Configuring WireGuard with wg-portal
Instrument Panel
WireGuard, the VPN server incorporated into the Linux kernel, has been available for some time and is becoming increasingly popular, replacing large VPN environments by traditional manufacturers on corporate networks. The main focus of WireGuard's development was to reduce the number of optional connection, encryption, and authentication parameters to the required minimum and to achieve a very small codebase as a result. What WireGuard lacks to support professional use is a management interface that handles the major share of the integration work for admins and clients.
The developers of the open source WireGuard Portal (wg-portal) [1] have set out to address exactly this problem. They are developing a web portal that supports admins, starting with creating the key material, through endpoint address management and routing configuration, to automatic access scheduling. Users can manage access independently through the self-service portal. In this article, I look at wg-portal installation and configuration and reveal the drawbacks involved in daily VPN use.
Docker Image
You need a WireGuard installation in place to try out the Docker image, although the installation does not have to be fully configured. The image provided by the developers [2] is useful for trying out wg-portal without too much overhead. Because you can modify the configuration by setting environment variables and because you need to integrate some volumes into the container, you will want to use the Docker compose function. The side effect is that it also makes it easier for you to try out different configurations. To get started, run the file shown in Listing 1.
Listing 1
docker-compose.yaml
services:
  wg-portal:
    image: wgportal/wg-portal:v2
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    ports:                # published ports are discarded under network_mode "host"; the portal listens on 8888 directly
      - "8888:8888"
    volumes:
      - /etc/wireguard:/etc/wireguard
      - ./data:/app/data
      - ./config:/app/config
At the time of writing, wg-portal had reached version 2. You might want to change the image tag to the latest version if the number has increased. The container needs the NET_ADMIN capability (and, with network_mode "host", the host's network namespace) to control the WireGuard network interfaces. If you now type
docker compose up
to launch the portal, you will notice that the image has not been pre-configured to the point where you could simply start it out of the box.
According to the log output, WireGuard Portal requires a configuration file at config/config.yml at start-up. You might need root privileges to create this file, because the config folder was created as root when the container started for the first time. Add the following content to your config.yml:
core:
  admin_user: admin@admin-magazine.com
  admin_password: security-tip
  self_provisioning_allowed: true
web:
  external_url: http://localhost:8888
  request_logging: true
The self-provisioning line lets users create their own VPN connections, in contrast to the default configuration.
After restarting the container, the message about a missing configuration no longer appears, and you can open http://localhost:8888 in your browser to access the web interface. This takes you either to the login page or to an overview page with general information about WireGuard and wg-portal (select Login). Now enter the access data from the config.yml file in the login box and click Sign In.
After logging in, open your profile, where you can manage the VPN profiles for your current user account. Of course, you will not want to save any information there at this point. When you press the button to add a connection, you are taken to an input dialog where you can configure your connection with the parameters that you are already familiar with from the classic WireGuard configuration.
Managing Interfaces
Selecting the Interfaces item in the top bar takes you to the overview of existing WireGuard endpoints; wg-portal also recognizes and lists endpoints that you created manually. If you select the small eye symbol in the title bar, wg-portal shows the text configuration for the interface. You can also download this configuration directly or edit it in a dialog after clicking on the settings icon. If you have not yet configured an interface or would like to create another, simply press the + button to create the configuration in the dialog.
Below each interface, wg-portal lists the peers (connections) that exist for that endpoint together with their current status, and you can change these configurations as well. When it displays a connection configuration, wg-portal also displays a QR code that can be scanned with the WireGuard app on a smartphone as a convenient way of transferring the configuration to the device. Of course, this only works if the private key for the connection is also stored in wg-portal; otherwise, you need to add it on the device later.
User Management and SSO
After familiarizing yourself with the interface and connection configurations, you can start to manage users under the Users item in the menu bar; wg-portal has its own user management feature. To add new users, press the + button in the overview. In contrast to admin users, normal users can only view their own profiles and, if self-provisioning is enabled in the configuration, also manage their own connections.
Besides local users, wg-portal can also authenticate against single sign-on (SSO) services such as OpenID Connect (OIDC), OAuth2, or LDAP, which lets you integrate WireGuard and wg-portal seamlessly with your existing user management infrastructure. To connect an LDAP server, simply extend the configuration as shown in Listing 2.
Listing 2
Extending config.yml
[...]
auth:
  ldap:
    - id: LDAP01
      url: ldap://ldap.admin-magazine.com
      start_tls: true
      base_dn: "DC=admin-magazine, DC=com"
      bind_user: wgportal
      bind_pass: secret
      admin_group: dc=WG-ADMINS
      synchronize: true
Adjust the settings to match your infrastructure and then restart the container. In the user overview, you will now see the users from your LDAP directory, identified as such in the Source column. Connecting to OIDC or OAuth2 is equally easy, and you can even configure multiple authentication back ends at the same time.
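As an added example (not wg-portal's own code), the following Python script parses the small YAML subset that the config.yml in this article uses, without needing PyYAML, and flags the settings from the config.yml above and Listing 2 that a reviewer would question: the sample admin password, enabled self-provisioning, and an ldap:// URL without start_tls. The embedded sample configuration and its host names are constructed placeholders.

```python
# Added example, not wg-portal's own code: parse the small YAML subset this article's
# config.yml uses (no PyYAML needed) and flag settings a reviewer would question.
SAMPLE = """\
core:
  admin_password: security-tip
  self_provisioning_allowed: true
auth:
  ldap:
    - id: LDAP01
      url: ldap://ldap.example.test
      start_tls: false
      bind_pass: secret
"""  # constructed: the article's sample values plus an LDAP block with StartTLS off
def _scalar(v):
    v = v.strip().strip("\"'")
    return {"true": True, "false": False}.get(v.lower(), v)

def _block(lines, i, indent):
    """Parse (indent, text) pairs at one level; returns (object, next index)."""
    if lines[i][1].startswith("- "):  # list of mappings; "- k: v" opens an item
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            lines[i] = (indent + 2, lines[i][1][2:])
            item, i = _block(lines, i, indent + 2)
            items.append(item)
        return items, i
    obj = {}
    while i < len(lines) and lines[i][0] == indent:  # mapping
        key, _, val = lines[i][1].partition(":")
        i += 1
        nested = i < len(lines) and lines[i][0] > indent
        obj[key.strip()], i = (_scalar(val), i) if val.strip() else \
            _block(lines, i, lines[i][0]) if nested else (None, i)
    return obj, i

def parse(text):
    lines = [(len(ln) - len(ln.lstrip()), ln.strip()) for ln in text.splitlines() if ln.strip()]
    return _block(lines, 0, lines[0][0])[0] if lines else {}

def audit(cfg):
    core, out = cfg.get("core", {}), []
    pw = str(core.get("admin_password", ""))
    if pw == "security-tip" or len(pw) < 12:
        out.append("core.admin_password: sample or short password, choose a unique long one")
    if core.get("self_provisioning_allowed") is True:
        out.append("core.self_provisioning_allowed: every user may create VPN peers")
    for ldap in cfg.get("auth", {}).get("ldap") or []:
        if str(ldap.get("url", "")).startswith("ldap://") and ldap.get("start_tls") is not True:
            out.append(f"auth.ldap[{ldap.get('id')}]: ldap:// without start_tls exposes bind_pass")
    return out
```

Run audit(parse(open("config/config.yml").read())) against your own file; an empty list means none of the three checks fired.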