Linguard
Linguard aims to provide an easy way to manage your WireGuard server, and it's written in Python3 and powered by Flask.
Installation
Git
- Install dependencies:

      sudo apt update
      sudo apt install wireguard iptables uwsgi uwsgi-plugin-python3 libpcre3 libpcre3-dev

- Download any release (or clone the repository) and put the files somewhere you will remember later, such as /var/www/linguard.
- Edit the configuration files to fit your needs.
- Add a linguard user and group to your computer:

      groupadd linguard
      useradd -g linguard linguard

- Add the following lines to the file /etc/sudoers so that linguard may execute WireGuard commands:

      linguard ALL=(ALL) NOPASSWD: /usr/bin/wg
      linguard ALL=(ALL) NOPASSWD: /usr/bin/wg-quick

- Start linguard:

      sudo -u linguard uwsgi --yaml /var/www/linguard/uwsgi.yaml
Debian package
Docker
Docs
Arguments
The following table describes every argument accepted by Linguard:
Argument | Type | Explanation | Notes |
---|---|---|---|
config | Positional | Path to Linguard's configuration file | Must be a YAML file |
-h \| --help | Optional | Display Linguard's CLI help and exit | |
--debug | Optional | Start the Flask backend in debug mode | Default value is False |
Configuration
Two sample configuration files are provided, uwsgi.sample.yaml and linguard.sample.yaml, although the most interesting one is the second, since the first only contains options for third-party software, uWSGI.
Nonetheless, it is worth noting that the path to Linguard's configuration file needs to be provided through uwsgi's configuration, using the field pyargv.
From now on, we will only discuss Linguard's configuration values. Although the file linguard.sample.yaml contains every possible option, the following tables explain each one of them and detail all possible values.
Logging configuration
These options must be specified inside a logger node.
Option | Explanation | Values | Default |
---|---|---|---|
level | Set the minimum level of messages to be logged | debug, info, warning, error, fatal | info |
logfile | Path to the file used to write log messages | null, path/to/logfile | null |
overwrite | Whether to overwrite the log file when the application starts or not | true, false | false |
Web configuration
These options must be specified inside a web node.
Option | Explanation | Values | Default |
---|---|---|---|
bindport | Port to be used by Flask to deploy the application | 1-65535 | 8080 |
login_attempts | Maximum number of login attempts within 5 minutes | (almost) Any integer | 0 (unlimited attempts) |
Linguard configuration
These options must be specified inside a linguard node.
Global options
Option | Explanation | Values | Notes |
---|---|---|---|
endpoint | Endpoint for all peers | Should be something like vpn.example.com, though it may also be an IP address | Default value is your computer's public IP (if it can be obtained) |
gw_iface | Default gateway for all WireGuard interfaces. | Should be something like vpn.example.com, though it may also be an IP address | Default value will be your computer's default gateway |
wg_bin | Path to the WireGuard binary file (wg) | path/to/file | If not specified, it will be retrieved using the whereis command |
wg_quick_bin | Path to the WireGuard quick binary file (wg-quick) | path/to/file | If not specified, it will be retrieved using the whereis command |
interfaces | Dictionary containing all interfaces of the server | A number of interface nodes whose keys are their own UUIDs | |
interfaces_folder | Path to the directory where the interfaces' configuration files will be placed. | path/to/folder | It should be somewhere you will remember, like /var/www/linguard/interfaces |
iptables_bin | Path to the iptables binary file (iptables) | path/to/file | If not specified, it will be retrieved using the whereis command |
Interface configuration
These options must be specified inside an interface node.
Option | Explanation | Values | Notes |
---|---|---|---|
auto | Whether the interface will be automatically brought up when the server starts or not | true, false | Default value is true |
description | A description of the interface | A character string | |
gw_iface | Gateway used by the interface | Should be something like vpn.example.com, though it may also be an IP address. | Default value will be your computer's default gateway |
ipv4_address | IPv4 address assigned to the interface | A valid IPv4 address | |
listen_port | UDP port used by WireGuard to communicate with peers | 1-65535 | |
name | The interface's name | A character string | It may only contain alphanumeric characters, underscores and hyphens. It must also begin with a letter and cannot be more than 15 characters long |
on_up | Linux commands to be executed when the interface is going to be brought up | Any Linux command in path | By default, it will add FORWARD and POSTROUTING rules related to the interface |
on_down | Linux commands to be executed when the interface is going to be brought down | Any Linux command in path | By default, it will remove FORWARD and POSTROUTING rules related to the interface |
peers | Dictionary containing all peers of the interface | A number of peer nodes whose keys are their own UUIDs | |
private_key | Private key used to authenticate the interface | A valid private key generated via wg | |
public_key | Public key used to authenticate the interface | A valid private key generated via wg | |
uuid | Unique identifier | A valid Version 4 UUID | |
Peer configuration
These options must be specified inside a peer node.
Option | Explanation | Values | Notes |
---|---|---|---|
dns1 | Main DNS used by the peer | A valid IPv4 address | |
dns2 | Secondary DNS used by the peer | A valid IPv4 address | |
endpoint | URL/IPv4 and port used by the peer to communicate with the WireGuard server | A valid URL/IPv4 followed by a UDP port: vpn.example.com:50000 | |
ipv4_address | IPv4 address assigned to the peer | A valid IPv4 address | |
name | The peer's name. | A character string | |
nat | Whether the peer is behind a NAT or not | true, false | Default value is false. If true, this option will enable the PersistentKeepalive WireGuard flag |
private_key | Private key used to authenticate the peer | A valid private key generated via wg | |
public_key | Public key used to authenticate the peer | A valid private key generated via wg | |
uuid | Unique identifier. | A valid Version 4 UUID | |
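
The value rules in the web, interface and peer tables above can be checked before a configuration is deployed. The following is an added example, not part of Linguard's own code: `lint`, `NAME_RE`, the helper functions and the `SAMPLE` dictionary are assumptions made here, and the nesting (interfaces and peers keyed by UUID) follows the tables' wording.

```python
import ipaddress
import re
import uuid

# Interface name rule from the table: letter first, then [A-Za-z0-9_-], max 15.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,14}")

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value if isinstance(value, str) else "")
        return True
    except ValueError:
        return False

def is_port(value):
    return type(value) is int and 1 <= value <= 65535

def is_uuid4(value):
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False

def lint(config):
    """Return findings for values that break the rules in the README tables."""
    out = []
    if config.get("web", {}).get("login_attempts", 0) == 0:
        out.append("web.login_attempts: 0 allows unlimited login attempts")
    for if_id, iface in config.get("linguard", {}).get("interfaces", {}).items():
        tag = f"interface {iface.get('name')!r}"
        checks = [(is_uuid4(if_id), "key is not a version 4 UUID"),
                  (NAME_RE.fullmatch(str(iface.get("name") or "")), "invalid name"),
                  (is_ipv4(iface.get("ipv4_address")), "invalid ipv4_address"),
                  (is_port(iface.get("listen_port")), "listen_port not in 1-65535")]
        out += [f"{tag}: {msg}" for ok, msg in checks if not ok]
        for peer_id, peer in iface.get("peers", {}).items():
            ptag = f"peer {peer.get('name')!r}"
            if not is_uuid4(peer_id):
                out.append(f"{ptag}: key is not a version 4 UUID")
            for key in ("ipv4_address", "dns1", "dns2"):
                if (key == "ipv4_address" or key in peer) and not is_ipv4(peer.get(key)):
                    out.append(f"{ptag}: invalid {key}")
    return out

# Constructed sample input (not taken from linguard.sample.yaml).
SAMPLE = {"web": {"login_attempts": 0}, "linguard": {"interfaces": {
    "3f2b8c1e-9d4a-4c7b-8e21-5a6f0d9b1c34": {
        "name": "0wg", "ipv4_address": "10.0.0.1", "listen_port": 70000,
        "peers": {"not-a-uuid": {"name": "laptop", "ipv4_address": "10.0.0.256"}}}}}}
```

Calling `lint(SAMPLE)` returns five findings; loading the real YAML file into a dictionary first is left to the caller.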