nettica-com/nettica-admin

Nettica Admin

A WireGuard control plane

A control plane for WireGuard.

Requirements

  • OIDC compliant OAuth2 implementation
  • MongoDB
  • Mail Server credentials for sending outgoing email
  • golang
  • nginx
  • NodeJS / Vue 2

Features

  • Self-hosted and web-based management of WireGuard networks
  • Networks define the configuration of the hosts in the network
  • Invite people to a network by email
  • Authenticate them with OAuth2
  • Generation of configuration files on demand
  • User authentication (OAuth2 OIDC)
  • Fully configure all aspects of your VPN
  • Manage hosts remotely
  • Simple
  • Lightweight
  • Secure

Running

These instructions are for running Nettica VPN Server on an Ubuntu 22.04 server. Adjust as necessary. This server can run inside the Windows Subsystem for Linux (WSL2) with the Ubuntu 22.04 VM. A simple setup uses approximately 1.2 GB of memory.

Install dependencies

Download and Install Golang

Clone the Project

# These instructions assume your username is "user" and you are building and running the service out of /home/user/go/src/nettica-admin
# Adjust as necessary
go version
mkdir -p ~/go/src
cd ~/go/src
git clone https://github.com/nettica-com/nettica-admin

Install MongoDB (Ubuntu 22.04 instructions):

sudo apt-get update
sudo apt-get install gnupg curl
curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | \
   sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg \
   --dearmor
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/8.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-8.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

sudo systemctl daemon-reload
sudo systemctl start mongod
sudo systemctl enable mongod

Install nginx, certbot:

sudo apt install nginx certbot python3-certbot-nginx

sudo systemctl enable nginx
sudo systemctl start nginx

Example NGINX Config:

sudo nano /etc/nginx/sites-enabled/nettica.example.com
server {

    server_name nettica.example.com;

    root /home/user/go/src/nettica-admin/ui/dist;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /api/ {
        # app2 reverse proxy settings follow
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host localhost;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}

Example .env file:

sudo nano ~/go/src/nettica-admin/.env
SERVER=https://nettica.example.com
# This file goes in the root of your nettica-admin directory.

# IP address to listen to
LISTEN_ADDR=0.0.0.0
# port to bind
PORT=8080
# Gin framework release mode
GIN_MODE=release

# SMTP settings to send email to clients
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USERNAME=apikey
SMTP_PASSWORD=...
SMTP_FROM=Nettica <[email protected]>

# MONGO settings
MONGODB_CONNECTION_STRING=mongodb://127.0.0.1:27017

# Google Workspace example
#OAUTH2_PROVIDER_NAME=google
#OAUTH2_PROVIDER=https://accounts.google.com
#OAUTH2_PROVIDER_URL=accounts.google.com
#OAUTH2_CLIENT_ID=...
#OAUTH2_CLIENT_SECRET=...
#OAUTH2_REDIRECT_URL=https://nettica.example.com
#OAUTH2_LOGOUT_URL=https://www.google.com/accounts/Logout
#OAUTH2_AGENT_PROVIDER=https://accounts.google.com
#OAUTH2_AGENT_CLIENT_ID=same....
#OAUTH2_AGENT_CLIENT_SECRET=same...
#OAUTH2_AGENT_REDIRECT_URL=com.nettica.agent://callback/agent
#OAUTH2_AGENT_LOGOUT_URL=https://www.google.com/accounts/Logout

# Microsoft Entra ID example
#OAUTH2_PROVIDER_NAME=microsoft2
#OAUTH2_PROVIDER=https://login.microsoftonline.com/common/v2.0
#OAUTH2_CLIENT_ID=...
#OAUTH2_CLIENT_SECRET=...
#OAUTH2_REDIRECT_URL=https://nettica.example.com
#OAUTH2_TENET=...
#OAUTH2_LOGOUT_URL=https://login.microsoftonline.com/{tenet}/oauth2/v2.0/logout
#OAUTH2_AGENT_PROVIDER=https://login.microsoftonline.com/common/v2.0
#OAUTH2_AGENT_CLIENT_ID=...
#OAUTH2_AGENT_CLIENT_SECRET=...
#OAUTH2_AGENT_REDIRECT_URL=https://nettica.example.com
#OAUTH2_AGENT_LOGOUT_URL=https://login.microsoftonline.com/{tenet}/oauth2/v2.0/logout


# valid settings: oauth2oidc, google, microsoft2, basic, fake

# Basic auth is a first class citizen compatible with all the apps.  Login with the shadow file defined username/pass.
# If the SERVER variable above is set to, for example, nettica.example.com, it will log you in as [email protected],
# removing the first label.  During login if you add a domain, such as [email protected], it will remove that
# domain to validate the user, but preserve it for user creation, allowing for easy testing and evaluation of the product.

# Basic auth requires these two variables set:
OAUTH2_AGENT_REDIRECT_URL=com.nettica.agent://callback/agent
OAUTH2_PROVIDER_NAME=basic
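
An added example, not part of the nettica-admin project: a small shell audit of the .env file above that flags a secrets file readable by group or other, a LISTEN_ADDR that is not loopback even though nginx proxies to 127.0.0.1:8080, the fake provider, and non-HTTPS SERVER or OAUTH2_REDIRECT_URL values. The function names env_get and audit_env are hypothetical, and treating fake as a test-only provider is an assumption drawn from its name.

```shell
#!/usr/bin/env bash
# Added example, not part of nettica-admin: audit a .env like the one above.

# env_get FILE KEY: print the last uncommented value assigned to KEY.
env_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# audit_env FILE: print one WARN line per finding, nothing when clean.
audit_env() {
    local f="$1" mode addr key
    # The file holds SMTP_PASSWORD and OAUTH2_CLIENT_SECRET: owner-only access.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "WARN perms: mode $mode lets group/other read secrets; use chmod 600"
    fi
    # The nginx config proxies to 127.0.0.1:8080, so loopback is sufficient.
    addr=$(env_get "$f" LISTEN_ADDR)
    case $addr in
        127.0.0.1|localhost|::1) ;;
        *) echo "WARN listen: LISTEN_ADDR='$addr' is not loopback; port" \
                "$(env_get "$f" PORT) is exposed past nginx unless firewalled" ;;
    esac
    # Assumption: "fake" is a test-only provider (inferred from its name only).
    if [ "$(env_get "$f" OAUTH2_PROVIDER_NAME)" = fake ]; then
        echo "WARN auth: OAUTH2_PROVIDER_NAME=fake should not reach production"
    fi
    # Browser-facing URLs carry OAuth2 codes and session tokens: require https.
    for key in SERVER OAUTH2_REDIRECT_URL; do
        case $(env_get "$f" "$key") in
            http://*) echo "WARN tls: $key uses http://" ;;
        esac
    done
    return 0
}

# Constructed sample mirroring the page's example .env (placeholder secret).
sample=$(mktemp)
cat > "$sample" <<'EOF'
SERVER=https://nettica.example.com
LISTEN_ADDR=0.0.0.0
PORT=8080
SMTP_PASSWORD=placeholder
OAUTH2_PROVIDER_NAME=basic
EOF
chmod 644 "$sample"
audit_env "$sample"
rm -f "$sample"
```

Run it against the real file with `audit_env ~/go/src/nettica-admin/.env` after sourcing the functions; no output means none of the four conditions were found.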

Create a systemd service for the API:

sudo nano /lib/systemd/system/nettica-api.service
[Unit]
Description=Nettica API
ConditionPathExists=/home/user/go/src/nettica-admin/cmd/nettica-api
After=network.target

[Service]
Type=simple
User=root
Group=root
LimitNOFILE=1024000

Restart=on-failure
RestartSec=10
#startLimitIntervalSec=60

WorkingDirectory=/home/user/go/src/nettica-admin/
ExecStart=/home/user/go/src/nettica-admin/cmd/nettica-api/nettica-api

# make sure log directory exists and owned by syslog
PermissionsStartOnly=true
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=nettica-api

[Install]
WantedBy=multi-user.target

Ctrl-X, Y to save

Build the API

cd ~/go/src/nettica-admin/cmd/nettica-api
go build

Enable the service:

sudo systemctl enable nettica-api
sudo systemctl start nettica-api

Install NodeJS using NVM

wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash
source ~/.bashrc
nvm install 18
nvm use 18

Build the frontend

cd /home/user/go/src/nettica-admin/ui
cp env.json.sample env.json
npm install
npm run build

With the given nginx config, you should now be able to use your website. Don't forget to obtain a certificate using certbot.

Run Certbot

sudo certbot

Need Help

mailto:[email protected]

License

  • Released under MIT License

WireGuard® is a registered trademark of Jason A. Donenfeld.
