Merge branch 'master' into stable

# Conflicts:
#	internal/domain/peer.go

Author: h44z

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: h44z # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]

.github/dependabot.yml

@@ -28,3 +28,8 @@ updates:
       patch:
         update-types:
           - patch
+
+  - package-ecosystem: "docker"
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/chart.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -35,7 +35,7 @@ jobs:
       # ct lint requires Python 3.x to run following packages:
       #  - yamale (https://github.com/23andMe/Yamale)
       #  - yamllint (https://github.com/adrienverge/yamllint)
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.x'
 
@@ -60,7 +60,7 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: docker/login-action@v3
         with:

.github/workflows/docker-publish.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -110,7 +110,7 @@ jobs:
       contents: write
     steps:
       - name: Download binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: binaries
 

.github/workflows/pages.yml

@@ -15,11 +15,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: 3.x
 

Dockerfile

@@ -20,7 +20,7 @@ RUN npm run build
 ######
 # Build backend
 ######
-FROM --platform=${BUILDPLATFORM} golang:1.24-alpine AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.25-alpine AS builder
 # Set the working directory
 WORKDIR /build
 # Download dependencies
@@ -50,9 +50,9 @@ COPY --from=builder /build/dist/wg-portal /
 ######
 # Final image
 ######
-FROM alpine:3.19
+FROM alpine:3.22
 # Install OS-level dependencies
-RUN apk add --no-cache bash curl iptables nftables openresolv wireguard-tools
+RUN apk add --no-cache bash curl iptables nftables openresolv wireguard-tools tzdata
 # Setup timezone
 ENV TZ=UTC
 # Copy binaries

LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2020-2023 Christoph Haas
+Copyright (c) 2020-2025 Christoph Haas
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -21,17 +21,18 @@ The configuration portal supports using a database (SQLite, MySQL, MsSQL, or Pos
 ## Features
 
 * Self-hosted - the whole application is a single binary
-* Responsive multi-language web UI written in Vue.js
+* Responsive multi-language web UI with dark-mode written in Vue.js
 * Automatically selects IP from the network pool assigned to the client
 * QR-Code for convenient mobile client configuration
 * Sends email to the client with QR-code and client config
 * Enable / Disable clients seamlessly
 * Generation of wg-quick configuration file (`wgX.conf`) if required
-* User authentication (database, OAuth, or LDAP)
+* User authentication (database, OAuth, or LDAP), Passkey support
 * IPv6 ready
 * Docker ready
 * Can be used with existing WireGuard setups
 * Support for multiple WireGuard interfaces
+* Supports multiple WireGuard backends (wgctrl or MikroTik)
 * Peer Expiry Feature
 * Handles route and DNS settings like wg-quick does
 * Exposes Prometheus metrics for monitoring and alerting
@@ -61,6 +62,17 @@ For the complete documentation visit [wgportal.org](https://wgportal.org).
 
 * MIT License. [MIT](LICENSE.txt) or <https://opensource.org/licenses/MIT>
 
+## Contributors and Sponsors
+
+Thanks so much for all your contributions! They’re truly appreciated and help keep WireGuard Portal moving ahead.
+
+<a href="https://github.com/h44z/wg-portal/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=h44z/wg-portal" />
+</a>
+
+Want to support the project? You can buy me a coffee or join as a contributor - every bit of support helps! 
+[Become a sponsor!](https://github.com/sponsors/h44z)
+
 
 > [!IMPORTANT]
 > Since the project was accepted by the Docker-Sponsored Open Source Program, the Docker image location has moved to [wgportal/wg-portal](https://hub.docker.com/r/wgportal/wg-portal).

SECURITY.md

@@ -7,7 +7,7 @@ If you believe you've found a security issue in one of the supported versions of
 | Version | Supported          |
 |---------|--------------------|
 | v2.x    | :white_check_mark: |
-| v1.x    | :white_check_mark: |
+| v1.x    | :x:                |
 
 ## Reporting a Vulnerability
 

cmd/wg-portal/main.go

@@ -50,9 +50,8 @@ func main() {
 	database, err := adapters.NewSqlRepository(rawDb)
 	internal.AssertNoError(err)
 
-	wireGuard := adapters.NewWireGuardRepository()
-
-	wgQuick := adapters.NewWgQuickRepo()
+	wireGuard, err := wireguard.NewControllerManager(cfg)
+	internal.AssertNoError(err)
 
 	mailer := adapters.NewSmtpMailRepo(cfg.Mail)
 
@@ -87,8 +86,12 @@ func main() {
 
 	authenticator, err := auth.NewAuthenticator(&cfg.Auth, cfg.Web.ExternalUrl, eventBus, userManager)
 	internal.AssertNoError(err)
+	authenticator.StartBackgroundJobs(ctx)
+
+	webAuthn, err := auth.NewWebAuthnAuthenticator(cfg, eventBus, userManager)
+	internal.AssertNoError(err)
 
-	wireGuardManager, err := wireguard.NewWireGuardManager(cfg, eventBus, wireGuard, wgQuick, database)
+	wireGuardManager, err := wireguard.NewWireGuardManager(cfg, eventBus, wireGuard, database)
 	internal.AssertNoError(err)
 	wireGuardManager.StartBackgroundJobs(ctx)
 
@@ -102,7 +105,7 @@ func main() {
 	mailManager, err := mail.NewMailManager(cfg, mailer, cfgFileManager, database, database)
 	internal.AssertNoError(err)
 
-	routeManager, err := route.NewRouteManager(cfg, eventBus, database)
+	routeManager, err := route.NewRouteManager(cfg, eventBus, database, wireGuard)
 	internal.AssertNoError(err)
 	routeManager.StartBackgroundJobs(ctx)
 
@@ -124,12 +127,13 @@ func main() {
 	apiV0BackendInterfaces := backendV0.NewInterfaceService(cfg, wireGuardManager, cfgFileManager)
 	apiV0BackendPeers := backendV0.NewPeerService(cfg, wireGuardManager, cfgFileManager, mailManager)
 
-	apiV0EndpointAuth := handlersV0.NewAuthEndpoint(cfg, apiV0Auth, apiV0Session, validatorManager, authenticator)
+	apiV0EndpointAuth := handlersV0.NewAuthEndpoint(cfg, apiV0Auth, apiV0Session, validatorManager, authenticator,
+		webAuthn)
 	apiV0EndpointAudit := handlersV0.NewAuditEndpoint(cfg, apiV0Auth, auditManager)
 	apiV0EndpointUsers := handlersV0.NewUserEndpoint(cfg, apiV0Auth, validatorManager, apiV0BackendUsers)
 	apiV0EndpointInterfaces := handlersV0.NewInterfaceEndpoint(cfg, apiV0Auth, validatorManager, apiV0BackendInterfaces)
 	apiV0EndpointPeers := handlersV0.NewPeerEndpoint(cfg, apiV0Auth, validatorManager, apiV0BackendPeers)
-	apiV0EndpointConfig := handlersV0.NewConfigEndpoint(cfg, apiV0Auth)
+	apiV0EndpointConfig := handlersV0.NewConfigEndpoint(cfg, apiV0Auth, wireGuard)
 	apiV0EndpointTest := handlersV0.NewTestEndpoint(apiV0Auth)
 
 	apiFrontend := handlersV0.NewRestApi(apiV0Session,