</code></pre></div></details><p>Below you will find sections like <a href=#core><code>core</code></a>, <a href=#advanced><code>advanced</code></a>, <a href=#database><code>database</code></a>, <a href=#statistics><code>statistics</code></a>, <a href=#mail><code>mail</code></a>, <a href=#auth><code>auth</code></a>, <a href=#web><code>web</code></a> and <a href=#webhook><code>webhook</code></a>.<br> Each section describes the individual configuration keys, their default values, and a brief explanation of their purpose.</p><hr><h2 id=core>Core</h2><p>These are the primary configuration options that control fundamental WireGuard Portal behavior. More advanced options are found in the subsequent <code>Advanced</code> section.</p><h3 id=admin_user><code>admin_user</code></h3><ul><li><strong>Default:</strong> <code>admin@wgportal.local</code></li><li><strong>Description:</strong> The administrator user. This user will be created as a default admin if it does not yet exist.</li></ul><h3 id=admin_password><code>admin_password</code></h3><ul><li><strong>Default:</strong> <code>wgportal</code></li><li><strong>Description:</strong> The administrator password. The default password of <code>wgportal</code> should be changed immediately.</li></ul><h3 id=admin_api_token><code>admin_api_token</code></h3><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> An API token for the admin user. If a token is provided, the REST API can be accessed using this token.
If empty, the API is initially disabled for the admin user.</li></ul><h3 id=editable_keys><code>editable_keys</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> Allow editing of WireGuard key-pairs directly in the UI.</li></ul><h3 id=create_default_peer><code>create_default_peer</code></h3><ul><li><strong>Default:</strong> <code>false</code></li><li><strong>Description:</strong> If a user logs in for the first time with no existing peers, automatically create a new WireGuard peer for <strong>all</strong> server interfaces.</li></ul><h3 id=create_default_peer_on_creation><code>create_default_peer_on_creation</code></h3><ul><li><strong>Default:</strong> <code>false</code></li><li><strong>Description:</strong> If an LDAP user is created (e.g., through LDAP sync) and has no peers, automatically create a new WireGuard peer for <strong>all</strong> server interfaces.</li></ul><h3 id=re_enable_peer_after_user_enable><code>re_enable_peer_after_user_enable</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> Re-enable all peers that were previously disabled if the associated user is re-enabled.</li></ul><h3 id=delete_peer_after_user_deleted><code>delete_peer_after_user_deleted</code></h3><ul><li><strong>Default:</strong> <code>false</code></li><li><strong>Description:</strong> If a user is deleted, remove all linked peers.
Otherwise, peers remain but are disabled.</li></ul><h3 id=self_provisioning_allowed><code>self_provisioning_allowed</code></h3><ul><li><strong>Default:</strong> <code>false</code></li><li><strong>Description:</strong> Allow registered (non-admin) users to self-provision peers from their profile page.</li></ul><h3 id=import_existing><code>import_existing</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> On startup, import existing WireGuard interfaces and peers into WireGuard Portal.</li></ul><h3 id=restore_state><code>restore_state</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> Restore the WireGuard interface states (up/down) that existed before WireGuard Portal started.</li></ul><hr><h2 id=advanced>Advanced</h2><p>Additional or more specialized configuration options for logging and interface creation details.</p><h3 id=log_level><code>log_level</code></h3><ul><li><strong>Default:</strong> <code>info</code></li><li><strong>Description:</strong> The log level used by the app
</code></pre></div></li></ul><h3 id=encryption_passphrase><code>encryption_passphrase</code></h3><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> Passphrase for encrypting sensitive values such as private keys in the database. Encryption is only applied if this passphrase is set. <strong>Important:</strong> Once you enable encryption by setting this passphrase, you cannot disable it or change it afterward. New or updated records will be encrypted; existing data remains in plaintext until it’s next modified.</li></ul><hr><h2 id=statistics>Statistics</h2><p>Controls how WireGuard Portal collects and reports usage statistics, including ping checks and Prometheus metrics.</p><h3 id=use_ping_checks><code>use_ping_checks</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> Enable periodic ping checks to verify that peers remain responsive.</li></ul><h3 id=ping_check_workers><code>ping_check_workers</code></h3><ul><li><strong>Default:</strong> <code>10</code></li><li><strong>Description:</strong> Number of parallel worker processes for ping checks.</li></ul><h3 id=ping_unprivileged><code>ping_unprivileged</code></h3><ul><li><strong>Default:</strong> <code>false</code></li><li><strong>Description:</strong> If <code>false</code>, ping checks run without root privileges. This is currently considered BETA.</li></ul><h3 id=ping_check_interval><code>ping_check_interval</code></h3><ul><li><strong>Default:</strong> <code>1m</code></li><li><strong>Description:</strong> Interval between consecutive ping checks for all peers.
Format uses <code>s</code>, <code>m</code>, <code>h</code>, <code>d</code> for seconds, minutes, hours, days, see <a href=https://golang.org/pkg/time/#ParseDuration>time.ParseDuration</a>.</li></ul><h3 id=data_collection_interval><code>data_collection_interval</code></h3><ul><li><strong>Default:</strong> <code>1m</code></li><li><strong>Description:</strong> Interval between data collection cycles (bytes sent/received, handshake times, etc.). Format uses <code>s</code>, <code>m</code>, <code>h</code>, <code>d</code> for seconds, minutes, hours, days, see <a href=https://golang.org/pkg/time/#ParseDuration>time.ParseDuration</a>.</li></ul><h3 id=collect_interface_data><code>collect_interface_data</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> If <code>true</code>, collects interface-level data (bytes in/out) for monitoring and statistics.</li></ul><h3 id=collect_peer_data><code>collect_peer_data</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> If <code>true</code>, collects peer-level data (bytes, last handshake, endpoint, etc.).</li></ul><h3 id=collect_audit_data><code>collect_audit_data</code></h3><ul><li><strong>Default:</strong> <code>true</code></li><li><strong>Description:</strong> If <code>true</code>, logs certain portal events (such as user logins) to the database.</li></ul><h3 id=listening_address><code>listening_address</code></h3><ul><li><strong>Default:</strong> <code>:8787</code></li><li><strong>Description:</strong> Address and port for the integrated Prometheus metric server (e.g., <code>:8787</code>).</li></ul><hr><h2 id=mail>Mail</h2><p>Options for configuring email notifications or sending peer configurations via email.</p><h3 id=host><code>host</code></h3><ul><li><strong>Default:</strong> <code>127.0.0.1</code></li><li><strong>Description:</strong> Hostname or IP of the SMTP
server.</li></ul><h3 id=port><code>port</code></h3><ul><li><strong>Default:</strong> <code>25</code></li><li><strong>Description:</strong> Port number for the SMTP server.</li></ul><h3 id=encryption><code>encryption</code></h3><ul><li><strong>Default:</strong> <code>none</code></li><li><strong>Description:</strong> SMTP encryption type. Valid values: <code>none</code>, <code>tls</code>, <code>starttls</code>.</li></ul><h3 id=cert_validation><code>cert_validation</c
</code></pre></div></li></ul><h4 id=admin_group><code>admin_group</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> A specific LDAP group whose members are considered administrators in WireGuard Portal. For example: <div class=highlight><pre><span></span><code>CN=WireGuardAdmins,OU=Some-OU,DC=YOURDOMAIN,DC=LOCAL
</code></pre></div></li></ul><h4 id=sync_interval><code>sync_interval</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> How frequently (in duration, e.g. <code>30m</code>) to synchronize users from LDAP. Empty or <code>0</code> disables sync. Format uses <code>s</code>, <code>m</code>, <code>h</code>, <code>d</code> for seconds, minutes, hours, days, see <a href=https://golang.org/pkg/time/#ParseDuration>time.ParseDuration</a>. Only users that match the <code>sync_filter</code> are synchronized. If <code>disable_missing</code> is <code>true</code>, users not found in LDAP are disabled.</li></ul><h4 id=sync_filter><code>sync_filter</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> An LDAP filter to select which users get synchronized into WireGuard Portal. For example: <div class=highlight><pre><span></span><code>(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
</code></pre></div></li></ul><h4 id=disable_missing><code>disable_missing</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> If <code>true</code>, any user <strong>not</strong> found in LDAP (during sync) is disabled in WireGuard Portal.</li></ul><h4 id=auto_re_enable><code>auto_re_enable</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> If <code>true</code>, users that were disabled because they were missing (see <code>disable_missing</code>) will be re-enabled once they are found again.</li></ul><h4 id=registration_enabled_2><code>registration_enabled</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> If <code>true</code>, new user accounts are created in WireGuard Portal upon first login.</li></ul><h4 id=log_user_info_2><code>log_user_info</code></h4><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> If <code>true</code>, logs LDAP user data at the trace level upon login.</li></ul><hr><h2 id=web>Web</h2><p>The web section contains configuration options for the web server, including the listening address, session management, and CSRF protection. It is important to specify a valid <code>external_url</code> for the web server, especially if you are using a reverse proxy. Without a valid <code>external_url</code>, the login process may fail due to CSRF protection.</p><h3 id=listening_address_1><code>listening_address</code></h3><ul><li><strong>Default:</strong> <code>:8888</code></li><li><strong>Description:</strong> The listening port of the web server.</li></ul><h3 id=external_url><code>external_url</code></h3><ul><li><strong>Default:</strong> <code>http://localhost:8888</code></li><li><strong>Description:</strong> The URL where a client can access WireGuard Portal.
This URL is used for generating links in emails and for performing OAuth redirects.<br><strong>Important:</strong> If you are using a reverse proxy, set this to the external URL of the reverse proxy, otherwise login will fail. If you access the portal via IP address, set this to the IP address of the server.</li></ul><h3 id=site_company_name><code>site_company_name</code></h3><ul><li><strong>Default:</strong> <code>WireGuard Portal</code></li><li><strong>Description:</strong> The company name that is shown at the bottom of the web frontend.</li></ul><h3 id=site_title><code>site_title</code></h3><ul><li><strong>Default:</strong> <code>WireGuard Portal</code></li><li><strong>Description:</strong> The title that is shown in the web frontend.</li></ul><h3 id=session_identifier><code>session_identifier</code></h3><ul><li><strong>Default:</strong> <code>wgPortalSession</code></li><li><strong>Description:</strong> The session identifier for the web frontend.</li></ul><h3 id=session_secret><code>session_secret</code></h3><ul><li><strong>Default:</strong> <code>very_secret</code></li><li><strong>Description:</strong> The session secret for the web frontend.</li></ul><h3 id=csrf_secret><code>csrf_secret</code></h3><ul><li><strong>Default:</strong> <code>extremely_secret</code></li><li><strong>Description:</strong> The CSRF secret.</li></ul><h3 id=request_logging><code>request_logging</code></h3><ul><li><strong>Default:</strong> <code>false</code></li><li><strong>Description:</strong> Log all HTTP requests.</li></ul><h3 id=cert_file><code>cert_file</code></h3><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> (Optional) Path to the TLS certificate file.</li></ul><h3 id=key_file><code>key_file</code></h3><ul><li><strong>Default:</strong> <em>(empty)</em></li><li><strong>Description:</strong> (Optional) Path to the TLS certificate key file.</li></ul><hr><h2 id=webhook>Webhook</h2><p>The webhook section allows you to configure a webhook that is called on
certain events in WireGuard Portal. A JSON object is sent in a POST request to the webhook URL with the following structu