
One thing I wish for wireguard: the ability to look up keys/ips in an external system like LDAP. I moved an entire call center [50+ people] fully remote last week. We're using wireguard. Key management stinks, and that is my only complaint! It is an incredible piece of software and I'm very thankful for it.



I think the idea is that you're supposed to build a system to manage WireGuard using that sort of information. I.e. WireGuard provides the basic primitives and second- or third-party tooling uses them.

I like that idea, because it means that the actual WireGuard core is small and it's usable right now. It is annoying that someone hasn't yet developed neat integrations for WireGuard and stuff I might want to use, but — I'm someone! I (or you, or whoever) can build something, and as surely as day follows the night someone else will build some neat things in the future.

It's early days yet!


I'm looking forward to the days when we have good user management for Wireguard. It's so hard to scale it across just my family right now.


Algo (mentioned above) will generate a bunch of profiles for you (including QR codes to configure mobile devices without needing to type awkward strings), which works pretty well for me - at least with a family you won't need to add or revoke identities very often I'd hope...


My family shuns a member every other week. If you can't access the family VPN anymore, that is your notice.


I'm using Algo right now and it's perfect if I plan to maintain the same server consistently. The problem is that we're constantly traveling around and latency suffers when trying to connect to a box in DO's NYC3 from Vietnam.

It's a huge hassle to take that box down, spin up a new instance in Singapore, distribute profiles and authenticate. This is neither Algo nor Wireguard's fault. I just wish we had some more tooling to make it easier to move between instances.


Like a good Unix tool, that's outside of WG's scope. User management is done with the likes of LDAP and such.


I completely agree that it should never be part of Wireguard itself. Mostly looking forward to the project and tooling ecosystem that develops around it.


Yep, that's what I'm asking for... right now wireguard can only look at configuration text files AFAIK. If it had a way to invoke a command/script to lookup a key/ip, any number of external management systems could be created!


Actually, wireguard doesn't look at text files at all; it only has a netlink interface, so you can configure it using the `ip` command. The current tools read the text files and set up the network interface.


Interesting... I'll have to take a look at what the utilities are actually doing then, and how they're loading the keys into the interface.


If you look at their tutorial video, you can see what's going on. The tutorial has a lot of commands like

    ip link add wg0 type wireguard
    ip addr add 10.1.20.1/24 dev wg0
    wg set wg0 listen-port 5100 private-key /etc/path/to/key
    ip link set wg0 up
    wg set wg0 peer........

If you look at the wg-quick script, it basically reads an /etc/wireguard/<adapter>.conf and runs the same commands based on your settings.

It's great when you're just trying to test things out. You can do a lot of stuff by hand, make sure it's working, try the conf file, enable the systemd or runit service, reboot and make sure it comes up.
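As an added illustration of the wg-quick behaviour described above (this is example code, not wg-quick itself or anything from the WireGuard project): a minimal POSIX sh parser that reads a wg-quick style config from stdin and prints the `ip`/`wg` commands it would run, instead of running them. The config, the interface name and the key-file path are constructed placeholders; the private key is referenced by file so it never lands on a command line.

```shell
# Constructed sample config in the format wg-quick reads (placeholder keys).
SAMPLE_CONF='[Interface]
PrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER
Address = 10.1.20.1/24
ListenPort = 5100

[Peer]
PublicKey = CONSTRUCTED_PEER_PUBKEY_PLACEHOLDER
AllowedIPs = 10.1.20.2/32, 10.1.20.3/32
Endpoint = 203.0.113.10:5100
'
# Print the "wg set ... peer" command for the peer collected so far, if any.
emit_peer() {
    [ -n "$peer_pub" ] || return 0
    printf 'wg set %s peer %s allowed-ips %s' "$iface" "$peer_pub" "$peer_allowed"
    [ -n "$peer_endpoint" ] && printf ' endpoint %s' "$peer_endpoint"
    printf '\n'
    peer_pub= peer_allowed= peer_endpoint=
}

# wg_plan IFACE KEYFILE, config on stdin: prints one ip/wg command per line.
# The private key is referenced via KEYFILE (assumed mode 0600) and never put on
# a command line, where any local user could read it from the process list.
wg_plan() {
    iface=$1 keyfile=$2
    section= peer_pub= peer_allowed= peer_endpoint=
    echo "ip link add $iface type wireguard"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        case $line in
            '[Interface]') emit_peer; section=interface; continue ;;
            '[Peer]')      emit_peer; section=peer; continue ;;
            *=*) ;;                            # "Key = Value" line
            *) continue ;;                     # blank line
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]]*,[[:space:]]*/,/g')
        case "$section:$key" in
            interface:Address)    echo "ip addr add $val dev $iface" ;;
            interface:ListenPort) echo "wg set $iface listen-port $val" ;;
            interface:PrivateKey) echo "wg set $iface private-key $keyfile" ;;
            peer:PublicKey)       peer_pub=$val ;;
            peer:AllowedIPs)      peer_allowed=$val ;;
            peer:Endpoint)        peer_endpoint=$val ;;
            *) echo "unsupported key '$key' in [$section]" >&2; return 1 ;;
        esac
    done
    emit_peer
    echo "ip link set $iface up"
}
```

Run it with `printf '%s' "$SAMPLE_CONF" | wg_plan wg0 /etc/wireguard/wg0.key`; an unknown key makes it fail rather than silently drop a setting, which is the behaviour you want from anything that templates configs out of an external system.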


Can you link to the video you're mentioning?



You can already easily do it the other way round: populate the config files with keys retrieved from an external system.


This is what I do. I have a small dynamo table and a Python script I run from cron. I grab all updates since the last run and apply all changes to the running service. I have the config option set to write out the config on service stop, so I don't lose anything on a restart and don't have to replay everything. I have lots of room for improvement but it's a quick hack that works for my needs. (Not sharing yet because it doesn't fully CRUD right now.)


That sounds like an ideal candidate for orchestration tools like Ansible, Puppet, etc. Have them build/template out the config files for you.


(Tailscale co-founder here.)

Building on what katnegermis said, this is what we're trying to help with. We integrate with identity management systems and handle the key management (and NAT traversal) on top of WireGuard, making it easier to deploy and manage.

If you're interested, a colleague of mine wrote up a blog post on how things work: https://tailscale.com/blog/how-tailscale-works/


Tailscale looks awesome but I would love a tier between “free single user with gmail” and “$10/user/month + GSuite/etc” (GSuite itself is $5/user/month I think?). Something like 1Password’s family plan, with the ability to use gmail accounts.

Then I would use it for my family, e.g. I could replace DynDNS + port forwarding I set up so my dad can control his home automation software (Hass.io) from his iPhone app, even off the WiFi. I’m unfortunately just not willing to set up/shell out for GSuite/Active Directory/Office365 for my family.

What really hooked me was your story about the medical practice a little while back.


Zerotier has a free plan


Wow! I'm super happy I gave this a try. I've been trying to put together an elegant solution to this problem for my personal infrastructure for over a year now and the furthest I ever got was an OpenVPN server on DigitalOcean and an EasyRSA folder full of certificates. I was living in UK university halls at the time, so my main use-case was being able to access my computers located in my UK uni dorm while visiting home in the US and accessing my US machines while at university in the UK.

It is extremely refreshing to not have to deal with key/certificate management, and to have all my VPN traffic be directly client to client instead of via a slow (or expensive) and likely remote VPN server.

Great product and I can't wait for some time to play around with it further!


This looks pretty interesting. Can I set up a sink inside my AWS VPC, so that everyone can access my RDS database?

It would be great if Tailscale had its own independent 2FA that I can use through any hardware key (for compliance reasons), rather than going through Google.


> Solo plan

> Log in with your Gmail account

HHNNNNNNGNNGNGNGNGNGNNGNNN ....

> look around a bit more

> no mention of license

is this proprietary software? lol no thanks, keep it.


I think this is what https://tailscale.com/ is trying to solve :)

(I'm in no way affiliated, but stumbled upon it on twitter a few weeks ago)


Tailscale looks like it's creating a mesh network - he's not asking for end-users to have VPN connections between each other (what Tailscale is doing).

He's asking for a central server where he can retrieve/update/manage end-user keys, likely: because helpdesk.

You could in theory do this with any number of the existing team password managers, but I think he'd like integration directly to wireguard.

Edit: care to reply rather than just downvote? All of their documentation and examples state exactly what I'm saying. They're turning all the devices into endpoints and creating a mesh - he doesn't want users bypassing his SINGLE VPN endpoint into the company or talking directly to each other based on his description. He wants Cisco Anyconnect - only wireguard.


You can use ACLs to control what clients can connect to.

https://news.ycombinator.com/item?id=22665589

It doesn't look like a nail/hammer/screw at all. Tailscale isn't configured how he wants out of the box, but using SSO to control access isn't a massively complex hurdle. Anyone with Office 365 will be able to use their Office account to authenticate, which is basically Cloud Active Directory, and way better (if it's something you have) than maintaining a separate username/password database for the VPN.

ACLs and a relay node are a good fit for the request. https://tailscale.com/kb/1019/install-subnets

Cloud SSO might be a deal breaker, but it doesn't make the solution the wrong class of solution.


We get this question about ZeroTier from time to time and the answer is the same: set rules (or ACLs in Tailscale) so as to allow only traffic to/from what you want users to communicate with.


Sure - you can block access but the fundamental problem you're appearing to target isn't what he's after. Heck to even get the user-auth he's asking for you have to use tailscale + some third party app whether that's okta or azure or google. I'm not saying he can't sort-of accomplish what he's trying to do but it very much feels like you've got a hammer and think his screw looks like a nail.


How are you doing the user management piece? Are all users treated in the same manner or do you have different groups with different ACLs etc?


Why not OpenVPN?


Because ovpn is not as efficient as wireguard.


Efficiency does not matter if the solution does not work.



