Bump version to 15.0.0-beta.12

Feat: Improve Docs (#1791 )
* improve docs * preplan guides * fix spelling * fix nftables rules * consistent wg-easy code block * fix grammar
2025-04-11 23:35:51 +02:00 · 2025-04-11 23:25:58 +02:00 · 2025-04-11 22:46:03 +02:00 · 2025-04-09 11:25:30 +02:00 · 2025-04-02 09:32:52 +02:00 · 2025-04-02 09:20:18 +02:00
66 changed files with 2724 additions and 1991 deletions
@@ -6,6 +6,9 @@ on:
    tags:
      - "v*"
 # This workflow does not support fixing old versions
 # as this will break the latest and major tags
 jobs:
  docker:
    name: Build & Deploy Docker
@@ -31,6 +34,8 @@ jobs:
        with:
          images: |
            ghcr.io/wg-easy/wg-easy
          flavor: |
            latest=false
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}
@@ -87,8 +92,6 @@ jobs:
          cd docs
          git fetch origin gh-pages --depth=1 || true
          # latest will point to old docs if old tag is pushed
          # Extract version numbers
          DOCS_VERSION=${GITHUB_REF#refs/tags/}  # e.g. v1.2.3 or v1.2.3-beta
          MINOR_VERSION=$(echo $DOCS_VERSION | cut -d. -f1,2)  # e.g. v1.2
@@ -10,6 +10,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 We're super excited to announce v15!
 This update is an entire rewrite to make it even easier to set up your own VPN.
 ## Breaking Changes
 As the whole setup has changed, we recommend to start from scratch. And import your existing configs.
 ## Major Changes
 - Almost all Environment variables removed
@@ -26,6 +30,8 @@ This update is an entire rewrite to make it even easier to set up your own VPN.
 - Removed ARMv6 and ARMv7 support
 - Connections over HTTP require setting the `INSECURE` env var
 - Changed license from CC BY-NC-SA 4.0 to AGPL-3.0-only
 - Added 2FA using TOTP
 - Improved mobile support
 ## [14.0.0] - 2024-09-04
@@ -26,7 +26,7 @@ COPY --from=build /app/.output /app
 # Copy migrations
 COPY --from=build /app/server/database/migrations /app/server/database/migrations
 # libsql
-RUN npm install --no-save libsql
+RUN cd /app/server && npm install --no-save libsql
 # Install Linux packages
 RUN apk add --no-cache \
@@ -34,6 +34,7 @@ RUN apk add --no-cache \
    dumb-init \
    iptables \
    ip6tables \
    nftables \
    kmod \
    iptables-legacy \
    wireguard-tools
@@ -5,7 +5,7 @@
 [![GitHub Stars](https://img.shields.io/github/stars/wg-easy/wg-easy)](https://github.com/wg-easy/wg-easy/stargazers)
 [![License](https://img.shields.io/github/license/wg-easy/wg-easy)](LICENSE)
 [![GitHub Release](https://img.shields.io/github/v/release/wg-easy/wg-easy)](https://github.com/wg-easy/wg-easy/releases/latest)
-[![Image Pulls](https://img.shields.io/badge/image_pulls-11M-blue)](https://github.com/wg-easy/wg-easy/pkgs/container/wg-easy)
+[![Image Pulls](https://img.shields.io/badge/image_pulls-12M+-blue)](https://github.com/wg-easy/wg-easy/pkgs/container/wg-easy)
 <!-- TODO: remove after release -->
@@ -38,6 +38,7 @@ You have found the easiest way to install & manage WireGuard on any Linux host!
 - Prometheus metrics support
 - IPv6 support
 - CIDR support
 - 2FA support
 > [!NOTE]
 > To better manage documentation for this project, it has its own site here: [https://wg-easy.github.io/wg-easy/latest](https://wg-easy.github.io/wg-easy/latest)
@@ -50,36 +51,19 @@ You have found the easiest way to install & manage WireGuard on any Linux host!
 - [Getting Started](https://wg-easy.github.io/wg-easy/latest/getting-started/)
 - [Basic Installation](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/basic-installation/)
 - [Caddy](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/caddy/)
 - [Nginx](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/nginx/)
 - [Traefik](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/traefik/)
- [Podman](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman/)
+- [Podman](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/podman-nft/)
 - [AdGuard Home](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/adguard/)
 > [!NOTE]
 > If you want to migrate from the old version to the new version, you can find the migration guide here: [Migration Guide](https://wg-easy.github.io/wg-easy/latest/advanced/migrate/)
 ## Requirements
 - A host with a kernel that supports WireGuard (all modern kernels).
 - A host with Docker installed.
 ## Versions
 > 💡 We follow semantic versioning (semver)
 We offer multiple Docker image tags to suit your needs. The table below is in a particular order, with the first tag being the most recommended:
 | tag           | Branch                                                     | Example                                                       | Description                                                                                                                          |
 | ------------- | ---------------------------------------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
 | `15`          | latest minor for that major tag                            | `ghcr.io/wg-easy/wg-easy:15`                                  | latest features for specific major versions, no breaking changes                                                                     |
 | `latest`      | latest tag                                                 | `ghcr.io/wg-easy/wg-easy:latest` or `ghcr.io/wg-easy/wg-easy` | stable as possible get bug fixes quickly when needed, see Releases for more information.                                             |
 | `15.0`        | latest patch for that minor tag                            | `ghcr.io/wg-easy/wg-easy:15.0`                                | latest patches for specific minor version                                                                                            |
 | `15.0.0`      | specific tag                                               | `ghcr.io/wg-easy/wg-easy:15.0.0`                              | specific release, don't use this as this will not get updated                                                                        |
 | `nightly`     | [`master`](https://github.com/wg-easy/wg-easy/tree/master) | `ghcr.io/wg-easy/wg-easy:nightly`                             | mostly unstable gets frequent package and code updates, deployed against [`master`](https://github.com/wg-easy/wg-easy/tree/master). |
 | `development` | pull requests                                              | `ghcr.io/wg-easy/wg-easy:development`                         | used for development, testing code from PRs before landing into [`master`](https://github.com/wg-easy/wg-easy/tree/master).          |
 ## Installation
 This is a quick start guide to get you up and running with WireGuard Easy.
 For a more detailed installation guide, please refer to the [Getting Started](https://wg-easy.github.io/wg-easy/latest/getting-started/) page.
 ### 1. Install Docker
 If you haven't installed Docker yet, install it by running as root:
@@ -95,14 +79,13 @@ And log in again.
 The easiest way to run WireGuard Easy is with Docker Compose.
-Just download [`docker-compose.yml`](docker-compose.yml), make necessary adjustments and
+Just download [`docker-compose.yml`](docker-compose.yml) and execute `sudo docker compose up -d`.
 execute `sudo docker compose up -d`.
 Now setup a reverse proxy to be able to access the Web UI from the internet.
 If you want to access the Web UI over HTTP, change the env var `INSECURE` to `true`. This is not recommended. Only use this for testing
-### Donate
+## Donate
 Are you enjoying this project? Consider donating.
@@ -2,4 +2,37 @@
 title: API
 ---
-TODO
+You can use the API to interact with the application programmatically. The API is available at `/api` and supports both GET and POST requests. The API is designed to be simple and easy to use, with a focus on providing a consistent interface for all endpoints.
 There is no documentation for the API yet, but this will be added as the underlying library supports it.
 ## Authentication
 To use the API, you need to authenticate using Basic Authentication. The username and password are the same as the ones you use to log in to the web application.
 If you use 2FA, the API will not work. You need to disable 2FA in the web application to use the API.
 ### Authentication Example
 ```python
 import requests
 from requests.auth import HTTPBasicAuth
 url = "https://example.com:51821/api/client"
 response = requests.get(url, auth=HTTPBasicAuth('username', 'password'))
 if response.status_code == 200:
    data = response.json()
    print(data)
 else:
    print(f"Error: {response.status_code}")
 ```
 ## Endpoints
 The Endpoints are not yet documented. But as file-based routing is used, you can find the endpoints in the `src/server/api` folder. The method is defined in the file name.
 ### Endpoints Example
 | File Name                        | Endpoint       | Method |
 | -------------------------------- | -------------- | ------ |
 | `src/server/api/client.get.ts`   | `/api/client`  | GET    |
 | `src/server/api/setup/2.post.ts` | `/api/setup/2` | POST   |
@@ -2,7 +2,7 @@
 title: Optional Configuration
 ---
-TODO
+You can set these environment variables to configure the container. They are not required, but can be useful in some cases.
 | Env        | Default   | Example     | Description                    |
 | ---------- | --------- | ----------- | ------------------------------ |
@@ -26,7 +26,7 @@ If you want to skip the setup process, you have to configure group `1`
 /// note | Security
-The initial username and password is not checked for complexity. Make sure to set a long enough username and a secure password. Otherwise, the user won't be able to log in.
+The initial username and password is not checked for complexity. Make sure to set a long enough username and password. Otherwise, the user won't be able to log in.
-Its recommended to remove the variables after the setup is done to prevent the password from being exposed.
+It's recommended to remove the variables after the setup is done to prevent the password from being exposed.
 ///
@@ -2,6 +2,41 @@
 title: Prometheus
 ---
-TODO
+To monitor the WireGuard server, you can use [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/). The container exposes a `/metrics/prometheus` endpoint that can be scraped by Prometheus.
-<!-- TOOD: add to docs: Grafana dashboard [21733](https://grafana.com/grafana/dashboards/21733-wireguard/) -->
+## Enable Prometheus
 To enable Prometheus metrics, go to Admin Panel > General and enable Prometheus.
 You can optionally set a Bearer Password for the metrics endpoints. This is useful if you want to expose the metrics endpoint to the internet.
 ## Configure Prometheus
 You need to add a scrape config to your Prometheus configuration file. Here is an example:
 ```yaml
 scrape_configs:
  - job_name: "wg-easy"
    scrape_interval: 30s
    metrics_path: /metrics/prometheus
    static_configs:
      - targets:
          - "localhost:51821"
    authorization:
      type: Bearer
      credentials: "SuperSecurePassword"
 ```
 ## Grafana Dashboard
 You can use the following Grafana dashboard to visualize the metrics:
 [![Grafana Dashboard](https://grafana.com/api/dashboards/21733/images/16863/image)](https://grafana.com/grafana/dashboards/21733-wireguard/)
 [21733](https://grafana.com/grafana/dashboards/21733-wireguard/)
 /// note | Unofficial
 The Grafana dashboard is not official and is not maintained by the `wg-easy` team. If you have any issues with the dashboard, please contact the author of the dashboard.
 See [#1299](https://github.com/wg-easy/wg-easy/pull/1299) for more information.
 ///
@@ -1,16 +0,0 @@
 {
  "1": "Initial version. Enjoy!",
  "2": "You can now rename a client & update the address. Enjoy!",
  "3": "Many improvements and small changes. Enjoy!",
  "4": "Now with pretty charts for client's network speed. Enjoy!",
  "5": "Many small improvements & feature requests. Enjoy!",
  "6": "Many small performance improvements & bug fixes. Enjoy!",
  "7": "Improved the look & performance of the upload/download chart.",
  "8": "Updated to Node.js v18.",
  "9": "Fixed issue running on devices with older kernels.",
  "10": "Added sessionless HTTP API auth & automatic dark mode.",
  "11": "Multilanguage Support & various bugfixes.",
  "12": "UI_TRAFFIC_STATS, Import json configurations with no PreShared-Key, allow clients with no privateKey & more.",
  "13": "New framework (h3), UI_CHART_TYPE, some bugfixes & more.",
  "14": "Home Assistent support, PASSWORD_HASH (inc. Helper), translation updates bugfixes & more."
 }
@@ -24,9 +24,9 @@ Maintainers take the time to improve on this project and help by solving issues
 ### Filing a Bug Report
-Thank you for participating in this project and reporting a bug. wg-easy is a community-driven project, and each contribution counts!
+Thank you for participating in this project and reporting a bug. `wg-easy` is a community-driven project, and each contribution counts!
-Maintainers and moderators are volunteers. We greatly appreciate reports that take the time to provide detailed information via the template, enabling us to help you in the best and quickest way. Ignoring the template provided may seem easier, but discourages receiving any support (_via assignment of the label `meta/no template - no support`_).
+Maintainers and moderators are volunteers. We greatly appreciate reports that take the time to provide detailed information via the template, enabling us to help you in the best and quickest way. Ignoring the template provided may seem easier, but discourages receiving any support.
 Markdown formatting can be used in almost all text fields (_unless stated otherwise in the description_).
@@ -2,4 +2,8 @@
 title: AdGuard Home
 ---
-TODO
+It seems like the Docs on how to setup AdGuard Home are not available yet.
 Feel free to create a PR and add them here.
 <!-- TODO -->
@@ -6,11 +6,49 @@ title: Auto Updates
 With Docker Compose `wg-easy` can be updated with a single command:
-Replace `$DIR` with the directory where your `docker-compose.yml` is located.
+```shell
 cd /etc/docker/containers/wg-easy
 sudo docker compose up -d --pull always
 ```
 ### Watchtower
 If you want the updates to be fully automatic you can install Watchtower. This will check for updates every day at 4:00 AM and update the container if a new version is available.
 File: `/etc/docker/containers/watchtower/docker-compose.yml`
 ```yaml
 services:
  watchtower:
    image: containrrr/watchtower:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    env_file:
      - watchtower.env
    restart: unless-stopped
 ```
 File: `/etc/docker/containers/watchtower/watchtower.env`
 ```env
 WATCHTOWER_CLEANUP=true
 WATCHTOWER_SCHEDULE=0 0 4 * * *
 TZ=Europe/Berlin
 # Email
 # WATCHTOWER_NOTIFICATIONS_LEVEL=info
 # WATCHTOWER_NOTIFICATIONS=email
 # WATCHTOWER_NOTIFICATION_EMAIL_FROM=mail@example.com
 # WATCHTOWER_NOTIFICATION_EMAIL_TO=mail@example.com
 # WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.example.com
 # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=mail@example.com
 # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="SuperSecurePassword"
 # WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587
 ```
 ```shell
-cd $DIR
+cd /etc/docker/containers/watchtower
-sudo docker compose up -d --pull always
+sudo docker compose up -d
 ```
 ## Docker Run
@@ -20,20 +20,20 @@ Follow the Docs here: <https://docs.docker.com/engine/install/> and install Dock
 1. Create a directory for the configuration files (you can choose any directory you like):
   ```shell
-   DIR=/docker/wg-easy
+   sudo mkdir -p /etc/docker/containers/wg-easy
   sudo mkdir -p $DIR
   ```
 2. Download docker compose file
   ```shell
-   sudo curl -o $DIR/docker-compose.yml https://raw.githubusercontent.com/wg-easy/wg-easy/master/docker-compose.yml
+   sudo curl -o /etc/docker/containers/wg-easy/docker-compose.yml https://raw.githubusercontent.com/wg-easy/wg-easy/master/docker-compose.yml
   ```
 3. Start `wg-easy`
   ```shell
-    sudo docker-compose -f $DIR/docker-compose.yml up -d
+    cd /etc/docker/containers/wg-easy
    sudo docker-compose up -d
   ```
 ## Setup Firewall
@@ -41,27 +41,22 @@ Follow the Docs here: <https://docs.docker.com/engine/install/> and install Dock
 If you are using a firewall, you need to open the following ports:
 - UDP 51820 (WireGuard)
 - TCP 51821 (Web UI)
 These ports can be changed, so if you change them you have to update your firewall rules accordingly.
 ## Setup Reverse Proxy
-TODO
+- To setup traefik follow the instructions here: [Traefik](./traefik.md)
-
+- To setup caddy follow the instructions here: [Caddy](./caddy.md)
 ## Access the Web UI
 Open your browser and navigate to `https://<your-domain>:51821` or `https://<your-ip>:51821`.
 Follow the instructions to set up your WireGuard VPN.
 ## Update `wg-easy`
 To update `wg-easy` to the latest version, run:
 ```shell
-sudo docker-compose -f $DIR/docker-compose.yml pull
+cd /etc/docker/containers/wg-easy
-sudo docker-compose -f $DIR/docker-compose.yml up -d
+sudo docker-compose pull
 sudo docker-compose up -d
 ```
 ## Auto Update
@@ -2,4 +2,8 @@
 title: Caddy
 ---
-TODO
+It seems like the Docs on how to setup Caddy are not available yet.
 Feel free to create a PR and add them here.
 <!-- TODO -->
@@ -5,7 +5,7 @@ title: Docker Run
 To setup the IPv6 Network, simply run once:
 ```shell
-  docker network create \
+docker network create \
  -d bridge --ipv6 \
  -d default \
  --subnet 10.42.42.0/24 \
@@ -14,10 +14,10 @@ To setup the IPv6 Network, simply run once:
 <!-- ref: major version -->
-To automatically install & run ``wg-easy, simply run:
+To automatically install & run `wg-easy`, simply run:
 ```shell
-  docker run -d \
+docker run -d \
  --net wg \
  -e INSECURE=true \
  --name wg-easy \
@@ -38,6 +38,4 @@ To automatically install & run ``wg-easy, simply run:
  ghcr.io/wg-easy/wg-easy:15
 ```
-The Web UI will now be available on `http://0.0.0.0:51821`.
+The Web UI will now be available at <http://0.0.0.0:51821>.
 > 💡 Your configuration files will be saved in `~/.wg-easy`
@@ -2,4 +2,6 @@
 title: Without Docker
 ---
-TODO
+This is currently not yet supported.
 <!-- TODO -->
@@ -1,5 +1,5 @@
 ---
-title: Podman
+title: Podman + nftables
 ---
 This guide will show you how to run `wg-easy` with rootful Podman and nftables.
@@ -88,7 +88,7 @@ In the Admin Panel of your WireGuard server, go to the `Hooks` tab and add the f
 1. PostUp
   ```shell
-   apk add nftables; nft add table inet wg_table; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy drop \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add rule inet wg_table input tcp dport {{uiPort}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy drop \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept;
+   nft add table inet wg_table; nft add chain inet wg_table prerouting { type nat hook prerouting priority 100 \; }; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy accept \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add rule inet wg_table input tcp dport {{uiPort}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy accept \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept;
   ```
 2. PostDown
@@ -106,8 +106,3 @@ Restart the container to apply the new hooks:
 ```shell
 sudo systemctl restart wg-easy
 ```
 <!--
 TODO: improve docs after better nftables support
 TODO: fix accept web ui port
 -->
@@ -2,4 +2,183 @@
 title: Traefik
 ---
-TODO
+/// note | Opinionated
 This guide is opinionated. If you use other conventions or folder layouts, feel free to change the commands and paths.
 ///
 ## Create docker compose project
 ```shell
 sudo mkdir -p /etc/docker/containers/traefik
 cd /etc/docker/containers/traefik
 ```
 ## Create docker compose file
 File: `/etc/docker/containers/traefik/docker-compose.yml`
 ```yaml
 services:
  traefik:
    image: traefik:3.3
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/docker/volumes/traefik/traefik.yml:/traefik.yml:ro
      - /etc/docker/volumes/traefik/traefik_dynamic.yml:/traefik_dynamic.yml:ro
      - /etc/docker/volumes/traefik/acme.json:/acme.json
    networks:
      - traefik
 networks:
  traefik:
    external: true
 ```
 ## Create traefik.yml
 File: `/etc/docker/volumes/traefik/traefik.yml`
 ```yaml
 log:
  level: INFO
 entryPoints:
  web:
    address: ":80/tcp"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443/tcp"
    http:
      middlewares:
        - compress@file
        - hsts@file
      tls:
        certResolver: letsencrypt
    http3: {}
 api:
  dashboard: true
 certificatesResolvers:
  letsencrypt:
    acme:
      email: $mail@example.com$
      storage: acme.json
      httpChallenge:
        entryPoint: web
 providers:
  docker:
    watch: true
    network: traefik
    exposedByDefault: false
  file:
    filename: traefik_dynamic.yml
 serversTransport:
  insecureSkipVerify: true
 ```
 ## Create traefik_dynamic.yml
 File: `/etc/docker/volumes/traefik/traefik_dynamic.yml`
 ```yaml
 http:
  middlewares:
    services:
      basicAuth:
        users:
          - "$username$:$password$"
    compress:
      compress: {}
    hsts:
      headers:
        stsSeconds: 2592000
  routers:
    api:
      rule: Host(`traefik.$example.com$`)
      entrypoints:
        - websecure
      middlewares:
        - services
      service: api@internal
 tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      sniStrict: true
 ```
 ## Create acme.json
 ```shell
 sudo touch /etc/docker/volumes/traefik/acme.json
 sudo chmod 600 /etc/docker/volumes/traefik/acme.json
 ```
 ## Create network
 ```shell
 sudo docker network create traefik
 ```
 ## Start traefik
 ```shell
 sudo docker-compose up -d
 ```
 You can no access the Traefik dashboard at `https://traefik.$example.com$` with the credentials you set in `traefik_dynamic.yml`.
 ## Add Labels to `wg-easy`
 To add labels to your `wg-easy` service, you can add the following to your `docker-compose.yml` file:
 File: `/etc/docker/containers/wg-easy/docker-compose.yml`
 ```yaml
 services:
  wg-easy:
    ...
    container_name: wg-easy
    networks:
      ...
      traefik: {}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wg-easy.rule=Host(`wg-easy.$example.com$`)"
      - "traefik.http.routers.wg-easy.entrypoints=websecure"
      - "traefik.http.routers.wg-easy.service=wg-easy"
      - "traefik.http.services.wg-easy.loadbalancer.server.port=51821"
    ...
 networks:
  ...
  traefik:
    external: true
 ```
 ## Restart `wg-easy`
 ```shell
 cd /etc/docker/containers/wg-easy
 sudo docker-compose up -d
 ```
 You can now access `wg-easy` at `https://wg-easy.$example.com$` and start the setup.
@@ -0,0 +1,97 @@
 ---
 title: FAQ
 hide:
  - navigation
 ---
 Here are some frequently asked questions or errors about `wg-easy`. If you have a question that is not answered here, please feel free to open a discussion on GitHub.
 ## Error: WireGuard exited with the error: Cannot find device "wg0"
 This error indicates that the WireGuard interface `wg0` does not exist. This can happen if the WireGuard kernel module is not loaded or if the interface was not created properly.
 To resolve this issue, you can try the following steps:
 1. **Load the WireGuard kernel module**: If the WireGuard kernel module is not loaded, you can load it manually by running:
   ```bash
    sudo modprobe wireguard
   ```
 2. **Load the WireGuard kernel module on boot**: If you want to ensure that the WireGuard kernel module is loaded automatically on boot, you can add it to the `/etc/modules` file:
   ```bash
   echo "wireguard" | sudo tee -a /etc/modules
   ```
 ## can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
 This error indicates that the `nat` table in `iptables` does not exist. This can happen if the `iptables` kernel module is not loaded or if the `nat` table is not supported by your kernel.
 To resolve this issue, you can try the following steps:
 1. **Load the `nat` kernel module**: If the `nat` kernel module is not loaded, you can load it manually by running:
   ```bash
   sudo modprobe iptable_nat
   ```
 2. **Load the `nat` kernel module on boot**: If you want to ensure that the `nat` kernel module is loaded automatically on boot, you can add it to the `/etc/modules` file:
   ```bash
    echo "iptable_nat" | sudo tee -a /etc/modules
   ```
 ## can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
 This error indicates that the `nat` table in `ip6tables` does not exist. This can happen if the `ip6tables` kernel module is not loaded or if the `nat` table is not supported by your kernel.
 To resolve this issue, you can try the following steps:
 1. **Load the `nat` kernel module**: If the `nat` kernel module is not loaded, you can load it manually by running:
   ```bash
   sudo modprobe ip6table_nat
   ```
 2. **Load the `nat` kernel module on boot**: If you want to ensure that the `nat` kernel module is loaded automatically on boot, you can add it to the `/etc/modules` file:
   ```bash
    echo "ip6table_nat" | sudo tee -a /etc/modules
   ```
 ## can't initialize iptables table `filter': Permission denied
 This error indicates that the `filter` table in `iptables` cannot be initialized due to permission issues. This can happen if you are not running the command with sufficient privileges.
 To resolve this issue, you can try the following steps:
 1. **Load the `filter` kernel module**: If the `filter` kernel module is not loaded, you can load it manually by running:
   ```bash
   sudo modprobe iptable_filter
   ```
 2. **Load the `filter` kernel module on boot**: If you want to ensure that the `filter` kernel module is loaded automatically on boot, you can add it to the `/etc/modules` file:
   ```bash
   echo "iptable_filter" | sudo tee -a /etc/modules
   ```
 ## can't initialize ip6tables table `filter': Permission denied
 This error indicates that the `filter` table in `ip6tables` cannot be initialized due to permission issues. This can happen if you are not running the command with sufficient privileges.
 To resolve this issue, you can try the following steps:
 1. **Load the `filter` kernel module**: If the `filter` kernel module is not loaded, you can load it manually by running:
   ```bash
   sudo modprobe ip6table_filter
   ```
 2. **Load the `filter` kernel module on boot**: If you want to ensure that the `filter` kernel module is loaded automatically on boot, you can add it to the `/etc/modules` file:
   ```bash
    echo "ip6table_filter" | sudo tee -a /etc/modules
   ```
@@ -4,7 +4,7 @@ hide:
  - navigation
 ---
-This page explains how to get started with wg-easy. The guide uses Docker Compose as a reference. In our examples, we mount the named volume `etc_wireguard` to `/etc/wireguard` inside the container.
+This page explains how to get started with `wg-easy`. The guide uses Docker Compose as a reference. In our examples, we mount the named volume `etc_wireguard` to `/etc/wireguard` inside the container.
 ## Preliminary Steps
@@ -29,7 +29,7 @@ If you're using podman, make sure to read the related [documentation][docs-podma
 [docker-compose]: https://docs.docker.com/compose/
 [docker-compose-installation]: https://docs.docker.com/compose/install/
 [docker-compose-specification]: https://docs.docker.com/compose/compose-file/
-[docs-podman]: ./examples/tutorials/podman.md
+[docs-podman]: ./examples/tutorials/podman-nft.md
 ## Deploying the Actual Image
@@ -41,10 +41,14 @@ To understand which tags you should use, read this section carefully. [Our CI][g
 All workflows are using the tagging convention listed below. It is subsequently applied to all images.
-| Event                   | Image Tags                    |
+| tag           | Type                                                       | Example                                                       | Description                                                                                                                          |
-| ----------------------- | ----------------------------- |
+| ------------- | ---------------------------------------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
-| `cron` on `master`      | `nightly`                     |
+| `15`          | latest minor for that major tag                            | `ghcr.io/wg-easy/wg-easy:15`                                  | latest features for specific major versions, no breaking changes                                                                     |
-| `push` a tag (`v1.2.3`) | `1.2.3`, `1.2`, `1`, `latest` |
+| `latest`      | latest tag                                                 | `ghcr.io/wg-easy/wg-easy:latest` or `ghcr.io/wg-easy/wg-easy` | stable as possible get bug fixes quickly when needed, see Releases for more information.                                             |
 | `15.0`        | latest patch for that minor tag                            | `ghcr.io/wg-easy/wg-easy:15.0`                                | latest patches for specific minor version                                                                                            |
 | `15.0.0`      | specific tag                                               | `ghcr.io/wg-easy/wg-easy:15.0.0`                              | specific release, don't use this as this will not get updated                                                                        |
 | `nightly`     | [`master`](https://github.com/wg-easy/wg-easy/tree/master) | `ghcr.io/wg-easy/wg-easy:nightly`                             | mostly unstable gets frequent package and code updates, deployed against [`master`](https://github.com/wg-easy/wg-easy/tree/master). |
 | `development` | pull requests                                              | `ghcr.io/wg-easy/wg-easy:development`                         | used for development, testing code from PRs before landing into [`master`](https://github.com/wg-easy/wg-easy/tree/master).          |
 When publishing a tag we follow the [Semantic Versioning][semver] specification. The `latest` tag is always pointing to the latest stable release. If you want to avoid breaking changes, use the major version tag (e.g. `15`).
@@ -80,7 +84,7 @@ To stop the container, issue the following command:
 sudo docker compose down
 ```
-/// danger | Using the Correct Commands For Stopping and Starting wg-easy
+/// danger | Using the Correct Commands For Stopping and Starting `wg-easy`
 **Use `sudo docker compose up / down`, not `sudo docker compose start / stop`**. Otherwise, the container is not properly destroyed and you may experience problems during startup because of inconsistent state.
 ///
@@ -1,5 +1,5 @@
 ---
-title: NGINX
+title: 2FA
 ---
 TODO
@@ -0,0 +1,5 @@
 ---
 title: Edit Account
 ---
 TODO
@@ -0,0 +1,5 @@
 ---
 title: Admin Panel
 ---
 TODO
@@ -0,0 +1,5 @@
 ---
 title: Edit Client
 ---
 TODO
@@ -0,0 +1,5 @@
 ---
 title: Login
 ---
 TODO
@@ -0,0 +1,5 @@
 ---
 title: Setup
 ---
 TODO
@@ -11,7 +11,7 @@ hide:
 **Make sure** to select the correct version of this documentation! It should match the version of the image you are using. The default version corresponds to the `:latest` image tag - [the most recent stable release][docs-tagging].
 ///
-This documentation provides you not only with the basic setup and configuration of wg-easy but also with advanced configuration, elaborate usage scenarios, detailed examples, hints and more.
+This documentation provides you not only with the basic setup and configuration of `wg-easy` but also with advanced configuration, elaborate usage scenarios, detailed examples, hints and more.
 [docs-tagging]: ./getting-started.md#tagging-convention
@@ -7,5 +7,5 @@
    "docs:preview": "docker run --rm -it -p 8080:8080 -v ./docs:/docs squidfunk/mkdocs-material serve -a 0.0.0.0:8080",
    "scripts:version": "bash scripts/version.sh"
  },
-  "packageManager": "pnpm@10.6.3"
+  "packageManager": "pnpm@10.8.0"
 }
@@ -3,12 +3,12 @@
    <template #trigger><slot /></template>
    <template #title>{{ $t('admin.config.suggest') }}</template>
    <template #description>
-      <p v-if="!values">
+      <div class="flex flex-col items-start gap-2">
        {{ $t('general.loading') }}
      </p>
      <div v-else class="flex flex-col items-start gap-2">
        <p>{{ $t('admin.config.suggestDesc') }}</p>
-        <BaseSelect v-model="selected" :options="values" />
+        <p v-if="!data">
          {{ $t('general.loading') }}
        </p>
        <BaseSelect v-else v-model="selected" :options="data" />
      </div>
    </template>
    <template #actions>
@@ -31,10 +31,9 @@ const props = defineProps<{
  url: '/api/admin/ip-info' | '/api/setup/4';
 }>();
-const { data } = await useFetch(props.url, {
+const { data } = useFetch(props.url, {
  method: 'get',
 });
 const selected = ref<string>();
 const values = toRef(data.value);
 </script>
@@ -5,7 +5,7 @@
        class="mx-2 inline-flex h-4 w-4 items-center justify-center rounded-full text-gray-400 outline-none focus:shadow-sm focus:shadow-black"
        as-child
      >
-        <button @click="open = !open">
+        <button type="button" @click="open = !open">
          <slot />
        </button>
      </TooltipTrigger>
@@ -4,7 +4,9 @@
      <slot />
    </template>
    <template #description>
-      <img :src="qrCode" />
+      <div class="bg-white">
        <img :src="qrCode" />
      </div>
    </template>
    <template #actions>
      <DialogClose>
@@ -16,14 +16,16 @@
      class="w-full"
      :placeholder="placeholder"
    />
-    <AdminSuggestDialog :url="url" @change="data = $event">
+    <ClientOnly>
-      <BaseButton as="span">
+      <AdminSuggestDialog :url="url" @change="data = $event">
-        <div class="flex items-center gap-3">
+        <BaseButton as="span">
-          <IconsSparkles class="w-4" />
+          <div class="flex items-center gap-3">
-          <span>{{ $t('admin.config.suggest') }}</span>
+            <IconsSparkles class="w-4" />
-        </div>
+            <span>{{ $t('admin.config.suggest') }}</span>
-      </BaseButton>
+          </div>
-    </AdminSuggestDialog>
+        </BaseButton>
      </AdminSuggestDialog>
    </ClientOnly>
  </div>
 </template>
@@ -12,7 +12,7 @@
    v-model.trim="data"
    :name="id"
    type="text"
-    :autcomplete="autocomplete"
+    :autocomplete="autocomplete"
    :placeholder="placeholder"
  />
 </template>
@@ -12,7 +12,8 @@
    v-model.trim="data"
    :name="id"
    type="text"
-    :autcomplete="autocomplete"
+    :autocomplete="autocomplete"
    :disabled="disabled"
  />
 </template>
@@ -22,6 +23,7 @@ defineProps<{
  label: string;
  description?: string;
  autocomplete?: string;
  disabled?: boolean;
 }>();
 const data = defineModel<string>();
@@ -0,0 +1,22 @@
 <template>
  <div
    v-if="!globalStore.information?.insecure && !https"
    class="container mx-auto w-fit rounded-md bg-red-800 p-4 text-white shadow-lg dark:bg-red-100 dark:text-red-600"
  >
    <p class="text-center">{{ $t('login.insecure') }}</p>
  </div>
 </template>
 <script lang="ts" setup>
 const globalStore = useGlobalStore();
 const https = ref(false);
 onMounted(() => {
  if (window.location.protocol === 'https:') {
    https.value = true;
  } else {
    https.value = false;
  }
 });
 </script>
@@ -1,21 +1,21 @@
 <template>
  <div
    v-if="
-      globalStore.release?.updateAvailable &&
+      globalStore.information?.updateAvailable &&
      authStore.userData &&
      hasPermissions(authStore.userData, 'admin', 'any')
    "
    class="font-small mb-10 rounded-md bg-red-800 p-4 text-sm text-white shadow-lg dark:bg-red-100 dark:text-red-600"
-    :title="`v${globalStore.release.currentRelease} → v${globalStore.release.latestRelease.version}`"
+    :title="`v${globalStore.information.currentRelease} → v${globalStore.information.latestRelease.version}`"
  >
    <div class="container mx-auto flex flex-auto flex-row items-center">
      <div class="flex-grow">
        <p class="font-bold">{{ $t('update.updateAvailable') }}</p>
-        <p>{{ globalStore.release.latestRelease.changelog }}</p>
+        <p>{{ globalStore.information.latestRelease.changelog }}</p>
      </div>
      <a
-        :href="`https://github.com/wg-easy/wg-easy/releases/tag/${globalStore.release.latestRelease.version}`"
+        :href="`https://github.com/wg-easy/wg-easy/releases/tag/${globalStore.information.latestRelease.version}`"
        target="_blank"
        class="font-sm float-right flex-shrink-0 rounded-md border-2 border-red-800 bg-white p-3 font-semibold text-red-800 transition-all hover:border-white hover:bg-red-800 hover:text-white dark:border-red-600 dark:bg-red-100 dark:text-red-600 dark:hover:border-red-600 dark:hover:bg-red-600 dark:hover:text-red-100"
      >
@@ -7,7 +7,7 @@
        href="https://github.com/wg-easy/wg-easy"
        >WireGuard Easy</a
      >
-      ({{ globalStore.release?.currentRelease }}) © 2021-2025 by
+      ({{ globalStore.information?.currentRelease }}) © 2021-2025 by
      <a
        class="hover:underline"
        target="_blank"
@@ -1,21 +1,42 @@
-import type { NitroFetchRequest, NitroFetchOptions } from 'nitropack/types';
+import type {
  NitroFetchRequest,
  NitroFetchOptions,
  TypedInternalResponse,
  ExtractedRouteMethod,
 } from 'nitropack/types';
 import { FetchError } from 'ofetch';
-type RevertFn = (success: boolean) => Promise<void>;
+type RevertFn<
  R extends NitroFetchRequest,
  T = unknown,
  O extends NitroFetchOptions<R> = NitroFetchOptions<R>,
 > = (
  success: boolean,
  data:
    | TypedInternalResponse<
        R,
        T,
        NitroFetchOptions<R> extends O ? 'get' : ExtractedRouteMethod<R, O>
      >
    | undefined
 ) => Promise<void>;
-type SubmitOpts = {
+type SubmitOpts<
-  revert: RevertFn;
+  R extends NitroFetchRequest,
  T = unknown,
  O extends NitroFetchOptions<R> = NitroFetchOptions<R>,
 > = {
  revert: RevertFn<R, T, O>;
  successMsg?: string;
  errorMsg?: string;
  noSuccessToast?: boolean;
 };
 export function useSubmit<
  R extends NitroFetchRequest,
  O extends NitroFetchOptions<R> & { body?: never },
->(url: R, options: O, opts: SubmitOpts) {
+  T = unknown,
 >(url: R, options: O, opts: SubmitOpts<R, T, O>) {
  const toast = useToast();
  const { t: $t } = useI18n();
  return async (data: unknown) => {
    try {
@@ -24,11 +45,6 @@ export function useSubmit<
        body: data,
      });
      // eslint-disable-next-line @typescript-eslint/no-explicit-any
      if (!(res as any).success) {
        throw new Error(opts.errorMsg || $t('toast.errored'));
      }
      if (!opts.noSuccessToast) {
        toast.showToast({
          type: 'success',
@@ -36,7 +52,8 @@ export function useSubmit<
        });
      }
-      await opts.revert(true);
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
      await opts.revert(true, res as any);
    } catch (e) {
      if (e instanceof FetchError) {
        toast.showToast({
@@ -51,7 +68,7 @@ export function useSubmit<
      } else {
        console.error(e);
      }
-      await opts.revert(false);
+      await opts.revert(false, undefined);
    }
  };
 }
@@ -18,18 +18,18 @@
        />
      </FormGroup>
      <FormGroup>
-        <FormHeading :description="$t('admin.config.allowedIpsDesc')">{{
+        <FormHeading :description="$t('admin.config.allowedIpsDesc')">
-          $t('general.allowedIps')
+          {{ $t('general.allowedIps') }}
-        }}</FormHeading>
+        </FormHeading>
        <FormArrayField
          v-model="data.defaultAllowedIps"
          name="defaultAllowedIps"
        />
      </FormGroup>
      <FormGroup>
-        <FormHeading :description="$t('admin.config.dnsDesc')">{{
+        <FormHeading :description="$t('admin.config.dnsDesc')">
-          $t('general.dns')
+          {{ $t('general.dns') }}
-        }}</FormHeading>
+        </FormHeading>
        <FormArrayField v-model="data.defaultDns" name="defaultDns" />
      </FormGroup>
      <FormGroup>
@@ -86,7 +86,6 @@ const _changeCidr = useSubmit(
  {
    revert,
    successMsg: t('admin.interface.cidrSuccess'),
    errorMsg: t('admin.interface.cidrError'),
  }
 );
@@ -102,7 +101,6 @@ const _restartInterface = useSubmit(
  {
    revert,
    successMsg: t('admin.interface.restartSuccess'),
    errorMsg: t('admin.interface.restartError'),
  }
 );
@@ -1,6 +1,7 @@
 <template>
  <main>
    <UiBanner />
    <HeaderInsecure />
    <form
      class="mx-auto mt-10 flex w-64 flex-col gap-5 overflow-hidden rounded-md bg-white p-5 text-gray-700 shadow dark:bg-neutral-700 dark:text-neutral-200"
      @submit.prevent="submit"
@@ -29,6 +30,18 @@
        autocomplete="current-password"
      />
      <BaseInput
        v-if="totpRequired"
        v-model="totp"
        type="text"
        name="totp"
        :placeholder="$t('general.2faCode')"
        autocomplete="one-time-code"
        inputmode="numeric"
        maxlength="6"
        pattern="\d{6}"
      />
      <label
        class="flex gap-2 whitespace-nowrap"
        :title="$t('login.rememberMeDesc')"
@@ -57,10 +70,15 @@
 const authStore = useAuthStore();
 authStore.update();
 const toast = useToast();
 const { t } = useI18n();
 const authenticating = ref(false);
 const remember = ref(false);
-const username = ref<null | string>(null);
+const username = ref<string>('');
-const password = ref<null | string>(null);
+const password = ref<string>('');
 const totpRequired = ref(false);
 const totp = ref<string>('');
 const _submit = useSubmit(
  '/api/session',
@@ -68,13 +86,32 @@ const _submit = useSubmit(
    method: 'post',
  },
  {
-    revert: async (success) => {
+    revert: async (success, data) => {
      authenticating.value = false;
      password.value = null;
      if (success) {
-        await navigateTo('/');
+        if (data?.status === 'success') {
          await navigateTo('/');
        } else if (data?.status === 'TOTP_REQUIRED') {
          authenticating.value = false;
          totpRequired.value = true;
          toast.showToast({
            title: t('general.2fa'),
            message: t('login.2faRequired'),
            type: 'error',
          });
          return;
        } else if (data?.status === 'INVALID_TOTP_CODE') {
          authenticating.value = false;
          totp.value = '';
          toast.showToast({
            title: t('general.2fa'),
            message: t('login.2faWrong'),
            type: 'error',
          });
          return;
        }
      }
      authenticating.value = false;
      password.value = '';
    },
    noSuccessToast: true,
  }
@@ -89,6 +126,7 @@ async function submit() {
    username: username.value,
    password: password.value,
    remember: remember.value,
    totpCode: totpRequired.value ? totp.value : undefined,
  });
 }
 </script>
@@ -48,12 +48,74 @@
            />
          </FormGroup>
        </FormElement>
        <FormElement @submit.prevent>
          <FormGroup>
            <FormHeading>{{ $t('general.2fa') }}</FormHeading>
            <div
              v-if="!authStore.userData?.totpVerified && !twofa"
              class="col-span-2 flex flex-col"
            >
              <FormActionField :label="$t('me.enable2fa')" @click="setup2fa" />
            </div>
            <div
              v-if="!authStore.userData?.totpVerified && twofa"
              class="col-span-2"
            >
              <p class="text-sm text-gray-500 dark:text-gray-400">
                {{ $t('me.enable2faDesc') }}
              </p>
              <div class="mt-2 flex flex-col gap-2">
                <img :src="twofa.qrcode" size="128" class="bg-white" />
                <FormTextField
                  id="2fakey"
                  :model-value="twofa.key"
                  :on-update:model-value="() => {}"
                  :label="$t('me.2faKey')"
                  :disabled="true"
                />
                <p class="text-sm text-gray-500 dark:text-gray-400">
                  {{ $t('me.2faCodeDesc') }}
                </p>
                <FormTextField
                  id="2facode"
                  v-model="code"
                  :label="$t('general.2faCode')"
                />
                <FormActionField
                  :label="$t('me.enable2fa')"
                  @click="enable2fa"
                />
              </div>
            </div>
            <div
              v-if="authStore.userData?.totpVerified"
              class="col-span-2 flex flex-col gap-2"
            >
              <p class="text-sm text-gray-500 dark:text-gray-400">
                {{ $t('me.disable2faDesc') }}
              </p>
              <FormPasswordField
                id="2fapassword"
                v-model="disable2faPassword"
                :label="$t('me.currentPassword')"
                type="password"
                autocomplete="current-password"
              />
              <FormActionField
                :label="$t('me.disable2fa')"
                @click="disable2fa"
              />
            </div>
          </FormGroup>
        </FormElement>
      </PanelBody>
    </Panel>
  </main>
 </template>
 <script setup lang="ts">
 import { encodeQR } from 'qr';
 const authStore = useAuthStore();
 authStore.update();
@@ -101,4 +163,81 @@ function updatePassword() {
    confirmPassword: confirmPassword.value,
  });
 }
 const twofa = ref<{ key: string; qrcode: string } | null>(null);
 const _setup2fa = useSubmit(
  `/api/me/totp`,
  {
    method: 'post',
  },
  {
    revert: async (success, data) => {
      if (success && data?.type === 'setup') {
        const qrcode = encodeQR(data.uri, 'svg', {
          ecc: 'high',
          scale: 4,
          encoding: 'byte',
        });
        const svg = new Blob([qrcode], { type: 'image/svg+xml' });
        twofa.value = { key: data.key, qrcode: URL.createObjectURL(svg) };
      }
    },
  }
 );
 async function setup2fa() {
  return _setup2fa({
    type: 'setup',
  });
 }
 const code = ref<string>('');
 const _enable2fa = useSubmit(
  `/api/me/totp`,
  {
    method: 'post',
  },
  {
    revert: async (success, data) => {
      if (success && data?.type === 'created') {
        authStore.update();
        twofa.value = null;
        code.value = '';
      }
    },
  }
 );
 async function enable2fa() {
  return _enable2fa({
    type: 'create',
    code: code.value,
  });
 }
 const disable2faPassword = ref('');
 const _disable2fa = useSubmit(
  `/api/me/totp`,
  {
    method: 'post',
  },
  {
    revert: async (success, data) => {
      if (success && data?.type === 'deleted') {
        authStore.update();
        disable2faPassword.value = '';
      }
    },
  }
 );
 async function disable2fa() {
  return _disable2fa({
    type: 'delete',
    currentPassword: disable2faPassword.value,
  });
 }
 </script>
@@ -1,5 +1,5 @@
 export const useGlobalStore = defineStore('Global', () => {
-  const { data: release } = useFetch('/api/release', {
+  const { data: information } = useFetch('/api/information', {
    method: 'get',
  });
@@ -21,7 +21,7 @@ export const useGlobalStore = defineStore('Global', () => {
  return {
    sortClient,
-    release,
+    information,
    uiShowCharts,
    toggleCharts,
    uiChartType,
@@ -14,7 +14,13 @@
    "email": "E-Mail"
  },
  "me": {
-    "currentPassword": "Current Password"
+    "currentPassword": "Current Password",
    "enable2fa": "Enable Two Factor Authentication",
    "enable2faDesc": "Scan the QR code with your authenticator app or enter the key manually.",
    "2faKey": "TOTP Key",
    "2faCodeDesc": "Enter the code from your authenticator app.",
    "disable2fa": "Disable Two Factor Authentication",
    "disable2faDesc": "Enter your password to disable Two Factor Authentication."
  },
  "general": {
    "name": "Name",
@@ -33,7 +39,9 @@
    "yes": "Yes",
    "no": "No",
    "confirmPassword": "Confirm Password",
-    "loading": "Loading"
+    "loading": "Loading...",
    "2fa": "Two Factor Authentication",
    "2faCode": "TOTP Code"
  },
  "setup": {
    "welcome": "Welcome to your first setup of wg-easy",
@@ -65,11 +73,10 @@
  "login": {
    "signIn": "Sign In",
    "rememberMe": "Remember me",
-    "rememberMeDesc": "Stay logged after closing the browser"
+    "rememberMeDesc": "Stay logged after closing the browser",
-  },
+    "insecure": "You can't log in with an insecure connection. Use HTTPS.",
-  "error": {
+    "2faRequired": "Two Factor Authentication is required",
-    "clear": "Clear",
+    "2faWrong": "Two Factor Authentication is wrong"
    "login": "Log in error"
  },
  "client": {
    "empty": "There are no clients yet.",
@@ -116,8 +123,7 @@
  "toast": {
    "success": "Success",
    "saved": "Saved",
-    "error": "Error",
+    "error": "Error"
    "errored": "Failed to save"
  },
  "form": {
    "actions": "Actions",
@@ -135,7 +141,7 @@
      "sessionTimeoutDesc": "Session duration for Remember Me (seconds)",
      "metrics": "Metrics",
      "metricsPassword": "Password",
-      "metricsPasswordDesc": "Bearer Password for the metrics endpoint (argon2 hash)",
+      "metricsPasswordDesc": "Bearer Password for the metrics endpoint (password or argon2 hash)",
      "json": "JSON",
      "jsonDesc": "Route for metrics in JSON format",
      "prometheus": "Prometheus",
@@ -154,7 +160,6 @@
    },
    "interface": {
      "cidrSuccess": "Changed CIDR",
      "cidrError": "Failed to change CIDR",
      "device": "Device",
      "deviceDesc": "Ethernet device the wireguard traffic should be forwarded through",
      "mtuDesc": "MTU WireGuard will use",
@@ -163,8 +168,7 @@
      "restart": "Restart Interface",
      "restartDesc": "Restart the WireGuard interface",
      "restartWarn": "Are you sure to restart the interface? This will disconnect all clients.",
-      "restartSuccess": "Interface restarted",
+      "restartSuccess": "Interface restarted"
      "restartError": "Failed to restart interface"
    },
    "introText": "Welcome to the admin panel.\n\nHere you can manage the general settings, the configuration, the interface settings and the hooks.\n\nStart by choosing one of the sections in the sidebar."
  },
@@ -189,15 +193,14 @@
    "user": {
      "username": "Username",
      "password": "Password",
      "passwordUppercase": "Password must have at least 1 uppercase letter",
      "passwordLowercase": "Password must have at least 1 lowercase letter",
      "passwordNumber": "Password must have at least 1 number",
      "passwordSpecial": "Password must have at least 1 special character",
      "remember": "Remember",
      "name": "Name",
      "email": "Email",
      "emailInvalid": "Email must be a valid email",
-      "passwordMatch": "Passwords must match"
+      "passwordMatch": "Passwords must match",
      "totpEnable": "TOTP Enable",
      "totpEnableTrue": "TOTP Enable must be true",
      "totpCode": "TOTP Code"
    },
    "userConfig": {
      "host": "Host"
@@ -1,6 +1,6 @@
 {
  "name": "wg-easy",
-  "version": "15.0.0-beta.9",
+  "version": "15.0.0-beta.12",
  "description": "The easiest way to run WireGuard VPN + Web-based Admin UI.",
  "private": true,
  "type": "module",
@@ -20,10 +20,11 @@
  "dependencies": {
    "@eschricht/nuxt-color-mode": "^1.1.5",
    "@heroicons/vue": "^2.2.0",
-    "@libsql/client": "^0.14.0",
+    "@libsql/client": "^0.15.3",
-    "@nuxtjs/i18n": "^9.3.1",
+    "@nuxtjs/i18n": "^9.5.3",
    "@nuxtjs/tailwindcss": "^6.13.2",
-    "@pinia/nuxt": "^0.10.1",
+    "@phc/format": "^1.0.0",
    "@pinia/nuxt": "^0.11.0",
    "@tailwindcss/forms": "^0.5.10",
    "apexcharts": "^4.5.0",
    "argon2": "^0.41.1",
@@ -31,15 +32,16 @@
    "cidr-tools": "^11.0.3",
    "crc-32": "^1.2.2",
    "debug": "^4.4.0",
-    "drizzle-orm": "^0.40.0",
+    "drizzle-orm": "^0.41.0",
    "ip-bigint": "^8.2.1",
    "is-cidr": "^5.1.1",
    "is-ip": "^5.0.1",
    "js-sha256": "^0.11.0",
    "lowdb": "^7.0.1",
-    "nuxt": "^3.16.0",
+    "nuxt": "^3.16.2",
-    "pinia": "^3.0.1",
+    "otpauth": "^9.4.0",
-    "qrcode": "^1.5.4",
+    "pinia": "^3.0.2",
    "qr": "^0.4.0",
    "radix-vue": "^1.9.17",
    "semver": "^7.7.1",
    "tailwindcss": "^3.4.17",
@@ -49,17 +51,17 @@
    "zod": "^3.24.2"
  },
  "devDependencies": {
-    "@nuxt/eslint": "1.2.0",
+    "@nuxt/eslint": "1.3.0",
    "@types/debug": "^4.1.12",
-    "@types/qrcode": "^1.5.5",
+    "@types/phc__format": "^1.0.1",
-    "@types/semver": "^7.5.8",
+    "@types/semver": "^7.7.0",
-    "drizzle-kit": "^0.30.5",
+    "drizzle-kit": "^0.30.6",
-    "eslint": "^9.22.0",
+    "eslint": "^9.24.0",
-    "eslint-config-prettier": "^10.1.1",
+    "eslint-config-prettier": "^10.1.2",
    "prettier": "^3.5.3",
    "prettier-plugin-tailwindcss": "^0.6.11",
-    "typescript": "^5.8.2",
+    "typescript": "^5.8.3",
    "vue-tsc": "^2.2.8"
  },
-  "packageManager": "pnpm@10.6.3"
+  "packageManager": "pnpm@10.8.0"
 }
@@ -3,9 +3,11 @@ import { gt } from 'semver';
 export default defineEventHandler(async () => {
  const latestRelease = await cachedFetchLatestRelease();
  const updateAvailable = gt(latestRelease.version, RELEASE);
  const insecure = WG_ENV.INSECURE;
  return {
    currentRelease: RELEASE,
    latestRelease: latestRelease,
    updateAvailable,
    insecure,
  };
 });
@@ -0,0 +1,65 @@
 import { Secret, TOTP } from 'otpauth';
 import { UserUpdateTotpSchema } from '#db/repositories/user/types';
 type Response =
  | {
      success: boolean;
      type: 'setup';
      key: string;
      uri: string;
    }
  | { success: boolean; type: 'created' }
  | { success: boolean; type: 'deleted' };
 export default definePermissionEventHandler(
  'me',
  'update',
  async ({ event, user, checkPermissions }) => {
    const body = await readValidatedBody(
      event,
      validateZod(UserUpdateTotpSchema, event)
    );
    checkPermissions(user);
    if (body.type === 'setup') {
      const key = new Secret({ size: 20 });
      const totp = new TOTP({
        issuer: 'wg-easy',
        label: user.username,
        algorithm: 'SHA1',
        digits: 6,
        period: 30,
        secret: key,
      });
      await Database.users.updateTotpKey(user.id, key.base32);
      return {
        success: true,
        type: 'setup',
        key: key.base32,
        uri: totp.toString(),
      } as Response;
    } else if (body.type === 'create') {
      await Database.users.verifyTotp(user.id, body.code);
      return {
        success: true,
        type: 'created',
      } as Response;
    } else if (body.type === 'delete') {
      await Database.users.deleteTotpKey(user.id, body.currentPassword);
      return {
        success: true,
        type: 'deleted',
      } as Response;
    }
    throw createError({
      statusCode: 400,
      statusMessage: 'Invalid request',
    });
  }
 );
@@ -20,5 +20,6 @@ export default defineEventHandler(async (event) => {
    username: user.username,
    name: user.name,
    email: user.email,
    totpVerified: user.totpVerified,
  };
 });
@@ -1,29 +1,42 @@
 import { UserLoginSchema } from '#db/repositories/user/types';
 export default defineEventHandler(async (event) => {
-  const { username, password, remember } = await readValidatedBody(
+  const { username, password, remember, totpCode } = await readValidatedBody(
    event,
    validateZod(UserLoginSchema, event)
  );
-  // TODO: timing can be used to enumerate usernames
+  const result = await Database.users.login(username, password, totpCode);
-  const user = await Database.users.getByUsername(username);
+  // TODO: add localization support
  if (!user)
    throw createError({
      statusCode: 401,
      statusMessage: 'Incorrect credentials',
    });
-  const userHashPassword = user.password;
+  if (!result.success) {
-  const passwordValid = await isPasswordValid(password, userHashPassword);
+    switch (result.error) {
-  if (!passwordValid) {
+      case 'INCORRECT_CREDENTIALS':
-    throw createError({
+        throw createError({
-      statusCode: 401,
+          statusCode: 401,
-      statusMessage: 'Incorrect credentials',
+          statusMessage: 'Invalid username or password',
-    });
+        });
      case 'TOTP_REQUIRED':
        return { status: 'TOTP_REQUIRED' };
      case 'INVALID_TOTP_CODE':
        return { status: 'INVALID_TOTP_CODE' };
      case 'USER_DISABLED':
        throw createError({
          statusCode: 401,
          statusMessage: 'User disabled',
        });
      case 'UNEXPECTED_ERROR':
        throw createError({
          statusCode: 500,
          statusMessage: 'Unexpected error',
        });
    }
    assertUnreachable(result.error);
  }
  const user = result.user;
  const session = await useWGSession(event, remember);
  const data = await session.update({
@@ -34,5 +47,5 @@ export default defineEventHandler(async (event) => {
  SERVER_DEBUG(`New Session: ${data.id} for ${user.id} (${user.username})`);
-  return { success: true };
+  return { status: 'success' };
 });
@@ -17,6 +17,7 @@ CREATE TABLE `clients_table` (
 	`persistent_keepalive` integer NOT NULL,
 	`mtu` integer NOT NULL,
 	`dns` text,
 	`server_endpoint` text,
 	`enabled` integer NOT NULL,
 	`created_at` text DEFAULT (CURRENT_TIMESTAMP) NOT NULL,
 	`updated_at` text DEFAULT (CURRENT_TIMESTAMP) NOT NULL,
@@ -80,6 +81,8 @@ CREATE TABLE `users_table` (
 	`email` text,
 	`name` text NOT NULL,
 	`role` integer NOT NULL,
 	`totp_key` text,
 	`totp_verified` integer NOT NULL,
 	`enabled` integer NOT NULL,
 	`created_at` text DEFAULT (CURRENT_TIMESTAMP) NOT NULL,
 	`updated_at` text DEFAULT (CURRENT_TIMESTAMP) NOT NULL
@@ -1,7 +1,7 @@
 {
  "version": "6",
  "dialect": "sqlite",
-  "id": "8c2af02b-c4bd-4880-a9ad-b38805636208",
+  "id": "b812341a-1ec2-49a6-8bc8-0332f5b32df4",
  "prevId": "00000000-0000-0000-0000-000000000000",
  "tables": {
    "clients_table": {
@@ -137,6 +137,13 @@
          "notNull": false,
          "autoincrement": false
        },
        "server_endpoint": {
          "name": "server_endpoint",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "enabled": {
          "name": "enabled",
          "type": "integer",
@@ -558,6 +565,20 @@
          "notNull": true,
          "autoincrement": false
        },
        "totp_key": {
          "name": "totp_key",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "totp_verified": {
          "name": "totp_verified",
          "type": "integer",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "enabled": {
          "name": "enabled",
          "type": "integer",
@@ -1,6 +1,6 @@
 {
-  "id": "a61263b1-9af1-4d2e-99e9-80d08127b545",
+  "id": "c4c5bfb7-a66c-4e6b-a15c-232b16689dcf",
-  "prevId": "8c2af02b-c4bd-4880-a9ad-b38805636208",
+  "prevId": "b812341a-1ec2-49a6-8bc8-0332f5b32df4",
  "version": "6",
  "dialect": "sqlite",
  "tables": {
@@ -137,6 +137,13 @@
          "notNull": false,
          "autoincrement": false
        },
        "server_endpoint": {
          "name": "server_endpoint",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "enabled": {
          "name": "enabled",
          "type": "integer",
@@ -558,6 +565,20 @@
          "notNull": true,
          "autoincrement": false
        },
        "totp_key": {
          "name": "totp_key",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "totp_verified": {
          "name": "totp_verified",
          "type": "integer",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "enabled": {
          "name": "enabled",
          "type": "integer",
@@ -5,14 +5,14 @@
    {
      "idx": 0,
      "version": "6",
-      "when": 1741355094140,
+      "when": 1743515334198,
      "tag": "0000_short_skin",
      "breakpoints": true
    },
    {
      "idx": 1,
      "version": "6",
-      "when": 1741355098159,
+      "when": 1743515338707,
      "tag": "0001_classy_the_stranger",
      "breakpoints": true
    }
@@ -31,6 +31,7 @@ export const client = sqliteTable('clients_table', {
  persistentKeepalive: int('persistent_keepalive').notNull(),
  mtu: int().notNull(),
  dns: text({ mode: 'json' }).$type<string[]>(),
  serverEndpoint: text('server_endpoint'),
  enabled: int({ mode: 'boolean' }).notNull(),
  createdAt: text('created_at')
    .notNull()
@@ -65,6 +65,7 @@ export const ClientUpdateSchema = schemaForType<UpdateClientType>()(
    serverAllowedIps: serverAllowedIps,
    mtu: MtuSchema,
    persistentKeepalive: PersistentKeepaliveSchema,
    serverEndpoint: AddressSchema.nullable(),
    dns: DnsSchema.nullable(),
  })
 );
@@ -107,7 +107,15 @@ export class GeneralService {
    };
  }
-  update(data: GeneralUpdateType) {
+  async update(data: GeneralUpdateType) {
    // only hash the password if it is not already hashed
    if (
      data.metricsPassword !== null &&
      !isValidPasswordHash(data.metricsPassword)
    ) {
      data.metricsPassword = await hashPassword(data.metricsPassword);
    }
    return this.#db.update(general).set(data).execute();
  }
@@ -11,7 +11,6 @@ const metricsEnabled = z.boolean({ message: t('zod.general.metricsEnabled') });
 const metricsPassword = z
  .string({ message: t('zod.general.metricsPassword') })
  .min(1, { message: t('zod.general.metricsPassword') })
  // TODO?: validate argon2 regex
  .nullable();
 export const GeneralUpdateSchema = z.object({
@@ -10,6 +10,8 @@ export const user = sqliteTable('users_table', {
  email: text(),
  name: text().notNull(),
  role: int().$type<Role>().notNull(),
  totpKey: text('totp_key'),
  totpVerified: int('totp_verified', { mode: 'boolean' }).notNull(),
  enabled: int({ mode: 'boolean' }).notNull(),
  createdAt: text('created_at')
    .notNull()
@@ -1,7 +1,24 @@
 import { eq, sql } from 'drizzle-orm';
 import { TOTP } from 'otpauth';
 import { user } from './schema';
 import type { UserType } from './types';
 import type { DBType } from '#db/sqlite';
 type LoginResult =
  | {
      success: true;
      user: UserType;
    }
  | {
      success: false;
      error:
        | 'INCORRECT_CREDENTIALS'
        | 'TOTP_REQUIRED'
        | 'USER_DISABLED'
        | 'INVALID_TOTP_CODE'
        | 'UNEXPECTED_ERROR';
    };
 function createPreparedStatement(db: DBType) {
  return {
    findAll: db.query.user.findMany().prepare(),
@@ -21,6 +38,14 @@ function createPreparedStatement(db: DBType) {
      })
      .where(eq(user.id, sql.placeholder('id')))
      .prepare(),
    updateKey: db
      .update(user)
      .set({
        totpKey: sql.placeholder('key') as never as string,
        totpVerified: false,
      })
      .where(eq(user.id, sql.placeholder('id')))
      .prepare(),
  };
 }
@@ -67,6 +92,7 @@ export class UserService {
        email: null,
        name: 'Administrator',
        role: userCount === 0 ? roles.ADMIN : roles.CLIENT,
        totpVerified: false,
        enabled: true,
      });
    });
@@ -105,4 +131,121 @@ export class UserService {
        .execute();
    });
  }
  updateTotpKey(id: ID, key: string | null) {
    return this.#statements.updateKey.execute({ id, key });
  }
  login(username: string, password: string, code: string | undefined) {
    return this.#db.transaction(async (tx): Promise<LoginResult> => {
      const txUser = await tx.query.user
        .findFirst({ where: eq(user.username, username) })
        .execute();
      if (!txUser) {
        return { success: false, error: 'INCORRECT_CREDENTIALS' };
      }
      const passwordValid = await isPasswordValid(password, txUser.password);
      if (!passwordValid) {
        return { success: false, error: 'INCORRECT_CREDENTIALS' };
      }
      if (txUser.totpVerified) {
        if (!code) {
          return { success: false, error: 'TOTP_REQUIRED' };
        } else {
          if (!txUser.totpKey) {
            return { success: false, error: 'UNEXPECTED_ERROR' };
          }
          const totp = new TOTP({
            issuer: 'wg-easy',
            label: txUser.username,
            algorithm: 'SHA1',
            digits: 6,
            period: 30,
            secret: txUser.totpKey,
          });
          const valid = totp.validate({ token: code, window: 1 });
          if (valid === null) {
            return { success: false, error: 'INVALID_TOTP_CODE' };
          }
        }
      }
      if (!txUser.enabled) {
        return { success: false, error: 'USER_DISABLED' };
      }
      return { success: true, user: txUser };
    });
  }
  verifyTotp(id: ID, code: string) {
    return this.#db.transaction(async (tx) => {
      const txUser = await tx.query.user
        .findFirst({ where: eq(user.id, id) })
        .execute();
      if (!txUser) {
        throw new Error('User not found');
      }
      if (!txUser.totpKey) {
        throw new Error('TOTP key is not set');
      }
      const totp = new TOTP({
        issuer: 'wg-easy',
        label: txUser.username,
        algorithm: 'SHA1',
        digits: 6,
        period: 30,
        secret: txUser.totpKey,
      });
      const valid = totp.validate({ token: code, window: 1 });
      if (valid === null) {
        throw new Error('Invalid TOTP code');
      }
      await tx
        .update(user)
        .set({ totpVerified: true })
        .where(eq(user.id, id))
        .execute();
    });
  }
  deleteTotpKey(id: ID, currentPassword: string) {
    return this.#db.transaction(async (tx) => {
      const txUser = await tx.query.user
        .findFirst({ where: eq(user.id, id) })
        .execute();
      if (!txUser) {
        throw new Error('User not found');
      }
      const passwordValid = await isPasswordValid(
        currentPassword,
        txUser.password
      );
      if (!passwordValid) {
        throw new Error('Invalid password');
      }
      await tx
        .update(user)
        .set({ totpKey: null, totpVerified: false })
        .where(eq(user.id, id))
        .execute();
    });
  }
 }
@@ -6,24 +6,26 @@ export type UserType = InferSelectModel<typeof user>;
 const username = z
  .string({ message: t('zod.user.username') })
-  .min(8, t('zod.user.username'))
+  .min(2, t('zod.user.username'))
  .pipe(safeStringRefine);
 const password = z
  .string({ message: t('zod.user.password') })
  .min(12, t('zod.user.password'))
  .regex(/[A-Z]/, t('zod.user.passwordUppercase'))
  .regex(/[a-z]/, t('zod.user.passwordLowercase'))
  .regex(/\d/, t('zod.user.passwordNumber'))
  .regex(/[!@#$%^&*(),.?":{}|<>]/, t('zod.user.passwordSpecial'))
  .pipe(safeStringRefine);
 const remember = z.boolean({ message: t('zod.user.remember') });
 const totpCode = z
  .string({ message: t('zod.user.totpCode') })
  .min(6, t('zod.user.totpCode'))
  .pipe(safeStringRefine);
 export const UserLoginSchema = z.object({
  username: username,
  password: password,
  remember: remember,
  totpCode: totpCode.optional(),
 });
 export const UserSetupSchema = z
@@ -62,3 +64,17 @@ export const UserUpdatePasswordSchema = z
  .refine((val) => val.newPassword === val.confirmPassword, {
    message: t('zod.user.passwordMatch'),
  });
 export const UserUpdateTotpSchema = z.union([
  z.object({
    type: z.literal('setup'),
  }),
  z.object({
    type: z.literal('create'),
    code: totpCode,
  }),
  z.object({
    type: z.literal('delete'),
    currentPassword: password,
  }),
 ]);
@@ -1,4 +1,12 @@
 export default defineNitroPlugin((nitroApp) => {
  console.log(`====================================================`);
  console.log(`    wg-easy - https://github.com/wg-easy/wg-easy    `);
  console.log(`====================================================`);
  console.log(`| wg-easy:  ${RELEASE.padEnd(38)} |`);
  console.log(`| Node:     ${process.version.padEnd(38)} |`);
  console.log(`| Platform: ${process.platform.padEnd(38)} |`);
  console.log(`| Arch:     ${process.arch.padEnd(38)} |`);
  console.log(`====================================================`);
  nitroApp.hooks.hook('close', async () => {
    console.log('Shutting down');
    await WireGuard.Shutdown();
@@ -1,6 +1,6 @@
 import fs from 'node:fs/promises';
 import debug from 'debug';
-import QRCode from 'qrcode';
+import { encodeQR } from 'qr';
 import type { InterfaceType } from '#db/repositories/interface/types';
 const WG_DEBUG = debug('WireGuard');
@@ -34,6 +34,8 @@ class WireGuard {
      result.push(wg.generateServerPeer(client));
    }
    result.push('');
    WG_DEBUG('Saving Config...');
    await fs.writeFile(
      `/etc/wireguard/${wgInterface.name}.conf`,
@@ -128,9 +130,10 @@ class WireGuard {
  async getClientQRCodeSVG({ clientId }: { clientId: ID }) {
    const config = await this.getClientConfiguration({ clientId });
-    return QRCode.toString(config, {
+    return encodeQR(config, 'svg', {
-      type: 'svg',
+      ecc: 'high',
-      width: 512,
+      scale: 4,
      encoding: 'byte',
    });
  }
@@ -200,6 +203,7 @@ class WireGuard {
  async cronJob() {
    const clients = await Database.clients.getAll();
    let needsSave = false;
    // Expires Feature
    for (const client of clients) {
      if (client.enabled !== true) continue;
@@ -209,6 +213,7 @@ class WireGuard {
      ) {
        WG_DEBUG(`Client ${client.id} expired.`);
        await Database.clients.toggle(client.id, false);
        needsSave = true;
      }
    }
    // One Time Link Feature
@@ -219,10 +224,13 @@ class WireGuard {
      ) {
        WG_DEBUG(`OneTimeLink for Client ${client.id} expired.`);
        await Database.oneTimeLinks.delete(client.id);
        // otl does not need wireguard sync
      }
    }
-    await this.saveConfig();
+    if (needsSave) {
      await this.saveConfig();
    }
  }
 }
@@ -1,4 +1,5 @@
 import argon2 from 'argon2';
 import { deserialize } from '@phc/format';
 /**
 * Checks if `password` matches the hash.
@@ -16,3 +17,21 @@ export function isPasswordValid(
 export async function hashPassword(password: string): Promise<string> {
  return argon2.hash(password);
 }
 /**
 * Checks if the password hash is valid.
 * This only checks if the hash is a valid PHC formatted string using argon2.
 */
 export function isValidPasswordHash(hash: string): boolean {
  try {
    const obj = deserialize(hash);
    if (obj.id !== 'argon2i' && obj.id !== 'argon2d' && obj.id !== 'argon2id') {
      return false;
    }
    return true;
  } catch {
    return false;
  }
 }
@@ -147,3 +147,10 @@ export function validateZod<T>(
    }
  };
 }
 /**
 * exhaustive check
 */
 export function assertUnreachable(_: never): never {
  throw new Error("Didn't expect to get here");
 }
@@ -13,11 +13,16 @@ export const wg = {
      ...(client.serverAllowedIps ?? []),
    ];
    const extraLines = [];
    if (client.serverEndpoint) {
      extraLines.push(`Endpoint = ${client.serverEndpoint}`);
    }
    return `# Client: ${client.name} (${client.id})
 [Peer]
 PublicKey = ${client.publicKey}
 PresharedKey = ${client.preSharedKey}
-AllowedIPs = ${allowedIps.join(', ')}`;
+AllowedIPs = ${allowedIps.join(', ')}${extraLines.length ? `\n${extraLines.join('\n')}` : ''}`;
  },
  generateServerInterface: (wgInterface: InterfaceType, hooks: HooksType) => {
Author	SHA1	Message	Date
Bernd Storath	3ef258a28a	Bump version to 15.0.0-beta.12	2025-04-11 23:35:51 +02:00
Bernd Storath	ff783fd4d1	Feat: Improve Docs (#1791 ) * improve docs * preplan guides * fix spelling * fix nftables rules * consistent wg-easy code block * fix grammar	2025-04-11 23:25:58 +02:00
Bernd Storath	65aa067100	update packages	2025-04-11 22:46:03 +02:00
Edgars	48e6949a4d	Update `docker-run.md` (#1804 ) Small fixes were made to: - adjust indentation for the first line in code blocks; - fix backticks; - make the URL interactive.	2025-04-09 11:25:30 +02:00
Bernd Storath	9ebf2c1d33	chore: disable latest tag for docker so old installations wont break until v15 is stable enough	2025-04-02 09:32:52 +02:00
Bernd Storath	d0f85316a6	chore: delete changelog from docs	2025-04-02 09:20:18 +02:00
Bernd Storath	ff9fd553c5	Fix: sync / rekey issue (#1789 ) only sync if needed	2025-04-02 08:49:04 +02:00
Bernd Storath	e92ee0464e	Feat: Server Endpoint (#1785 ) * add server endpoint to client * be able to update endpoint over api	2025-04-01 16:13:51 +02:00
Bernd Storath	9df049d3f4	Feat: startup info (#1784 ) add startup info	2025-04-01 15:18:13 +02:00
Bernd Storath	32b73b850a	Feat: 2fa (#1783 ) * preplan otp, better qrcode library * add 2fa as feature * add totp generation * working totp lifecycle * don't allow disabled user to log in not a security issue as permission handler would fail anyway * require 2fa on login if enabled * update packages * fix typo * remove console.logs	2025-04-01 14:43:48 +02:00
Bernd Storath	1c7f64ebd5	Bump version to 15.0.0-beta.11	2025-03-31 10:32:27 +02:00
Bernd Storath	589ec1fe9a	Feat: Show insecure warning (#1779 ) show insecure warning	2025-03-31 10:29:22 +02:00
Bernd Storath	6e0d758e36	Feat: Hash metrics password (#1778 ) hash the metrics password if it is not already hashed	2025-03-31 09:58:02 +02:00
Pokydko Oleksandr	940edb2b0c	Improvements to username and password validations (#1745 ) * Fix: Improve special character regex (#1744) * update password special character regex to support ( `-` `_` `=` `+` `[` `]` `;` `'` `\` `/` ) * Fix: Allow usernames starting from 2 characters (#1744) * update username validation to support short usernames starting from 2 characters * remove char validation altogether --------- Co-authored-by: Bernd Storath <999999bst@gmail.com>	2025-03-31 08:58:24 +02:00
Bernd Storath	d51f12a82f	update packages	2025-03-31 07:51:21 +02:00
Bernd Storath	4a3747fa12	update packages	2025-03-24 07:53:02 +01:00
Bernd Storath	499fb096b6	Fix: button triggering form (#1750 ) prevent button from triggering form	2025-03-19 11:50:48 +01:00
Bernd Storath	c5c3a65bbf	Fix: slow suggest Host Address (#1746 ) load on client instead of block	2025-03-17 14:28:03 +01:00
Bernd Storath	c133446f9c	Bump version to 15.0.0-beta.10	2025-03-14 14:28:12 +01:00
Bernd Storath	e8b3e54228	fix libsql bundling issue	2025-03-14 14:26:08 +01:00