github.com/asiffer/wg-easy-vpn

wg-easy-vpn

Setup a Wireguard VPN simply

wg-easy-vpn is a tool designed to ease the set-up of a WireGuard VPN. In particular you can easily create a server and then add clients. You can also export the clients configurations through QR codes. When your vpn is set up, you just have to invoke wg-quick for instance.

This tool does not aim to be used neither at large scale nor in critical/sensitive infrastructures.

Current problems

[Issue] In the last version (1.0b), a problem occurs if a DNS IP is not provided when the server is created: new client configuration will have an empty DNS field.

[Solution] You can use one of the following solutions:

• Provide a DNS IP when creating the server: wg-easy-vpn create --dns 1.1.1.1 ...
• Remove manually the DNS field in the client configurations
• Use the master branch which is patched (See Go tools section to install the latest version)

Contents

• Installation
  • Debian package
  • Go tools
  • Binaries
• Usage
• Advanced usage
  • Server
  • DNS
  • Network
  • Routes
  • Export
  • Custom file location
• Crypto
• Changelog
• Next

Installation

Debian package

Debian packages are available for several architectures (amd64, arm64 and armhf). You can add the following repository:

curl 'https://deb.nabla.ovh/gpg.pub' | sudo apt-key add -
sudo add-apt-repository 'https://deb.nabla.ovh/wg-easy-vpn/ main'

and install wg-easy-vpn:

apt-get install wg-easy-vpn

Go tools

Basically you can download the sources from this repo and install it with go tools:

go get -u github.com/asiffer/wg-easy-vpn
go install github.com/asiffer/wg-easy-vpn

The advantages are that you have the latest version (master branch) and the tool is built according to your architecture. The drawback is the need to have Go installed on your host.

Binaries

If you don't have a Go compiler, you can directly download the final binaries.

Version	amd64	arm64	armhf
1.0b
1.0a

Usage

We suppose you have a server with a public address (reachable through the following domain name: wg.example.net), and you want to connect some clients to it. By default server files are located in /etc/wireguard and clients files are located in /etc/wireguard/clients, therefore the following commands are likely to be run as root.

First, let us create the server (wg0 is the name of the connection):

wg-easy-vpn create --endpoint wg.example.net wg0

Then you probably need to add several clients:

wg-easy-vpn add -c iphone -c myDesktop wg0

Now you can transfer the clients' configuration files to the right locations. You can also add the --export flag to print QR code to the cli (android app can notably take this QR code as input).

Finally you can remove some clients:

wg-easy-vpn rm -c iphone wg0

Advanced usage

Server

By default wg-easy-vpn makes the server listen on port 52820, but this can be changed with the --port option:

wg-easy-vpn create --endpoint wg.example.net --port 10000 wg0

DNS

When you create a server, you can define a custom DNS (even several). This can be added to your configuration through the --dns option.

wg-easy-vpn create --endpoint wg.example.net --dns 1.1.1.1 wg0

Network

The VPN created by wg-easy-vpn uses the network 192.168.0.0/24. It can be modified with the --net option:

wg-easy-vpn create --endpoint wg.example.net --net 10.10.10.0/16 wg0

Routes

By default wg-easy-vpn creates VPN where all the clients' trafic is routed through (0.0.0.0/0 and ::/0). You can restrict theses routes:

wg-easy-vpn add -c newDevice --route "10.0.0.0/8" wg0

Export

You can export clients config through QR code with the --export flag. In this case the QR code is printed to the terminal but you can saved it to an image file instead by setting --export-format (jpg, png and txt are recognized). The image file is saved to the clients directory.

wg-easy-vpn add -c newDevice --export --export-format png wg0

Custom file location

As previously said, the server configuration is saved to /etc/wireguard (plus some metadata saved in the .wg-easy-vpn file). The parameter --server-dir can be used to customize the location of these files.

The clients configurations are saved to /etc/wireguard/clients. The parameter --client-dir can be used to change it.

Crypto

Obviously I did not reinvent the wheel: cryptographic stuff relies exclusively on the crypto packages of the Go standard library.

Random keys (PSK and private keys) are generated with crypto/rand and public keys are generated with the X25519 function from the package golang.org/x/crypto/curve25519.

Changelog

1.0b

• Better IP provisionning
• automatic doc generation
• manpages in debian package
• some fixes around DNS override

1.0a

For this early release, the tool does not manage very well IP of clients when the number of clients is high or when the specified mask size is greater that 24 (/30 may not be well supported for instance).

Moreover, the IP (re-)assignement is likely to fail after a client has been removed. I will try to fix it firstly.

Next

• Support PostUp and PostDown options
• Manage server-dir and client-dir directly in the .wg-easy-vpn.conf file
• I think that many bugs are likely to occur, so I will probably spend time to test and fix.