Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/whyvra/tunnel

The secure manager for your WireGuard clients
https://github.com/whyvra/tunnel

blazor clients docker dotnet manager ui vpn web web-ui wireguard

Last synced: about 2 months ago
JSON representation

The secure manager for your WireGuard clients

Host: GitHub
URL: https://github.com/whyvra/tunnel
Owner: whyvra
License: mit
Created: 2021-01-05T23:21:16.000Z (over 3 years ago)
Default Branch: master
Last Pushed: 2023-12-26T19:22:25.000Z (9 months ago)
Last Synced: 2024-05-28T02:16:15.735Z (4 months ago)
Topics: blazor, clients, docker, dotnet, manager, ui, vpn, web, web-ui, wireguard
Language: C#
Homepage:
Size: 1.09 MB
Stars: 28
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# tunnel

[![Tunnel Build](https://img.shields.io/github/workflow/status/whyvra/tunnel/Tunnel?style=flat-square)](https://github.com/whyvra/tunnel/actions)
[![Docker Pulls](https://img.shields.io/docker/pulls/whyvra/tunnel?style=flat-square)](https://hub.docker.com/r/whyvra/tunnel)
[![LICENSE](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](https://github.com/whyvra/tunnel/blob/master/LICENSE)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)

The secure manager for your WireGuard clients

## Table of contents

* [Purpose](#purpose)
* [Usage](#usage)
* [Configuration](#configuration)
* [API settings](#api-settings)
* [Blazor settings](#blazor-settings)
* [SSL](#ssl)
* [Database](#database)
* [Authentication](#authentication)
* [docker-compose](#docker-compose)
* [License](#license)

## Purpose

Tunnel is a secure manager for your WireGuard clients' configuration. It is not meant to manage your server's and your clients' private keys. Your server's private key should be stored securely on your server and your clients' private keys should be stored on their devices only. Tunnel does not automatically update your WireGuard configuration on the file system nor does it manage the WireGuard services.

Tunnel offers an easy way to add new clients. Their keys are generated in the browser (using C# running on WebAssembly) and only the public key is sent to the server. Your private key is never sent. The relevant peer section can then be copied from the server configuration and added to your WireGuard config file on your server.

The QR Code and WireGuard config file are only available when you first add the client. They are gone after you close the dialog and can never be generated by Tunnel again (again the private key is not stored). You can always revoke an exisiting client and generate a new key pair by creating a new client.

## Usage

The simplest way to get started is to use the docker image.

```bash
docker run -it --rm -p "5800:5800" whyvra/tunnel
```

You should now be able to access tunnel via `http://localhost:5800/`

By default, the docker image exposes port 5800 where it serves its content using HTTP. The data is stored in a SQLite database saved in `/data`. A 7-day rotating log is also kept under `/data/logs`.

## Configuration

The docker image configuration can be tweaked in a number of different ways using `appsettings.json` files and/or environment variables.

The `appsettings.json` files hold all the base settings for the Tunnel app. There's one for the API and one for Blazor frontend located in `/srv/dotnet` and `/srv/www` respectively.

## API settings

The default API settings can be overwritten by mounting a custom `appsettings.json` file and pointing the `DOTNET_CUSTOM_APPSETTINGS` environment variable to it. Please note if a setting is not overwritten in the custom `appsettings.json` file, the base setting will still be read.

```bash
docker run -it --rm -p "5800:5800" \
-e "DOTNET_CUSTOM_APPSETTINGS=/run/secrets/appsettings.json" \
--mount type=bind,source="$(pwd)",target=/run/secrets \
whyvra/tunnel
```

The API settings can also be overwritten using environment variables. Each element in the hierarchy is separated by a double underscore.

For example, if you wanted to override the `TunnelContext` connection string, the environment variable would be called `ConnectionStrings__TunnelContext`.

```bash
docker run -it --rm -p "5800:5800" \
-e "ConnectionStrings__TunnelContext=Data Source=/data/tunnel_db.sqlite3;" \
whyvra/tunnel
```

## Blazor settings

The Blazor frontend settings can only be modified by overwriting the `appsetting.json` file in `/srv/www` as shown below.

```bash
docker run -it --rm -p "5800:5800" \
-v "$(pwd)/appsettings.json":/srv/www/appsettings.json \
whyvra/tunnel
```

The default Blazor frontend settings are shown below. These are the minimal required settings for the frontend. If you overwrite the Blazor `appsettings.json` file, you should at least include those.

```json
{
"api": {
"url": "/api"
},
"auth": {
"enabled": false
}
}
```

See the Authentication section below for more info on the `auth` parameters.

## SSL

To use HTTPS instead of HTTP, use the `SSL_CERT` and `SSL_KEY` environment variables to point to the location of the mounted certificate and key files.

```bash
docker run -it --rm -p "5800:5800" \
-e "SSL_CERT=/run/secrets/cert.pem" \
-e "SSL_KEY=/run/secrets/key.pem" \
--mount type=bind,source="$(pwd)"/ssl,target=/run/secrets \
whyvra/tunnel
```

Please note that `SSL_CERT` should point to the chained version of your SSL certificate.

## Database

Tunnel supports SQLite and PostgreSQL. The relevant settings in the API `appsettings.json` are as follows:

```json
{
...
"database": {
"type": "sqlite",
"automaticMigrations": true
},
"ConnectionStrings": {
"TunnelContext": "Data Source=/data/tunnel.sqlite3;"
}
}
```
For PostgreSQL, set `database.type` to `postgres` and update the `TunnelContext` connection string.

You can also use the following environment variables:
* `database__type`
* `database__automaticMigrations`
* `ConnectionStrings__TunnelContext`

## Authentication

Authentication can be added by using an OpenID Connect server like Keycloak. In order to configure authentication, you'll need to update both the API and Blazor settings. The API settings can be tweaked using environment variables but you will need to update the `/srv/www/appsettings.json` file for the Blazor settings.

Add the following `auth` parameters to `appsettings.json`
```json
{
...
"auth": {
"authority": "https://example.keycloak.com/auth/realms/apps",
"clientId": "wg.tunnel",
"enabled": true,
"requiredRole": "wg_admin",
"responseType": "code"
}
}
```

The `requiredRole` parameter is optional. If provided, it will require the logged-in user to have the provided role under the `roles` claim in the JWT issued by the Open ID Connect server.

The `responseType` parameter is only required for the Blazor settings. It will default to `code` if omitted. Should it be provided to the API settings, it will just be ignored.

Please note that if you have an SSL certificate issued by a custom or internal CA on your Open ID connect server, you will need to add or mount the root CA certificate under `/etc/ssl/certs`.

## docker-compose

Detailed below is a docker-compose example making use of PostgreSQL as the backend database and Keycloak (Open ID Connect server) for authentication. This example has been tested using `docker stack`.

### Folder structure:
```
.
├── appsettings.json
├── data (data folder for tunnel)
├── docker-compose.yml
├── init_script.sql
├── pgdata (folder for postgres data)
└── ssl
├── tls.crt
└── tls.key
```

The `tls.crt` and `tls.key` can be generated with the following commands. Please note that the certificate should answer to `keycloak.lan` or whatever hostname you choose to replace it with.

```bash
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out tls.key
$ openssl req -key tls.key -x509 -new -days 720 -out tls.crt
```

```yaml
# docker-compose.yml
version: '3.5'

services:

postgres:
image: postgres:13-alpine
hostname: postgres
environment:
- POSTGRES_PASSWORD=postgres
- PGDATA=/var/lib/postgresql/data/pgdata
volumes:
- ./pgdata:/var/lib/postgresql/data/pgdata
- ./init_script.sql:/docker-entrypoint-initdb.d/init_script.sql

keycloak:
image: jboss/keycloak:latest
hostname: keycloak
depends_on:
- postgres
environment:
- DB_VENDOR=postgres
- DB_ADDR=postgres
- DB_PORT=5432
- DB_USER=postgres
- DB_PASSWORD=postgres
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- KEYCLOAK_LOGLEVEL=WARN
- ROOT_LOGLEVEL=WARN
volumes:
- ./ssl:/etc/x509/https
ports:
- "8443:8443"

tunnel:
image: whyvra/tunnel:0.1
hostname: wg-tunnel
depends_on:
- postgres
- keycloak
environment:
- database__type=postgres
- ConnectionStrings__TunnelContext=Host=postgres;Database=tunnel;Username=postgres;Password=postgres;
- auth__enabled=true
- auth__authority=https://keycloak.lan:8443/auth/realms/apps
- auth__clientId=wg_tunnel
- auth__requiredRole=wg_admin
volumes:
- ./data:/data:rw
- ./appsettings.json:/srv/www/appsettings.json
- ./ssl/tls.crt:/etc/ssl/certs/tls.crt
ports:
- "5800:5800"
```

```json
// appsettings.json
{
"api": {
"url": "/api"
},
"auth": {
"authority": "https://keycloak.lan:8443/auth/realms/apps",
"clientId": "wg_tunnel",
"enabled": true,
"requiredRole": "wg_admin"
}
}
```

```sql
# init_script.sql
CREATE DATABASE keycloak;
CREATE DATABASE tunnel;
```

## License

Released under the [MIT License](https://github.com/whyvra/tunnel/blob/master/LICENSE).