Linguard

Linguard aims to provide an easy way to manage your WireGuard server. It is written in Python 3 and powered by Flask.

Installation

Git

  1. Install dependencies:
    sudo apt update
    sudo apt install wireguard iptables uwsgi uwsgi-plugin-python3 libpcre3 libpcre3-dev
    
  2. Download any release (or clone the repository) and put the files somewhere you will remember later, such as /var/www/linguard.
  3. Edit the configuration files to fit your needs.
  4. Add a linguard user and group to your computer:
    groupadd linguard
    useradd -g linguard linguard
    
  5. Add the following lines to the file /etc/sudoers so that linguard may execute WireGuard commands.
    linguard ALL=(ALL) NOPASSWD: /usr/bin/wg
    linguard ALL=(ALL) NOPASSWD: /usr/bin/wg-quick
    
  6. Start linguard:
    sudo -u linguard uwsgi --yaml /var/www/linguard/uwsgi.yaml
    

Debian package

Docker

Docs

Arguments

The following table describes every argument accepted by Linguard:

| Argument | Type | Explanation | Notes |
|---|---|---|---|
| config | Positional | Path to Linguard's configuration file | Must be a YAML file |
| -h, --help | Optional | Display Linguard's CLI help and exit | |
| --debug | Optional | Start the Flask backend in debug mode | Default value is False |

Configuration

Two sample configuration files are provided, uwsgi.sample.yaml and linguard.sample.yaml. The second is the more interesting one, since the first only contains options for a third-party program, uWSGI.

Nonetheless, it is worth noting that the path to Linguard's configuration file needs to be provided through uWSGI's configuration, using the field pyargv.

From now on, we will only discuss Linguard's configuration values. Although the file linguard.sample.yaml contains every possible option, the following tables explain each one of them and detail all possible values.

Logging configuration

These options must be specified inside a logger node.

| Option | Explanation | Values | Default |
|---|---|---|---|
| level | Set the minimum level of messages to be logged | debug, info, warning, error, fatal | info |
| logfile | Path to the file used to write log messages | null, path/to/logfile | null |
| overwrite | Whether to overwrite the log file when the application starts or not | true, false | false |

Web configuration

These options must be specified inside a web node.

| Option | Explanation | Values | Default |
|---|---|---|---|
| bindport | Port to be used by Flask to deploy the application | 1-65535 | 8080 |
| login_attempts | Maximum number of login attempts within 5 minutes (almost) | Any integer | 0 (unlimited attempts) |

Linguard configuration

These options must be specified inside a linguard node.

Global options

| Option | Explanation | Values | Notes |
|---|---|---|---|
| endpoint | Endpoint for all peers | Should be something like vpn.example.com, though it may also be an IP address | Default value is your computer's public IP (if it can be obtained) |
| gw_iface | Default gateway for all WireGuard interfaces | Should be something like vpn.example.com, though it may also be an IP address | Default value will be your computer's default gateway |
| wg_bin | Path to the WireGuard binary file (wg) | path/to/file | If not specified, it will be retrieved using the whereis command |
| wg_quick_bin | Path to the WireGuard quick binary file (wg-quick) | path/to/file | If not specified, it will be retrieved using the whereis command |
| interfaces | Dictionary containing all interfaces of the server | A number of interface nodes whose keys are their own UUIDs | |
| interfaces_folder | Path to the directory where the interfaces' configuration files will be placed | path/to/folder | It should be somewhere you will remember, like /var/www/linguard/interfaces |
| iptables_bin | Path to the iptables binary file (iptables) | path/to/file | If not specified, it will be retrieved using the whereis command |

Interface configuration

These options must be specified inside an interface node.

| Option | Explanation | Values | Notes |
|---|---|---|---|
| auto | Whether the interface will be automatically brought up when the server starts or not | true, false | Default value is true |
| description | A description of the interface | A character string | |
| gw_iface | Gateway used by the interface | Should be something like vpn.example.com, though it may also be an IP address | Default value will be your computer's default gateway |
| ipv4_address | IPv4 address assigned to the interface | A valid IPv4 address | |
| listen_port | UDP port used by WireGuard to communicate with peers | 1-65535 | |
| name | The interface's name | A character string | It may only contain alphanumeric characters, underscores and hyphens. It must also begin with a letter and cannot be more than 15 characters long |
| on_up | Linux commands to be executed when the interface is going to be brought up | Any linux command in path | By default, it will add FORWARD and POSTROUTING rules related to the interface |
| on_down | Linux commands to be executed when the interface is going to be brought down | Any linux command in path | By default, it will remove FORWARD and POSTROUTING rules related to the interface |
| peers | Dictionary containing all peers of the interface | A number of peer nodes whose keys are their own UUIDs | |
| private_key | Private key used to authenticate the interface | A valid private key generated via wg | |
| public_key | Public key used to authenticate the interface | A valid private key generated via wg | |
| uuid | Unique identifier | A valid Version 4 UUID | |

Peer configuration

These options must be specified inside a peer node.

| Option | Explanation | Values | Notes |
|---|---|---|---|
| dns1 | Main DNS used by the peer | A valid IPv4 address | |
| dns2 | Secondary DNS used by the peer | A valid IPv4 address | |
| endpoint | URL/IPv4 and port used by the peer to communicate with the WireGuard server | A valid URL/IPv4 followed by a UDP port: vpn.example.com:50000 | |
| ipv4_address | IPv4 address assigned to the peer | A valid IPv4 address | |
| name | The peer's name | A character string | |
| nat | Whether the peer is behind a NAT or not | true, false | Default value is false. If true, this option will enable the PersistentKeepalive WireGuard flag |
| private_key | Private key used to authenticate the peer | A valid private key generated via wg | |
| public_key | Public key used to authenticate the peer | A valid private key generated via wg | |
| uuid | Unique identifier | A valid Version 4 UUID | |
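
The value constraints stated in the interface and peer tables above can be checked before a node is written to the configuration file. The following is an added example, not code from the Linguard project: the dict layout, the function names and the sample values are assumptions. It also assumes that ipv4_address may carry an optional /prefix length, and it checks keys as 32 bytes of base64, which is the WireGuard key format.

```python
import base64
import ipaddress
import re
import uuid

# Name rule from the interface table: letter first, then letters, digits, "_" or "-", 15 max.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,14}")

def _parses(parse, value):
    """True if value is a string that parse() accepts (truthy result, no ValueError)."""
    try:
        return isinstance(value, str) and bool(parse(value))
    except ValueError:
        return False

def is_key(v):  # WireGuard keys are 32 bytes, base64-encoded
    return _parses(lambda s: len(base64.b64decode(s, validate=True)) == 32, v)

def is_uuid4(v):
    return _parses(lambda s: uuid.UUID(s).version == 4, v)

def is_ipv4(v):  # assumption: an optional /prefix length is tolerated
    return _parses(ipaddress.IPv4Interface, v)

PEER = {"uuid": is_uuid4, "ipv4_address": is_ipv4, "dns1": is_ipv4, "dns2": is_ipv4,
        "private_key": is_key, "public_key": is_key}
IFACE = {**PEER,
         "listen_port": lambda v: type(v) is int and 1 <= v <= 65535,
         "name": lambda v: isinstance(v, str) and bool(NAME_RE.fullmatch(v))}

def _check(node, rules, prefix=""):
    return [prefix + k for k, ok in rules.items() if k in node and not ok(node[k])]

def validate_interface(node):
    """Return the sorted option paths in an interface node that break a documented rule."""
    errors = _check(node, IFACE)
    for key, peer in node.get("peers", {}).items():
        errors += _check(peer, PEER, f"peers.{key}.")
        if peer.get("uuid") != key:  # peers are keyed by their own UUID
            errors.append(f"peers.{key}: key differs from uuid")
    return sorted(errors)

def sample_interface():
    """Constructed node with one peer; the key is dummy bytes, not a real key."""
    key = base64.b64encode(bytes(range(32))).decode()
    pid = "0b6f1c2e-7a3d-4c59-9e81-2f4a6b8c0d13"
    peer = {"uuid": pid, "ipv4_address": "10.0.100.2", "dns1": "10.0.100.1", "public_key": key}
    return {"uuid": "3f2b8c1e-9d4a-4e6b-8a7c-5d1e2f3a4b5c", "name": "wg-home_1",
            "listen_port": 50000, "private_key": key, "peers": {pid: peer}}
```

`validate_interface(sample_interface())` returns an empty list; each entry in a non-empty result names the option, with its peer path where applicable, that failed its rule.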

GitHub

https://github.com/joseantmazonsb/linguard