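# More information about the configuration can be found in the documentation: https://wgportal.org/master/documentation/overview/
#
# Security notes for this example configuration:
#   * Every credential below (admin_password, bind_pass, client_secret, fanout.auth_value) is a placeholder.
#     Replace it before deployment and keep the real value out of version control; if the deployment
#     supports it, prefer supplying secrets via environment variables or a secret store.
#   * log_level has been lowered from `trace` to `info`: with `log_user_info` and request logging
#     enabled, trace-level output can include identity-provider responses and other sensitive data.
#     Raise it only temporarily while debugging an integration.

advanced:
  log_level: info  # use `debug`/`trace` only for short debugging sessions; they can log sensitive data
  expiry_check_interval: 5h  # How often to check for and delete expired peers (cluster-wide: only master node deletes, others skip)

core:
  admin_user: test@test.de
  admin_password: secret  # PLACEHOLDER - change before deployment; this account has full administrative access
  create_default_peer: true
  create_default_peer_on_creation: false
  default_user_ttl: "24h"  # TTL for peers: 1h, 24h, 2d, 7d, etc.
  delete_expired_peers: true  # true = delete, false = disable expired peers
  force_client_ip_as_allowed_ip: true  # Always use client's IP as AllowedIPs on server (prevents overlapping 0.0.0.0/0)
  master: false  # Set to true on ONE node only - that node will handle expired peer deletion (master-only cleanup for cluster safety)

web:
  external_url: http://localhost:8888  # must match the public URL exactly: it is used for OIDC/OAuth callback URLs; use https in production
  request_logging: true  # request logs can contain user identifiers; protect/rotate the log destination accordingly

webhook:
  url: ""
  authentication: ""  # leave empty only when no webhook url is configured; otherwise set a credential the receiver validates
  timeout: 10s

# Statistics and metrics configuration
statistics:
  use_ping_checks: true  # Enable ICMP ping checks for peer connectivity
  ping_check_workers: 10  # Number of concurrent ping check workers
  ping_unprivileged: false  # Use unprivileged ping (requires system configuration, e.g. net.ipv4.ping_group_range); false needs raw-socket privileges
  ping_check_interval: 1m  # How often to ping peers
  data_collection_interval: 1m  # How often to collect data from WireGuard
  collect_interface_data: true  # Collect interface statistics
  collect_peer_data: true  # Collect peer statistics
  collect_audit_data: true  # Collect audit data
  store_audit_data: true  # Store audit data in database (false = only log to console/file)
  listening_address: ":8787"  # Prometheus metrics endpoint address; ":8787" binds all interfaces - restrict by firewall or bind to a private address
  export_detailed_peer_metrics: false  # false = export only wireguard_peer_up; true = export handshake, bytes received/transmitted (more metrics, more load)
  only_export_connected_peers: false  # If true, only export metrics for connected peers (reduces load with many inactive peers in database)

auth:
  ldap:
    - id: ldap1
      provider_name: company ldap
      url: ldap://ldap.yourcompany.local:389  # plain LDAP sends the bind password in clear text; prefer ldaps:// or StartTLS where the server supports it
      bind_user: ldap_wireguard@yourcompany.local
      bind_pass: super_Secret_PASSWORD  # PLACEHOLDER - use a dedicated read-only service account
      base_dn: DC=YOURCOMPANY,DC=LOCAL
      # Match by mail attribute and exclude disabled accounts (userAccountControl bit 2 via the LDAP_MATCHING_RULE_BIT_AND OID)
      login_filter: (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))
      admin_group: CN=WireGuardAdmins,OU=it,DC=YOURCOMPANY,DC=LOCAL
      sync_interval: 0  # sync disabled
      sync_filter: (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
      registration_enabled: true  # any account matching login_filter can self-register; set to false to require pre-created users

  oidc:
    - id: oidc1
      provider_name: google
      display_name: Login with Google
      base_url: https://accounts.google.com
      client_id: the-client-id-1234.apps.googleusercontent.com
      client_secret: A_CLIENT_SECRET  # PLACEHOLDER
      extra_scopes:
        - https://www.googleapis.com/auth/userinfo.email
        - https://www.googleapis.com/auth/userinfo.profile
      registration_enabled: true  # with a public IdP this lets any Google account register; restrict via admin_mapping/hosted domain or disable
    - id: oidc2
      provider_name: google2
      display_name: Login with Google2
      base_url: https://accounts.google.com
      client_id: another-client-id-1234.apps.googleusercontent.com
      client_secret: A_CLIENT_SECRET  # PLACEHOLDER
      extra_scopes:
        - https://www.googleapis.com/auth/userinfo.email
        - https://www.googleapis.com/auth/userinfo.profile
      registration_enabled: true

  oauth:
    - id: google_plain_oauth
      provider_name: google3
      display_name: Login with Google3
      client_id: another-client-id-1234.apps.googleusercontent.com
      client_secret: A_CLIENT_SECRET  # PLACEHOLDER
      auth_url: https://accounts.google.com/o/oauth2/v2/auth
      token_url: https://oauth2.googleapis.com/token
      user_info_url: https://openidconnect.googleapis.com/v1/userinfo
      scopes:
        - openid
        - email
        - profile
      field_map:
        email: email
        firstname: name
        user_identifier: sub  # use the stable subject id, never the (reassignable) email, as the user identifier
        is_admin: this-attribute-must-be-true
      registration_enabled: true
    - id: google_plain_oauth_with_groups
      provider_name: google4
      display_name: Login with Google4
      client_id: another-client-id-1234.apps.googleusercontent.com
      client_secret: A_CLIENT_SECRET  # PLACEHOLDER
      auth_url: https://accounts.google.com/o/oauth2/v2/auth
      token_url: https://oauth2.googleapis.com/token
      user_info_url: https://openidconnect.googleapis.com/v1/userinfo
      scopes:
        - openid
        - email
        - profile
        - i-want-some-groups
      field_map:
        email: email
        firstname: name
        user_identifier: sub
        user_groups: groups
      # Admin is granted when the is_admin attribute matches admin_value_regex OR a group matches admin_group_regex.
      # Keep both anchored (^...$) so a partial match such as "admin-group-name-guests" cannot grant admin.
      admin_mapping:
        admin_value_regex: '^true$'
        admin_group_regex: '^admin-group-name$'
      registration_enabled: true
      log_user_info: false  # true logs the full user-info response (PII/claims); enable only while debugging attribute mapping

# FANOUT configuration for peer synchronization between multiple servers
fanout:
  enabled: false  # Set to true to enable FANOUT synchronization
  peers:  # List of other wg-portal-2 instances to sync with (use internal Docker network URLs)
    - "http://wg-server-2:8888"
    - "http://wg-server-3:8888"
    - "http://wg-server-4:8888"
    - "http://wg-server-5:8888"
  # The auth_value is sent with every sync request. Over plain http:// it crosses the network in clear text,
  # so only use http URLs on a trusted internal network; otherwise switch peers/self_url to https and set tls_ca_cert_file.
  auth_header: "Authorization"  # Header name for authentication
  auth_value: "Bearer your-secret-token"  # PLACEHOLDER - generate a long random token and use the same value on every node
  timeout: 10s  # HTTP request timeout
  debounce: 500ms  # Debounce delay to prevent too frequent sync requests
  self_url: "http://wg-server-1:8888"  # This server's URL (internal Docker network)
  origin: "wg-server-1"  # Optional: custom origin identifier
  kick_on_start: true  # Trigger sync on startup
  topics:  # Events that trigger synchronization
    - "peer:created"
    - "peer:updated"
    - "peer:deleted"
    - "interface:created"
    - "interface:updated"
    - "interface:deleted"
  # TLS/SSL configuration (only needed for HTTPS URLs or external communication)
  tls_skip_verify: false  # Set to true to skip SSL certificate verification (NOT recommended for production - allows MITM of the sync channel)
  tls_ca_cert_file: ""  # Path to CA certificate file for custom CA (optional)
  tls_client_cert_file: ""  # Path to client certificate file for mutual TLS authentication (optional)
  tls_client_key_file: ""  # Path to client private key file for mutual TLS authentication (optional); protect with restrictive file permissions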