{"id":48393514,"url":"https://github.com/drudge/wgrift","last_synced_at":"2026-04-14T18:00:30.527Z","repository":{"id":349441277,"uuid":"1188706218","full_name":"drudge/wgrift","owner":"drudge","description":"A self-hosted WireGuard VPN management platform. Single binary with embedded web UI, full CLI, and REST API.","archived":false,"fork":false,"pushed_at":"2026-04-13T16:30:20.000Z","size":3001,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T18:25:41.246Z","etag":null,"topics":["site-to-site-vpn","vpn","vpn-manager","wireguard","wireguard-ui","wireguard-vpn"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/drudge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-22T13:26:04.000Z","updated_at":"2026-04-13T15:57:52.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/drudge/wgrift","commit_stats":null,"previous_names":["drudge/wgrift"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/drudge/wgrift","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drudge%2Fwgrift","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drudge%2Fwgrift/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drudge%2Fwgrift/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drudge%2Fwgrift/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/drudge","download_url":"https://codeload.github.com/drudge/wgrift/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drudge%2Fwgrift/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31808518,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T11:13:53.975Z","status":"ssl_error","status_checked_at":"2026-04-14T11:13:53.299Z","response_time":153,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["site-to-site-vpn","vpn","vpn-manager","wireguard","wireguard-ui","wireguard-vpn"],"created_at":"2026-04-06T01:12:42.697Z","updated_at":"2026-04-14T18:00:30.502Z","avatar_url":"https://github.com/drudge.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# wgRift\n\nA self-hosted WireGuard VPN management platform. Single binary with embedded web UI, full CLI, and REST API.\n\n## Screenshots\n\n| Dashboard | Interface Detail |\n|:---:|:---:|\n| ![Dashboard](docs/screenshots/dashboard.png) | ![Interface Detail](docs/screenshots/interface-detail.png) |\n\n| Peer Config \u0026 QR | Settings |\n|:---:|:---:|\n| ![Peer Config](docs/screenshots/peer-config.png) | ![Settings](docs/screenshots/settings.png) |\n\n| Edit Peer \u0026 Email Alerts | Connection Logs |\n|:---:|:---:|\n| ![Edit Peer](docs/screenshots/edit-peer.png) | ![Connection Logs](docs/screenshots/logs.png) |\n\n| Login | Mobile |\n|:---:|:---:|\n| ![Login](docs/screenshots/login.png) | ![Mobile](docs/screenshots/mobile.png) |\n\n## Features\n\n### Web UI\n- **Dashboard** — Overview of all interfaces with peer counts, transfer stats, and quick actions\n- **Interface Management** — Create, import, or adopt existing WireGuard interfaces\n- **Peer Management** — Add/edit/enable/disable peers with auto-generated keys and next available IP\n- **Peer Config \u0026 QR** — View, copy, or download client configs; scan QR codes for mobile setup\n- **Connection Logs** — Real-time connection/disconnection tracking per interface\n- **Connection Uptime** — Live per-peer uptime counters on dashboard and interface views\n- **Email Alerts** — Per-peer connect/disconnect email notifications with configurable recipients\n- **SMTP Configuration** — Built-in SMTP settings management with test email support\n- **SSO / OIDC** — OpenID Connect authentication with multi-provider support, JIT user provisioning, and role mapping\n- **User Management** — Multi-user with admin/viewer roles\n- **Mobile Responsive** — Slide-out nav, responsive layouts for all views\n- **Session Auth** — Local login and OIDC with CSRF protection, idle timeout, and max session age\n\n### CLI\n- `wgrift interface create` — Create a new WireGuard interface\n- `wgrift interface list` — List all managed interfaces\n- `wgrift interface delete` — Remove an interface\n- `wgrift interface sync` — Sync interface config to the kernel\n- `wgrift peer add` — Add a peer to an interface\n- `wgrift peer list` — List peers (optionally filtered by interface)\n- `wgrift peer remove` — Remove a peer\n- `wgrift peer enable/disable` — Toggle peer state\n- `wgrift peer config` — Display client WireGuard config (with `--qr` for terminal QR code)\n- `wgrift peer set-key` — Set a peer's private key\n- `wgrift adopt \u003cname\u003e` — Import an existing running WireGuard interface\n- `wgrift status` — Live status of all interfaces and peers\n- `wgrift serve` — Start the web server\n- `wgrift version` — Show version info\n\n### API\nFull REST API at `/api/v1/` — interface CRUD, peer CRUD, start/stop/restart, config generation, QR codes, connection logs, user management, and dashboard stats. See `internal/server/routes.go` for the complete endpoint list.\n\n## Quick Start\n\n### Build\n\nRequires Go 1.26+, [Mage](https://magefile.org), and optionally [Air](https://github.com/air-verse/air) for live reload.\n\n```bash\ngo install github.com/magefile/mage@latest          # Build tool\ngo install github.com/air-verse/air@latest           # Live reload (optional)\n```\n\n```bash\n# Development\nmage dev            # Live reload — watches files, rebuilds WASM+binary, restarts server\nmage serve          # Build WASM + binary, start server (no live reload)\n\n# Production build (linux/amd64)\nmage dist           # Output: dist/wgrift (single binary with embedded UI)\n```\n\n### Install\n\n```bash\n# On the target host (Debian/Ubuntu):\nbash deploy/install.sh\n\n# Or manually:\ncp dist/wgrift /usr/local/bin/wgrift\ncp deploy/config.yaml /etc/wgrift/config.yaml\ncp deploy/wgrift.service /etc/systemd/system/\nsystemctl enable --now wgrift\n```\n\n### Docker\n\n```bash\n# Generate a master encryption key\nhead -c 32 /dev/urandom | base64 \u003e master.key\n\n# Run with Docker\ndocker run -d \\\n  --name wgrift \\\n  --network host \\\n  --cap-add NET_ADMIN \\\n  --cap-add NET_RAW \\\n  --sysctl net.ipv4.ip_forward=1 \\\n  -v wgrift-config:/etc/wgrift \\\n  -v wgrift-data:/var/lib/wgrift \\\n  -v wireguard:/etc/wireguard \\\n  -v $(pwd)/master.key:/etc/wgrift/master.key:ro \\\n  ghcr.io/drudge/wgrift:latest\n```\n\nOr with Docker Compose (see [`docker-compose.yml`](docker-compose.yml)):\n\n```bash\ndocker compose up -d\n```\n\n\u003e **Note:** The host must have the WireGuard kernel module loaded (`modprobe wireguard`). The container requires host networking for WireGuard interface management.\n\n### Proxmox LXC\n\n```bash\n# Create a dedicated LXC container:\nbash deploy/ct/wgrift.sh\n```\n\n### First Run\n\n1. Navigate to `http://your-host:8080`\n2. Create the initial admin account on the setup screen\n3. Create or adopt a WireGuard interface\n4. Add peers and distribute configs\n\n## Configuration\n\nDefault config at `/etc/wgrift/config.yaml`:\n\n```yaml\nserver:\n  listen: \"0.0.0.0:8080\"\n  external_url: \"\"              # Public IP/hostname for peer configs\n  tls:\n    mode: none                  # \"none\", \"acme\", or \"manual\"\n\ndatabase:\n  path: /var/lib/wgrift/wgrift.db\n\nencryption:\n  master_key_file: /etc/wgrift/master.key\n\nauth:\n  session_timeout: 30m\n  max_session_age: 24h\n  local:\n    enabled: true\n    min_password_length: 16\n  oidc:\n    - name: \"Authentik\"\n      issuer: \"https://auth.example.com/application/o/wgrift/\"\n      client_id: \"wgrift\"\n      client_secret_file: /etc/wgrift/oidc-secret\n      scopes: [\"openid\", \"profile\", \"email\"]\n      admin_claim: \"groups\"\n      admin_value: \"wgrift-admins\"\n\nlogging:\n  connection_poll_interval: 30s\n  connection_timeout: 180s\n  retention_days: 90\n```\n\nThe master key encrypts peer private keys and OIDC client secrets at rest. It's generated automatically by the installer or can be set via the `WGRIFT_MASTER_KEY` environment variable.\n\nOIDC providers can also be configured through the web UI under **Settings → OIDC Providers**. Users are provisioned automatically on first login, and the `admin_claim`/`admin_value` fields control which claim value grants the admin role.\n\n## Architecture\n\n```\ncmd/wgrift/          Cobra CLI — all commands\ninternal/\n  auth/              Session auth, bcrypt, CSRF, OIDC\n  config/            YAML config with env var overrides\n  confgen/           WireGuard .conf generation \u0026 parsing\n  models/            Interface, Peer, User, Session, ConnectionLog\n  server/            HTTP handlers, middleware, SPA serving\n  store/             SQLite database with auto-migrations\n  wg/                WireGuard kernel control (wgctrl + netlink)\nui/\n  embed.go           go:embed — single binary includes all web assets\n  web/               WASM web UI (Loom reactive framework)\ndeploy/              systemd service, config, installer, Proxmox script\n```\n\nThe web UI compiles from Go to WebAssembly using the [Loom](https://github.com/loom-go/loom) reactive framework. All assets (HTML, WASM, JS) are embedded in the binary via `go:embed` — no external file serving required.\n\n## Requirements\n\n- Linux with WireGuard kernel module\n- `wg` and `wg-quick` (from `wireguard-tools`)\n- `CAP_NET_ADMIN` and `CAP_NET_RAW` capabilities (granted via systemd)\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrudge%2Fwgrift","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrudge%2Fwgrift","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrudge%2Fwgrift/lists"}