My Wag installation

[wa2023pi]

Hi there,
looking for a VPN with MFA i stumbled upon wag.
Already using wireguard, this looked like a practical approach.

As I'm using Proxmox for allmost everything, i started deploying wag in an lxc container.
For using wireguard I added

lxc.cgroup2.devices.allow: c 10:200 
rwmlxc.mount.entry: /dev/net dev/net none bind,create=dir

on the corresponding lxc.conf on the Proxmox host

I was not able to use an unprivileged container as i had later problems with the wag process

wag wag[451]: 2024/04/28 06:50:46 unable to start router: failed to set memlock rlimit: operation not permitted

I did not get arround it and then used a privileged container with nesting enabled.
( some advice to use it inside an unprivileged container? )

logged in as root

apt update
apt upgrade
apt install wireguard-tools iptables mc tcpdump net-tools

and installed wag inside /opt/wag

mkdir /opt/wag
mkdir /opt/wag/certs
cd /opt/wag
wget https://github.com/NHAS/wag/releases/download/v7.3.2/wag
chmod u+x /opt/wag/wag

and then copy/paste the Full config example and the wag.service data from https://github.com/NHAS/wag inside

/opt/wag/config.json
and
/opt/wag/wag.service

to get the service running later.

ln -s /opt/wag/wag.service /etc/systemd/system
systemctl daemon-reload
systemctl enable wag.service

of course the service does not work at this point, we first have to adjust the config.json for our needs.

for routing to function you have to uncomment in

/etc/sysctl.conf

net.ipv4.ip_forward = 1

At home i have a special construct, as i'm using a access-router from my provider to access internet via dsl with pppoe and to use voip services. Behind i use an openwrt router as packet-filter, dns-filter, reverse-proxy and wireguard-vpn to access my private networks.To integrate wag i connected its lxc container with one network interface parallel to openwrt to get the wireguard port forwarded from my access-router. For the seccond interface i created a new vlan and firewall zone on openwrt to access my local networks.
so i edited /etc/network/interfaces to represent my interfaces and routing needs.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.5.254/24

auto eth1
iface eth1 inet static
        address 10.120.1.254/24
        gateway 10.120.1.1

up ip route add 192.168.1.0/24 via 192.168.5.1 dev eth0
up ip route add 192.168.99.0/24 via 192.168.5.1 dev eth0
up ip route add 192.168.77.0/24 via 192.168.5.1 dev eth0

The first step with wag is like with a normal wireguard instance, everybody who has a valid configuration can access the endpoint.

To manage and allow access to your networks wag presents 3 services ( configure ports to your needs ).

1. The admin gui on port 4433 where the configuration is done,
2. the api endpoint on port 8080 to download the wireguard config for the clients
3. the authentication website on port 443 .

The admin gui should only be accessible from the intranet and as i'm configuring the devices myself, also the api endpoint could only be accessed from my intranet. the authentication website is only accessible from inside the wireguard tunnel.

I also integrated my lets encrypt wildcard certificate for the three services and realized that it is important to the use the fullchain certificate. otherwise i was not able to access the sites.

Next problem was i could not access the authentication website ( and the external authprovider authelia ) after i established a successfull wireguard connection. I only got TLS handshake errors. Problem here was that i use wag behind my access-router and i had to reduce the wireguard MTU to 1380 , then everything was ok.
It seems to be the same problem like in #85

Now everything worked for me. I experimented with the policy rules and used only the default one *
My mobile is permanently connected to my home and so the internet access. For this 0.0.0.0/0 is inside "public routes" and my intranet networks belong to the "mfa routes" . So i can access intranet only authorized.

at the moment i'm experimenting with authelia, but there i still have problems.

here is my config.json ( ip's and keys are changed )

{
    "Socket": "/tmp/wag.sock",
    "Proxied": false,
    "NAT": false,
    "HelpMail": "[email protected]",
    "Lockout": 5,
    "ExternalAddress": "wag.domain.de",
    "MaxSessionLifetimeMinutes": 1800,
    "SessionInactivityTimeoutMinutes": 1800,
    "DownloadConfigFileName": "wg0.conf",
    "ManagementUI": {
        "ListenAddress": "192.168.5.254:4433",
        "CertPath": "/opt/wag/certs/fullchain.cer",
        "KeyPath": "/opt/wag/certs/key.cer",
        "Enabled": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": "192.168.5.254:8080",
            "CertPath": "/opt/wag/certs/fullchain.cer",
            "KeyPath": "/opt/wag/certs/key.cer"
        },
        "Tunnel": {
            "CertPath": "/opt/wag/certs/fullchain.cer",
            "KeyPath": "/opt/wag/certs/key.cer",
            "Port": "443"
        }
    },
    "Authenticators": {
        "DefaultMethod": "totp",
        "Issuer": "wgwag.domain.de:8080",
        "Methods": [
            "totp",
            "pam"
        ],
        "PAM": {
            "ServiceName": "vpncheckpass"
        }
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 53230,
        "PrivateKey": "xxxx",
        "Address": "10.10.10.1/24",
        "MTU": 1380,
        "DNS": [
            "192.168.5.1/32"
        ]
    },
    "DatabaseLocation": "devices.db",
    "Acls": {
        "Groups": {
            "group:mobile": [
                "mobile1"
            ],
            "group:notebook": [
                "notebook1",
                "notebook2"
            ]
        },
        "Policies": {
            "*": {
                "Mfa": [
                    "192.168.1.0/24",
                    "192.168.99.0/24",
                    "192.168.77.0/24"
                ],
                "Allow": [
                    "authelia.domain.de 9091/tcp icmp",
                    "192.168.5.254",
                    "0.0.0.0/0"
                ]
            },
            "group:mobile": {},
            "group:notebook": {},
            "notebook1": {},
            "notebook2": {},
            "mobile1": {}
        }
    }
}

Thank you for this nice software NHAS!
Is there a possibility to donate with paypal?

[NHAS]

Hi there!

Thanks for this write-up Im sure folk using lxc containers will find this super useful! I personally dont use them myself so I consider them not officially supported.

As for PayPal you can send money directly to [email protected] thank you so much!

Keep an eye out, Im about a week out from releasing wag v8.0.0 which features clustering and high availability!

[NHAS]

Oh yeah, if you were looking for an auth provider that you could self host. I cannot recommend keycloak strongly enough, super mature project and well hardened.