I am running wg-easy and there is a way to passport protect the GUI used for creating Wireguard connections. Is there a way to prohibit connection to be made if not a password is entered? I don’t want someone to be able to access my VPN if for example my phone would be stolen unlocked. I don’t mind if it is client side only
Password protect your phone?
When a private key gets compromised just delete the public one from the allow list?
Simply put:No.
You need to make sure none accesses your phone even when stolen (for a myriad of other reasons as well) so passwort protect it.
This has nothing to do with WG-easy or any wireguard implementation itself-it’s simply part of Wireguard. What you could do to at least discourage an attack is to save parts of the secrets (Preshared key, public key of your network) in a password manager like bitwarden and copy and paste it into the client every time you connect - and remove it from there after you’re done. But be aware that this will only discourage a technically inept attacker - the WG client and the OS,etc. will keep enough of data of these transactions around to easily find out this information and for a good attacker you actually make it easier this way. So I would clearly not recommend it. Password protect your phone.
WAG and other solutions put another layer between your network and WG. Basically they add a captive portal and only “unlock” it once you authorised yourself there. It is not a pretty solution and you need to be aware that it easily locks you out of your own network.
Another solution could be that you build two WG connections - one that is limited to your firewall and can exclusively connect to that device. And one that has broader access. Use the first one to enable access, the later one for actual access. Then the first one to disable access again.
The WG easy container should always be run behind an authentication layer,even in LAN as it enables an attacker (who might be already in the LAN) establish full outside connections. This can easily be achieved with a reverse proxy like Caddy/nginx proxy manager. The container then needs to be behind the proxy in it’s own network with only the WG port exposed. Requires a bit of work but is easily doable…And Portainer is your friend in that regard.
If it’s something you’re really worried about, maybe something like https://github.com/NHAS/wag will help along with your secure totp app.
Thanks, will look into it
Yo - absolutely!
WG easy posts the GUI on a separate port than the primary Wireguard port you’d need to open in the firewall. I think it’s 51821 - but this can easily be changed depending on if you’re using docker-compose files or a gui like portainer to manage this.
In my case - I am using Nginx Proxy Manager - and it even has it’s own basic password requirement “Access List” availability. With NPM I’m routing that gui over vpn (local dns) but you could put it behind a password with limite security via Access List, or the step beyond look into “middleware” like Keycloak.
Hi, I’m not talking about the GUI. It is already behind a password and it is fine. I’m also using nginx for setting my the certs when connecting to nextcloud. What you are saying with Access List sounds very interesting but how does it work? How do you enter the password when you access nginx? Thanks for your reply
wg-easy has this option wwhen you run the docker:
-e PASSWORD=YOUR_ADMIN_PASSWORD
which set an admin password when deploying the container.
If you didn’t put a password I guess you can add one in the admin settings
from https://github.com/wg-easy/wg-easy?tab=readme-ov-file#2-run-wireguard-easy
That’s for logging into the web GUI IIRC, not for authorizing a connection from wg client to wg server.