Gate-WireGuard is self sign up oauth enabled VPN server providing WireGuard as backend for client connections. it's Web-UI and configuration management tool for wireguard server. It automatically reloads the configuration when new devices are added, and also provides a way to manage the devices.
Gate-WireGuard provides automated setup scripts for production deployment on Ubuntu/Debian systems. The setup process follows a three-stage approach: Database → WireGuard → Application.
For a complete production deployment, simply run:
./setup.shThis will guide you through the entire setup process with interactive prompts.
The setup script provides two database options:
Option A: Install MySQL Locally
- Automatically installs and configures MySQL server
- Creates production database and user with provided credentials
- Configures proper security settings
Option B: Use Existing MySQL Server
- Connects to your existing MySQL server
- Verifies connection before proceeding
- Creates production database if it doesn't exist
Interactive Setup:
# You'll be prompted for:
- Database choice (local/remote)
- MySQL username and password
- Database name (defaults to gate_wireguard_production)
- Server address (for remote MySQL)Application User Configuration:
- Install as current user (default)
- Or specify a different user (creates if doesn't exist)
- Handles proper file ownership and permissions
- Sets up Ruby environment for the specified user
What Gets Installed:
- ✅ MySQL database (local or remote connection verified)
- ✅ WireGuard VPN server with configuration watcher
- ✅ Ruby environment (rbenv + Ruby 3.3.4)
- ✅ Rails application in production mode
- ✅ Redis cache server
- ✅ Node.js and asset compilation tools
- ✅ Nginx web server
You can also run individual components:
# Database configuration only
./setup.sh --database-only
# WireGuard infrastructure only
./setup.sh --wireguard-only
# Rails application only
./setup.sh --application-onlyThe setup creates a production .env file with:
# Rails Environment
RAILS_ENV=production
# Database Configuration (auto-configured)
DATABASE_URL=mysql2://username:password@host/database_name
# Redis Configuration
REDIS_URL=redis://localhost:6379/0
# Secret Key Base (auto-generated)
SECRET_KEY_BASE=your_generated_secret
# Google OAuth (configure these manually)
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
# Production Settings
RAILS_SERVE_STATIC_FILES=true
RAILS_LOG_TO_STDOUT=trueAfter setup completion, you'll need to configure:
-
Google OAuth Credentials
- Create OAuth app in Google Cloud Console
- Update
GOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRETin.env
-
SSL Certificates
- Configure SSL certificates for HTTPS
- Update Nginx configuration
-
Domain Configuration
- Point your domain to the server
- Configure Nginx virtual host
# Check service status
sudo systemctl status wg-quick@wg0 # WireGuard
sudo systemctl status wireguard-conf-watcher # Config watcher
sudo systemctl status mysql # Database
sudo systemctl status redis-server # Cache
sudo systemctl status nginx # Web server
# Start Rails application (production)
sudo -u [app_user] bash -c 'cd /path/to/app && bundle exec rails server -e production'- WireGuard:
/etc/wireguard/wg0.conf - Application:
/path/to/app/.env - Nginx:
/etc/nginx/sites-available/gate-wireguard
- Environment file permissions set to 600 (secure)
- Application runs under dedicated user (if specified)
- Database connections use dedicated credentials
- Firewall rules configured for WireGuard (port 51820)
# Test MySQL connection
mysql -h host -u username -p database_name# Check all services
sudo systemctl list-units --state=active | grep -E "(mysql|redis|nginx|wg-quick|wireguard)"# Rails logs
tail -f /path/to/app/log/production.log
# System logs
sudo journalctl -u wg-quick@wg0 -f
sudo journalctl -u wireguard-conf-watcher -f-
Configure WireGuard Network Settings
- Access the web interface
- Set up your public endpoint
- Configure private IP ranges
- Save and generate configuration
-
Add VPN Devices
- Sign in with Google OAuth
- Add devices through the web interface
- Download configuration files for clients
-
Set Up Monitoring
- Configure log rotation
- Set up system monitoring
- Configure backup strategies
For local development, use the development setup process below:
- Checkout gate-wireguard, and run the following commands to get it running
scripts/rails_setup.sh- Checkout gate-wireguard, and run the following commands to get it running
scripts/rails_setup.shif you need to setup docker as well, because we need compose plugin, please use following script to setup docker.
sh scripts/docker_setup.sh-
Docker in only required if you do not want to install mysql on local server, else you can just install mysql server
- to run docker, just run
docker compose up db -dand you are good to go
- to run docker, just run
-
Setup gate_wireguard_dev database in mysql for non-root users, for dev you can use root user as well. |
create database gate_wireguard_dev; grant all privileges on gate_wireguard_dev to 'gate_wireguard'@% idenfied by 'gate_wireguard'; create database gate_wireguard_test; grant all privileges on gate_wireguard_test to 'gate_wireguard'@% identified by 'gate_wireguard';
-
Run
rails db:create db:migrateto create the database and run the migrations -
If you rather want to use root user root@localhost just do the following.
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password'; FLUSH PRIVILEGES; -
Setup RubyLSP and watchman and then execute
bundle exec srb typecheck --lsp-
Ruby version - 3.0.2p107
-
System dependencies
- mysql header
- nodejs
- install gems - rails and bundler
-
Configuration
- database configuration
-
Database creation
- mysql command as given above
-
Database initialization
- rails db:create db:migrate
-
How to run the test suite
- rspec
-
Services (job queues, cache servers, search engines, etc.)
- docker-compose up
-
Deployment instructions - You can setup gate-wireguard with or without docker, with docker, it's just docker-compose, without docker, please follow the steps below
- checkout latest tar, run ./setup_production.sh
- run ./configure_production.sh (this will create database etc)
If you are doing local development and you need to sync the file to remote box as they change, following command can be useful for running rails server that automatically gets new files
watchmedo shell-command \
--recursive \
--command='echo "${watch_src_path}"' \
/some/folderIf you running Ubuntu and have "ruby-full" package, and want to install gems locally, following commands are useful
echo 'export GEM_HOME=~/.ruby/' >> ~/.bashrc
echo 'export PATH="$PATH:~/.ruby/bin"' >> ~/.bashrc
source ~/.bashrcYou may end up getting application.css not found error. in that case please install yarn
npm install yarn
#or
npm install --global yarn
yarn add sass
yarn build:cssThis is a know problem with Yarn, Bootstrap and Rails 7 combo.
If you want to install newer node framework, required for this repo
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
. ~/.nvm/nvm.sh
nvm install 20If you are not able to get ruby to build and compile, use rvm on macos and then
brew install ruby-build
brew install [email protected]
export PKG_CONFIG_PATH=/usr/local/opt/[email protected]/lib/pkgconfig/
rvm install 3.0.2 --with-openssl-dir=/usr/local/opt/[email protected]
#for rbenv
RUBY_CONFIGURE_OPTS=--with-openssl-dir=/usr/local/opt/[email protected]
rbenv install 3.0.2On Mac installing Ruby
rvm install ruby-3.3.4 --reconfigure --enable-yjit --with-openssl-dir=$(brew --prefix [email protected])
Also, please read brew's post install messages to be able to install ruby 3.0.2 successfully
Getting wireguard to work inside lxc containers you need to use proxy deviceW
incus config device add gate <udp51820> proxy listen=udp:0.0.0.0:51820 connect=udp:0.0.0.0:51820
incus config device add gate tcp8080 proxy listen=tcp:0.0.0.0:8080 connect=tcp:0.0.0.0:8080
Also, once you have wireguard setup, you need to be able to accept the traffic, and source nat it.
sudo iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <the lan interface>
sudo iptables -t nat -A POSTROUTING -o eth0@if16 -j SNAT --to-source <the lan/vpc interface>We use snat because we are using a private ip address, and we need to masquerade it to the routable return address for the server.
So our traffic works like this, here is ascii diagram for VPN Client -> VPN Server -> Local Network
+-----------------+ +-----------------+ +-----------------+
| | | | | |
| VPN Client |------->| VPN Server |------->| Local Network |
| | | | | |
+-----------------+ +-----------------+ +-----------------+
VPN Traffic wg0 VPN Traffic eth0 Local Traffic
so in this case SNAT address will be the eth0 address of the VPN Server, and the return traffic will be sent to the VPN Server, which will then forward it to the VPN Client.
OpenSource is not possible without people contributing to it, The following posts, resources have helped me immensely to get this going off the ground. Some credits to internet reading material for helping me with various tasks
- Ryan Bigg - Adding bootstrap to rails