I need to provision a large number of Linux devices in multiple locations and put them all on a VPN. Configuring each device manually is too tedious. I was thinking of spinning up a server with a small HTTP API to exchange keys and configure WireGuard on both sides. Then each device would call this server to register itself. And while I am at it I thought I could throw together a minimal admin UI that I could use, for example, to manually remove peers.

I read the 'Web App provisioning Server' document, which I believe describes a possible solution for this use case. But I am confused about the whole data storage thing. Where do configurations live? Are the configuration files at /etc/wireguard/ the source of truth? If I edit these, when is the list of peers refreshed?

The above-mentioned document suggests shelling out to command line tools. Is this the recommended way? Does a general-purpose library for managing WireGuard config exist?

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Why not use an existing solution (e.g. Puppet et al)? The capability is already there, unless you need a GUI.

Cheers,
Steve

On Fri, 11 Jan 2019, 21:09 John Accoun, <jsonacc@gmail.com> wrote:

> I need to provision a large number of Linux devices in multiple locations
> and put them all on a VPN.
> Configuring each device manually is too tedious. I was thinking of
> spinning up a server with a small HTTP API to exchange keys and configure
> WireGuard on both sides. Then each device would call this server to
> register itself. And while I am at it I thought I could throw together a
> minimal admin UI that I could use, for example, to manually remove peers.
>
> I read the 'Web App provisioning Server' document, which I believe describes a
> possible solution for this use case. But I am confused about the whole data
> storage thing. Where do configurations live? Are the configuration files
> at /etc/wireguard/ the source of truth? If I edit these, when is the list
> of peers refreshed?
>
> The above-mentioned document suggests shelling out to command line tools.
> Is this the recommended way? Does a general-purpose library for managing
> WireGuard config exist?

--
Cheers,

Steve Gilberd
Erayd LTD · Consultant
Phone: +64 4 974-4229 · Mob: +64 27 565-3237
PO Box 10019, The Terrace, Wellington 6143, NZ
> Why not use an existing solution (e.g. Puppet et al)? The capability is already there,

No. It's not. Notice that I did mention that the devices would call a server to register themselves. In fact, the whole problem I am trying to solve is providing connectivity to peers behind NATs and connected from unknown locations. Being able to just ssh into a peer is the end goal itself, not the starting point.

But let's please not get off topic. I think I was clear in what I asked.

On Fri, Jan 11, 2019 at 12:17 PM Steve Gilberd <steve@erayd.net> wrote:

> Why not use an existing solution (e.g. Puppet et al)? The capability is
> already there, unless you need a GUI.
>
> Cheers,
> Steve
>
> On Fri, 11 Jan 2019, 21:09 John Accoun, <jsonacc@gmail.com> wrote:
>
>> I need to provision a large number of Linux devices in multiple locations
>> and put them all on a VPN.
>> Configuring each device manually is too tedious. I was thinking of
>> spinning up a server with a small HTTP API to exchange keys and configure
>> WireGuard on both sides. Then each device would call this server to
>> register itself. And while I am at it I thought I could throw together a
>> minimal admin UI that I could use, for example, to manually remove peers.
>>
>> I read the 'Web App provisioning Server' document, which I believe describes a
>> possible solution for this use case. But I am confused about the whole data
>> storage thing. Where do configurations live? Are the configuration files
>> at /etc/wireguard/ the source of truth? If I edit these, when is the list
>> of peers refreshed?
>>
>> The above-mentioned document suggests shelling out to command line tools.
>> Is this the recommended way? Does a general-purpose library for managing
>> WireGuard config exist?
>
> --
>
> Cheers,
>
> Steve Gilberd
> Erayd LTD · Consultant
> Phone: +64 4 974-4229 · Mob: +64 27 565-3237
> PO Box 10019, The Terrace, Wellington 6143, NZ
On 01/11, John Accoun wrote:
> I read the 'Web App provisioning Server' document, which I believe describes a
> possible solution for this use case. But I am confused about the whole data
> storage thing. Where do configurations live? Are the configuration files
> at /etc/wireguard/ the source of truth? If I edit these, when is the list
> of peers refreshed?

I assume you're referring to [0]? /etc/wireguard is only relevant for wg-quick; if you edit files there your changes will only take effect once you down/up your interface with wg-quick. So you obviously don't want to do it that way.

> The above-mentioned document suggests shelling out to command line tools.
> Is this the recommended way? Does a general-purpose library for managing
> WireGuard config exist?

I'm not sure where you read that? In any case, you can control WireGuard via netlink [1], and there is also an embeddable library [2] in C available. There also probably exists a netlink library for $YOUR_FAVORITE_LANG.

Regards,
Tharre

[0] https://docs.google.com/document/d/1_3Id-0vVXlXHFB7eT6fnfXoe9ppJoS8pY7R_uCtEZG4
[1] See man 7 rtnetlink
[2] https://git.zx2c4.com/WireGuard/tree/contrib/examples/embeddable-wg-library/wireguard.c

--
PGP fingerprint: 42CE 7698 D6A0 6129 AA16 EF5C 5431 BDE2 C8F0 B2F4
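What the thread leaves implicit is how the peer database, the wg-quick file and the running interface relate to each other. The following is an added example, not code from this thread or from the WireGuard project, of the server side of the registration flow John describes: a peer table (SQLite here) is the single source of truth, a validated `wg set` call applies each change to the kernel immediately, and `wg syncconf` re-applies the whole table after someone edits it by hand. It keeps the shell-out approach of the document John cites but passes an argument list rather than a shell string and checks the submitted public key strictly, so a registering device cannot smuggle in extra arguments or config lines. The interface name wg0, the 10.80.0.0/24 peer subnet and the enrolment token are assumptions made for the example, and the hub's own [Interface] settings are assumed to be configured out of band. The enrolment token is the piece most easily forgotten: whoever can reach the registration endpoint joins the VPN, so that call needs its own authentication independent of WireGuard.

```python
"""Peer registry for a WireGuard hub: the database is the source of truth,
`wg set` updates the running interface, `wg syncconf` reconciles the two.
Added example for this thread, not code from the thread or the WireGuard
project.  Assumed: hub interface wg0, peers get /32 addresses out of
10.80.0.0/24 (10.80.0.1 is the hub), and the hub's own [Interface] settings
(private key, listen port) are configured out of band and never touched here.
"""
import base64
import hmac
import ipaddress
import os
import re
import sqlite3
import subprocess
import tempfile
from typing import Callable, List, Optional

# Canonical base64 of exactly 32 bytes: 42 free characters, one whose low
# two bits are zero, one '=' pad.  Rejecting anything else also keeps shell
# metacharacters and newlines out of what is handed to wg(8).
_B64_KEY = re.compile(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")
_NAME = re.compile(r"[\w.-]{0,64}")   # free-form names could inject config lines


def is_valid_wg_key(key: str) -> bool:
    """True iff `key` is a well-formed Curve25519 public key in wg's encoding."""
    if not _B64_KEY.fullmatch(key):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


class PeerRegistry:
    def __init__(self, db_path: str, iface: str = "wg0",
                 subnet: str = "10.80.0.0/24", enrol_token: str = "",
                 run: Optional[Callable[[List[str]], None]] = None) -> None:
        # `run` receives an argument list, never a shell string; the only
        # device-supplied element in it is the public key, validated above.
        self.run = run or (lambda argv: subprocess.run(argv, check=True))
        self.iface, self.enrol_token = iface, enrol_token
        self.subnet = ipaddress.ip_network(subnet)
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS peers (pubkey TEXT PRIMARY KEY,"
                        " address TEXT UNIQUE NOT NULL, name TEXT NOT NULL)")

    def _next_address(self) -> str:
        used = {addr for (addr,) in self.db.execute("SELECT address FROM peers")}
        hosts = self.subnet.hosts()
        next(hosts)                          # first host is the hub itself
        for host in hosts:
            if str(host) not in used:
                return str(host)
        raise RuntimeError("peer subnet exhausted")

    def register(self, pubkey: str, token: str, name: str = "") -> str:
        """Enrol a device and return its tunnel address; idempotent per key."""
        # Whoever can call this joins the VPN, so the call itself is
        # authenticated: a shared enrolment token (hypothetical), compared
        # in constant time.  Per-device tokens would be better still.
        if not self.enrol_token or not hmac.compare_digest(
                token.encode(), self.enrol_token.encode()):
            raise PermissionError("bad enrolment token")
        if not is_valid_wg_key(pubkey):
            raise ValueError("not a WireGuard public key")
        if not _NAME.fullmatch(name):
            raise ValueError("bad device name")
        row = self.db.execute("SELECT address FROM peers WHERE pubkey = ?",
                              (pubkey,)).fetchone()
        if row:
            return row[0]
        addr = self._next_address()
        with self.db:                        # commit before touching the kernel
            self.db.execute("INSERT INTO peers VALUES (?, ?, ?)", (pubkey, addr, name))
        self.run(["wg", "set", self.iface, "peer", pubkey, "allowed-ips", f"{addr}/32"])
        return addr

    def remove(self, pubkey: str) -> bool:
        """Drop a peer from the database and from the running interface."""
        with self.db:
            cur = self.db.execute("DELETE FROM peers WHERE pubkey = ?", (pubkey,))
        if cur.rowcount == 0:
            return False
        self.run(["wg", "set", self.iface, "peer", pubkey, "remove"])
        return True

    def render_conf(self) -> str:
        """All peers as [Peer] sections in the wg(8) setconf/syncconf format."""
        rows = self.db.execute("SELECT pubkey, address FROM peers ORDER BY address")
        return "".join(f"[Peer]\nPublicKey = {key}\nAllowedIPs = {addr}/32\n\n"
                       for key, addr in rows)

    def sync(self) -> None:
        """Make the interface match the database; peers not in it are removed."""
        fd, path = tempfile.mkstemp(prefix="wg-sync-")   # created mode 0600
        try:
            with os.fdopen(fd, "w") as f:
                f.write(self.render_conf())
            self.run(["wg", "syncconf", self.iface, path])
        finally:
            os.unlink(path)
```

Passing any callable that accepts the argv list as `run` (for instance `print`) shows the exact `wg` commands without root or a real interface. `sync()` is what a "refresh" after editing the table looks like: `wg syncconf` adds and updates the listed peers and removes the ones no longer present, which is the answer to "when is the list of peers refreshed" once the database, not /etc/wireguard, is the record. The HTTP layer that calls `register` and `remove` is left out; it adds nothing to the storage question beyond mapping the exceptions to status codes.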
If you don't want to fiddle with setting up connections by yourself and have a clean network design, use systemd-networkd.

https://en.nullday.de/it-sec/2018/02/22/wireguard-with-systemd/

Regards,
Vincent Wiemann