Just a few small questions

[nod0ubt]

Hi there.
I'm a huge fan of Wireguard and I've been using it since its very beginning. Therefore having it with 2FA was logical step up.
This project is awesome and I've got Wag running on bare-metal just fine, but have some minor issues that I'd like to know if are fixable or planned for the future.

• using config file for initial bootstrap and then relying on etcd is new for me, as I'm not much into devops. So in order to apply any changes made to config file do I have to somehow flush the etcd and then restart the wag server? This doesn't seem to be mentioned in the docs.

• is there any way to generate automatically links for downloading the config file? Right now I have to manually add the token to my external address link.

• why accessing the management webUI seems to work only via ssh-forward? I'm not able to expose my internal network address of the machine so I can reach it once authenticated. Seems like Management.ListenAddress works only for 127.0.0.1. This makes reaching the webUI more complicated that it needs to be. Also, in order to achieve that I have to add port 22 to the ExposePorts in the config.

Let me know if these are up to my mistakes.
Cheers!

[NHAS]

Howdy.

1. There is currently a bit of a mix-and-match in the config file, some values can be updated via the web UI/cli and some values can be only updated via the configuration file.
   Funny enough Im actually working on that as we speak for version 10, which will feature some dev safety improvements and gitops as an optional configuration flow.

For now, just use the admin interface, it covers about 90% of use cases, unless you're changing your wireguard private key, or address you should be fine.

2. Yep! You can define a webhook that you can then create new tokens with: https://wag-docs.dev/guide/automation

3. You've hit one of the "weird mismash of config & etcd" edge cases there. The listen address values for the web servers (public, tunnel, management) are only loaded once from the configuration file.
   You can edit their listening addresses from the web console after that though! So they are absolutely configurable.

[nod0ubt]

Heya.
After exposing the management UI port in the config file and restarting Wag it is now fine. It added the port to the ruleset and the mgmt is accessible through the tunnel. So that sorts my initial issue and provides partial answer to my other question.

However, it seems that wag duplicates some records (not sure if it's intended):

        chain WAG_INPUT_4ede {
                tcp dport 80 counter packets 0 bytes 0 accept
                tcp dport 8082 counter packets 633 bytes 51782 accept
                tcp dport 80 counter packets 0 bytes 0 accept
                tcp dport 443 counter packets 0 bytes 0 accept
                tcp dport 4433 counter packets 472 bytes 42145 accept
                tcp dport 8082 counter packets 0 bytes 0 accept
                udp dport 51820 counter packets 0 bytes 0 accept
                ip protocol icmp counter packets 0 bytes 0 accept
                ct state related,established counter packets 0 bytes 0 accept
                counter packets 3 bytes 156 drop
        }