wireguard.lists.zx2c4.com archive mirror
* how would one go about building an admin frontend?
From: John Accoun @ 2019-01-11  0:14 UTC (permalink / raw)
  To: wireguard



I need to provision a large number of Linux devices in multiple locations
and put them all on a VPN.
Configuring each device manually is too tedious. I was thinking of spinning
up a server with a small HTTP API to exchange keys and configure WireGuard
on both sides. Then each device would call this server to register itself.
And while I am at it I thought I could throw together a minimal admin UI
that I could use for example to manually remove peers.

I read the 'Web App provisioning Server' which I believe describes a
possible solution for this use case. But I am confused with the whole data
storage thing. Where do configurations live? Are the configuration files
at /etc/wireguard/ the source of truth? If I edit these when is the list
of peers refreshed?

The above-mentioned document suggests shelling out to command line tools.
Is this the recommended way? Does a general purpose library for managing
WireGuard config exist?


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: how would one go about building an admin frontend?
From: Steve Gilberd @ 2019-01-11 11:17 UTC (permalink / raw)
  To: John Accoun; +Cc: wireguard



Why not use an existing solution (e.g. puppet et al)? The capability is
already there, unless you need a GUI.

Cheers,
Steve

-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019, The Terrace, Wellington 6143, NZ*


* Re: how would one go about building an admin frontend?
From: John Accoun @ 2019-01-13  0:09 UTC (permalink / raw)
  To: Steve Gilberd; +Cc: wireguard



> Why not use an existing solution (e.g. puppet et al)? The capability is
> already there,

No. It's not. Notice that I did mention that the devices would call a
server to register themselves. In fact, the whole problem I am trying to
solve is providing connectivity to peers behind NATs and connected from
unknown locations. Being able to just ssh into a peer is the end goal
itself, not the starting point.

But let's please not get off topic. I think I was clear in what I asked.




* Re: how would one go about building an admin frontend?
From: Tharre @ 2019-01-16 20:25 UTC (permalink / raw)
  To: John Accoun; +Cc: wireguard



On 01/11, John Accoun wrote:
> I read the 'Web App provisioning Server' which I believe describes a
> possible solution for this use case. But I am confused with the whole data
> storage thing. Where do configurations live? Are the configuration files
> at /etc/wireguard/ the source of truth? If I edit these when is the list
> of peers refreshed?

I assume you're referring to [0]?

/etc/wireguard is only relevant for wg-quick; if you edit files there,
your changes will only take effect once you down/up your interface with
wg-quick.

So you obviously don't want to do it that way.

> The above-mentioned document suggests shelling out to command line tools.
> Is this the recommended way? Does a general purpose library for managing
> WireGuard config exist?

I'm not sure where you read that? In any case, you can control wireguard
via netlink[1], and there is also an embeddable library[2] in C
available.

There also probably exists a netlink library for $YOUR_FAVORITE_LANG.

Regards,
Tharre

[0] https://docs.google.com/document/d/1_3Id-0vVXlXHFB7eT6fnfXoe9ppJoS8pY7R_uCtEZG4
[1] See man 7 rtnetlink
[2] https://git.zx2c4.com/WireGuard/tree/contrib/examples/embeddable-wg-library/wireguard.c

-- 
PGP fingerprint: 42CE 7698 D6A0 6129 AA16  EF5C 5431 BDE2 C8F0 B2F4
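
An added example (not part of the thread, and not WireGuard code) of the server-side bookkeeping the registration API discussed above needs, assuming the server keeps its own peer registry as the source of truth rather than the files under /etc/wireguard: it validates a device-submitted public key before the key gets anywhere near interface configuration, assigns a tunnel address, and computes which peers to add or remove on the live interface. `PeerRegistry`, `check_public_key`, `reconcile` and the address pool are hypothetical names and values; applying the result over netlink or the embeddable library is left out.

```python
import base64
import binascii
import ipaddress


class RegistrationError(ValueError):
    """Raised when a registration request must be refused."""


def check_public_key(text):
    """Accept only the canonical base64 form of a 32-byte key."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError, TypeError) as exc:
        raise RegistrationError("public key is not valid base64") from exc
    if len(raw) != 32 or base64.b64encode(raw).decode() != text:
        raise RegistrationError("public key is not a canonical 32-byte key")
    return text


class PeerRegistry:
    """Hypothetical in-memory stand-in for the server's peer database."""

    def __init__(self, pool, server_address):
        self.pool = ipaddress.ip_network(pool)
        self.server = ipaddress.ip_address(server_address)
        self.peers = {}  # base64 public key -> tunnel address

    def register(self, public_key):
        check_public_key(public_key)
        if public_key in self.peers:  # re-registration keeps its address
            return self.peers[public_key]
        used = {self.server, *self.peers.values()}
        for host in self.pool.hosts():
            if host not in used:
                self.peers[public_key] = host
                return host
        raise RegistrationError("address pool exhausted")

    def remove(self, public_key):
        return self.peers.pop(public_key, None) is not None


def reconcile(registry, live_keys):
    """Return (keys to add, keys to remove) so the interface matches the registry."""
    desired, live = set(registry.peers), set(live_keys)
    return sorted(desired - live), sorted(live - desired)
```

Rejecting anything that is not exactly one canonical key keeps newlines and extra `key = value` text out of whatever later writes interface configuration, and `reconcile` is what lets an admin removal in the registry reach the running interface without a down/up cycle.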


* Re: how would one go about building an admin frontend?
From: Vincent Wiemann @ 2019-01-21 18:40 UTC (permalink / raw)
  Cc: wireguard

If you don't want to fiddle with setting up connections by yourself and
have a clean network design, use systemd-networkd.
https://en.nullday.de/it-sec/2018/02/22/wireguard-with-systemd/

Regards,

Vincent Wiemann
