# wireguard-negotiator

Not-very-secure manual WireGuard negotiator.

`wireguard-negotiator` is built for scenarios where a simple mechanism to exchange and manually accept WireGuard keys is needed. This makes it slightly easier to provision a group of Linux WireGuard peers that peer with a "server".
In summary:

- The primary scenario this tool is going to be used for is to manage machines using Ansible within an unknown LAN behind NAT. I am planning to use it for FOSSASIA Summit 2020.
- It uses the `wg` and `systemctl` commands.
- The "server" manages a WireGuard interface, treating a WireGuard configuration file as a database. It assumes this interface and configuration already exist.

## Server
```
wireguard-negotiator server --endpoint wireguard-endpoint:port
```

The WireGuard configuration file is applied to the interface on start when `--apply-on-start` is set (equivalent to `wg setconf`).

It can also generate an Ansible inventory on the same system. This reads the same WireGuard configuration file as a database:

```
wireguard-negotiator ansible-inventory --group test > inventory
```
The "server" exposes an HTTP server with the following endpoint:

### POST /request

Requests the assignment of an IP address and acceptance as a peer. This blocks until the server has finished configuring the peer.

Request body, `Content-Type: application/x-www-form-urlencoded`:

Name | Description | Required |
---|---|---|
PublicKey | The public key of the "client" peer | X |

Response body, `Content-Type: application/json`:

Name | Type | Description |
---|---|---|
PublicKey | String | Base64 encoded public key of the "server" peer |
Endpoint | String | The endpoint of the "server" peer |
PersistentKeepaliveInterval | Number | Suggested PersistentKeepaliveInterval |
AllowedIPs | []String | List of allowed IP addresses in CIDR notation |
InterfaceIPs | []String | List of IP addresses assigned to the "client" interface |
## Client

The "client" sets up a WireGuard interface and relies on network backends to do so. It should not be run more than once. The following network backends are supported:

- `none`: Creates an interface and a WireGuard configuration file
- `networkd`: Creates a `systemd.netdev` and a `systemd.network` file in `/etc/systemd/network`

It obtains peer and interface configuration by performing `POST /request` against the "server":

```
wireguard-negotiator request --server https://url-of-server
```
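The `POST /request` exchange seen from the client side, as an added Go example that is not part of wireguard-negotiator's own code: it sends the single form field from the request table, decodes the fields of the JSON response table, and refuses a reply whose server key is not 32 base64-encoded bytes or whose `AllowedIPs` are not valid CIDR before anything would be written into a WireGuard configuration. The function names `RequestPeer` and `Validate` and the validation rules are assumptions of this example, not behaviour documented by the project.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// PeerResponse mirrors the JSON reply of POST /request (field names from the README).
type PeerResponse struct {
	PublicKey                   string   `json:"PublicKey"`
	Endpoint                    string   `json:"Endpoint"`
	PersistentKeepaliveInterval int      `json:"PersistentKeepaliveInterval"`
	AllowedIPs                  []string `json:"AllowedIPs"`
	InterfaceIPs                []string `json:"InterfaceIPs"`
}
// Validate (an added check, not from the project) refuses a reply that cannot become a
// sane [Peer] section: a 32-byte base64 key and valid CIDR in every AllowedIPs entry.
func Validate(pr *PeerResponse) error {
	key, err := base64.StdEncoding.DecodeString(pr.PublicKey)
	if err != nil || len(key) != 32 {
		return fmt.Errorf("bad server public key %q", pr.PublicKey)
	}
	for _, c := range pr.AllowedIPs {
		if _, _, err := net.ParseCIDR(c); err != nil {
			return fmt.Errorf("bad AllowedIPs entry %q", c)
		}
	}
	return nil
}
// RequestPeer posts the client's public key as form data to <server>/request, which
// blocks until the server has configured the peer, then decodes and validates the reply.
func RequestPeer(server, clientPublicKey string) (*PeerResponse, error) {
	resp, err := http.PostForm(server+"/request", url.Values{"PublicKey": {clientPublicKey}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("server returned %s", resp.Status)
	}
	var pr PeerResponse
	if err := json.NewDecoder(resp.Body).Decode(&pr); err != nil {
		return nil, err
	}
	return &pr, Validate(&pr) // pr is returned alongside any validation error
}
```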