VPN UI implementation on NS8


A bit off topic from the original question, but I have very good results with wg-easy.


Docker-based :wink:

Maybe we can have this topic split into a new post.

I looked into WG-Easy in more detail to see whether it would be possible to implement a VPN app in NS8.

It's technically doable. I am not sure how much work needs to be put in for base-level functions and to get it working with the built-in host IP ranges etc.

Also, I have not really played with wg-easy that much; I would be happy to collaborate (expect very many questions).
That is, if the core dev team will not, and is never considering a VPN app at all.

@mz05er Have you worked with Tailscale and the like? Or even Headscale?

Headscale is the open-source control server.
@stephdl if the 3 of us dedicate some 3 hours max, I think we can have a viable VPN app ready, don't you think?

What I liked with wg-easy is that you can install only the UI inside a container and probably, I said probably, use the UI to control the local WireGuard that is not inside a container.

But this is a plan that also needs us to be able to block resources like cluster-admin or any web application, else it will serve nothing.

So, for security reasons, to have this implemented, we need to have the functionality for blocking access implemented first.

This is considering that the implementation might make use of the pre-implemented WireGuard for control, is that so?

Hi, I agree to split this, I just don't know how :grin:. Open another topic?
BTW I have WG-Easy up and running as podman, I just don't know how to wrap this in an app.

Sorry but no.

Do you want to build apps for NethServer?
A good place to start:

Home | NS8 dev manual (nethserver.github.io)

Everything begins here: NethServer/ns8-kickstart: NethServer 8 module template (github.com)

@stephdl made some improvements to the same.

To get started much quicker:
for MariaDB-based systems stephdl/ns8-kickstart-mariadb: NethServer 8 module template (github.com)

for PostgreSQL-based systems stephdl/ns8-kickstart-postgresql (github.com)

and there are tons of example apps on my repo, and on the NethServer repo as well.


I'm willing to learn, but I have to admit that I do not understand what to do :man_facepalming:
What I can do is provide a VPS for testing if needed and of course share what I have. I do own a domain, so it would be possible to play around with DNS etc.

What i did so far:

  1. firewall-cmd --permanent --add-port=51822/udp
  2. Create Folder: mkdir -p /root/.wg-easy
  3. modprobe ip_tables
  4. modprobe iptable_filter
  5. modprobe iptable_nat
  6. modprobe wireguard

I'm not sure that all of 3 - 5 are needed. This has to be checked.

  7. run podman with:
podman run -d \
  --name=wg-easy \
  -e WG_HOST=*ip_or_FQDN* \
  -e PASSWORD=*a_strong_password_for_login_to_admin_interface* \
  -e WG_PORT=51822 \
  -e UI_TRAFFIC_STATS=true \
  -e WG_PERSISTENT_KEEPALIVE=25 \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51822:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --cap-add=NET_RAW \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

Replace the values marked with *...*.

  8. create an HTTP route with (sorry, in German)

  9. open https://your_ip_or_FQDN and log in with the "PASSWORD" from point 7.

Further details can be found here: WG-Easy GitHub
and here: WG-Easy with Podman

@mz05er it's not just podman, there are a few concepts to be taken into consideration when trying to run containers in NethServer.

Have you taken a look at this?

NS8-Generic Containers-: Install Uptime-kuma - Howto - NethServer Community

An example of just running containers in NethServer 8, without building the app for NS8 first.

Is it also possible to kindly change the language prior to taking screenshots of your setup? It would make a world of difference to non-German speakers like myself.

As a quick tip, you could use the Google "Lens" app (available on both Android and Apple) to auto-translate everything you point your camera at. Just a quick remedy to get things going :wink:

Of course, my apologies.
Here you go

[root@r3-pve wg-easy]# cat /etc/wireguard/wg0.json 
{
  "server": {
    "privateKey": "KEHHLV5bcNarl7fANSd0/OJCrSg0a8t+jscWs4BTgVE=",
    "publicKey": "rxll5FzsUh301Am1Bz1A5t+hkroNj4x+4rps+SKC3EY=",
    "address": "10.8.0.1"
  },
  "clients": {
    "c2c147ff-1c42-4dc8-8f03-a235a685f085": {
      "id": "c2c147ff-1c42-4dc8-8f03-a235a685f085",
      "name": "stephdl",
      "address": "10.8.0.2",
      "privateKey": "iJSqH3bNy7QPtUxAmtOwUZKfQ7ZpNcSITu6hIWISyFc=",
      "publicKey": "pQdn53aKiVPawDS3fOEmiEajHLeIpQ2AoZlYIDbfsAE=",
      "preSharedKey": "iCT7Jdq/BRjFFqFglu/n6v+1c1p2er5UlpzLmMK64LA=",
      "createdAt": "2024-03-07T14:42:12.569Z",
      "updatedAt": "2024-03-07T14:42:12.569Z",
      "enabled": true
    }
  }
}
[root@r3-pve wg-easy]# cat /etc/wireguard/wg0.conf 

# Note: Do not edit this file directly.
# Your changes will be overwritten!

# Server
[Interface]
PrivateKey = KEHHLV5bcNarl7fANSd0/OJCrSg0a8t+jscWs4BTgVE=
Address = 10.8.0.1/24
ListenPort = 51820
PreUp = 
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens18 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; 
PreDown = 
PostDown = 


# Client: stephdl (c2c147ff-1c42-4dc8-8f03-a235a685f085)
[Peer]
PublicKey = pQdn53aKiVPawDS3fOEmiEajHLeIpQ2AoZlYIDbfsAE=
PresharedKey = iCT7Jdq/BRjFFqFglu/n6v+1c1p2er5UlpzLmMK64LA=
AllowedIPs = 10.8.0.2/32

I think we need to run it inside a container; we could break the first wg0.conf. What you see is only the UI that I tweaked to run it.
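wg-easy keeps its state in wg0.json and regenerates wg0.conf from it (the header in the dump above says not to edit the conf by hand). The following is an added example, not code from wg-easy, NS8 or anyone in this thread, that renders a server wg0.conf and one client's config from a JSON file in that layout and validates the addresses first. The sample JSON and every key string are constructed placeholders (not valid WireGuard keys and not the keys posted above); the endpoint host vpn.example.org, the WAN interface name ens18, the DNS server and the AllowedIPs/keepalive values in the client config are assumptions for illustration. The port split mirrors the podman command earlier in the thread: the in-container ListenPort stays 51820 while clients get the host-published port (WG_PORT) in their Endpoint.

```python
import ipaddress
import json

# Constructed sample in wg-easy's wg0.json layout (same fields as the dump in the
# thread). Key values are dummy placeholders, not real Curve25519 keys and not the
# keys posted in the thread.
SAMPLE_WG0_JSON = json.dumps({
    "server": {
        "privateKey": "SERVER_PRIVATE_KEY_PLACEHOLDER=",
        "publicKey": "SERVER_PUBLIC_KEY_PLACEHOLDER=",
        "address": "10.8.0.1",
    },
    "clients": {
        "11111111-1111-4111-8111-111111111111": {
            "id": "11111111-1111-4111-8111-111111111111",
            "name": "alice",
            "address": "10.8.0.2",
            "privateKey": "ALICE_PRIVATE_KEY_PLACEHOLDER=",
            "publicKey": "ALICE_PUBLIC_KEY_PLACEHOLDER=",
            "preSharedKey": "ALICE_PSK_PLACEHOLDER=",
            "enabled": True,
        },
        "22222222-2222-4222-8222-222222222222": {
            "id": "22222222-2222-4222-8222-222222222222",
            "name": "bob",
            "address": "10.8.0.3",
            "privateKey": "BOB_PRIVATE_KEY_PLACEHOLDER=",
            "publicKey": "BOB_PUBLIC_KEY_PLACEHOLDER=",
            "preSharedKey": "BOB_PSK_PLACEHOLDER=",
            "enabled": False,   # disabled peers are left out of wg0.conf
        },
    },
})


def validate_addresses(cfg, prefix=24):
    """Every client must sit inside the server subnet and no address may repeat."""
    net = ipaddress.ip_network(f"{cfg['server']['address']}/{prefix}", strict=False)
    seen = {ipaddress.ip_address(cfg["server"]["address"])}
    for client in cfg["clients"].values():
        addr = ipaddress.ip_address(client["address"])
        if addr not in net:
            raise ValueError(f"client {client['name']} address {addr} is outside {net}")
        if addr in seen:
            raise ValueError(f"duplicate address {addr} for client {client['name']}")
        seen.add(addr)
    return net


def load_wg0(text, prefix=24):
    """Parse wg0.json text and sanity-check it before rendering anything."""
    cfg = json.loads(text)
    validate_addresses(cfg, prefix)
    return cfg


def render_server_conf(cfg, listen_port=51820, wan_if="ens18", prefix=24):
    """Server-side wg0.conf in the layout wg-easy writes (disabled peers omitted)."""
    srv = cfg["server"]
    net = validate_addresses(cfg, prefix)
    # Same rules as the thread's dump: NAT the VPN subnet out of the WAN interface
    # and accept all traffic in both directions on wg0. There is no per-peer
    # restriction here, which is the access-control gap discussed in the thread.
    post_up = "; ".join([
        f"iptables -t nat -A POSTROUTING -s {net} -o {wan_if} -j MASQUERADE",
        f"iptables -A INPUT -p udp -m udp --dport {listen_port} -j ACCEPT",
        "iptables -A FORWARD -i wg0 -j ACCEPT",
        "iptables -A FORWARD -o wg0 -j ACCEPT",
    ])
    lines = [
        "# Note: Do not edit this file directly.",
        "# Server",
        "[Interface]",
        f"PrivateKey = {srv['privateKey']}",
        f"Address = {srv['address']}/{prefix}",
        f"ListenPort = {listen_port}",
        f"PostUp = {post_up}",
        "",
    ]
    for client in cfg["clients"].values():
        if not client["enabled"]:
            continue
        lines += [
            f"# Client: {client['name']} ({client['id']})",
            "[Peer]",
            f"PublicKey = {client['publicKey']}",
            f"PresharedKey = {client['preSharedKey']}",
            f"AllowedIPs = {client['address']}/32",   # one host route per peer
            "",
        ]
    return "\n".join(lines)


def render_client_conf(cfg, client_id, endpoint_host, endpoint_port,
                       dns="1.1.1.1", keepalive=25, prefix=24):
    """Config handed to one peer; endpoint_port is the host-published port (WG_PORT)."""
    srv = cfg["server"]
    client = cfg["clients"][client_id]
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client['privateKey']}",
        f"Address = {client['address']}/{prefix}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {srv['publicKey']}",
        f"PresharedKey = {client['preSharedKey']}",
        "AllowedIPs = 0.0.0.0/0, ::/0",   # full tunnel (assumed default)
        f"PersistentKeepalive = {keepalive}",
        f"Endpoint = {endpoint_host}:{endpoint_port}",
        "",
    ])


if __name__ == "__main__":
    cfg = load_wg0(SAMPLE_WG0_JSON)
    print(render_server_conf(cfg, listen_port=51820, wan_if="ens18"))
    print(render_client_conf(cfg, "11111111-1111-4111-8111-111111111111",
                             "vpn.example.org", 51822))
```

The server side listens on 51820 inside the container while the client Endpoint carries 51822, the port published on the host; if the two are not kept in step (WG_PORT versus the `-p` mapping) clients will be handed a config that points at a closed port. The FORWARD rules are rendered exactly as wg-easy writes them, so any peer can reach anything the host can route to; that is the reason blocking access to cluster-admin and the other web applications comes first in the plan above.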

Interesting.

Could it be made to make use of TUN devices | NS8 dev manual (nethserver.github.io)

available in NS8 to create a new interface?
Or is that not necessary?

Would the scratchpad method be feasible?

I don’t think a new interface is needed when it runs in a container.

What I meant is, if you have followed the running generic containers Howto:

What happens right now if you reboot your server? Are you still able to log in to your wg-easy instance @mz05er, or do you have to repeat the process?

not --permanent

True, it should be --permanent.

The container is not starting.
Step 7 has to be repeated, nothing else.
I guess it could be auto-started with something like "podman generate systemd --new --files --name wg-easy".
But this is maybe the wrong way if the goal is to have it as an app.