provvedo/wiregui
2
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages 1 Wiki Activity Actions
Firezone Inspired Wireguard VPN Server written in Python with Nicegui framework
40 commits 3 branches 8 tags 1.5 MiB
Find a file
Stefano Bertelli a06ce9e156
Some checks failed
Dev / test (push) Failing after 46s
Details
Dev / docker (push) Has been skipped
Details
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines 
- Add valkey and mock-oidc services to both release and dev workflows
- Install Playwright with Chromium deps for headless e2e tests
- Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI
- Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var
- Add full test job (unit + e2e) to dev pipeline before Docker build
2026-03-31 14:48:27 -05:00
.forgejo/workflows fix: add Playwright, Valkey, and mock-OIDC to CI pipelines 2026-03-31 14:48:27 -05:00
alembic feat: firewall policy switches and nftables troubleshooting 2026-03-31 00:00:21 -05:00
tests fix: add Playwright, Valkey, and mock-OIDC to CI pipelines 2026-03-31 14:48:27 -05:00
wiregui feat: fix OIDC auth flow, improve config dialogs, add mock IdP 2026-03-31 14:28:34 -05:00
.dockerignore feat: initial WireGUI implementation — full VPN management platform 2026-03-30 16:53:46 -05:00
.gitignore feat: redesign account page — compact Firezone-style layout 2026-03-30 18:47:07 -05:00
.python-version feat: initial WireGUI implementation — full VPN management platform 2026-03-30 16:53:46 -05:00
alembic.ini feat: initial WireGUI implementation — full VPN management platform 2026-03-30 16:53:46 -05:00
CLAUDE.md feat: UI modernization — Manrope font, dark/light theme, card-based layouts 2026-03-30 21:40:29 -05:00
compose.prod.yml fix: CI runner containers for Forgejo actions 2026-03-30 18:22:42 -05:00
compose.yml feat: fix OIDC auth flow, improve config dialogs, add mock IdP 2026-03-31 14:28:34 -05:00
Dockerfile feat: initial WireGUI implementation — full VPN management platform 2026-03-30 16:53:46 -05:00
LICENSE chore: add AGPL-3.0 license and README 2026-03-30 22:45:10 -05:00
pyproject.toml feat: IdP provisioning from YAML file + Playwright e2e tests 2026-03-31 14:23:31 -05:00
README.md feat: IdP provisioning from YAML file + Playwright e2e tests 2026-03-31 14:23:31 -05:00
TODO.md Merge remote-tracking branch 'refs/remotes/origin/dev' 2026-03-31 14:26:44 -05:00
uv.lock feat: IdP provisioning from YAML file + Playwright e2e tests 2026-03-31 14:23:31 -05:00

README.md

WireGUI

A self-hosted WireGuard VPN management platform built with Python, NiceGUI, and PostgreSQL.

WireGUI gives you a clean web interface for managing WireGuard peers, firewall rules, and user authentication -- without depending on any third-party cloud service. It's designed for teams and individuals who want full control over their VPN infrastructure.

Against enshittification

This project exists because we believe infrastructure software should serve its users, not its investors. Too many open-source VPN tools have been enshittified -- features locked behind paid tiers, telemetry quietly added, self-hosting made deliberately painful to push you toward a managed offering.

WireGUI is AGPL-licensed specifically to prevent this. If you run it, you own it. If you modify it and offer it as a service, you share the source. No bait-and-switch, no open-core grift, no "community edition" that mysteriously lacks the features you actually need.

Software that manages your network traffic should be fully transparent and fully yours.

Features

  • WireGuard management -- create/delete peers, automatic IP allocation (IPv4 + IPv6), QR codes and .conf downloads
  • Firewall rules -- per-user nftables chains with CIDR, protocol, and port range support
  • Multi-factor auth -- TOTP authenticator apps and WebAuthn security keys
  • SSO -- OpenID Connect and SAML identity providers with auto-provisioning
  • Magic links -- passwordless email login
  • API tokens -- programmatic access via REST API (/api/v0)
  • Dark/light theme -- user preference stored in profile, auto mode follows system
  • VPN session management -- configurable session duration with automatic peer expiry
  • Real-time stats -- live RX/TX counters and handshake tracking
  • Diagnostics -- WAN connectivity checks, peer status, system notifications

Tech stack

Layer Technology
UI NiceGUI (reactive server-side, WebSocket)
API FastAPI (built into NiceGUI)
ORM SQLModel (SQLAlchemy + Pydantic)
Database PostgreSQL (asyncpg)
Cache Valkey (Redis-compatible)
Migrations Alembic
Auth authlib, python-jose, pyotp, webauthn, bcrypt
VPN WireGuard (wg + ip CLI)
Firewall nftables (nft CLI)
Python 3.13+

Quick start

# Clone and install
git clone https://forge.provvedo.com/provvedo/wiregui.git
cd wiregui
uv sync

# Start PostgreSQL and Valkey
docker compose up -d

# Run migrations and start
alembic upgrade head
uv run python -m wiregui.main

Open http://localhost:13000 -- an admin account is created automatically on first run (check the logs for the generated password).

Production deployment

# Docker Compose (recommended)
docker compose -f compose.prod.yml up -d

The container runs migrations on startup, manages the WireGuard interface, and requires NET_ADMIN + SYS_MODULE capabilities. See compose.prod.yml for the full configuration including environment variables.

Environment variables

All settings use the WG_ prefix:

Variable Default Description
WG_DATABASE_URL postgresql+asyncpg://wiregui:wiregui@localhost/wiregui PostgreSQL connection
WG_REDIS_URL redis://localhost:6379/0 Valkey/Redis connection
WG_SECRET_KEY change-me-in-production JWT signing + Fernet encryption key
WG_WG_ENABLED false Enable WireGuard interface management
WG_WG_ENDPOINT_HOST localhost Public endpoint for client configs
WG_WG_ENDPOINT_PORT 51820 WireGuard listen port
WG_WG_IPV4_NETWORK 10.3.2.0/24 IPv4 tunnel network
WG_WG_IPV6_NETWORK fd00::3:2:0/120 IPv6 tunnel network
WG_ADMIN_EMAIL admin@localhost Initial admin email
WG_ADMIN_PASSWORD (auto-generated) Initial admin password
WG_EXTERNAL_URL http://localhost:13000 Public-facing URL
WG_IDP_CONFIG_FILE (none) Path to YAML file with OIDC/SAML IdP definitions

Testing

# Unit + integration tests
uv run pytest

# E2E tests (Playwright — requires running PostgreSQL, Valkey, and mock-oidc)
docker compose up -d
uv run pytest tests/e2e/ -v

# E2E in headed mode (watch tests in a browser)
uv run pytest tests/e2e/ --headed --slowmo 300

E2E tests automatically start a WireGUI instance on port 13001 and use Playwright's async API to drive a real Chromium browser. The --headed flag opens a visible browser window and --slowmo adds a delay (in ms) between actions for debugging. The OIDC login flow tests use the mock-oidc service from compose.yml.

IdP provisioning from YAML

Identity providers can be seeded at startup from a YAML file, enabling GitOps and infrastructure-as-code workflows:

WG_IDP_CONFIG_FILE=/etc/wiregui/idps.yaml uv run python -m wiregui.main

See tests/e2e/test_idp_seed.py for the YAML format and seeding behavior.

License

Copyright 2026 Stefano Bertelli / Provvedo

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This means: if you run a modified version of WireGUI as a network service, you must make the source code available to users of that service. No exceptions, no loopholes.

See LICENSE for the full text.