- REST API for manage WireGuard server
- Easy installation, simple to use.
- List, create, edit, delete, enable & disable clients.
- Statistics for which clients are connected
- Good test coverage
- Notifications about connections and disconnections via webhooks (beta)
- A host with a kernel that supports WireGuard (all modern kernels).
- A host with Docker installed.
If you haven't installed Docker yet, install it by running:
curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
exit
To run just run the command:
docker run -d \
-e WG_HOST=<🚨YOUR_SERVER_IP> \
-e AUTH_TOKEN=<🚨YOUR_ADMIN_API_TOKEN> \
-e ENVIRONMENT=production \
-v ~/.wg-rest:/etc/wireguard \
-p 51820:51820/udp \
-p 3000:3000 \
--cap-add=NET_ADMIN \
--restart unless-stopped \
leonovk/wg-rest-api
If you can't start the container, try entering the command in one line
By setting environment variables when starting a container, you can configure application settings. Here is a list of environment variables that you can set. It is important to note that you can override the values ​​of these variables as they already have default values.
Environment variable | Description | Note |
---|---|---|
WG_PATH | directory where the main configuration for your wireguard server will be located | I strongly advise you not to change it |
WG_DEVICE | name for network interface for wireguard | I strongly advise you not to change it |
WG_DEFAULT_ADDRESS | default address for your clients | It should be specified in the format -> 10.8.0.x |
WG_ALLOWED_IPS | allowed ip address | |
WG_HOST | IP address of your server | This environment variable must be specified when starting the application |
WG_PORT | udp port for wireguard | |
WG_DEFAULT_DNS | dns server | |
WG_PRE_UP | special setting is triggered before starting the wireguard server | |
WG_PRE_DOWN | special setting is triggered before stopping the wireguard server | |
WG_POST_UP | special setting is triggered after starting the wireguard server | |
WG_POST_DOWN | special setting is triggered after stopping the wireguard server | |
WG_PERSISTENT_KEEPALIVE | node keepalive parameter | |
AUTH_TOKEN | authorization token for API | You can specify absolutely any string that will be used to authenticate your requests |
AUTH_DIGEST_TOKEN | password hash for request authorization | You can set this variable to the hash of your password. In this case, your requests will be authorized through it. |
WEBHOOKS_URL | url for webhooks |
You can generate a SHA256 hash token from your password and set it to a variable for authorization. This is more secure and will be useful, for example, if you are deploying a project not on your own servers.
Generate hash:
docker run --rm leonovk/wg-rest-api bin/wgpass password
After that, you start the container as usual, but instead of AUTH_TOKEN, you set AUTH_DIGEST_TOKEN to the value you were given.
For example:
docker run -d \
...
-e AUTH_DIGEST_TOKEN=your_hash \
...
As usual, you authorize all your requests by indicating your password in the corresponding request header. not hash
Make a request to the healthz
care api point in any way convenient for you. For example:
curl http://YOUR_SERVER_IP:3000/healthz
If you received something similar in response, then everything is fine.
{
"status": "ok",
"version": "1.8.11"
}
By default, the application runs in single-threaded mode. This is not a solution for heavy loads. You can change this behavior by setting the appropriate environment variables "PUMA_THREADS" and "WORKERS". However, we do not recommend doing this. The application is not thread safe. If you need large loads, it is better to raise several application instances and set up load balancing between them.
All requests are authorized using the bearer token that you specified in variable AUTH_TOKEN!
Returns an array with all clients on the server
Example response:
[
{
"id": 15,
"server_public_key": "server_public_key",
"address": "10.8.0.16/24",
"private_key": "private_key",
"preshared_key": "preshared_key",
"enable": true,
"allowed_ips": "0.0.0.0/0, ::/0",
"dns": "1.1.1.1",
"persistent_keepalive": 0,
"endpoint": "0.0.0.0:51820",
"last_online": "58 seconds ago",
"traffic": {
"received": "90.26 MiB",
"sent": "1000.53 MiB"
},
"data": {
"params1": "value1"
}
}
]
Creates a new client. The response will be the new client created. You can pass your parameters in the request parameters. They will be in the data field.
Example response:
{
"id": 15,
"server_public_key": "server_public_key",
"address": "10.8.0.16/24",
"private_key": "private_key",
"preshared_key": "preshared_key",
"enable": true,
"allowed_ips": "0.0.0.0/0, ::/0",
"dns": "1.1.1.1",
"persistent_keepalive": 0,
"endpoint": "0.0.0.0:51820",
"last_online": "58 seconds ago",
"traffic": {
"received": "90.26 MiB",
"sent": "1000.53 MiB"
},
"data": {
"params1": "value1"
}
}
Returns a specific client by his ID. The answer will be similar to the previous one. If the client is not found, a 404 error will be returned. You can also request a QR code or a user-ready config in the form of text
GET /api/clients/:id?format=qr
The QR code will be returned as a PNG image.
content_type => image/png
GET /api/clients/:id?format=conf
A text with the config for the client will be returned. This config can already be written to a file and used in wireguard.
For example:
[Interface]
PrivateKey = private_key
Address = address
DNS = dns
[Peer]
PublicKey = server_public_key
PresharedKey = preshared_key
AllowedIPs = allowed_ips
PersistentKeepalive = persistent_keepalive
Endpoint = endpoint
content_type => text/plain
Deletes a specific one client. If the client is not found, a 404 error will be returned.
Allows you to update specific clients by assigning them new fields. Returns the updated client in response.
Example request:
{
"address": "string",
"private_key": "string",
"public_key": "string",
"preshared_key": "string",
"enable": false, // bool
"data": {} // object
}
The enable parameter allows you to enable or disable the client without removing it from the server.
You can set up webhooks to receive notifications when your clients connect to the VPN and when they disconnect from it. In order to set up webhooks you need to set up a cron task scheduler on your server. The cron task scheduler should run the following command:
docker exec -it <YOUR_CONTAINER_NAME> rake send_events
This command will launch a task to send events. The more often it is triggered, the more accurate the events will be, but I do not recommend doing it more often than once a minute.
Also, in order for everything to work, when launching a container with an application, you need to specify an additional environment variable -> WEBHOOKS_URL
docker run -d \
...
-e WEBHOOKS_URL=https://your_url.api/event \
...
The application will send post requests to the specified address.
content_type => application/json
example body:
{
"peer": "this is public key of your client",
"event": "connected"
}
- wireguard + wireguard-tools
- ruby 3.3.5
$ bundle install
Run app:
$ puma config.ru
Or:
$ rake start
Build image:
$ docker build . -t wg-rest-api
Run app:
$ docker run -d -v /your_app_path:/app wg-rest-api
If you would like to contribute to the development, submit a pull request with your changes. We welcome any contributions that improve the service. You can also view the current project board here. You can also contribute by reporting bugs or suggesting new features. Please use the GitHub issues for that.