WireGuard Archive on lore.kernel.org
* how would one go about building an admin frontend?
From: John Accoun @ 2019-01-11  0:14 UTC
  To: wireguard

I need to provision a large number of linux devices on multiple locations
and put them all on a VPN.
Configuring each device manually is too tedious. I was thinking of spinning
up a server with a small HTTP api to exchange keys and configure wireguard
on both sides. Then each device would call this server to register itself.
And while I am at it I thought I could throw together a minimal admin ui
that I could use for example to manually remove peers.

I read the 'Web App provisioning Server' which I believe describes a
possible solution for this use case. But I am confused with the whole data
storage thing. Where do configurations live? Are the configuration files
at /etc/wireguard/ the source of truth? If I edit these when is the list
of peers refreshed?

The above mentioned document suggests shelling out to command line tools.
Is this the recommended way? Does a general purpose library for managing
wireguard config exist?


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: how would one go about building an admin frontend?
From: Steve Gilberd @ 2019-01-11 11:17 UTC
  To: John Accoun; +Cc: wireguard

Why not use an existing solution (e.g. puppet et al)? The capability is
already there, unless you need a GUI.

Cheers,
Steve

-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019, The Terrace, Wellington 6143, NZ*


* Re: how would one go about building an admin frontend?
From: John Accoun @ 2019-01-13  0:09 UTC
  To: Steve Gilberd; +Cc: wireguard

> Why not use an existing solution (e.g. puppet et al)? The capability is
> already there,

No. It's not. Notice that I did mention that the devices would call a
server to register themselves. In fact, the whole problem I am trying to
solve is providing connectivity to peers behind NATs and connected from
unknown locations. Being able to just ssh into a peer is the end goal
itself, not the starting point.

But let's please not get off topic. I think I was clear in what I asked.




* Re: how would one go about building an admin frontend?
From: Tharre @ 2019-01-16 20:25 UTC
  To: John Accoun; +Cc: wireguard

On 01/11, John Accoun wrote:
> I read the 'Web App provisioning Server' which I believe describes a
> possible solution for this use case. But I am confused with the whole data
> storage thing. Where do configurations live? Are the configuration files
> at /etc/wireguard/ the source of truth? If I edit these when is the list
> of peers refreshed?

I assume you're referring to [0]?

/etc/wireguard is only relevant for wg-quick; if you edit files there,
your changes will only take effect once you down/up your interface with
wg-quick.

So you obviously don't want to do it that way.

> The above mentioned document suggests shelling out to command line tools.
> Is this the recommended way? Does a general purpose library for managing
> wireguard config exist?

I'm not sure where you read that? In any case, you can control wireguard
via netlink[1], and there is also an embeddable library[2] in C
available.

There also probably exists a netlink library for $YOUR_FAVORITE_LANG.

Regards,
Tharre

[0] https://docs.google.com/document/d/1_3Id-0vVXlXHFB7eT6fnfXoe9ppJoS8pY7R_uCtEZG4
[1] See man 7 rtnetlink
[2] https://git.zx2c4.com/WireGuard/tree/contrib/examples/embeddable-wg-library/wireguard.c

-- 
PGP fingerprint: 42CE 7698 D6A0 6129 AA16  EF5C 5431 BDE2 C8F0 B2F4
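
Added example, not part of the thread and not WireGuard project code: peer bookkeeping for the registration server discussed above, where the server's own store is the source of truth and changes reach the running interface through `wg set`, so no wg-quick down/up is involved. The names `PeerRegistry` and `validate_pubkey`, the interface `wg0` and the 10.8.0.0/24 pool are assumptions; the netlink route mentioned in the reply would replace the returned argv with a netlink call.

```python
import base64
import binascii
import ipaddress
import re

IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # Linux names are at most 15 chars

def validate_pubkey(key: str) -> str:
    """Accept only the canonical base64 form of a 32-byte WireGuard public key."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("public key is not valid base64") from exc
    if len(raw) != 32 or base64.b64encode(raw).decode() != key:
        raise ValueError("public key must be 32 bytes, canonically encoded")
    return key

class PeerRegistry:
    """Hypothetical server-side store; it, not /etc/wireguard, is the source of truth."""
    def __init__(self, iface: str, network: str):
        if not IFACE_RE.match(iface):
            raise ValueError("bad interface name")
        self.iface = iface
        self.pool = ipaddress.ip_network(network)
        self.peers = {}  # public key -> assigned tunnel address

    def register(self, pubkey: str) -> list:
        """Record a peer; return the argv that adds it to the running interface."""
        pubkey = validate_pubkey(pubkey)
        if pubkey not in self.peers:
            hosts = iter(self.pool.hosts())
            next(hosts)  # assumption: the first host address belongs to the server
            used = set(self.peers.values())
            addr = next((a for a in hosts if a not in used), None)
            if addr is None:
                raise ValueError("address pool exhausted")
            self.peers[pubkey] = addr
        return ["wg", "set", self.iface, "peer", pubkey,
                "allowed-ips", f"{self.peers[pubkey]}/32"]

    def remove(self, pubkey: str) -> list:
        """Forget a peer; return the argv that drops it from the running interface."""
        if self.peers.pop(validate_pubkey(pubkey), None) is None:
            raise KeyError("unknown peer")
        return ["wg", "set", self.iface, "peer", pubkey, "remove"]

# Constructed sample keys: 32 arbitrary bytes each, not real device keys.
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(1, 33))).decode()
```

The returned list is meant to be run as root with `subprocess.run(argv, check=True)`; passing a list rather than a shell string, together with the strict key check, keeps device-supplied input from being parsed as options or shell syntax.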


* Re: how would one go about building an admin frontend?
From: Vincent Wiemann @ 2019-01-21 18:40 UTC
  Cc: wireguard

If you don't want to fiddle with setting up connections by yourself and
have a clean network design, use systemd-networkd.
https://en.nullday.de/it-sec/2018/02/22/wireguard-with-systemd/

Regards,

Vincent Wiemann
