables in the environment files located in **Global-Configs/ENV-FILES**\n\n  \n\n**For Pihole Setup**\n\n  \n\n- ./install.sh **pi-predef** - Set your desired environment variables in the environment files located in **Global-Configs/ENV-FILES**\n\n  \n  \n  \n\n### Reset WireGate Deployment\n\n  \n\n  \n\n- ./install.sh **fresh** - Reset WireGuard Dashboard\n\n![enter image description here](https://i.imgur.com/JYITQiu.png)\n\n  \n  \n\n  \n\n  \n\n## Connecting to WireGuard \u0026 Accessing Dashboard\n\n  \n\n  \n\nThe installer will output a master client config 
similar to the one below. The master key file is automatically encrypted after the final output. To decrypt the Master Key, use the Master Key decryption key.\n\n  \n\n  \n\n![enter image description here](https://i.imgur.com/yJk4Eeu.png)\n\n  \n\n  \n\n## Access Channels Messenger\n\n  \n\nWhile connected to WireGate, navigate to http://channels.msg/\n\n  \n\nWireGate has an updated version of Channels messenger by [dzionek](https://github.com/dzionek) built in, to facilitate secure encrypted communication via the WireGate network.\n\n  \n\n![enter image description here](https://github.com/dzionek/channels/raw/master/readme_screenshots/screenshot-1.png)\n\n  \n\n  \n\nFlask web-application where you can create your own channels, manage them, and chat with your friends/colleagues.\n\n  \n\nInspired by Project 2 of Harvard's [CS50’s Web Programming with Python and JavaScript](https://cs50.harvard.edu/web/2018/).\n\n  \n\n  \n\n  \n\n## Access WG-DashBoard\n\nWhile connected to WireGate, navigate to http://wire.gate/  \n*The **password** \u0026 **username** are randomly generated and **provided in the final output** if not set manually.*\n\nWireGate uses a modified version of WG-Dashboard by [Donald Zou](https://github.com/donaldzou), with the following modifications:\n\n- **Dockerized** (for isolation from the main host and easy deployment)\n- **User Interface Modification** (for readability)\n- **Auto Generate and Start Wireguard Configs**\n- **Added Postup and Postdown Firewall Rules** for generated wireguard configs (ZONES)\n- **Flask App Secret Key** passed as shell generated environment variable (because flask-key relied on the website URL to be generated)\n- **Username \u0026 Password** passed as shell generated environment variable (because of hard coded admin defaults)\n- **UWSGI** instead of Gunicorn\n- **Refactored Code Base** (for UWSGI compatibility)\n- **Bcrypt** instead of SHA256 (because of hard coded password)\n- **Removed Update checks** to [Donald 
Zou](https://github.com/donaldzou) WG-Dashboard repo (because of cybersecurity paranoia)  \n\n\n\n  \n\n\n\n  \n\n  \n\n![enter image description here](https://github.com/donaldzou/WGDashboard/raw/main/img/PWA.gif)\n\n  \n\n  \n\n![enter image description here](https://github.com/donaldzou/WGDashboard/raw/main/img/HomePage.png)\n\n  \n\n  \n\n  \n\n![enter image description here](https://github.com/donaldzou/WGDashboard/raw/main/img/AddPeer.png)\n\n  \n\n  \n  \n  \n\n  \n\n## Access AdGuard (If Selected)\n\nWhile connected to WireGate, navigate to http://ad.guard/\n\n*The **password** \u0026 **username** are randomly generated and **provided in the final output** if not set manually.*\n\n  \n\n![enter image description here](https://i.postimg.cc/4y7SKQ9s/Screenshot-2023-10-18-at-10-37-21-AM.png)\n\n  \n\n## Access PiHole (If Selected)\n\n  \n\nWhile connected to WireGate, navigate to http://pi.hole/\n\n  \n\n*The **password** is randomly generated and **provided in the final output** if not set manually.*\n\n  \n\n  \n\n![enter image description here](https://camo.githubusercontent.com/dea9baf54793ba7a4c38b5f36f624790116fa5d11f971efa0fd1f8fad98904e9/68747470733a2f2f692e696d6775722e636f6d2f686c484c3656412e706e67)\n\n  \n\n  \n  \n  \n\n  \n\n## Custom Unbound Configuration\n\n  \n\nCustom unbound configurations can be done by modifying the file **unbound.conf** located in the **Unbound** folder inside the **Global-Configs** folder before stack deployment.\n\n  \n\n### Modifying the upstream DNS provider for Unbound\n\n  \n\nIf you choose not to use Cloudflare for any reason, you are able to modify the upstream DNS provider in `unbound.conf`.\n\n  \n\nSearch for `forward-zone` and modify the IP addresses for your chosen DNS provider.\n\n  \n\n\u003e**NOTE:** Anything after `#` is a comment on the line.\n\n  \n\nWhat this means is it is just there to tell you which DNS provider you put there. It is for you to be able to reference later. 
I recommend updating this if you change your DNS provider from the default values.\n\n  \n\n  \n\n  \n\n```yaml\nforward-zone:\n    name: \".\"\n    forward-addr: 1.1.1.1@853#cloudflare-dns.com\n    forward-addr: 1.0.0.1@853#cloudflare-dns.com\n    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com\n    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com\n    forward-tls-upstream: yes\n```\n\n  \n\n  \n  \n  \n\n  \n  \n\n  \n\n## Acknowledgements\n\nThe code in this repo is influenced by [IAmStoxe's WireGate](https://github.com/IAmStoxe/WireGate) project.\n\nWireGate lacked the ability to easily generate new users and has recently stopped working due to updates to the parent project of Unbound-Docker, [Unbound-Docker by MatthewVance](https://github.com/MatthewVance/unbound-docker).\n\nTherefore, with the help of klutchell's unbound-docker Docker image \u0026 donaldzou's WGDashboard Dockerized by Noxcis, WireGate was recreated as WireGate.\n\nHowever, the upstream projects and their authors most certainly also deserve credit for making this all possible.\n\n  \n\n- [AdGuard](https://github.com/AdguardTeam/AdGuardHome) - AdGuard\n\n- [Pihole](https://github.com/pi-hole) - Pihole\n\n- [NLnetLabs](https://github.com/NLnetLabs) - Unbound\n\n- [Kyle Harding](https://github.com/klutchell) - Distroless Unbound Docker Image\n\n- [Donald Zou](https://github.com/donaldzou) - WG Dashboard (WireGuard UI)\n\n- [Bartosz Dzionek](https://github.com/dzionek) - Channels Messenger\n\n  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNOXCIS%2FWiregate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNOXCIS%2FWiregate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNOXCIS%2FWiregate/lists"}