diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1aba90f..007f958 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -28,3 +28,8 @@ updates:
patch:
update-types:
- patch
+
+ - package-ecosystem: "docker"
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/Dockerfile b/Dockerfile
index e904d89..f850ece 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,7 +50,7 @@ COPY --from=builder /build/dist/wg-portal /
######
# Final image
######
-FROM alpine:3.19
+FROM alpine:3.22
# Install OS-level dependencies
RUN apk add --no-cache bash curl iptables nftables openresolv wireguard-tools
# Setup timezone
diff --git a/cmd/wg-portal/main.go b/cmd/wg-portal/main.go
index 753cb81..97f0b67 100644
--- a/cmd/wg-portal/main.go
+++ b/cmd/wg-portal/main.go
@@ -88,6 +88,7 @@ func main() {
authenticator, err := auth.NewAuthenticator(&cfg.Auth, cfg.Web.ExternalUrl, eventBus, userManager)
internal.AssertNoError(err)
+ authenticator.StartBackgroundJobs(ctx)
webAuthn, err := auth.NewWebAuthnAuthenticator(cfg, eventBus, userManager)
internal.AssertNoError(err)
diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md
index 70496aa..dd20d79 100644
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -38,6 +38,7 @@ advanced:
rule_prio_offset: 20000
route_table_offset: 20000
api_admin_only: true
+ limit_additional_user_peers: 0
database:
debug: false
@@ -75,6 +76,7 @@ auth:
webauthn:
enabled: true
min_password_length: 16
+ hide_login_form: false
web:
listening_address: :8888
@@ -215,6 +217,10 @@ Additional or more specialized configuration options for logging and interface c
- **Default:** `true`
- **Description:** If `true`, the public REST API is accessible only to admin users. The API docs live at [`/api/v1/doc.html`](../rest-api/api-doc.md).
+### `limit_additional_user_peers`
+- **Default:** `0`
+- **Description:** Limit additional peers a normal user can create. `0` means unlimited.
+
---
## Database
@@ -349,6 +355,12 @@ Some core authentication options are shared across all providers, while others a
The default admin password strength is also enforced by this setting.
- **Important:** The password should be strong and secure. It is recommended to use a password with at least 16 characters, including uppercase and lowercase letters, numbers, and special characters.
+### `hide_login_form`
+- **Default:** `false`
+- **Description:** If `true`, the login form is hidden and only the OIDC, OAuth, LDAP, or WebAuthn providers are shown. This is useful if you want to enforce a specific authentication method.
+ If no social login providers are configured, the login form is always shown, regardless of this setting.
+- **Important:** You can still access the login form by adding the `?all` query parameter to the login URL (e.g. https://wg.portal/#/login?all).
+
---
### OIDC
@@ -661,18 +673,7 @@ Without a valid `external_url`, the login process may fail due to CSRF protectio
## Webhook
The webhook section allows you to configure a webhook that is called on certain events in WireGuard Portal.
-A JSON object is sent in a POST request to the webhook URL with the following structure:
-```json
-{
- "event": "peer_created",
- "entity": "peer",
- "identifier": "the-peer-identifier",
- "payload": {
- // The payload of the event, e.g. peer data.
- // Check the API documentation for the exact structure.
- }
-}
-```
+Further details can be found in the [usage documentation](../usage/webhooks.md).
### `url`
- **Default:** *(empty)*
diff --git a/docs/documentation/usage/webhooks.md b/docs/documentation/usage/webhooks.md
new file mode 100644
index 0000000..1d0c692
--- /dev/null
+++ b/docs/documentation/usage/webhooks.md
@@ -0,0 +1,285 @@
+
+Webhooks allow WireGuard Portal to notify external services about events such as user creation, device changes, or configuration updates. This enables integration with other systems and automation workflows.
+
+When webhooks are configured and a specified event occurs, WireGuard Portal sends an HTTP **POST** request to the configured webhook URL.
+The payload contains event-specific data in JSON format.
+
+## Configuration
+
+All available configuration options for webhooks can be found in the [configuration overview](../configuration/overview.md#webhook).
+
+A basic webhook configuration looks like this:
+
+```yaml
+webhook:
+ url: https://your-service.example.com/webhook
+```
+
+### Security
+
+Webhooks can be secured by using a shared secret. This secret is included in the `Authorization` header of the webhook request, allowing your service to verify the authenticity of the request.
+You can set the shared secret in the webhook configuration:
+
+```yaml
+webhook:
+ url: https://your-service.example.com/webhook
+ secret: "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
+```
+
+You should also make sure that your webhook endpoint is secured with HTTPS to prevent eavesdropping and tampering.
+
+## Available Events
+
+WireGuard Portal supports various events that can trigger webhooks. The following events are available:
+
+- `create`: Triggered when a new entity is created.
+- `update`: Triggered when an existing entity is updated.
+- `delete`: Triggered when an entity is deleted.
+- `connect`: Triggered when a user connects to the VPN.
+- `disconnect`: Triggered when a user disconnects from the VPN.
+
+The following entity models are supported for webhook events:
+
+- `user`: WireGuard Portal users support creation, update, or deletion events.
+- `peer`: Peers support creation, update, or deletion events. Via the `peer_metric` entity, you can also receive connection status updates.
+- `peer_metric`: Peer metrics support connection status updates, such as when a peer connects or disconnects.
+- `interface`: WireGuard interfaces support creation, update, or deletion events.
+
+## Payload Structure
+
+All webhook events send a JSON payload containing relevant data. The structure of the payload depends on the event type and entity involved.
+A common shell structure for webhook payloads is as follows:
+
+```json
+{
+ "event": "create", // The event type, e.g. "create", "update", "delete", "connect", "disconnect"
+ "entity": "user", // The entity type, e.g. "user", "peer", "peer_metric", "interface"
+ "identifier": "the-user-identifier", // Unique identifier of the entity, e.g. user ID or peer ID
+ "payload": {
+ // The payload of the event, e.g. a Peer model.
+ // Detailed model descriptions are provided below.
+ }
+}
+```
+
+### Payload Models
+
+All payload models are encoded as JSON objects. Fields with empty values might be omitted in the payload.
+
+#### User Payload (entity: `user`)
+
+| JSON Field | Type | Description |
+|----------------|-------------|-----------------------------------|
+| CreatedBy | string | Creator identifier |
+| UpdatedBy | string | Last updater identifier |
+| CreatedAt | time.Time | Time of creation |
+| UpdatedAt | time.Time | Time of last update |
+| Identifier | string | Unique user identifier |
+| Email | string | User email |
+| Source | string | Authentication source |
+| ProviderName | string | Name of auth provider |
+| IsAdmin | bool | Whether user has admin privileges |
+| Firstname | string | User's first name (optional) |
+| Lastname | string | User's last name (optional) |
+| Phone | string | Contact phone number (optional) |
+| Department | string | User's department (optional) |
+| Notes | string | Additional notes (optional) |
+| Disabled | *time.Time | When user was disabled |
+| DisabledReason | string | Reason for deactivation |
+| Locked | *time.Time | When user account was locked |
+| LockedReason | string | Reason for being locked |
+
+
+#### Peer Payload (entity: `peer`)
+
+| JSON Field | Type | Description |
+|----------------------|------------|----------------------------------------|
+| CreatedBy | string | Creator identifier |
+| UpdatedBy | string | Last updater identifier |
+| CreatedAt | time.Time | Creation timestamp |
+| UpdatedAt | time.Time | Last update timestamp |
+| Endpoint | string | Peer endpoint address |
+| EndpointPublicKey | string | Public key of peer endpoint |
+| AllowedIPsStr | string | Allowed IPs |
+| ExtraAllowedIPsStr | string | Extra allowed IPs |
+| PresharedKey | string | Pre-shared key for encryption |
+| PersistentKeepalive | int | Keepalive interval in seconds |
+| DisplayName | string | Display name of the peer |
+| Identifier | string | Unique identifier |
+| UserIdentifier | string | Associated user ID (optional) |
+| InterfaceIdentifier | string | Interface this peer is attached to |
+| Disabled | *time.Time | When the peer was disabled |
+| DisabledReason | string | Reason for being disabled |
+| ExpiresAt | *time.Time | Expiration date |
+| Notes | string | Notes for this peer |
+| AutomaticallyCreated | bool | Whether peer was auto-generated |
+| PrivateKey | string | Peer private key |
+| PublicKey | string | Peer public key |
+| InterfaceType | string | Type of the peer interface |
+| Addresses | []string | IP addresses |
+| CheckAliveAddress | string | Address used for alive checks |
+| DnsStr | string | DNS servers |
+| DnsSearchStr | string | DNS search domains |
+| Mtu | int | MTU (Maximum Transmission Unit) |
+| FirewallMark | uint32 | Firewall mark (optional) |
+| RoutingTable | string | Custom routing table (optional) |
+| PreUp | string | Command before bringing up interface |
+| PostUp | string | Command after bringing up interface |
+| PreDown | string | Command before bringing down interface |
+| PostDown | string | Command after bringing down interface |
+
+
+#### Interface Payload (entity: `interface`)
+
+| JSON Field | Type | Description |
+|----------------------------|------------|----------------------------------------|
+| CreatedBy | string | Creator identifier |
+| UpdatedBy | string | Last updater identifier |
+| CreatedAt | time.Time | Creation timestamp |
+| UpdatedAt | time.Time | Last update timestamp |
+| Identifier | string | Unique identifier |
+| PrivateKey | string | Private key for the interface |
+| PublicKey | string | Public key for the interface |
+| ListenPort | int | Listening port |
+| Addresses | []string | IP addresses |
+| DnsStr | string | DNS servers |
+| DnsSearchStr | string | DNS search domains |
+| Mtu | int | MTU (Maximum Transmission Unit) |
+| FirewallMark | uint32 | Firewall mark |
+| RoutingTable | string | Custom routing table |
+| PreUp | string | Command before bringing up interface |
+| PostUp | string | Command after bringing up interface |
+| PreDown | string | Command before bringing down interface |
+| PostDown | string | Command after bringing down interface |
+| SaveConfig | bool | Whether to save config to file |
+| DisplayName | string | Human-readable name |
+| Type | string | Type of interface |
+| DriverType | string | Driver used |
+| Disabled | *time.Time | When the interface was disabled |
+| DisabledReason | string | Reason for being disabled |
+| PeerDefNetworkStr | string | Default peer network configuration |
+| PeerDefDnsStr | string | Default peer DNS servers |
+| PeerDefDnsSearchStr | string | Default peer DNS search domains |
+| PeerDefEndpoint | string | Default peer endpoint |
+| PeerDefAllowedIPsStr | string | Default peer allowed IPs |
+| PeerDefMtu | int | Default peer MTU |
+| PeerDefPersistentKeepalive | int | Default keepalive value |
+| PeerDefFirewallMark | uint32 | Default firewall mark for peers |
+| PeerDefRoutingTable | string | Default routing table for peers |
+| PeerDefPreUp | string | Default peer pre-up command |
+| PeerDefPostUp | string | Default peer post-up command |
+| PeerDefPreDown | string | Default peer pre-down command |
+| PeerDefPostDown | string | Default peer post-down command |
+
+
+#### Peer Metrics Payload (entity: `peer_metric`)
+
+| JSON Field | Type | Description |
+|------------|------------|----------------------------|
+| Status | PeerStatus | Current status of the peer |
+| Peer | Peer | Peer data |
+
+`PeerStatus` sub-structure:
+
+| JSON Field | Type | Description |
+|------------------|------------|------------------------------|
+| UpdatedAt | time.Time | Time of last status update |
+| IsConnected | bool | Is peer currently connected |
+| IsPingable | bool | Can peer be pinged |
+| LastPing | *time.Time | Time of last successful ping |
+| BytesReceived | uint64 | Bytes received from peer |
+| BytesTransmitted | uint64 | Bytes sent to peer |
+| Endpoint | string | Last known endpoint |
+| LastHandshake | *time.Time | Last successful handshake |
+| LastSessionStart | *time.Time | Time the last session began |
+
+
+### Example Payloads
+
+The following payload is an example of a webhook event when a peer connects to the VPN:
+
+```json
+{
+ "event": "connect",
+ "entity": "peer_metric",
+ "identifier": "Fb5TaziAs1WrPBjC/MFbWsIelVXvi0hDKZ3YQM9wmU8=",
+ "payload": {
+ "Status": {
+ "UpdatedAt": "2025-06-27T22:20:08.734900034+02:00",
+ "IsConnected": true,
+ "IsPingable": false,
+ "BytesReceived": 212,
+ "BytesTransmitted": 2884,
+ "Endpoint": "10.55.66.77:58756",
+ "LastHandshake": "2025-06-27T22:19:46.580842776+02:00",
+ "LastSessionStart": "2025-06-27T22:19:46.580842776+02:00"
+ },
+ "Peer": {
+ "CreatedBy": "admin@wgportal.local",
+ "UpdatedBy": "admin@wgportal.local",
+ "CreatedAt": "2025-06-26T21:43:49.251839574+02:00",
+ "UpdatedAt": "2025-06-27T22:18:39.67763985+02:00",
+ "Endpoint": "10.55.66.1:51820",
+ "EndpointPublicKey": "eiVibpi3C2PUPcx2kwA5s09OgHx7AEaKMd33k0LQ5mM=",
+ "AllowedIPsStr": "10.11.12.0/24,fdfd:d3ad:c0de:1234::/64",
+ "ExtraAllowedIPsStr": "",
+ "PresharedKey": "p9DDeLUSLOdQcjS8ZsBAiqUzwDIUvTyzavRZFuzhvyE=",
+ "PersistentKeepalive": 16,
+ "DisplayName": "Peer Fb5TaziA",
+ "Identifier": "Fb5TaziAs1WrPBjC/MFbWsIelVXvi0hDKZ3YQM9wmU8=",
+ "UserIdentifier": "admin@wgportal.local",
+ "InterfaceIdentifier": "wgTesting",
+ "AutomaticallyCreated": false,
+ "PrivateKey": "QBFNBe+7J49ergH0ze2TGUJMFrL/2bOL50Z2cgluYW8=",
+ "PublicKey": "Fb5TaziAs1WrPBjC/MFbWsIelVXvi0hDKZ3YQM9wmU8=",
+ "InterfaceType": "client",
+ "Addresses": [
+ "10.11.12.10/32",
+ "fdfd:d3ad:c0de:1234::a/128"
+ ],
+ "CheckAliveAddress": "",
+ "DnsStr": "",
+ "DnsSearchStr": "",
+ "Mtu": 1420
+ }
+ }
+}
+```
+
+Here is another example of a webhook event when a peer is updated:
+
+```json
+{
+ "event": "update",
+ "entity": "peer",
+ "identifier": "Fb5TaziAs1WrPBjC/MFbWsIelVXvi0hDKZ3YQM9wmU8=",
+ "payload": {
+ "CreatedBy": "admin@wgportal.local",
+ "UpdatedBy": "admin@wgportal.local",
+ "CreatedAt": "2025-06-26T21:43:49.251839574+02:00",
+ "UpdatedAt": "2025-06-27T22:18:39.67763985+02:00",
+ "Endpoint": "10.55.66.1:51820",
+ "EndpointPublicKey": "eiVibpi3C2PUPcx2kwA5s09OgHx7AEaKMd33k0LQ5mM=",
+ "AllowedIPsStr": "10.11.12.0/24,fdfd:d3ad:c0de:1234::/64",
+ "ExtraAllowedIPsStr": "",
+ "PresharedKey": "p9DDeLUSLOdQcjS8ZsBAiqUzwDIUvTyzavRZFuzhvyE=",
+ "PersistentKeepalive": 16,
+ "DisplayName": "Peer Fb5TaziA",
+ "Identifier": "Fb5TaziAs1WrPBjC/MFbWsIelVXvi0hDKZ3YQM9wmU8=",
+ "UserIdentifier": "admin@wgportal.local",
+ "InterfaceIdentifier": "wgTesting",
+ "AutomaticallyCreated": false,
+ "PrivateKey": "QBFNBe+7J49ergH0ze2TGUJMFrL/2bOL50Z2cgluYW8=",
+ "PublicKey": "Fb5TaziAs1WrPBjC/MFbWsIelVXvi0hDKZ3YQM9wmU8=",
+ "InterfaceType": "client",
+ "Addresses": [
+ "10.11.12.10/32",
+ "fdfd:d3ad:c0de:1234::a/128"
+ ],
+ "CheckAliveAddress": "",
+ "DnsStr": "",
+ "DnsSearchStr": "",
+ "Mtu": 1420
+ }
+}
+```
\ No newline at end of file
diff --git a/frontend/index.html b/frontend/index.html
index fd8033f..287ef99 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -1,5 +1,5 @@
-
+
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index afbb37b..db118ca 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -14,8 +14,8 @@
"@popperjs/core": "^2.11.8",
"@simplewebauthn/browser": "^13.1.0",
"@vojtechlanka/vue-tags-input": "^3.1.1",
- "bootstrap": "^5.3.5",
- "bootswatch": "^5.3.5",
+ "bootstrap": "^5.3.7",
+ "bootswatch": "^5.3.7",
"flag-icons": "^7.3.2",
"ip-address": "^10.0.1",
"is-cidr": "^5.1.1",
@@ -1048,9 +1048,9 @@
}
},
"node_modules/bootstrap": {
- "version": "5.3.5",
- "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-5.3.5.tgz",
- "integrity": "sha512-ct1CHKtiobRimyGzmsSldEtM03E8fcEX4Tb3dGXz1V8faRwM50+vfHwTzOxB3IlKO7m+9vTH3s/3C6T2EAPeTA==",
+ "version": "5.3.7",
+ "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-5.3.7.tgz",
+ "integrity": "sha512-7KgiD8UHjfcPBHEpDNg+zGz8L3LqR3GVwqZiBRFX04a1BCArZOz1r2kjly2HQ0WokqTO0v1nF+QAt8dsW4lKlw==",
"funding": [
{
"type": "github",
@@ -1067,9 +1067,9 @@
}
},
"node_modules/bootswatch": {
- "version": "5.3.5",
- "resolved": "https://registry.npmjs.org/bootswatch/-/bootswatch-5.3.5.tgz",
- "integrity": "sha512-1z8LNoUL5NHmv/hNROALQ6qtjw9OJIjMgP8ovBlIft+oI15b/mvnzxGL896iO9LtoDZH0Vdm+D2YW+j03GduSg==",
+ "version": "5.3.7",
+ "resolved": "https://registry.npmjs.org/bootswatch/-/bootswatch-5.3.7.tgz",
+ "integrity": "sha512-n0X99+Jmpmd4vgkli5KwMOuAkgdyUPhq7cIAwoGXbM6WhE/mmkWACfxpr7WZeG9Pdx509Ndi+2K1HlzXXOr8/Q==",
"license": "MIT"
},
"node_modules/buffer-builder": {
diff --git a/frontend/package.json b/frontend/package.json
index 0be893a..e226a95 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -14,8 +14,8 @@
"@popperjs/core": "^2.11.8",
"@simplewebauthn/browser": "^13.1.0",
"@vojtechlanka/vue-tags-input": "^3.1.1",
- "bootstrap": "^5.3.5",
- "bootswatch": "^5.3.5",
+ "bootstrap": "^5.3.7",
+ "bootswatch": "^5.3.7",
"flag-icons": "^7.3.2",
"ip-address": "^10.0.1",
"is-cidr": "^5.1.1",
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index e6e20d2..cddea54 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -14,6 +14,10 @@ const settings = settingsStore()
onMounted(async () => {
console.log("Starting WireGuard Portal frontend...");
+ // restore theme from localStorage
+ const theme = localStorage.getItem('wgTheme') || 'light';
+ document.documentElement.setAttribute('data-bs-theme', theme);
+
await sec.LoadSecurityProperties();
await auth.LoadProviders();
@@ -40,6 +44,13 @@ const switchLanguage = function (lang) {
}
}
+const switchTheme = function (theme) {
+ if (document.documentElement.getAttribute('data-bs-theme') !== theme) {
+ localStorage.setItem('wgTheme', theme);
+ document.documentElement.setAttribute('data-bs-theme', theme);
+ }
+}
+
const languageFlag = computed(() => {
// `this` points to the component instance
let lang = appGlobal.$i18n.locale.toLowerCase();
@@ -125,6 +136,24 @@ const userDisplayName = computed(() => {
{{ $t('menu.login') }}
+
+
+
+
@@ -141,7 +170,7 @@ const userDisplayName = computed(() => {