< span class = w > < / span > < span class = nt > oidc< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = "p p-Indicator" > -< / span > < span class = w > < / span > < span class = nt > provider_name< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " oidc1" < / span >
< span class = w > < / span > < span class = c1 > # ... other settings< / span >
< span class = w > < / span > < span class = nt > allowed_domains< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = "p p-Indicator" > -< / span > < span class = w > < / span > < span class = s > " outlook.com" < / span >
< / code > < / pre > < / div > < h4 id = limit-login-to-existing-users > Limit Login to Existing Users< / h4 > < p > You can limit the login to existing users only by setting the < code > registration_enabled< / code > property to < code > false< / code > for OAuth or OIDC providers. If registration is enabled, new users will be created in the database when they log in for the first time.< / p > < h4 id = admin-mapping > Admin Mapping< / h4 > < p > You can map users to admin roles based on their attributes in the OAuth or OIDC provider. To do this, set the < code > admin_mapping< / code > property for the provider. Administrative access can either be mapped by a specific attribute or by group membership.< / p > < p > < strong > Attribute specific mapping< / strong > can be achieved by setting the < code > admin_value_regex< / code > and the < code > is_admin< / code > property. The < code > admin_value_regex< / code > property is a regular expression that is matched against the value of the < code > is_admin< / code > attribute. The user is granted admin access if the regex matches the attribute value.< / p > < p > Example: < div class = highlight > < pre > < span > < / span > < code > < span class = nt > auth< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > oidc< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = "p p-Indicator" > -< / span > < span class = w > < / span > < span class = nt > provider_name< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " oidc1" < / span >
< span class = w > < / span > < span class = c1 > # ... other settings< / span >
< span class = w > < / span > < span class = nt > field_map< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > is_admin< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " wg_admin_prop" < / span >
< span class = w > < / span > < span class = nt > admin_mapping< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > admin_value_regex< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " ^true$" < / span >
< / code > < / pre > < / div > The example above will grant admin access to users with the < code > wg_admin_prop< / code > attribute set to < code > true< / code > .< / p > < p > < strong > Group membership mapping< / strong > can be achieved by setting the < code > admin_group_regex< / code > and < code > user_groups< / code > property. The < code > admin_group_regex< / code > property is a regular expression that is matched against the group names of the user. The user is granted admin access if the regex matches any of the group names.< / p > < p > Example: < div class = highlight > < pre > < span > < / span > < code > < span class = nt > auth< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > oidc< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = "p p-Indicator" > -< / span > < span class = w > < / span > < span class = nt > provider_name< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " oidc1" < / span >
< span class = w > < / span > < span class = c1 > # ... other settings< / span >
< span class = w > < / span > < span class = nt > field_map< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > user_groups< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " groups" < / span >
< span class = w > < / span > < span class = nt > admin_mapping< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > admin_group_regex< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " ^the-admin-group$" < / span >
< / code > < / pre > < / div > The example above will grant admin access to users who are members of the < code > the-admin-group< / code > group.< / p > < h3 id = ldap-authentication > LDAP Authentication< / h3 > < p > WireGuard Portal supports LDAP authentication. You can use any directory server that speaks the LDAP protocol, such as Active Directory or OpenLDAP. Multiple LDAP servers can be configured in the < a href = ../../configuration/overview/#auth > < code > auth< / code > < / a > section of the configuration file. WireGuard Portal remembers the authentication provider of each user and therefore avoids conflicts between multiple LDAP providers.< / p > < p > To configure LDAP authentication, create a new < a href = ../../configuration/overview/#ldap > < code > ldap< / code > < / a > authentication provider in the < a href = ../../configuration/overview/#auth > < code > auth< / code > < / a > section of the configuration file.< / p > < h4 id = limiting-login-to-specific-users > Limiting Login to Specific Users< / h4 > < p > You can limit the login to specific users by setting the < code > login_filter< / code > property for the LDAP provider. This filter uses the LDAP search filter syntax. The username can be inserted into the query by placing the < code > {{login_identifier}}< / code > placeholder in the filter. This placeholder will then be replaced with the username entered by the user during login.< / p > < p > For example, if you want to allow only users with the < code > objectClass< / code > attribute set to < code > organizationalPerson< / code > to log in, set the property as follows:< / p > < div class = highlight > < pre > < span > < / span > < code > < span class = nt > auth< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = nt > ldap< / span > < span class = p > :< / span >
< span class = w > < / span > < span class = "p p-Indicator" > -< / span > < span class = w > < / span > < span class = nt > provider_name< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " ldap1" < / span >
< span class = w > < / span > < span class = c1 > # ... other settings< / span >
< span class = w > < / span > < span class = nt > login_filter< / span > < span class = p > :< / span > < span class = w > < / span > < span class = s > " (& (objectClass=organizationalPerson)(uid={{login_identifier}}))" < / span >
< / code > < / pre > < / div > < p > The < code > login_filter< / code > should always be designed to return at most one user; a filter that can match several directory entries makes the login ambiguous.< / p > < h4 id = limit-login-to-existing-users_1 > Limit Login to Existing Users< / h4 > < p > You can limit the login to existing users only by setting the < code > registration_enabled< / code > property to < code > false< / code > for LDAP providers. If registration is enabled, new users will be created in the database when they log in for the first time.< / p > < h4 id = admin-mapping_1 > Admin Mapping< / h4 > < p > You can map users to admin roles based on their group membership in the LDAP server. To do this, set the < code > admin_group< / code > and < code > memberof< / code > properties for the provider. The < code > admin_group< / code > property defines the distinguished name of the group that is allowed to log in as admin. All groups that are listed in the < code > memberof< / code > attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.< / p > < h2 id = ui-and-api-access > UI and API Access< / h2 > < p > WireGuard Portal provides a web UI and a REST API for user interaction. It is important to secure these interfaces to prevent unauthorized access and data breaches.< / p > < h3 id = https > HTTPS< / h3 > < p > It is recommended to use HTTPS for all communication with the portal to prevent eavesdropping.< / p > < p > Even though WireGuard Portal supports HTTPS out of the box, it is recommended to use a reverse proxy like Nginx or Traefik to handle TLS termination and other security features. A detailed explanation is available in the < a href = ../../getting-started/reverse-proxy/ > Reverse Proxy< / a > section.< / p > < / article > < / div > < script > var target = document . getElementById ( location . hash . slice ( 1 ) ) ; target && target . name && ( target . checked = target . name . 