Linguard aims to provide an easy way to manage your WireGuard server. It is written in Python 3 and powered by Flask.
- Download any release (or clone the repository) and put the files somewhere you will remember later, such as `/var/www/linguard`.
- Install dependencies:

  ```
  sudo apt update
  sudo apt install python3 python3-pip wireguard iptables uwsgi uwsgi-plugin-python3 libpcre3 libpcre3-dev
  pip3 install -r /var/www/linguard/requirements.txt
  ```

  If you install the Python requirements using a virtual environment, you'll need to specify the path to the `venv` folder in the uwsgi configuration file through the field `venv`.
- Edit the configuration files to fit your needs.
- Add a `linguard` user and group to your computer:

  ```
  groupadd linguard
  useradd -g linguard linguard
  ```

- Add the following lines to the file `/etc/sudoers` so that linguard may execute WireGuard commands:

  ```
  linguard ALL=(ALL) NOPASSWD: /usr/bin/wg
  linguard ALL=(ALL) NOPASSWD: /usr/bin/wg-quick
  ```

- Start linguard:

  ```
  sudo -u linguard uwsgi --yaml /var/www/linguard/config/uwsgi.sample.yaml
  ```

The following table describes every argument accepted by Linguard:
| Argument | Type | Explanation | Notes |
|---|---|---|---|
| `config` | Positional | Path to Linguard's configuration file | Must be a YAML file |
| `-h`, `--help` | Optional | Display Linguard's CLI help and exit | |
| --debug | Optional | Start the Flask backend in debug mode | Default value is False |
Two sample configuration files are provided, `uwsgi.sample.yaml` and `linguard.sample.yaml`. The second is the more interesting one, since the first only contains options for a third-party program, uWSGI.
Nonetheless, it is worth noting that the path to Linguard's configuration file needs to be provided through uwsgi's configuration, using the field `pyargv`.
From now on, we will only discuss Linguard's configuration values. Although the file `linguard.sample.yaml` contains every possible option, the following tables explain each one of them and detail all possible values.
These options must be specified inside a logger node.
| Option | Explanation | Values | Default |
|---|---|---|---|
| level | Set the minimum level of messages to be logged | debug, info, warning, error, fatal | info |
| logfile | Path to the file used to write log messages | null, path/to/logfile | null |
| overwrite | Whether to overwrite the log file when the application starts or not | true, false | false |
These options must be specified inside a web node.
| Option | Explanation | Values | Default |
|---|---|---|---|
| bindport | Port to be used by Flask to deploy the application | 1-65535 | 8080 |
| login_attempts | Maximum number of login attempts within 2 minutes | (almost) Any integer | 0 (unlimited attempts) |
| secret_key | Key used to secure the authentication process | A 32-character string | A random 32-character string |
| credentials_file | Encrypted file containing the administrator's credentials | path/to/file | A credentials.yaml file located in the directory from which Linguard was launched |
These options must be specified inside a linguard node.
| Option | Explanation | Values | Notes |
|---|---|---|---|
| endpoint | Endpoint for all peers | Should be something like vpn.example.com, though it may also be an IP address | Default value is your computer's public IP (if it can be obtained) |
| wg_bin | Path to the WireGuard binary file (wg) | path/to/file | If not specified, it will be retrieved using the whereis command |
| wg_quick_bin | Path to the WireGuard quick binary file (wg-quick) | path/to/file | If not specified, it will be retrieved using the whereis command |
| interfaces | Dictionary containing all interfaces of the server | A number of interface nodes whose keys are their own UUIDs | |
| interfaces_folder | Path to the directory where the interfaces' configuration files will be placed | path/to/folder | It should be somewhere you will remember, like /var/www/linguard/interfaces |
| iptables_bin | Path to the iptables binary file (iptables) | path/to/file | If not specified, it will be retrieved using the whereis command |
These options must be specified inside an interface node.
| Option | Explanation | Values | Notes |
|---|---|---|---|
| auto | Whether the interface will be automatically brought up when the server starts or not | true, false | Default value is true |
| description | A description of the interface | A character string | |
| gw_iface | Gateway used by the interface | Physical interface used to connect the WireGuard interface to your network | Default value will be your computer's default gateway |
| ipv4_address | IPv4 address assigned to the interface | A valid IPv4 address | |
| listen_port | UDP port used by WireGuard to communicate with peers | 1-65535 | |
| name | The interface's name | A character string | It may only contain alphanumeric characters, underscores and hyphens. It must also begin with a letter and cannot be more than 15 characters long |
| on_up | Linux commands to be executed when the interface is going to be brought up | Any Linux command in path | By default, it will add FORWARD and POSTROUTING rules related to the interface |
| on_down | Linux commands to be executed when the interface is going to be brought down | Any Linux command in path | By default, it will remove FORWARD and POSTROUTING rules related to the interface |
| peers | Dictionary containing all peers of the interface | A number of peer nodes whose keys are their own UUIDs | |
| private_key | Private key used to authenticate the interface | A valid private key generated via wg | |
| public_key | Public key used to authenticate the interface | A valid public key generated via wg | |
| uuid | Unique identifier | A valid Version 4 UUID | |
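
A pre-flight check for some of the constraints listed in the web and interface option tables, as an added example that is not part of Linguard's own code. The function names and sample nodes are assumptions; each function takes an already-parsed node as a dict.

```python
import re
import uuid

# Interface naming rule from the table: begins with a letter, then only
# alphanumerics, underscores and hyphens, 15 characters at most.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,14}")

def is_uuid4(value):
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False

def is_port(value):
    return type(value) is int and 1 <= value <= 65535

def audit_web(web):
    """Findings for a parsed `web` node; absent keys use the documented defaults."""
    findings = []
    if not is_port(web.get("bindport", 8080)):
        findings.append("bindport outside 1-65535")
    if web.get("login_attempts", 0) == 0:
        findings.append("login_attempts is 0 (unlimited attempts)")
    if "secret_key" in web and len(str(web["secret_key"])) != 32:
        findings.append("secret_key is not 32 characters long")
    return findings

def audit_interface(key, iface):
    """Findings for one parsed `interface` node stored under `key`."""
    findings = []
    if not is_uuid4(key) or str(iface.get("uuid")) != str(key):
        findings.append("uuid is not a version 4 UUID equal to the node key")
    if not NAME_RE.fullmatch(str(iface.get("name", ""))):
        findings.append("name breaks the naming rule")
    if not is_port(iface.get("listen_port")):
        findings.append("listen_port outside 1-65535")
    return findings

# Constructed sample nodes (not taken from the project's sample files).
SAMPLE_WEB = {"bindport": 8080, "secret_key": "short"}
SAMPLE_KEY = "3f2b8c1e-9d4a-4e6f-8a1b-2c3d4e5f6a7b"
SAMPLE_IFACE = {"uuid": SAMPLE_KEY, "name": "wg-office-vpn-01", "listen_port": 51820}

if __name__ == "__main__":
    for finding in audit_web(SAMPLE_WEB) + audit_interface(SAMPLE_KEY, SAMPLE_IFACE):
        print("finding:", finding)
```
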
These options must be specified inside a peer node.
| Option | Explanation | Values | Notes |
|---|---|---|---|
| dns1 | Main DNS used by the peer | A valid IPv4 address | |
| dns2 | Secondary DNS used by the peer | A valid IPv4 address | |
| ipv4_address | IPv4 address assigned to the peer | A valid IPv4 address | |
| name | The peer's name | A character string | |
| nat | Whether the peer is behind a NAT or not | true, false | Default value is false. If true, this option will enable the PersistentKeepalive WireGuard flag |
| private_key | Private key used to authenticate the peer | A valid private key generated via wg | |
| public_key | Public key used to authenticate the peer | A valid public key generated via wg | |
| uuid | Unique identifier | A valid Version 4 UUID | |
You may contribute by opening new issues, commenting on existing ones and creating pull requests with new features and bugfixes. Any help is welcome :)









