|Ambrose Chua bdcc304492||1 year ago|
Not-very-secure manual WireGuard negotiator
wireguard-negotiator is built for scenarios where a simple mechanism to exchange and manually accept WireGuard keys is needed. This makes it slightly easier to provision a group of Linux WireGuard peers that peer with a "server".
The primary scenario this tool is going to be used for is to manage machines using Ansible within an unknown LAN behind NAT. I am planning to use it for FOSSASIA Summit 2020.
The "server" manages a WireGuard interface, treating a WireGuard configuration file as a database. It assumes this interface and configuration exist.
wireguard-negotiator server --endpoint wireguard-endpoint:port
--apply-on-start is set (Equivalent to wg setconf)
It can generate an Ansible inventory on the same system. It reads the same WireGuard configuration file, again treating it as a database.
wireguard-negotiator ansible-inventory --group test > inventory
The "server" exposes an HTTP server with the following endpoints:
Requests the assignment of an IP address and acceptance as a peer. This blocks until the server has finished configuring the peer.
Request fields:
|PublicKey||The public key of the "client" peer||X|

Response fields:
|PublicKey||String||Base64 encoded public key of the "server" peer|
|Endpoint||String||The endpoint of the "server" peer|
|PersistentKeepaliveInterval||Number||Suggests a PersistentKeepaliveInterval|
|AllowedIPs||String||List of allowed IP addresses in CIDR notation|
|InterfaceIPs||String||List of IP addresses assigned to the "client" interface|
The "client" sets up a WireGuard interface, and relies on network backends to do so. It should not be run more than once. The following network backends are supported:
none: Creates an interface and WireGuard configuration file
networkd: Creates a
It obtains peer and interface configuration by performing POST /request to the "server".
wireguard-negotiator request --server https://url-of-server
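
A client-side check of the POST /request response fields before they are written into a WireGuard configuration file, as an added example that is not part of wireguard-negotiator. It assumes a JSON response body and comma-separated lists, neither of which this README specifies; `Validate`, `validList` and the sample values are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Response mirrors the response fields listed above; JSON encoding is an assumption.
type Response struct {
	PublicKey, Endpoint, AllowedIPs, InterfaceIPs string
	PersistentKeepaliveInterval                   uint16 // out-of-range values fail decoding
}

// validList checks a comma-separated (assumed) list of CIDR prefixes; bare, zone-less addresses pass only if bareOK.
func validList(list string, bareOK bool) bool {
	for _, item := range strings.Split(list, ",") {
		_, perr := netip.ParsePrefix(strings.Trim(item, " "))
		a, aerr := netip.ParseAddr(strings.Trim(item, " "))
		if perr != nil && (!bareOK || aerr != nil || a.Zone() != "") {
			return false
		}
	}
	return true
}

// Validate decodes a response body and returns the names of the fields that must not reach a config file.
func Validate(body []byte) (r Response, bad []string) {
	err := json.Unmarshal(body, &r)
	key, kerr := base64.StdEncoding.DecodeString(r.PublicKey)
	_, _, eerr := net.SplitHostPort(r.Endpoint)
	check := func(field string, failed bool) {
		if failed {
			bad = append(bad, field)
		}
	}
	check("body", err != nil)
	check("PublicKey", kerr != nil || len(key) != 32) // WireGuard public keys are 32 bytes
	check("Endpoint", eerr != nil || strings.ContainsAny(r.Endpoint, " \t\r\n"))
	check("AllowedIPs", !validList(r.AllowedIPs, false))
	check("InterfaceIPs", !validList(r.InterfaceIPs, true))
	return r, bad
}

// Constructed sample body: the key is 32 zero bytes and the addresses are made up.
var sample = []byte(fmt.Sprintf(`{"PublicKey":%q,"Endpoint":"wireguard-endpoint:51820","PersistentKeepaliveInterval":25,"AllowedIPs":"10.0.0.0/24","InterfaceIPs":"10.0.0.2"}`, base64.StdEncoding.EncodeToString(make([]byte, 32))))
func main() { fmt.Println(Validate(sample)) }
```

An empty `bad` slice means every field parsed as its stated type; whether the key and endpoint belong to the intended "server" is still decided by the operator.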