dev-resources.site

for different kinds of informations.

Setting up WireGuard VPN with WAG for Enhanced Security and MFA

Published at

11/16/2024

Introduction to WAG with WireGuard

WAG enhances WireGuard by providing 2FA on selected routes while allowing other routes to remain accessible as long as the client has a valid public key. With WAG, you can ensure only authenticated users can access sensitive network resources, securing your VPN further.

Reference: WAG GitHub Repository

Prerequisites

System Requirements: This guide assumes you are working on Ubuntu 20.04.
Necessary Tools: Make sure iptables is installed and IP forwarding is enabled. Wag must be run as root, to manage iptables and the wireguard device.

sysctl -w net.ipv4.ip_forward=1

Step 1: Install WAG

Create Directory: Install WAG in the /opt directory.

mkdir /opt/wag && cd /opt/wag

Download WAG:

curl -L $(curl -s https://api.github.com/repos/NHAS/wag/releases/latest | jq -M -r '.assets[0].browser_download_url') -o wag

Set Permissions:

chmod 700 wag

Step 2: Generate WAG Configurations

Generate the initial configuration file:

sudo ./wag gen-config

Rename the generated config file:

After providing valid information in the above command, it will generate one config file with the tag "config.json.*". Rename it to "config.json"

mv config.json.* config.json

Step 3: Modify WireGuard Port and Add ACLs in the Config File

Set Port and Add Private Key: Configure WireGuard to listen on a chosen port (e.g., 51820).

"Wireguard": {
    "DevName": "wg0",
    "ListenPort": 51820,
    "PrivateKey": "your_private_key_here",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "PersistentKeepAlive": 25,
    "DNS": ["8.8.8.8"]
}

Define ACLs: Use ACL policies to enforce 2FA for specific networks while allowing general access to others. Here, a username "mayur" is allowed only for network "0.0.0.0/0, ::/0" but it must enter MFA for network "172.69.0.0/16 and following", mfa defines the network which will be accessible only if it is authorized.

Example ACL Configuration:

"Acls": {
    "Groups": {
        "group:admin": ["mayur"]
    },
    "Policies": {
        "group:admin": {
            "Mfa": [
               "172.69.0.0/16", "172.63.0.0/16"
            ],
            "Allow": [
               "0.0.0.0/0", "::/0"
            ]
        }
    }
}

After adding this, the config will look like this:

{
  "Proxied": false,
  "ExposePorts": null,
  "HelpMail": "<email address>",
  "Lockout": 5,
  "ExternalAddress": "<public ip>",
  "MaxSessionLifetimeMinutes": 1440,
  "SessionInactivityTimeoutMinutes ": 60,
  "ManagementUI": {
    "ListenAddress": "",
    "Enabled": false
  },
  "Webserver": {
    "Public": {
      "ListenAddress": ":8080"
    },
    "Tunnel": {
      "Port": "80"
    }
  },
  "Authenticators": {
    "Issuer": "Wireguard",
    "Methods": ["totp"],
    "DomainURL": "",
    "OIDC": {
      "IssuerURL": "",
      "ClientSecret": "",
      "ClientID": ""
    }
  },
  "Wireguard": {
    "DevName": "wg0",
    "ListenPort": 51820,
    "PrivateKey": "<private key>",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "PersistentKeepAlive": 25,
    "DNS": ["8.8.8.8"]
  },
  "DatabaseLocation": "devices.db",
  "Acls": {
    "Groups": {
      "group:admin": ["mayur"]
    },
    "Policies": {
      "group:admin": {
        "Mfa": ["172.69.0.0/16", "172.63.0.0/16"],
        "Allow": ["0.0.0.0/0", "::/0"]
      }
    }
  }
}

Step 4: Start the WAG Service

Run WAG with the following command:

./wag start -config config.json

wag will create a database "devices.db" where it will store all users and their respective keys.

Step 5: Set Up WAG as a Service

Create a wag.service file for managing WAG via systemd:

sudo nano /etc/systemd/system/wag.service

Add the following service configuration:

[Unit]
Description=WireguardManager

[Service]
User=root

WorkingDirectory=/opt/wag
ExecStart=/opt/wag/wag start

# If any of the ExecStarttasks fail, then ExecStopPostwill run
ExecStopPost=/opt/wag/wag cleanup

Restart=on-failure
RestartSec=10
RestartPreventExitStatus=3

KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl enable wag
sudo systemctl start wag

Step 6: Register New Users with WAG

./wag registration -add -username your_username

This command generates a token for device enrollment.

Restart the WAG service:

Now copy the token that was generated from the adding username, Now restart the wag service

sudo systemctl restart wag

Step 7: Download User Configuration File

Users can retrieve their VPN configuration file using their generated token:

curl http://{public.server.address}:8080/register_device?key={token}

This will download the config that will later need to be used in the WireGuard Client.

Additional Feature:

Registration - Deals with creating, deleting and listing the registration tokens

Usage of registration:

"-add" : Create a new enrolment token
"-del" : Delete existing enrolment token
"-group value" : Manually set user group (can supply multiple -group, or use -groups for delimited group list, useful for OIDC)
"-groups string" : Set user groups manually, ',' delimited list of groups, useful for OIDC
"-list" : List tokens
"-overwrite string" : Add registration token for an existing user device, will overwrite wireguard public key (but not 2FA)
"-socket string" : Wag socket to act on (default "/tmp/wag.sock")
"-token string" : Manually set registration token (Optional)
"-username string" : User to add device

(Optional) Configure WAG Management UI

To enable the WAG UI, make the following changes in config.json:

"ManagementUI": {
    "ListenAddress": ":9000",
    "Enabled": true
}

Restart WAG to apply changes:

sudo systemctl restart wag

Set up an admin account for the web console:

sudo ./wag webadmin -add -username admin -password admin_password

Now, Just use http://{public_ip}:9000 and we will be able to access the WAG UI console where we will be able to manage the user and config.

vpn Article's

30 articles in total

Как создать свой VPN и получить доступ ко всему?