Captive portal like redirect for unauthenticated traffic

[alanmcg]

As per the title, it would be great if we can implement some kind of captive portal like redirect so that users are redirected to the SSO authentication page the first time they try to browse to a protected page after connecting to wireguard. This obviously wouldn't work with non http / https traffic but (at least for me) that's the biggest use case, and for SSH i would know that auth is needed first anyway.

[alanmcg]

made this "poor mans" solution, PostUp = <script.sh> in [Interface] section of the config where <script.sh> contains this:

#!/bin/bash

# Check is Lock File exists, if not create it and set trap on exit
# shellcheck disable=SC2188
if { set -C; 2>/dev/null >~/sync.lock; }; then
        trap "rm -f ~/sync.lock" EXIT
else
        echo "Lock file exists… exiting"
        exit
fi

#set -x
AUTH="http://wireguard-auth.example-domain.net"
TEST="https://internal-tool.example-domain.net"
AUTHPAGE_OPENED=0 # use this to not bother user with 1000 tabs open to the auth page because they went for lunch

while true; do
        if ip a | grep -q wg0; then
                if curl -m 5 -s -o /dev/null -I -w "%{http_code}" "$TEST" | grep -q "302"; then
                        echo "Wireguard is up already"
                        AUTHPAGE_OPENED=0
                        sleep 5
                elif [ $AUTHPAGE_OPENED -eq 0 ]; then   
                        echo "Wireguard is down, opening auth page"
                        DISPLAY=:0 xdg-open "$AUTH"
                        AUTHPAGE_OPENED=1
                fi
        else
                echo "Wireguard is down, exiting"
                exit 1
        fi
done

So far it's working really well

[NHAS]

Hi there! Instead of having to hit another page,

You can query the vpn directly about your auth state.

If you look at http://wireguard-auth.example-domain.net/status/ you should get a JSON blob telling you if you are authorized or not!

[alanmcg]

ah that's great, thank you, probably going to switch to using that for the linux version!

I actually just converted it to powershell as well for windows users, but in that case I am checking if a port is open as windows powershell Invoke-WebRequest is absolute garbage. I haven't done extensive testing on the scripts (and literally just finished the ps version) but they seem to be working:

$AUTH = "http://wireguard-auth.example-domain.net"
$TEST_HOST = "internal-tool.example-domain.net"
$TEST_PORT = 443
$AUTHPAGE_OPENED = $false

while ($true) {
    try {
        # Check if WireGuard interface exists
        if (Get-NetAdapter | Where-Object {$_.InterfaceDescription -match "WireGuard Tunnel"}) {
            # Attempt request, with a timeout and error handling
			$t = (New-Object System.Net.Sockets.TcpClient)
			$portOpen = ($t.ConnectAsync("$TEST_HOST", $TEST_PORT).Wait(100))
			$t.Close()
            if ($portOpen) {
                Write-Host "WireGuard is up already"
                $AUTHPAGE_OPENED = $false
                Start-Sleep -Seconds 5
            } elseif (-not $AUTHPAGE_OPENED) {
                Write-Host "WireGuard is down, opening auth page"
                Start-Process $AUTH
                $AUTHPAGE_OPENED = $true
            }
        } else {
            Write-Host "WireGuard is down, exiting"
            Cleanup
            exit 1
        }
    } catch {
        Write-Host "Error connecting to $TEST. Retrying in 5 seconds..."
        Start-Sleep -Seconds 5
    }
} 

I couldn't think of a cleaner way to achieve this "captive portal" effect, hopefully it's useful to someone. Thanks for your support in any case!