Bump version to 15.0.0-beta.8

* add ui port to template

* update changelog

CHANGELOG.md

@@ -24,6 +24,8 @@ This update is an entire rewrite to make it even easier to set up your own VPN.
 - Deprecated Dockerless Installations
 - Added Docker Volume Mount (`/lib/modules`)
 - Removed ARMv6 and ARMv7 support
+- Connections over HTTP require setting the `INSECURE` env var
+- Changed license from CC BY-NC-SA 4.0 to AGPL-3.0-only
 
 ## [14.0.0] - 2024-09-04
 

README.md

@@ -102,7 +102,7 @@ Now setup a reverse proxy to be able to access the Web UI from the internet.
 
 If you want to access the Web UI over HTTP, change the env var `INSECURE` to `true`. This is not recommended. Only use this for testing
 
-### 3. Sponsor
+### Donate
 
 Are you enjoying this project? Consider donating.
 

docs/content/examples/tutorials/auto-updates.md

@@ -4,13 +4,13 @@ title: Auto Updates
 
 ## Docker Compose
 
-With Docker Compose WireGuard Easy can be updated with a single command:
+With Docker Compose `wg-easy` can be updated with a single command:
 
 Replace `$DIR` with the directory where your `docker-compose.yml` is located.
 
 ```shell
 cd $DIR
-sudo docker compose -f up -d --pull always
+sudo docker compose up -d --pull always
 ```
 
 ## Docker Run
@@ -27,7 +27,7 @@ And then run the `docker run -d \ ...` command from [Docker Run][docker-run] aga
 
 ## Podman
 
-To update `wg-easy` (and every container that has auto updates enabled), you can run the following commands:
+To update `wg-easy` (and every container that has auto updates enabled), you can run the following command:
 
 ```shell
 sudo podman auto-update

docs/content/examples/tutorials/docker-run.md

@@ -4,7 +4,7 @@ title: Docker Run
 
 To setup the IPv6 Network, simply run once:
 
-```bash
+```shell
   docker network create \
   -d bridge --ipv6 \
   -d default \
@@ -14,9 +14,9 @@ To setup the IPv6 Network, simply run once:
 
 <!-- ref: major version -->
 
-To automatically install & run wg-easy, simply run:
+To automatically install & run ``wg-easy, simply run:
 
-```bash
+```shell
   docker run -d \
   --net wg \
   -e INSECURE=true \

docs/content/examples/tutorials/podman.md

@@ -88,7 +88,7 @@ In the Admin Panel of your WireGuard server, go to the `Hooks` tab and add the f
 1. PostUp
 
    ```shell
-   apk add nftables; nft add table inet wg_table; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy drop \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy drop \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept;
+   apk add nftables; nft add table inet wg_table; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy drop \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add rule inet wg_table input tcp dport {{uiPort}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy drop \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept;
    ```
 
 2. PostDown

package.json

@@ -7,5 +7,5 @@
     "docs:preview": "docker run --rm -it -p 8080:8080 -v ./docs:/docs squidfunk/mkdocs-material serve -a 0.0.0.0:8080",
     "scripts:version": "bash scripts/version.sh"
   },
-  "packageManager": "pnpm@10.5.2"
+  "packageManager": "pnpm@10.6.2"
 }

src/app/components/Form/NullArrayField.vue

@@ -0,0 +1,68 @@
+<template>
+  <div class="flex flex-col gap-2">
+    <div v-if="data === null">
+      {{ emptyText || $t('form.nullNoItems') }}
+    </div>
+    <div v-for="(item, i) in data" v-else :key="i">
+      <div class="mt-1 flex flex-row gap-1">
+        <input
+          :value="item"
+          :name="name"
+          type="text"
+          class="rounded-lg border-2 border-gray-100 text-gray-500 focus:border-red-800 focus:outline-0 focus:ring-0 dark:border-neutral-800 dark:bg-neutral-700 dark:text-neutral-200 dark:placeholder:text-neutral-400"
+          @input="update($event, i)"
+        />
+        <BaseButton
+          as="input"
+          type="button"
+          class="rounded-lg"
+          value="-"
+          @click="del(i)"
+        />
+      </div>
+    </div>
+    <div class="mt-2">
+      <BaseButton
+        as="input"
+        type="button"
+        class="rounded-lg"
+        :value="$t('form.add')"
+        @click="add"
+      />
+    </div>
+  </div>
+</template>
+
+<script lang="ts" setup>
+const data = defineModel<string[] | null>();
+defineProps<{ emptyText?: string[]; name: string }>();
+
+function update(e: Event, i: number) {
+  const v = (e.target as HTMLInputElement).value;
+  if (!data.value) {
+    return;
+  }
+  data.value[i] = v;
+}
+
+function add() {
+  if (data.value === undefined) {
+    return;
+  }
+  if (data.value === null) {
+    data.value = [''];
+  } else {
+    data.value.push('');
+  }
+}
+
+function del(i: number) {
+  if (!data.value) {
+    return;
+  }
+  data.value.splice(i, 1);
+  if (data.value.length === 0) {
+    data.value = null;
+  }
+}
+</script>

src/app/components/Ui/Footer.vue

@@ -24,7 +24,7 @@
       ·
       <a
         class="hover:underline"
-        href="https://github.com/sponsors/WeeJeWel"
+        href="https://github.com/wg-easy/wg-easy#donate"
         target="_blank"
         >{{ $t('layout.donate') }}</a
       >

src/app/pages/admin/config.vue

@@ -27,7 +27,7 @@
       </FormGroup>
       <FormGroup>
         <FormHeading :description="$t('admin.config.dnsDesc')">{{
-          $t('admin.config.dns')
+          $t('general.dns')
         }}</FormHeading>
         <FormArrayField v-model="data.defaultDns" name="defaultDns" />
       </FormGroup>

src/app/pages/clients/[id].vue

@@ -41,21 +41,26 @@
             />
           </FormGroup>
           <FormGroup>
-            <FormHeading :description="$t('client.allowedIpsDesc')">{{
+            <FormHeading :description="$t('client.allowedIpsDesc')">
-              $t('general.allowedIps')
+              {{ $t('general.allowedIps') }}
-            }}</FormHeading>
+            </FormHeading>
-            <FormArrayField v-model="data.allowedIps" name="allowedIps" />
+            <FormNullArrayField v-model="data.allowedIps" name="allowedIps" />
           </FormGroup>
           <FormGroup>
-            <FormHeading :description="$t('client.serverAllowedIpsDesc')">{{
+            <FormHeading :description="$t('client.serverAllowedIpsDesc')">
-              $t('client.serverAllowedIps')
+              {{ $t('client.serverAllowedIps') }}
-            }}</FormHeading>
+            </FormHeading>
             <FormArrayField
               v-model="data.serverAllowedIps"
               name="serverAllowedIps"
             />
           </FormGroup>
-          <FormGroup></FormGroup>
+          <FormGroup>
+            <FormHeading :description="$t('client.dnsDesc')">
+              {{ $t('general.dns') }}
+            </FormHeading>
+            <FormNullArrayField v-model="data.dns" name="dns" />
+          </FormGroup>
           <FormGroup>
             <FormHeading>{{ $t('form.sectionAdvanced') }}</FormHeading>
             <FormNumberField
@@ -142,8 +147,12 @@ const _submit = useSubmit(
     method: 'post',
   },
   {
-    revert: async () => {
+    revert: async (success) => {
+      if (success) {
         await navigateTo('/');
+      } else {
+        await revert();
+      }
     },
   }
 );

src/app/pages/me.vue

@@ -40,7 +40,7 @@
               id="confirm-password"
               v-model="confirmPassword"
               autocomplete="new-password"
-              :label="$t('me.confirmPassword')"
+              :label="$t('general.confirmPassword')"
             />
             <FormActionField
               type="submit"

src/app/pages/setup/2.vue

@@ -20,6 +20,14 @@
           :label="$t('general.password')"
         />
       </div>
+      <div class="flex flex-col">
+        <FormPasswordField
+          id="confirmPassword"
+          v-model="confirmPassword"
+          autocomplete="new-password"
+          :label="$t('general.confirmPassword')"
+        />
+      </div>
       <div>
         <BaseButton @click="submit">{{ $t('setup.createAccount') }}</BaseButton>
       </div>
@@ -37,6 +45,7 @@ setupStore.setStep(2);
 
 const username = ref<null | string>(null);
 const password = ref<string>('');
+const confirmPassword = ref<string>('');
 
 const _submit = useSubmit(
   '/api/setup/2',
@@ -54,6 +63,10 @@ const _submit = useSubmit(
 );
 
 function submit() {
-  return _submit({ username: username.value, password: password.value });
+  return _submit({
+    username: username.value,
+    password: password.value,
+    confirmPassword: confirmPassword.value,
+  });
 }
 </script>

src/i18n/locales/en.json

@@ -14,8 +14,7 @@
     "email": "E-Mail"
   },
   "me": {
-    "currentPassword": "Current Password",
+    "currentPassword": "Current Password"
-    "confirmPassword": "Confirm Password"
   },
   "general": {
     "name": "Name",
@@ -25,13 +24,15 @@
     "updatePassword": "Update Password",
     "mtu": "MTU",
     "allowedIps": "Allowed IPs",
+    "dns": "DNS",
     "persistentKeepalive": "Persistent Keepalive",
     "logout": "Logout",
     "continue": "Continue",
     "host": "Host",
     "port": "Port",
     "yes": "Yes",
-    "no": "No"
+    "no": "No",
+    "confirmPassword": "Confirm Password"
   },
   "setup": {
     "welcome": "Welcome to your first setup of wg-easy !",
@@ -95,13 +96,14 @@
     "noPrivKey": "This client has no known private key. Cannot create Configuration.",
     "showQR": "Show QR Code",
     "downloadConfig": "Download Configuration",
-    "allowedIpsDesc": "Which IPs will be routed through the VPN",
+    "allowedIpsDesc": "Which IPs will be routed through the VPN (overrides global config)",
     "serverAllowedIpsDesc": "Which IPs the server will route to the client",
     "mtuDesc": "Sets the maximum transmission unit (packet size) for the VPN tunnel",
     "persistentKeepaliveDesc": "Sets the interval (in seconds) for keep-alive packets. 0 disables it",
     "hooks": "Hooks",
     "hooksDescription": "Hooks only work with wg-quick",
-    "hooksLeaveEmpty": "Only for wg-quick. Otherwise, leave it empty"
+    "hooksLeaveEmpty": "Only for wg-quick. Otherwise, leave it empty",
+    "dnsDesc": "DNS server clients will use (overrides global config)"
   },
   "dialog": {
     "change": "Change",
@@ -121,6 +123,7 @@
     "sectionGeneral": "General",
     "sectionAdvanced": "Advanced",
     "noItems": "No items",
+    "nullNoItems": "No items. Using global config",
     "add": "Add"
   },
   "admin": {
@@ -139,11 +142,10 @@
       "connection": "Connection",
       "hostDesc": "Public hostname clients will connect to (invalidates config)",
       "portDesc": "Public UDP port clients will connect to (invalidates config)",
-      "allowedIpsDesc": "Allowed IPs clients will use (invalidates config)",
+      "allowedIpsDesc": "Allowed IPs clients will use (global config)",
-      "dns": "DNS",
+      "dnsDesc": "DNS server clients will use (global config)",
-      "dnsDesc": "DNS server clients will use (invalidates config)",
+      "mtuDesc": "MTU clients will use (only for new clients)",
-      "mtuDesc": "MTU clients will use (invalidates config)",
+      "persistentKeepaliveDesc": "Interval in seconds to send keepalives to the server. 0 = disabled (only for new clients)"
-      "persistentKeepaliveDesc": "Interval in seconds to send keepalives to the server. 0 = disabled (invalidates config)"
     },
     "interface": {
       "cidrSuccess": "Changed CIDR",

src/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wg-easy",
-  "version": "15.0.0-beta.6",
+  "version": "15.0.0-beta.8",
   "description": "The easiest way to run WireGuard VPN + Web-based Admin UI.",
   "private": true,
   "type": "module",
@@ -20,8 +20,8 @@
   "dependencies": {
     "@eschricht/nuxt-color-mode": "^1.1.5",
     "@libsql/client": "^0.14.0",
-    "@nuxtjs/i18n": "^9.2.1",
+    "@nuxtjs/i18n": "^9.3.1",
-    "@nuxtjs/tailwindcss": "^6.13.1",
+    "@nuxtjs/tailwindcss": "^6.13.2",
     "@pinia/nuxt": "^0.10.1",
     "@tailwindcss/forms": "^0.5.10",
     "apexcharts": "^4.5.0",
@@ -36,7 +36,7 @@
     "is-ip": "^5.0.1",
     "js-sha256": "^0.11.0",
     "lowdb": "^7.0.1",
-    "nuxt": "^3.15.4",
+    "nuxt": "^3.16.0",
     "pinia": "^3.0.1",
     "qrcode": "^1.5.4",
     "radix-vue": "^1.9.17",
@@ -48,17 +48,17 @@
     "zod": "^3.24.2"
   },
   "devDependencies": {
-    "@nuxt/eslint": "1.1.0",
+    "@nuxt/eslint": "1.2.0",
     "@types/debug": "^4.1.12",
     "@types/qrcode": "^1.5.5",
     "@types/semver": "^7.5.8",
     "drizzle-kit": "^0.30.5",
-    "eslint": "^9.21.0",
+    "eslint": "^9.22.0",
-    "eslint-config-prettier": "^10.0.2",
+    "eslint-config-prettier": "^10.1.1",
     "prettier": "^3.5.3",
     "prettier-plugin-tailwindcss": "^0.6.11",
     "typescript": "^5.8.2",
     "vue-tsc": "^2.2.8"
   },
-  "packageManager": "pnpm@10.5.2"
+  "packageManager": "pnpm@10.6.2"
 }

src/server/database/migrations/0000_short_skin.sql

@@ -12,11 +12,11 @@ CREATE TABLE `clients_table` (
 	`public_key` text NOT NULL,
 	`pre_shared_key` text NOT NULL,
 	`expires_at` text,
-	`allowed_ips` text NOT NULL,
+	`allowed_ips` text,
 	`server_allowed_ips` text NOT NULL,
 	`persistent_keepalive` integer NOT NULL,
 	`mtu` integer NOT NULL,
-	`dns` text NOT NULL,
+	`dns` text,
 	`enabled` integer NOT NULL,
 	`created_at` text DEFAULT (CURRENT_TIMESTAMP) NOT NULL,
 	`updated_at` text DEFAULT (CURRENT_TIMESTAMP) NOT NULL,

src/server/database/migrations/meta/0000_snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": "6",
   "dialect": "sqlite",
-  "id": "383501e4-f8de-4413-847f-a9082f6dc398",
+  "id": "8c2af02b-c4bd-4880-a9ad-b38805636208",
   "prevId": "00000000-0000-0000-0000-000000000000",
   "tables": {
     "clients_table": {
@@ -106,7 +106,7 @@
           "name": "allowed_ips",
           "type": "text",
           "primaryKey": false,
-          "notNull": true,
+          "notNull": false,
           "autoincrement": false
         },
         "server_allowed_ips": {
@@ -134,7 +134,7 @@
           "name": "dns",
           "type": "text",
           "primaryKey": false,
-          "notNull": true,
+          "notNull": false,
           "autoincrement": false
         },
         "enabled": {

src/server/database/migrations/meta/0001_snapshot.json

@@ -1,6 +1,6 @@
 {
-  "id": "bf316694-e2ce-4e29-bd66-ce6c0a9d3c90",
+  "id": "a61263b1-9af1-4d2e-99e9-80d08127b545",
-  "prevId": "383501e4-f8de-4413-847f-a9082f6dc398",
+  "prevId": "8c2af02b-c4bd-4880-a9ad-b38805636208",
   "version": "6",
   "dialect": "sqlite",
   "tables": {
@@ -106,7 +106,7 @@
           "name": "allowed_ips",
           "type": "text",
           "primaryKey": false,
-          "notNull": true,
+          "notNull": false,
           "autoincrement": false
         },
         "server_allowed_ips": {
@@ -134,7 +134,7 @@
           "name": "dns",
           "type": "text",
           "primaryKey": false,
-          "notNull": true,
+          "notNull": false,
           "autoincrement": false
         },
         "enabled": {

src/server/database/migrations/meta/_journal.json

@@ -5,14 +5,14 @@
     {
       "idx": 0,
       "version": "6",
-      "when": 1741335144499,
+      "when": 1741355094140,
       "tag": "0000_short_skin",
       "breakpoints": true
     },
     {
       "idx": 1,
       "version": "6",
-      "when": 1741335153054,
+      "when": 1741355098159,
       "tag": "0001_classy_the_stranger",
       "breakpoints": true
     }

src/server/database/repositories/client/schema.ts

@@ -3,6 +3,8 @@ import { int, sqliteTable, text } from 'drizzle-orm/sqlite-core';
 
 import { oneTimeLink, user } from '../../schema';
 
+/** null means use value from userConfig */
+
 export const client = sqliteTable('clients_table', {
   id: int().primaryKey({ autoIncrement: true }),
   userId: int('user_id')
@@ -22,13 +24,13 @@ export const client = sqliteTable('clients_table', {
   publicKey: text('public_key').notNull(),
   preSharedKey: text('pre_shared_key').notNull(),
   expiresAt: text('expires_at'),
-  allowedIps: text('allowed_ips', { mode: 'json' }).$type<string[]>().notNull(),
+  allowedIps: text('allowed_ips', { mode: 'json' }).$type<string[]>(),
   serverAllowedIps: text('server_allowed_ips', { mode: 'json' })
     .$type<string[]>()
     .notNull(),
   persistentKeepalive: int('persistent_keepalive').notNull(),
   mtu: int().notNull(),
-  dns: text({ mode: 'json' }).$type<string[]>().notNull(),
+  dns: text({ mode: 'json' }).$type<string[]>(),
   enabled: int({ mode: 'boolean' }).notNull(),
   createdAt: text('created_at')
     .notNull()

src/server/database/repositories/client/service.ts

@@ -1,5 +1,5 @@
 import { eq, sql } from 'drizzle-orm';
-import { parseCidr } from 'cidr-tools';
+import { containsCidr, parseCidr } from 'cidr-tools';
 import { client } from './schema';
 import type {
   ClientCreateFromExistingType,
@@ -115,8 +115,6 @@ export class ClientService {
           ipv4Address,
           ipv6Address,
           mtu: clientConfig.defaultMtu,
-          allowedIps: clientConfig.defaultAllowedIps,
-          dns: clientConfig.defaultDns,
           persistentKeepalive: clientConfig.defaultPersistentKeepalive,
           serverAllowedIps: [],
           enabled: true,
@@ -134,7 +132,27 @@ export class ClientService {
   }
 
   update(id: ID, data: UpdateClientType) {
-    return this.#db.update(client).set(data).where(eq(client.id, id)).execute();
+    return this.#db.transaction(async (tx) => {
+      const clientInterface = await tx.query.wgInterface
+        .findFirst({
+          where: eq(wgInterface.name, 'wg0'),
+        })
+        .execute();
+
+      if (!clientInterface) {
+        throw new Error('WireGuard interface not found');
+      }
+
+      if (!containsCidr(clientInterface.ipv4Cidr, data.ipv4Address)) {
+        throw new Error('IPv4 address is not within the CIDR range');
+      }
+
+      if (!containsCidr(clientInterface.ipv6Cidr, data.ipv6Address)) {
+        throw new Error('IPv6 address is not within the CIDR range');
+      }
+
+      await tx.update(client).set(data).where(eq(client.id, id)).execute();
+    });
   }
 
   async createFromExisting({

src/server/database/repositories/client/types.ts

@@ -61,11 +61,11 @@ export const ClientUpdateSchema = schemaForType<UpdateClientType>()(
     postUp: HookSchema,
     preDown: HookSchema,
     postDown: HookSchema,
-    allowedIps: AllowedIpsSchema,
+    allowedIps: AllowedIpsSchema.nullable(),
     serverAllowedIps: serverAllowedIps,
     mtu: MtuSchema,
     persistentKeepalive: PersistentKeepaliveSchema,
-    dns: DnsSchema,
+    dns: DnsSchema.nullable(),
   })
 );
 

src/server/database/repositories/user/types.ts

@@ -26,10 +26,15 @@ export const UserLoginSchema = z.object({
   remember: remember,
 });
 
-export const UserSetupSchema = z.object({
+export const UserSetupSchema = z
+  .object({
     username: username,
     password: password,
-});
+    confirmPassword: password,
+  })
+  .refine((val) => val.password === val.confirmPassword, {
+    message: t('zod.user.passwordMatch'),
+  });
 
 const name = z
   .string({ message: t('zod.user.name') })

src/server/utils/config.ts

@@ -15,4 +15,16 @@ export const OLD_ENV = {
 export const WG_ENV = {
   /** UI is hosted on HTTP instead of HTTPS */
   INSECURE: process.env.INSECURE === 'true',
+  /** Port the UI is listening on */
+  PORT: assertEnv('PORT'),
 };
+
+function assertEnv<T extends string>(env: T) {
+  const val = process.env[env];
+
+  if (!val) {
+    throw new Error(`Missing environment variable: ${env}`);
+  }
+
+  return val;
+}

src/server/utils/template.ts

@@ -15,6 +15,7 @@ export function template(templ: string, values: Record<string, string>) {
  * - ipv6Cidr: IPv6 CIDR
  * - device: Network device
  * - port: Port number
+ * - uiPort: UI port number
  */
 export function iptablesTemplate(templ: string, wgInterface: InterfaceType) {
   return template(templ, {
@@ -22,5 +23,6 @@ export function iptablesTemplate(templ: string, wgInterface: InterfaceType) {
     ipv6Cidr: wgInterface.ipv6Cidr,
     device: wgInterface.device,
     port: wgInterface.port.toString(),
+    uiPort: WG_ENV.PORT,
   });
 }

src/server/utils/wgHelper.ts

@@ -59,13 +59,13 @@ PostDown = ${iptablesTemplate(hooks.postDown, wgInterface)}`;
     return `[Interface]
 PrivateKey = ${client.privateKey}
 Address = ${client.ipv4Address}/${cidr4Block}, ${client.ipv6Address}/${cidr6Block}
-DNS = ${client.dns.join(', ')}
+DNS = ${(client.dns ?? userConfig.defaultDns).join(', ')}
 MTU = ${client.mtu}
 ${hookLines.length ? `${hookLines.join('\n')}\n` : ''}
 [Peer]
 PublicKey = ${wgInterface.publicKey}
 PresharedKey = ${client.preSharedKey}
-AllowedIPs = ${client.allowedIps.join(', ')}
+AllowedIPs = ${(client.allowedIps ?? userConfig.defaultAllowedIps).join(', ')}
 PersistentKeepalive = ${client.persistentKeepalive}
 Endpoint = ${userConfig.host}:${userConfig.port}`;
   },