ambrose
/
wireguard-negotiator
mirror of https://github.com/serverwentdown/wireguard-negotiator.git
1
0
Fork 0
Code Releases Activity
9 Commits
1 Branch
0 Tags
68 KiB
Go 100%
 
Go to file
Ambrose Chua 93073c4d8e Update README with usage 2019-12-21 10:50:10 +00:00
cmd Graceful server, fix masking AllowedIPs 2019-12-20 16:28:28 +00:00
lib Initial prototype server 2019-12-20 17:41:49 +08:00
.gitignore Initial project scaffold 2019-12-19 11:48:52 +00:00
LICENSE Initial commit 2019-12-19 18:03:15 +08:00
README.md Update README with usage 2019-12-21 10:50:10 +00:00
go.mod Initial prototype server 2019-12-20 17:41:49 +08:00
go.sum Initial prototype server 2019-12-20 17:41:49 +08:00
main.go Initial prototype server 2019-12-20 17:41:49 +08:00

README.md

wireguard-negotiator

A not-very-secure manual WireGuard negotiator

Purpose

wireguard-negotiator is built for scenarios where a simple mechanism to exchange and manually accept WireGuard keys is needed. This makes it slightly easier to provision a group of Linux WireGuard peers that peer with a "server".

In summary:

  • Manage "client" keys
  • Exchange keys over HTTP(S)
  • Exchange IP addressing
  • Manually gate new peers
  • Sets up network interface on the "client"
  • Generate Ansible INI inventory

The primary scenario this tool is going to be used for is to manage machines using Ansible within an unknown LAN behind NAT. I am planning to use it for FOSSASIA Summit 2020.

Limitations

  • Linux-only
  • Manages existing config files only
  • Removing peers is a manual process

Usage

Server

The "server" manages a WireGuard interface, treating a WireGuard configuration file as a database (TODO). It assumes this interface and configuration exists. It only adds new peers to the configuration file and interface, and does not delete existing configuration.

wireguard-negotiator server --endpoint wireguard-endpoint:port

The "server" also exposes the HTTP server with the following endpoints:

POST /request

Request for the assignment of an IP address and accepted as a peer. This blocks until the server has finished configuring the peer, therefore the client SHOULD NOT timeout.

Request Body

Content-Type: application/x-www-form-urlencoded

Name Description Required
PublicKey The public key of the "client" peer X

Response Body

Content-Type: application/json

Name Type Description
PublicKey String Base64 encoded public key of the "server" peer
Endpoint String The endpoint of the "server" peer
PersistentKeepaliveInterval Number Suggests a PersistentKeepaliveInterval
AllowedIPs []String List of allowed IP addresses in CIDR notation
InterfaceIPs []String List of IP addresses assigned to the "client" interface

Client

The "client" sets up a WireGuard interface, and relies on network backends to do so. It should not be run more than once. The following network backends are supported:

  • (Not implemented) none: Creates an interface and WireGuard configuration file
  • networkd: Creates a systemd.netdev file in /etc/systemd/network

It does so by performing POST /request to the "server".

wireguard-negotiator request --server https://url-of-server