# wireguard-negotiator
A not-very-secure manual WireGuard negotiator
## Purpose
`wireguard-negotiator` is built for scenarios where a simple mechanism to exchange and manually accept WireGuard keys is needed. This makes it slightly easier to provision a group of Linux WireGuard peers that peer with a "server".
In summary:

* Manage "client" keys
* Exchange keys over HTTP(S)
* Exchange IP addressing
* Manually gate new peers
* Set up the network interface on the "client"
* Generate an Ansible INI inventory

The primary scenario for this tool is managing machines with Ansible inside an unknown LAN behind NAT. I am planning to use it for FOSSASIA Summit 2020.
## Limitations

* Linux-only
* Manages existing config files only
* Removing peers is a manual process

# Usage
## Server
The "server" manages a WireGuard interface, ~~treating a WireGuard configuration file as a database~~ (TODO). It assumes this interface and its configuration already exist. It only adds new peers to the configuration file and interface; it never deletes existing configuration.
```
wireguard-negotiator server --endpoint wireguard-endpoint:port
```

The "server" also exposes an HTTP server with the following endpoints:
### `POST /request`
Requests the assignment of an IP address and acceptance as a peer. The request blocks until the peer has been accepted and the server has finished configuring it, so the client SHOULD NOT time out.
#### Request Body
Content-Type: application/x-www-form-urlencoded
| Name | Description | Required |
|------|-------------|----------|
| PublicKey | The public key of the "client" peer | X |

#### Response Body
Content-Type: application/json
| Name | Type | Description |
|------|------|-------------|
| PublicKey | String | Base64-encoded public key of the "server" peer |
| Endpoint | String | The endpoint of the "server" peer |
| PersistentKeepaliveInterval | Number | Suggested PersistentKeepaliveInterval value |
| AllowedIPs | []String | List of allowed IP addresses in CIDR notation |
| InterfaceIPs | []String | List of IP addresses assigned to the "client" interface |

## Client
The "client" sets up a WireGuard interface and relies on a network backend to do so. *It should not be run more than once*. The following network backends are supported:
- (Not implemented) `none`: Creates an interface and WireGuard configuration file
- `networkd`: Creates a `systemd.netdev` file in `/etc/systemd/network`

It obtains its configuration by performing a `POST /request` against the "server".
```
wireguard-negotiator request --server https://url-of-server
```
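
As an added example (not code from the wireguard-negotiator project), the Python below turns a `POST /request` response into the `systemd.netdev` and matching `.network` units a `networkd` backend would write, validating every field of the response first; the sample response, the private key path and the interface name `wg0` are constructed assumptions.

```python
import base64
import json
from ipaddress import ip_interface

# Constructed sample of a `POST /request` response, shaped like the Response Body table above.
# The key is 32 zero bytes in base64: a placeholder, not a real key.
PLACEHOLDER_KEY = base64.b64encode(bytes(32)).decode()
SAMPLE_RESPONSE = json.dumps({
    "PublicKey": PLACEHOLDER_KEY,
    "Endpoint": "wireguard-endpoint:51820",
    "PersistentKeepaliveInterval": 25,
    "AllowedIPs": ["10.0.0.1/32"],
    "InterfaceIPs": ["10.0.0.2/24"],
})


def check_key(key: str) -> str:
    """A WireGuard key is exactly 32 bytes; reject anything else before it lands in a unit file."""
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("key is not a 32-byte base64 value")
    return key


def render_networkd(response_json: str, private_key_file: str, ifname: str = "wg0"):
    """Return (netdev, network) unit texts for the `networkd` backend from a /request response."""
    r = json.loads(response_json)
    # Validate each field the table promises; junk from the server should fail here, not in networkd.
    peer_key = check_key(r["PublicKey"])
    keepalive = int(r["PersistentKeepaliveInterval"])
    allowed = [str(ip_interface(ip)) for ip in r["AllowedIPs"]]  # ValueError on a non-CIDR string
    addresses = [str(ip_interface(ip)) for ip in r["InterfaceIPs"]]
    if not allowed or not addresses:
        raise ValueError("server returned no AllowedIPs or no InterfaceIPs")
    netdev = "\n".join([
        "[NetDev]", f"Name={ifname}", "Kind=wireguard", "",
        # The key file must be readable only by root and the systemd-network user (e.g. mode 0640).
        "[WireGuard]", f"PrivateKeyFile={private_key_file}", "",
        "[WireGuardPeer]", f"PublicKey={peer_key}", f"Endpoint={r['Endpoint']}",
        *[f"AllowedIPs={ip}" for ip in allowed],
        f"PersistentKeepalive={keepalive}", "",
    ])
    network = "\n".join([
        "[Match]", f"Name={ifname}", "",
        "[Network]", *[f"Address={ip}" for ip in addresses], "",
    ])
    return netdev, network
```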