{"id":20259999,"url":"https://github.com/influxdata/wirey","last_synced_at":"2025-03-16T10:13:00.961Z","repository":{"id":32104663,"uuid":"130880787","full_name":"influxdata/wirey","owner":"influxdata","description":"Manage local wireguard interfaces in a distributed system","archived":false,"fork":false,"pushed_at":"2024-09-12T16:13:28.000Z","size":9791,"stargazers_count":67,"open_issues_count":9,"forks_count":6,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-03-03T02:44:00.884Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/influxdata.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-24T16:06:04.000Z","updated_at":"2024-11-27T07:55:38.000Z","dependencies_parsed_at":"2024-06-19T00:05:02.364Z","dependency_job_id":"8c7076bc-329d-496d-a14e-8e13ae15ec78","html_url":"https://github.com/influxdata/wirey","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/influxdata%2Fwirey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/influxdata%2Fwirey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/influxdata%2Fwirey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/influxdata%2Fwirey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/influxdata","download_url":"https://codeload.github.com/inf
luxdata/wirey/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243852499,"owners_count":20358271,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T11:17:34.340Z","updated_at":"2025-03-16T10:13:00.936Z","avatar_url":"https://github.com/influxdata.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Wirey\n\nTool to manage local [wireguard](https://www.wireguard.com/) interfaces in a distributed system.\n\nBy using a remote distributed backend, wirey can synchronize wireguard peers among a cluster of machines\nin order to let them share the same tunnel without having to configure them by hand.\n\nEach machine should be able to see the same distributed backend in order to join the pool.\n\n## Implemented backends\n\n- etcd\n- consul\n- http(s) - with optional basic auth\n\n### ETCD\n\nThe etcd backend is useful when you want to use etcd to synchronize wireguard peers.\n\nExample usage:\n\n- endpoint: the listen ip address on the current machine\n- ipaddr: the ip address you want to assign to the interface\n- etcd: comma-separated list of etcd servers\n\n```bash\n./bin/wirey --endpoint 192.168.33.11 --ipaddr 172.30.0.4 --etcd 192.168.33.10:2379\n```\n\n### CONSUL\n\nThe consul backend is useful when you want to use consul to synchronize wireguard peers.\n\nExample usage:\n\n- endpoint: the listen ip address on the current machine\n- ipaddr: the ip address you want to assign to the interface\n- consul ip from the consul server\n- consul-port is the 
port from consul server\n- consul-address overrides consul ip and port\n- consul-token is the token used for consul authentication\n\n```bash\n./bin/wirey --endpoint 192.168.33.11 --ipaddr 172.30.0.4 --consul 192.168.33.10\n```\n\n### HTTP(s) with optional basic auth\n\nThe http backend is useful when you want to write your own implementation.\n\nThe only supported auth mechanism for now is Basic Authentication.\n\nExample usage:\n\n- endpoint: the listen ip address on the current machine\n- ipaddr: the ip address you want to assign to the interface\n- http: the http endpoint where to reach the server without trailing slash (/)\n- httpbasicauth: username and password to use if the server implements basic auth, in the form `username:password`\n\n```bash\n./bin/wirey --endpoint 192.168.33.12 --ipaddr 10.30.0.80 --http http://192.168.33.10:8080 --httpbasicauth \"time:series\"\n```\n\nExample usage using env variables:\n\n```bash\nexport WIREY_ENDPOINT=\"192.168.33.12\"\nexport WIREY_IPADDR=\"10.30.0.80\"\nexport WIREY_HTTP=\"http://192.168.33.10:8080\"\nexport WIREY_HTTPBASICAUTH=\"time:series\"\n./bin/wirey\n```\n\n#### HTTP Server endpoints\nYou can find an example of http server in [examples/httpbackend](examples/httpbackend)\n\nStarting from the endpoint you provide to wirey, the expected routes are:\n\n#### POST `/{ifname}/{publickeysha}`\n\n**URL parameters:**\n\n- ifname: interface name, wirey defaults to `wg0`\n- publickeysha: the sha256 of the public key, this is just used as a key and as of now it's not matched with anything in `wirey` since the real public key is embedded in the body.\n\n**URL Example:**\n\n```\nhttps://myservice.com/wireguard-discovery/wg0/234sfkske03kdssk32\n```\n\n**Request Body example:**\n\n```json\n{\n    \"Endpoint\": \"192.168.33.11:2345\",\n    \"IP\": \"10.30.0.10\",\n    \"PublicKey\": \"T053azhMRW1sV2tQbjVISUgycnZtQWt5bDdKN3hJL3IwMjhDWG1zNVRpbz0K\"\n}\n```\n\n**Expected status codes:**\n\n- 201 Created\n- 401 
Unauthorized (for basic auth)\n\n#### GET `/{ifname}`\n\n**URL Example:**\n\n```\nhttps://myservice.com/wireguard-discovery/wg0\n```\n\n**URL parameters:**\n\n- ifname: interface name, wirey defaults to `wg0`\n\n**Description:**\n\nReturns all the peers for the provided interface.\n\n\n**Expected status codes:**\n\n- 200 OK\n- 401 Unauthorized (for basic auth)\n\n**Response body example:**\n\n```json\n[\n    {\n        \"Endpoint\": \"192.168.33.11:2345\",\n        \"IP\": \"10.30.0.10\",\n        \"PublicKey\": \"T053azhMRW1sV2tQbjVISUgycnZtQWt5bDdKN3hJL3IwMjhDWG1zNVRpbz0K\"\n    },\n    {\n        \"Endpoint\": \"192.168.33.12:2345\",\n        \"IP\": \"10.30.0.80\",\n        \"PublicKey\": \"ZlE5a005ZDV1enpGei8xc25STXpnb3U4MVJkYVFmTXczL0NRR2svdEFpRT0K\"\n    },\n    {\n        \"Endpoint\": \"192.168.33.13:2345\",\n        \"IP\": \"10.30.0.60\",\n        \"PublicKey\": \"WUp2cDFPb0FhTkU5UC9vdlQrb0tIK29XRGtxVDhQenlzZnR1R1p4eEF5OD0K\"\n    }\n]\n```\n\n\n## Local Development\n\nDue to the nature of this project (networking on the root namespace) the easiest way to test if wirey works is by using Vagrant.\n\nA brave person could transpile that to a set of rootless runc containers, or even a set of docker containers with the network namespace transposed from root to the container itself.\n\nBTW, to use vagrant:\n\nThe machines available are:\n\n- discovery-server\n- net-1\n- net-2\n- net-3\n\n1. Start the vagrant machines and the sync\n\n```bash\nvagrant up\nvagrant rsync-auto\n```\n\n2. 
Compile wirey and execute it on both the machines\n\n```bash\nmake\n```\n\n### on net-1\n\n```bash\nvagrant ssh net-1\nsudo su -\ncd /vagrant\n./bin/wirey --endpoint 192.168.33.11 --ipaddr 172.30.0.4 --etcd 192.168.33.10:2379\n```\n\n### on net-2\n\n```bash\nvagrant ssh net-2\nsudo su -\ncd /vagrant\n./bin/wirey --endpoint 192.168.33.12 --ipaddr 172.30.0.5 --etcd 192.168.33.10:2379\n```\n\n### on net-3\n\n```bash\nvagrant ssh net-3\nsudo su -\ncd /vagrant\n./bin/wirey --endpoint 192.168.33.13 --ipaddr 172.30.0.6 --etcd 192.168.33.10:2379\n```\n\n### Verify that the interfaces are up\n\n```bash\nvagrant ssh net-1\nping 172.30.0.11\n```\n\nResult:\n```\nPING 172.30.0.11 (172.30.0.11) 56(84) bytes of data.\n64 bytes from 172.30.0.11: icmp_seq=1 ttl=64 time=0.414 ms\n64 bytes from 172.30.0.11: icmp_seq=2 ttl=64 time=2.54 ms\n```\n\n### Check the wg status in a machine\n\n```bash\nvagrant ssh net-1\nwg show\n```\n\nResult:\n```\ninterface: wg0\n  public key: 12XP/T4UEfLx6REuFxZWNPrrmrox5xgSRMNExCeNEws=\n  private key: (hidden)\n  listening port: 2345\n\npeer: 59Je0kMsYkWkQ52Rt7o9Ss60QP3fTcoTQgJgsWDW/QQ=\n  endpoint: 192.168.33.12:2345\n  allowed ips: 0.0.0.0/0\n  latest handshake: 1 minute, 55 seconds ago\n  transfer: 820 B received, 764 B sent\n```\n\n\n### Check the etcd store\n\n```bash\nvagrant ssh discovery-server\ndocker exec -e ETCDCTL_API=3 -e ETCDCTL_ENDPOINTS=http://192.168.33.10:2379  -ti etcd etcdctl get --prefix=true /wirey\n```\n\nResult:\n```\n/wirey/wg0/12XP/T4UEfLx6REuFxZWNPrrmrox5xgSRMNExCeNEws=\n\n{\"PublicKey\":\"MTJYUC9UNFVFZkx4NlJFdUZ4WldOUHJybXJveDV4Z1NSTU5FeENlTkV3cz0K\",\"Endpoint\":\"192.168.33.11:2345\",\"IP\":\"172.30.0.4\"}\n/wirey/wg0/59Je0kMsYkWkQ52Rt7o9Ss60QP3fTcoTQgJgsWDW/QQ=\n\n{\"PublicKey\":\"NTlKZTBrTXNZa1drUTUyUnQ3bzlTczYwUVAzZlRjb1RRZ0pnc1dEVy9RUT0K\",\"Endpoint\":\"192.168.33.12:2345\",\"IP\":\"172.30.0.11\"}\n```\n\n### Sample configuration file\n\nwirey.json\n```\n{\n    \"endpoint\": \"{{ GetPrivateIP }}\",\n    
\"endpoint-port\": \"51820\",\n    \"etcd\": \"\",\n    \"etcd-port\": \"\",\n    \"consul\": \"\",\n    \"consul-port\": \"\",\n    \"consul-address\": \"\",\n    \"consul-token\": \"\",\n    \"http\": \"\",\n    \"http-port\": \"\",\n    \"httpbasicauth\": \"\",\n    \"ifname\": \"wg0\",\n    \"ipaddr\": \"172.30.0.1\",\n    \"discover\": \"\",\n    \"allowedips\": \"\"\n}\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfluxdata%2Fwirey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfluxdata%2Fwirey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfluxdata%2Fwirey/lists"}