{"id":22004694,"url":"https://github.com/davidcoles/wgvpn","last_synced_at":"2026-05-05T11:32:40.181Z","repository":{"id":110330146,"uuid":"597476089","full_name":"davidcoles/wgvpn","owner":"davidcoles","description":"A managed WireGuard VPN client","archived":false,"fork":false,"pushed_at":"2023-04-30T11:36:27.000Z","size":37,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-14T11:05:36.586Z","etag":null,"topics":["macos","vpn","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/davidcoles.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-04T17:09:45.000Z","updated_at":"2023-02-04T17:13:53.000Z","dependencies_parsed_at":"2025-01-28T12:46:49.844Z","dependency_job_id":"85309ccd-a4c9-4f68-a28a-7314c73a9c96","html_url":"https://github.com/davidcoles/wgvpn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/davidcoles/wgvpn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidcoles%2Fwgvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidcoles%2Fwgvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidcoles%2Fwgvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidcoles%2Fwgvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/davidcoles","download_url":"https://codeload.github.com/davidcoles/wgvpn/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidcoles%2Fwgvpn/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268554912,"owners_count":24269064,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-03T02:00:12.545Z","response_time":2577,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["macos","vpn","wireguard"],"created_at":"2024-11-30T00:16:48.693Z","updated_at":"2026-05-05T11:32:35.156Z","avatar_url":"https://github.com/davidcoles.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WGVPN\n\nA proof-of-concept macOS client for a simple managed WireGuard VPN service\n\n## Introduction\n\nA server implementation provides a simple API for clients to discover\nVPN configuration data. Each client uses a TLS client certificate to\naccess the API and, based on the CommonName presented, the server can\nselect and activate respective IP address/public key bindings on the\nWireGuard server.\n\nAn endpoint can be used to send the end user to an OIDC authentication\nflow (possibly using 2FA) which, when passed, will add the device's IP\naddress to firewall rules. Tokens tracked by the server may be\nperiodically refreshed to keep the client active - failure to receive\na refreshed token, or client certificate invalidation via OSCP can\nblock access to the client.\n\nServer implementation is not currently openly available, but you can\nbuild your own. Or raise an issue if interested.\n\n## Usage\n\nNeeds the wireguard-tools/wireguard-go packages from Homebrew.\n\nTwo processes need to be run.\n\n* A WireGuard management process - `sudo make wg` - this needs sudo access to create utun devices\n* A menu bar based client process - `make vpn` - see the [Makefile](Makefile) for overrides to make this work with your infrastructure \n\nThe client process will search the keychain for a matching client\ncertificate (can be overridden with a PEM file on the command line)\nand create a keychain password entry with a generated private key and\nserver public key if it does not exist. It will then poll the server\nfor status information.\n\n## API endpoints\n\n### /api/1/status\n\nReturns key:value pairs indicating the status of the user's\nconnection. Can be used to indicate that the user may need to\nauthenticate via, eg., an OIDC flow.\n\n```\n{\"active\":true}\n```\n\n### /api/1/beacon\n\nReturns a 200 status code when the VPN is fully working. Could be\nimplemented as a redirect to an internal service, or another port on\nthe VPN server bound to a port on an internal address.\n\n### /api/1/config\n\nAccepts a POST of the client's public key - optionally may add\ntemporary access if the client does not yet have a registered\nkey. Returns the settings that the client should use to access the\nVPN. Server's public key is stored on first use along with generated\nprivate key and subsequently is compared with the returned value to\ndetect spoofing - in which case the tunnel is not brought up and the\nstored keychain entry should be deleted in case of a genuine need to\nre-key.\n\nServer returns the client's public key such the the client can detect\nthat server has an incorrect key stored and alert the user to the need\nto contact support to re-key the device.\n\nPOST:\n\n```\n{\"PublicKey\": \"+Njc296qpzKNXtkMcdbvCYAObhhg1C0o/dU2b1fu6GI=\"}\n```\n\nReturns:\n\n```\n{\n \"Interface\": {\n  \"PublicKey\": \"+Njc296qpzKNXtkMcdbvCYAObhhg1C0o/dU2b1fu6GI=\",\n  \"Address\": \"10.1.2.3\",\n  \"MTU\": 1400,\n  \"DNS\": [\n   \"8.8.8.8\",\n   \"1.1.1.1\"\n  ]\n },\n \"Peer\": {\n  \"PublicKey\": \"nEQMporDAX28HB0rTMrozOPnYSdYnbkYhmS7uG5CdQg=\",\n  \"AllowedIPs\": [\n   \"10.0.0.0/8\",\n   \"172.16.0.0/12\"\n  ],\n  \"Endpoint\": \"vpn.example.com:51820\"\n }\n}\n```\n\n\n## Native macOS client\n\nThis is a PoC. The intention would be to build a first-class macOS\nimplementation in Swift with appropriate entitlements. Alas, I am not\nan Apple developer.\n\nA native client would need/implement:\n\n* WireGuardKit / NEPacketTunnelProvider integration - Network Extensions Entitlement\n* Keychain access for certificate/private key\n* Access the simple API via HTTP with client cert\n* Ability to launch browser window for AD auth, etc.\n* A Simple UI - status menu item, dropdown options\n* Generate private key on first use and save along with server public key\n* Check server key against stored entry when connecting - alert user of mismatch\n* Post pubkey when connecting to generate notification server side in case of mismatch\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidcoles%2Fwgvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavidcoles%2Fwgvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidcoles%2Fwgvpn/lists"}