Install Wireguard-UI with Nginx Proxy


Introduction

Wireguard-UI is a web interface for managing Wireguard VPN connections.

Prerequisites

  • You have a hosting.fr Cloud server with a valid DNS entry, for example demo.mustermann-domain.fr.
  • A privileged shell on the system.

Configuration

Wireguard-UI can be installed both via Docker and directly. Since a VPN server should be as simple as possible to minimize complexity and attack surface, we will use the direct variant here. Additionally, an nginx web server ensures secure TLS (Let’s Encrypt) connections to the web interface.

Info: At the time of writing this article, the latest version of Wireguard UI is about a year old. If this project is no longer actively maintained, access to the web interface must be additionally secured (e.g., with basic authentication via the nginx web server).

Preparations

Wireguard-UI must run as a separate user, so we need a new system user.

adduser wireguard-ui --system --group  --home /opt/wireguard-ui

Install Wireguard

To use Wireguard, the necessary tools must first be installed.

apt update
apt install wireguard-tools

Install Wireguard-UI

Wireguard-UI is now downloaded from GitHub and unpacked. Make sure to download the latest version.

cd /opt/wireguard-ui
wget https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.6.2/wireguard-ui-v0.6.2-linux-amd64.tar.gz
tar -xvf wireguard-ui-v0.6.2-linux-amd64.tar.gz
rm wireguard-ui-v0.6.2-linux-amd64.tar.gz
chown wireguard-ui:wireguard-ui wireguard-ui

Now, Wireguard-UI must be granted the right to modify the Wireguard configuration file /etc/wireguard/wg0.conf:

chgrp -R wireguard-ui /etc/wireguard/
chmod g+x /etc/wireguard/
chmod g+rw /etc/wireguard/wg0.conf

A Systemd unit file for Wireguard-UI is now created. For this, we create the file /etc/systemd/system/wireguard-ui.service with the following content:

[Unit]
Description=A web interface for configuring wireguard
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=exec
ExecStart=/opt/wireguard-ui/wireguard-ui -bind-address 127.0.0.1:8001
WorkingDirectory=/opt/wireguard-ui/
User=wireguard-ui
Group=wireguard-ui

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectSystem=strict
ProtectHome=yes
MemoryDenyWriteExecute=yes

ReadWritePaths=/etc/wireguard/wg0.conf
ReadWritePaths=/run /opt/wireguard-ui/db

[Install]
WantedBy=multi-user.target

Update the Systemd configuration and start the service.

systemctl daemon-reload
systemctl enable wireguard-ui.service
systemctl start wireguard-ui.service

A check with systemctl status wireguard-ui.service should now produce output similar to the following.

● wireguard-ui.service - A web interface for configuring wireguard
     Loaded: loaded (/etc/systemd/system/wireguard-ui.service; disabled; preset: enabled)
     Active: active (running) since Fri 2025-01-24 23:34:31 UTC; 3s ago
   Main PID: 154486 (wireguard-ui)
      Tasks: 8 (limit: 38467)
     Memory: 10.3M
        CPU: 92ms
     CGroup: /system.slice/wireguard-ui.service
             └─154486 /opt/wireguard-ui/wireguard-ui -bind-address 127.0.0.1:8001
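
At this stage the interface still accepts the default admin login, so it is worth confirming that it is reachable only via loopback and that wg0.conf is not accessible to other users. The script below is an added example, not part of the original article or the Wireguard-UI project; its function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Port 8001 and the wg0.conf
# path are the ones used in this article.

# Constructed samples of `ss -Hltn` output (not captured from a real host).
SAMPLE_GOOD='LISTEN 0 4096 127.0.0.1:8001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 4096 *:8001 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Reads `ss -Hltn` output on stdin. Prints each listener on port $1 that is
# not bound to a loopback address and returns 1 if any was found.
nonlocal_listeners() {
    awk -v port="$1" '
        {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host !~ /^127\./ && host != "[::1]") { print addr; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Returns 0 when the file grants no permissions to "other". wg0.conf holds
# the server private key, so only its owner and the wireguard-ui group
# should have access.
no_world_access() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        *0) return 0 ;;
        *)  echo "$1 has mode $mode: accessible to other users"; return 1 ;;
    esac
}

# Live check on the server: run this script as root with --live.
audit_wgui() {
    ss -Hltn | nonlocal_listeners 8001 || echo "port 8001 is exposed beyond loopback"
    no_world_access /etc/wireguard/wg0.conf
}
if [ "${1:-}" = "--live" ]; then audit_wgui; fi
```

`systemd-analyze security wireguard-ui.service` additionally reports which of the sandboxing options from the unit file above are in effect.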

Change the Wireguard-UI Admin Password

The web interface for configuring Wireguard is now started and accessible via localhost. For security reasons, it is advisable to change the admin password before the service is publicly accessible. For this, we will establish a new SSH connection with ssh -L 127.0.0.1:8001:127.0.0.1:8001 root@demo.mustermann-domain.fr. Then you can access the interface in the browser at http://127.0.0.1:8001. Log in with admin:admin and click on Administrator: admin at the top left to change the password.

Configure Systemd for Wireguard-UI Interaction with Wireguard

For now, Wireguard-UI can modify the configuration file /etc/wireguard/wg0.conf, but the changes are not yet taken into account by Wireguard. For this, Wireguard must be automatically restarted as needed.

Create the file /etc/systemd/system/wgui-update.service with the following content:

[Unit]
Description=Restart WireGuard
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service

[Install]
RequiredBy=wgui-update.path

Create the file /etc/systemd/system/wgui-update.path with the following content:

[Unit]
Description=Monitor /etc/wireguard/wg0.conf for changes

[Path]
PathModified=/etc/wireguard/wg0.conf

[Install]
WantedBy=multi-user.target

Then reload Systemd and enable and start the two wgui-update units:

systemctl daemon-reload
systemctl enable wgui-update.{path,service}
systemctl start wgui-update.{path,service}

Firewall and Routing

For connections via Wireguard to Internet targets to work, forwarding must be enabled. To redirect only Wireguard traffic, appropriate iptables rules must be configured.

Modify the file /etc/network/interfaces as follows (add the pre-up lines):

auto lo
iface lo inet loopback

auto enx<mac>
iface enx<mac> inet static
    address <IP>
    gateway <GW>
    pre-up /usr/sbin/iptables -P FORWARD DROP

iface enx<mac> inet6 static
    address <IP6>
    gateway <GW6>
    pre-up /usr/sbin/ip6tables -P FORWARD DROP

Create the file /etc/sysctl.d/99-forward.conf with the following content:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

In the Wireguard-UI interface, appropriate iptables rules must now be configured. In the web interface, click on “Wireguard Server” in the main menu. Under the Post Up script, enter the following:

/usr/sbin/iptables -A FORWARD -i wg0 -j ACCEPT && /usr/sbin/iptables -A FORWARD -o wg0 -j ACCEPT && /usr/sbin/iptables -t nat -A POSTROUTING -o <interfacename> -j MASQUERADE && /usr/sbin/ip6tables -A FORWARD -i wg0 -j ACCEPT && /usr/sbin/ip6tables -A FORWARD -o wg0 -j ACCEPT && /usr/sbin/ip6tables -t nat -A POSTROUTING -o <interfacename> -j MASQUERADE

Under the Post Down script, enter the following:

/usr/sbin/iptables -D FORWARD -i wg0 -j ACCEPT && /usr/sbin/iptables -D FORWARD -o wg0 -j ACCEPT && /usr/sbin/iptables -t nat -D POSTROUTING -o <interfacename> -j MASQUERADE && /usr/sbin/ip6tables -D FORWARD -i wg0 -j ACCEPT && /usr/sbin/ip6tables -D FORWARD -o wg0 -j ACCEPT && /usr/sbin/ip6tables -t nat -D POSTROUTING -o <interfacename> -j MASQUERADE

<interfacename> is the name of the network interface (configured in /etc/network/interfaces). The name can be checked, for example, with ip route list default.

Optionally, in Global Settings -> DNS Servers, you can enter the resolvers of the Wireguard server. For hosting.fr, they are 95.129.51.51 and 80.244.244.244.

Finally, enable the Wireguard connection in Systemd:

systemctl enable wg-quick@wg0.service

Install Nginx

If the web interface is to be accessible via the Internet, Nginx must be installed and adapted. Install Nginx with Let’s Encrypt certificates first.

Create the Nginx configuration for Wireguard-UI. For this, the file /etc/nginx/sites-enabled/demo.mustermann-domain.fr must be modified:

server {
    server_name demo.mustermann-domain.fr;

    include snippets/mozilla-modern.conf;
    . . .

    # allow uploading large files
    client_max_body_size 50000M;

    # Set headers
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # set the timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://127.0.0.1:8001;
    }
}

Then check the validity of the Nginx configuration with nginx -t and restart the web server (systemctl restart nginx.service). The web interface and the Wireguard server are now accessible via the configured domain (e.g., demo.mustermann-domain.fr).
