mirror of
https://github.com/h44z/wg-portal.git
synced 2025-06-28 09:17:00 +00:00
<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><link href=https://wgportal.org/master/documentation/usage/security/ rel=canonical><link href=../ldap/ rel=prev><link href=../../rest-api/api-doc/ rel=next><link rel=icon href=../../../assets/images/favicon-large.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.6.14"><title>Security - WireGuard Portal</title><link rel=stylesheet href=../../../assets/stylesheets/main.342714a4.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.06af60db.min.css><link rel=stylesheet href=../../../stylesheets/extra.css><script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="Security - WireGuard Portal"><meta property=og:description content="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><meta property=og:image content=https://wgportal.org/master/assets/images/social/documentation/usage/security.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://wgportal.org/master/documentation/usage/security/ property=og:url><meta name=twitter:card content=summary_large_image><meta name=twitter:title content="Security - WireGuard Portal"><meta name=twitter:description content="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><meta name=twitter:image content=https://wgportal.org/master/assets/images/social/documentation/usage/security.png></head> <body 
dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../../.. title="WireGuard Portal" class="md-header__button md-logo" aria-label="WireGuard Portal" data-md-component=logo> <img src=../../../assets/images/logo.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> WireGuard Portal </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Security </span> </div> </div> </div> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off 
spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search>
<span class=w>  </span><span class=nt>oidc</span><span class=p>:</span>
<span class=w>    </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>"oidc1"</span>
<span class=w>      </span><span class=c1># ... other settings</span>
<span class=w>      </span><span class=nt>allowed_domains</span><span class=p>:</span>
<span class=w>        </span><span class="p p-Indicator">-</span><span class=w> </span><span class=s>"outlook.com"</span>
</code></pre></div> <h4 id=limit-login-to-existing-users>Limit Login to Existing Users</h4> <p>You can limit the login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for OAuth or OIDC providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p> <h4 id=admin-mapping>Admin Mapping</h4> <p>You can map users to admin roles based on their attributes in the OAuth or OIDC provider. To do this, set the <code>admin_mapping</code> property for the provider. Administrative access can either be mapped by a specific attribute or by group membership.</p> <p><strong>Attribute-specific mapping</strong> can be achieved by setting the <code>admin_value_regex</code> and the <code>is_admin</code> properties. The <code>admin_value_regex</code> property is a regular expression that is matched against the value of the <code>is_admin</code> attribute. The user is granted admin access if the regex matches the attribute value.</p> <p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w>  </span><span class=nt>oidc</span><span class=p>:</span>
<span class=w>    </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>"oidc1"</span>
<span class=w>      </span><span class=c1># ... other settings</span>
<span class=w>      </span><span class=nt>field_map</span><span class=p>:</span>
<span class=w>        </span><span class=nt>is_admin</span><span class=p>:</span><span class=w> </span><span class=s>"wg_admin_prop"</span>
<span class=w>      </span><span class=nt>admin_mapping</span><span class=p>:</span>
<span class=w>        </span><span class=nt>admin_value_regex</span><span class=p>:</span><span class=w> </span><span class=s>"^true$"</span>
</code></pre></div> The example above will grant admin access to users with the <code>wg_admin_prop</code> attribute set to <code>true</code>.</p> <p><strong>Group membership mapping</strong> can be achieved by setting the <code>admin_group_regex</code> and <code>user_groups</code> properties. The <code>admin_group_regex</code> property is a regular expression that is matched against the group names of the user. The user is granted admin access if the regex matches any of the group names.</p> <p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w>  </span><span class=nt>oidc</span><span class=p>:</span>
<span class=w>    </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>"oidc1"</span>
<span class=w>      </span><span class=c1># ... other settings</span>
<span class=w>      </span><span class=nt>field_map</span><span class=p>:</span>
<span class=w>        </span><span class=nt>user_groups</span><span class=p>:</span><span class=w> </span><span class=s>"groups"</span>
<span class=w>      </span><span class=nt>admin_mapping</span><span class=p>:</span>
<span class=w>        </span><span class=nt>admin_group_regex</span><span class=p>:</span><span class=w> </span><span class=s>"^the-admin-group$"</span>
</code></pre></div> The example above will grant admin access to users who are members of the <code>the-admin-group</code> group.</p> <h3 id=ldap-authentication>LDAP Authentication</h3> <p>WireGuard Portal supports LDAP authentication. You can use any LDAP server, such as Active Directory or OpenLDAP. Multiple LDAP servers can be configured in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file. WireGuard Portal remembers the authentication provider of the user and therefore avoids conflicts between multiple LDAP providers.</p> <p>To configure LDAP authentication, create a new <a href=../../configuration/overview/#ldap><code>ldap</code></a> authentication provider in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file.</p> <h4 id=limiting-login-to-specific-users>Limiting Login to Specific Users</h4> <p>You can limit the login to specific users by setting the <code>login_filter</code> property for the LDAP provider. This filter uses the LDAP search filter syntax. The username can be inserted into the query by placing the <code>{{login_identifier}}</code> placeholder in the filter. This placeholder will then be replaced with the username entered by the user during login.</p> <p>For example, if you want to allow only users with the <code>objectClass</code> attribute set to <code>organizationalPerson</code> to log in, set the property as follows:</p> <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w>  </span><span class=nt>ldap</span><span class=p>:</span>
<span class=w>    </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>"ldap1"</span>
<span class=w>      </span><span class=c1># ... other settings</span>
<span class=w>      </span><span class=nt>login_filter</span><span class=p>:</span><span class=w> </span><span class=s>"(&(objectClass=organizationalPerson)(uid={{login_identifier}}))"</span>
</code></pre></div> <p>The <code>login_filter</code> should always be designed to return at most one user.</p> <h4 id=limit-login-to-existing-users_1>Limit Login to Existing Users</h4> <p>You can limit the login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for LDAP providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p> <h4 id=admin-mapping_1>Admin Mapping</h4> <p>You can map users to admin roles based on their group membership in the LDAP server. To do this, set the <code>admin_group</code> and <code>memberof</code> properties for the provider. The <code>admin_group</code> property defines the distinguished name of the group that is allowed to log in as admin. All groups that are listed in the <code>memberof</code> attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.</p> <h2 id=ui-and-api-access>UI and API Access</h2> <p>WireGuard Portal provides a web UI and a REST API for user interaction. It is important to secure these interfaces to prevent unauthorized access and data breaches.</p> <h3 id=https>HTTPS</h3> <p>It is recommended to use HTTPS for all communication with the portal to prevent eavesdropping.</p> <p>Even though WireGuard Portal supports HTTPS out of the box, it is recommended to use a reverse proxy like Nginx or Traefik to handle SSL termination and other security features. 
A detailed explanation is available in the <a href=../../getting-started/reverse-proxy/ >Reverse Proxy</a> section.</p> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> </main> <!-- Application footer --> <footer class=md-footer> <!-- Further information --> <div class="md-footer-meta md-typeset" style="background-color: #fff;"> <div class="md-footer-meta__inner md-grid" style="background-color: #fff;"> <!-- Copyright and theme information --> <div class=md-footer-copyright> <div class=md-footer-copyright__highlight style="color: rgb(38, 38, 38);"> Copyright © 2023-2025 WireGuard Portal Project </div> <div style="color: rgb(38, 38, 38);"> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener style="color: black;"> Material for MkDocs </a> </div> </div> </div> </div> </footer>
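<p>To make the OAuth/OIDC <code>admin_mapping</code> section concrete, here is an added Go example (not wg-portal's own code) that evaluates a user's resolved <code>is_admin</code> value and <code>user_groups</code> entries against <code>admin_value_regex</code> and <code>admin_group_regex</code>, and shows why the documented patterns are anchored (an unanchored <code>the-admin-group</code> also matches a group named <code>not-the-admin-group</code>). The type and field names are assumptions, the OR between the two mappings is assumed, and the claims are constructed stand-ins for what <code>field_map</code> resolves from the provider.</p>

```go
package main

import (
	"fmt"
	"regexp"
)

// AdminMapping mirrors the two documented mapping styles (field names are assumptions).
type AdminMapping struct {
	AdminValueRegex string // matched against the resolved is_admin value
	AdminGroupRegex string // matched against every resolved user_groups entry
}

// Claims is a constructed stand-in for the provider values after field_map resolution.
type Claims struct {
	IsAdmin string
	Groups  []string
}

// matches compiles pattern (empty = not configured) and reports whether any value matches.
func matches(pattern string, values ...string) (bool, error) {
	if pattern == "" {
		return false, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, fmt.Errorf("invalid regex %q: %w", pattern, err)
	}
	for _, v := range values {
		if re.MatchString(v) {
			return true, nil
		}
	}
	return false, nil
}

// IsAdminUser grants admin when either configured regex matches (assumed to be OR).
func IsAdminUser(m AdminMapping, c Claims) (bool, error) {
	if ok, err := matches(m.AdminValueRegex, c.IsAdmin); ok || err != nil {
		return ok, err
	}
	return matches(m.AdminGroupRegex, c.Groups...)
}

func main() {
	user := Claims{Groups: []string{"not-the-admin-group"}}
	strict, _ := IsAdminUser(AdminMapping{AdminGroupRegex: "^the-admin-group$"}, user)
	loose, _ := IsAdminUser(AdminMapping{AdminGroupRegex: "the-admin-group"}, user)
	fmt.Println(strict, loose) // false true
}
```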
|