Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2025-06-29 09:47:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
wg-portal/master/documentation/usage/security/index.html
github-actions[bot] 85d4aaea8c Deployed 7fd2bba to master with MkDocs 1.6.1 and mike 2.1.3
2025-05-17 17:23:27 +00:00

28 lines
34 KiB
HTML
Raw Blame History

<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><link href=https://wgportal.org/master/documentation/usage/security/ rel=canonical><link href=../ldap/ rel=prev><link href=../../rest-api/api-doc/ rel=next><link rel=icon href=../../../assets/images/favicon-large.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.6.14"><title>Security - WireGuard Portal</title><link rel=stylesheet href=../../../assets/stylesheets/main.342714a4.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.06af60db.min.css><link rel=stylesheet href=../../../stylesheets/extra.css><script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="Security - WireGuard Portal"><meta property=og:description content="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><meta property=og:image content=https://wgportal.org/master/assets/images/social/documentation/usage/security.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://wgportal.org/master/documentation/usage/security/ property=og:url><meta name=twitter:card content=summary_large_image><meta name=twitter:title content="Security - WireGuard Portal"><meta name=twitter:description content="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><meta name=twitter:image content=https://wgportal.org/master/assets/images/social/documentation/usage/security.png></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../../.. title="WireGuard Portal" class="md-header__button md-logo" aria-label="WireGuard Portal" data-md-component=logo> <img src=../../../assets/images/logo.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> WireGuard Portal </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Security </span> </div> </div> </div> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </label> <nav class=md-search__options aria-label=Search> <button type=reset class="md-search__icon md-icon" title=Clear aria-label=Clear tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg> </button> </nav> </form> <div class=md-search__output> <div class=md-search__scrollwrap tabindex=0 data-md-scrollfix> <div class=md-search-result data-md-component=search-result> <div class=md-search-result__meta> Initializing search </div> <ol class=md-search-result__list role=presentation></ol> </div> </div> </div> </div> </div> <div class=md-header__source> <a href=https://github.com/h44z/wg-portal title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg> </div> <div class=md-source__repository> h44z/wg-portal </div> </a> </div> </nav> </header> <div class=md-container data-md-component=container> <nav class=md-tabs aria-label=Tabs data-md-component=tabs> <div class=md-grid> <ul class=md-tabs__list> <li class=md-tabs__item> <a href=../../.. class=md-tabs__link> Home </a> </li> <li class="md-tabs__item md-tabs__item--active"> <a href=../../overview/ class=md-tabs__link> Documentation </a> </li> </ul> </div> </nav> <main class=md-main data-md-component=main> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component=sidebar data-md-type=navigation> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label=Navigation data-md-level=0> <label class=md-nav__title for=__drawer> <a href=../../.. title="WireGuard Portal" class="md-nav__button md-logo" aria-label="WireGuard Portal" data-md-component=logo> <img src=../../../assets/images/logo.svg alt=logo> </a> WireGuard Portal </label> <div class=md-nav__source> <a href=https://github.com/h44z/wg-portal title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg> </div> <div class=md-source__repository> h44z/wg-portal </div> </a> </div> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../.. class=md-nav__link> <span class=md-ellipsis> Home </span> </a> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_2 checked> <label class=md-nav__link for=__nav_2 id=__nav_2_label tabindex> <span class=md-ellipsis> Documentation </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_2_label aria-expanded=true> <label class=md-nav__title for=__nav_2> <span class="md-nav__icon md-icon"></span> Documentation </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../overview/ class=md-nav__link> <span class=md-ellipsis> Overview </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type=checkbox id=__nav_2_2> <label class=md-nav__link for=__nav_2_2 id=__nav_2_2_label tabindex=0> <span class=md-ellipsis> Getting Started </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_2_2_label aria-expanded=false> <label class=md-nav__title for=__nav_2_2> <span class="md-nav__icon md-icon"></span> Getting Started </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../getting-started/binaries/ class=md-nav__link> <span class=md-ellipsis> Binaries </span> </a> </li> <li class=md-nav__item> <a href=../../getting-started/docker/ class=md-nav__link> <span class=md-ellipsis> Docker </span> </a> </li> <li class=md-nav__item> <a href=../../getting-started/helm/ class=md-nav__link> <span class=md-ellipsis> Helm </span> </a> </li> <li class=md-nav__item> <a href=../../getting-started/sources/ class=md-nav__link> <span class=md-ellipsis> Sources </span> </a> </li> <li class=md-nav__item> <a href=../../getting-started/reverse-proxy/ class=md-nav__link> <span class=md-ellipsis> Reverse Proxy (HTTPS) </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type=checkbox id=__nav_2_3> <label class=md-nav__link for=__nav_2_3 id=__nav_2_3_label tabindex=0> <span class=md-ellipsis> Configuration </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_2_3_label aria-expanded=false> <label class=md-nav__title for=__nav_2_3> <span class="md-nav__icon md-icon"></span> Configuration </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../configuration/overview/ class=md-nav__link> <span class=md-ellipsis> Overview </span> </a> </li> <li class=md-nav__item> <a href=../../configuration/examples/ class=md-nav__link> <span class=md-ellipsis> Examples </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_2_4 checked> <label class=md-nav__link for=__nav_2_4 id=__nav_2_4_label tabindex=0> <span class=md-ellipsis> Usage </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_2_4_label aria-expanded=true> <label class=md-nav__title for=__nav_2_4> <span class="md-nav__icon md-icon"></span> Usage </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../general/ class=md-nav__link> <span class=md-ellipsis> General </span> </a> </li> <li class=md-nav__item> <a href=../ldap/ class=md-nav__link> <span class=md-ellipsis> LDAP </span> </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" type=checkbox id=__toc> <label class="md-nav__link md-nav__link--active" for=__toc> <span class=md-ellipsis> Security </span> <span class="md-nav__icon md-icon"></span> </label> <a href=./ class="md-nav__link md-nav__link--active"> <span class=md-ellipsis> Security </span> </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#authentication class=md-nav__link> <span class=md-ellipsis> Authentication </span> </a> <nav class=md-nav aria-label=Authentication> <ul class=md-nav__list> <li class=md-nav__item> <a href=#password-security class=md-nav__link> <span class=md-ellipsis> Password Security </span> </a> </li> <li class=md-nav__item> <a href=#passkey-webauthn-authentication class=md-nav__link> <span class=md-ellipsis> Passkey (WebAuthn) Authentication </span> </a> </li> <li class=md-nav__item> <a href=#oauth-and-oidc-authentication class=md-nav__link> <span class=md-ellipsis> OAuth and OIDC Authentication </span> </a> <nav class=md-nav aria-label="OAuth and OIDC Authentication"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#limiting-login-to-specific-domains class=md-nav__link> <span class=md-ellipsis> Limiting Login to Specific Domains </span> </a> </li> <li class=md-nav__item> <a href=#limit-login-to-existing-users class=md-nav__link> <span class=md-ellipsis> Limit Login to Existing Users </span> </a> </li> <li class=md-nav__item> <a href=#admin-mapping class=md-nav__link> <span class=md-ellipsis> Admin Mapping </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#ldap-authentication class=md-nav__link> <span class=md-ellipsis> LDAP Authentication </span> </a> <nav class=md-nav aria-label="LDAP Authentication"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#limiting-login-to-specific-users class=md-nav__link> <span class=md-ellipsis> Limiting Login to Specific Users </span> </a> </li> <li class=md-nav__item> <a href=#limit-login-to-existing-users_1 class=md-nav__link> <span class=md-ellipsis> Limit Login to Existing Users </span> </a> </li> <li class=md-nav__item> <a href=#admin-mapping_1 class=md-nav__link> <span class=md-ellipsis> Admin Mapping </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#ui-and-api-access class=md-nav__link> <span class=md-ellipsis> UI and API Access </span> </a> <nav class=md-nav aria-label="UI and API Access"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#https class=md-nav__link> <span class=md-ellipsis> HTTPS </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../rest-api/api-doc/ class=md-nav__link> <span class=md-ellipsis> REST API </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../upgrade/v1/ class=md-nav__link> <span class=md-ellipsis> Upgrade </span> </a> </li> <li class=md-nav__item> <a href=../../monitoring/prometheus/ class=md-nav__link> <span class=md-ellipsis> Monitoring </span> </a> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component=sidebar data-md-type=toc> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#authentication class=md-nav__link> <span class=md-ellipsis> Authentication </span> </a> <nav class=md-nav aria-label=Authentication> <ul class=md-nav__list> <li class=md-nav__item> <a href=#password-security class=md-nav__link> <span class=md-ellipsis> Password Security </span> </a> </li> <li class=md-nav__item> <a href=#passkey-webauthn-authentication class=md-nav__link> <span class=md-ellipsis> Passkey (WebAuthn) Authentication </span> </a> </li> <li class=md-nav__item> <a href=#oauth-and-oidc-authentication class=md-nav__link> <span class=md-ellipsis> OAuth and OIDC Authentication </span> </a> <nav class=md-nav aria-label="OAuth and OIDC Authentication"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#limiting-login-to-specific-domains class=md-nav__link> <span class=md-ellipsis> Limiting Login to Specific Domains </span> </a> </li> <li class=md-nav__item> <a href=#limit-login-to-existing-users class=md-nav__link> <span class=md-ellipsis> Limit Login to Existing Users </span> </a> </li> <li class=md-nav__item> <a href=#admin-mapping class=md-nav__link> <span class=md-ellipsis> Admin Mapping </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#ldap-authentication class=md-nav__link> <span class=md-ellipsis> LDAP Authentication </span> </a> <nav class=md-nav aria-label="LDAP Authentication"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#limiting-login-to-specific-users class=md-nav__link> <span class=md-ellipsis> Limiting Login to Specific Users </span> </a> </li> <li class=md-nav__item> <a href=#limit-login-to-existing-users_1 class=md-nav__link> <span class=md-ellipsis> Limit Login to Existing Users </span> </a> </li> <li class=md-nav__item> <a href=#admin-mapping_1 class=md-nav__link> <span class=md-ellipsis> Admin Mapping </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#ui-and-api-access class=md-nav__link> <span class=md-ellipsis> UI and API Access </span> </a> <nav class=md-nav aria-label="UI and API Access"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#https class=md-nav__link> <span class=md-ellipsis> HTTPS </span> </a> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class=md-content data-md-component=content> <article class="md-content__inner md-typeset"> <h1>Security</h1> <p>This section describes the security features available to administrators for hardening WireGuard Portal and protecting its data.</p> <h2 id=authentication>Authentication</h2> <p>WireGuard Portal supports multiple authentication methods, including:</p> <ul> <li>Local user accounts</li> <li>LDAP authentication</li> <li>OAuth and OIDC authentication</li> <li>Passkey authentication (WebAuthn)</li> </ul> <p>Users can have two roles which limit their permissions in WireGuard Portal:</p> <ul> <li><strong>User</strong>: Can manage their own account and peers.</li> <li><strong>Admin</strong>: Can manage all users and peers, including the ability to manage WireGuard interfaces.</li> </ul> <h3 id=password-security>Password Security</h3> <p>WireGuard Portal supports username and password authentication for both local and LDAP-backed accounts. Local users are stored in the database, while LDAP users are authenticated against an external LDAP server.</p> <p>On initial startup, WireGuard Portal automatically creates a local admin account with the password <code>wgportal-default</code>.</p> <blockquote> <p><img alt= class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg title=:warning:> This password must be changed immediately after the first login.</p> </blockquote> <p>The minimum password length for all local users can be configured in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file. The default value is <strong>16</strong> characters, see <a href=../../configuration/overview/#min_password_length><code>min_password_length</code></a>. The minimum password length is also enforced for the default admin user.</p> <h3 id=passkey-webauthn-authentication>Passkey (WebAuthn) Authentication</h3> <p>Besides the standard authentication mechanisms, WireGuard Portal supports Passkey authentication. This feature is enabled by default and can be configured in the <a href=../../configuration/overview/#webauthn-passkeys><code>webauthn</code></a> section of the configuration file.</p> <p>Users can register multiple Passkeys to their account. These Passkeys can be used to log in to the web UI as long as the user is not locked.</p> <blockquote> <p><img alt= class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg title=:warning:> Passkey authentication does not disable password authentication. The password can still be used to log in (e.g., as a fallback).</p> </blockquote> <p>To register a Passkey, open the settings page <em>(1)</em> in the web UI and click on the "Register Passkey" <em>(2)</em> button.</p> <p><img alt="Passkey UI" src=../../../assets/images/passkey_setup.png></p> <h3 id=oauth-and-oidc-authentication>OAuth and OIDC Authentication</h3> <p>WireGuard Portal supports OAuth and OIDC authentication. You can use any OAuth or OIDC provider that supports the authorization code flow, such as Google, GitHub, or Keycloak.</p> <p>For OAuth or OIDC to work, you need to configure the <a href=../../configuration/overview/#external_url><code>external_url</code></a> property in the <a href=../../configuration/overview/#web><code>web</code></a> section of the configuration file. If you are planning to expose the portal to the internet, make sure that the <code>external_url</code> is configured to use HTTPS.</p> <p>To add OIDC or OAuth authentication to WireGuard Portal, create a Client-ID and Client-Secret in your OAuth provider and configure a new authentication provider in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file. Make sure that each configured provider has a unique <code>provider_name</code> property set. Samples can be seen <a href=../../configuration/examples/ >here</a>.</p> <h4 id=limiting-login-to-specific-domains>Limiting Login to Specific Domains</h4> <p>You can limit the login to specific domains by setting the <code>allowed_domains</code> property for OAuth or OIDC providers. This property is a comma-separated list of domains that are allowed to log in. The user's email address is checked against this list. For example, if you want to allow only users with an email address ending in <code>outlook.com</code> to log in, set the property as follows:</p> <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w> </span><span class=nt>oidc</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>&quot;oidc1&quot;</span>
<span class=w> </span><span class=c1># ... other settings</span>
<span class=w> </span><span class=nt>allowed_domains</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=s>&quot;outlook.com&quot;</span>
</code></pre></div> <h4 id=limit-login-to-existing-users>Limit Login to Existing Users</h4> <p>You can limit the login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for OAuth or OIDC providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p> <h4 id=admin-mapping>Admin Mapping</h4> <p>You can map users to admin roles based on their attributes in the OAuth or OIDC provider. To do this, set the <code>admin_mapping</code> property for the provider. Administrative access can either be mapped by a specific attribute or by group membership.</p> <p><strong>Attribute specific mapping</strong> can be achieved by setting the <code>admin_value_regex</code> and the <code>is_admin</code> property. The <code>admin_value_regex</code> property is a regular expression that is matched against the value of the <code>is_admin</code> attribute. The user is granted admin access if the regex matches the attribute value.</p> <p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w> </span><span class=nt>oidc</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>&quot;oidc1&quot;</span>
<span class=w> </span><span class=c1># ... other settings</span>
<span class=w> </span><span class=nt>field_map</span><span class=p>:</span>
<span class=w> </span><span class=nt>is_admin</span><span class=p>:</span><span class=w> </span><span class=s>&quot;wg_admin_prop&quot;</span>
<span class=w> </span><span class=nt>admin_mapping</span><span class=p>:</span>
<span class=w> </span><span class=nt>admin_value_regex</span><span class=p>:</span><span class=w> </span><span class=s>&quot;^true$&quot;</span>
</code></pre></div> The example above will grant admin access to users with the <code>wg_admin_prop</code> attribute set to <code>true</code>.</p> <p><strong>Group membership mapping</strong> can be achieved by setting the <code>admin_group_regex</code> and <code>user_groups</code> property. The <code>admin_group_regex</code> property is a regular expression that is matched against the group names of the user. The user is granted admin access if the regex matches any of the group names.</p> <p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w> </span><span class=nt>oidc</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>&quot;oidc1&quot;</span>
<span class=w> </span><span class=c1># ... other settings</span>
<span class=w> </span><span class=nt>field_map</span><span class=p>:</span>
<span class=w> </span><span class=nt>user_groups</span><span class=p>:</span><span class=w> </span><span class=s>&quot;groups&quot;</span>
<span class=w> </span><span class=nt>admin_mapping</span><span class=p>:</span>
<span class=w> </span><span class=nt>admin_group_regex</span><span class=p>:</span><span class=w> </span><span class=s>&quot;^the-admin-group$&quot;</span>
</code></pre></div> The example above will grant admin access to users who are members of the <code>the-admin-group</code> group.</p> <h3 id=ldap-authentication>LDAP Authentication</h3> <p>WireGuard Portal supports LDAP authentication. You can use any LDAP server that supports the LDAP protocol, such as Active Directory or OpenLDAP. Multiple LDAP servers can be configured in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file. WireGuard Portal remembers the authentication provider of the user and therefore avoids conflicts between multiple LDAP providers.</p> <p>To configure LDAP authentication, create a new <a href=../../configuration/overview/#ldap><code>ldap</code></a> authentication provider in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file.</p> <h4 id=limiting-login-to-specific-users>Limiting Login to Specific Users</h4> <p>You can limit the login to specific users by setting the <code>login_filter</code> property for LDAP provider. This filter uses the LDAP search filter syntax. The username can be inserted into the query by placing the <code>{{login_identifier}}</code> placeholder in the filter. This placeholder will then be replaced with the username entered by the user during login.</p> <p>For example, if you want to allow only users with the <code>objectClass</code> attribute set to <code>organizationalPerson</code> to log in, set the property as follows:</p> <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
<span class=w> </span><span class=nt>ldap</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>provider_name</span><span class=p>:</span><span class=w> </span><span class=s>&quot;ldap1&quot;</span>
<span class=w> </span><span class=c1># ... other settings</span>
<span class=w> </span><span class=nt>login_filter</span><span class=p>:</span><span class=w> </span><span class=s>&quot;(&amp;(objectClass=organizationalPerson)(uid={{login_identifier}}))&quot;</span>
</code></pre></div> <p>The <code>login_filter</code> should always be designed to return at most one user.</p> <h4 id=limit-login-to-existing-users_1>Limit Login to Existing Users</h4> <p>You can limit the login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for LDAP providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p> <h4 id=admin-mapping_1>Admin Mapping</h4> <p>You can map users to admin roles based on their group membership in the LDAP server. To do this, set the <code>admin_group</code> and <code>memberof</code> property for the provider. The <code>admin_group</code> property defines the distinguished name of the group that is allowed to log in as admin. All groups that are listed in the <code>memberof</code> attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.</p> <h2 id=ui-and-api-access>UI and API Access</h2> <p>WireGuard Portal provides a web UI and a REST API for user interaction. It is important to secure these interfaces to prevent unauthorized access and data breaches.</p> <h3 id=https>HTTPS</h3> <p>It is recommended to use HTTPS for all communication with the portal to prevent eavesdropping. </p> <p>Event though, WireGuard Portal supports HTTPS out of the box, it is recommended to use a reverse proxy like Nginx or Traefik to handle SSL termination and other security features. A detailed explanation is available in the <a href=../../getting-started/reverse-proxy/ >Reverse Proxy</a> section.</p> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> </main> <!-- Application footer --> <footer class=md-footer> <!-- Further information --> <div class="md-footer-meta md-typeset" style="background-color: #fff;"> <div class="md-footer-meta__inner md-grid" style="background-color: #fff;"> <!-- Copyright and theme information --> <div class=md-footer-copyright> <div class=md-footer-copyright__highlight style="color: rgb(38, 38, 38);"> Copyright &copy; 2023-2025 WireGuard Portal Project </div> <div style="color: rgb(38, 38, 38);"> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener style="color: black;"> Material for MkDocs </a> </div> </div> <!-- Social links --> <div class=md-social> <a href=https://github.com/h44z/wg-portal target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 480 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M186.1 328.7c0 20.9-10.9 55.1-36.7 55.1s-36.7-34.2-36.7-55.1 10.9-55.1 36.7-55.1 36.7 34.2 36.7 55.1M480 278.2c0 31.9-3.2 65.7-17.5 95-37.9 76.6-142.1 74.8-216.7 74.8-75.8 0-186.2 2.7-225.6-74.8-14.6-29-20.2-63.1-20.2-95 0-41.9 13.9-81.5 41.5-113.6-5.2-15.8-7.7-32.4-7.7-48.8 0-21.5 4.9-32.3 14.6-51.8 45.3 0 74.3 9 108.8 36 29-6.9 58.8-10 88.7-10 27 0 54.2 2.9 80.4 9.2 34-26.7 63-35.2 107.8-35.2 9.8 19.5 14.6 30.3 14.6 51.8 0 16.4-2.6 32.7-7.7 48.2 27.5 32.4 39 72.3 39 114.2m-64.3 50.5c0-43.9-26.7-82.6-73.5-82.6-18.9 0-37 3.4-56 6-14.9 2.3-29.8 3.2-45.1 3.2-15.2 0-30.1-.9-45.1-3.2-18.7-2.6-37-6-56-6-46.8 0-73.5 38.7-73.5 82.6 0 87.8 80.4 101.3 150.4 101.3h48.2c70.3 0 150.6-13.4 150.6-101.3m-82.6-55.1c-25.8 0-36.7 34.2-36.7 55.1s10.9 55.1 36.7 55.1 36.7-34.2 36.7-55.1-10.9-55.1-36.7-55.1"/></svg> </a> <a href=https://hub.docker.com/r/wgportal/wg-portal target=_blank rel=noopener title=hub.docker.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 640 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M349.9 236.3h-66.1v-59.4h66.1zm0-204.3h-66.1v60.7h66.1zm78.2 144.8H362v59.4h66.1zm-156.3-72.1h-66.1v60.1h66.1zm78.1 0h-66.1v60.1h66.1zm276.8 100c-14.4-9.7-47.6-13.2-73.1-8.4-3.3-24-16.7-44.9-41.1-63.7l-14-9.3-9.3 14c-18.4 27.8-23.4 73.6-3.7 103.8-8.7 4.7-25.8 11.1-48.4 10.7H2.4c-8.7 50.8 5.8 116.8 44 162.1 37.1 43.9 92.7 66.2 165.4 66.2 157.4 0 273.9-72.5 328.4-204.2 21.4.4 67.6.1 91.3-45.2 1.5-2.5 6.6-13.2 8.5-17.1zm-511.1-27.9h-66v59.4h66.1v-59.4zm78.1 0h-66.1v59.4h66.1zm78.1 0h-66.1v59.4h66.1zm-78.1-72.1h-66.1v60.1h66.1z"/></svg> </a> <a href=https://twitter.com/chris_h44z target=_blank rel=noopener title=twitter.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 512 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253"/></svg> </a> </div> </div> </div> </footer> </div> <div class=md-dialog data-md-component=dialog> <div class="md-dialog__inner md-typeset"></div> </div> <script id=__config type=application/json>{"base": "../../..", "features": ["content.code.copy", "navigation.instant", "navigation.tabs", "navigation.expand"], "search": "../../../assets/javascripts/workers/search.d50fe291.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "latest", "provider": "mike"}}</script> <script src=../../../assets/javascripts/bundle.13a4f30d.min.js></script> </body> </html>
Reference in New Issue View Git Blame Copy Permalink