Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nickpegg/meshmash

A Wireguard mesh network manager service
https://github.com/nickpegg/meshmash

Last synced: 2 months ago
JSON representation

A Wireguard mesh network manager service

Host: GitHub
URL: https://github.com/nickpegg/meshmash
Owner: nickpegg
License: mit
Created: 2020-04-01T05:00:04.000Z (almost 5 years ago)
Default Branch: main
Last Pushed: 2024-10-26T20:16:52.000Z (2 months ago)
Last Synced: 2024-10-26T22:20:23.962Z (2 months ago)
Language: Python
Size: 209 KB
Stars: 7
Watchers: 2
Forks: 0
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Meshmash - A Wireguard mesh network manager

This is a simple web service which keeps track of nodes in a Wireguard mesh.

Nodes can register themselves and retreive the Wireguard config with all of the

nodes as peers.

Warning: This is for my personal use and hasn't been battle-tested in a

production enviornment.

## Flow

1. An operator, with a pre-shared key, makes a request to `/allocation` which

   returns a new allocation token.

2. During node provisioning, the allocation token is injected into the node

   being provisioned

3. The configuration management system running on the new node installs

   Wireguard and generates a keypair.

4. The configuration management system reads the allocation token and makes a

   request to `/register` with its hostname, public IP, and public key. The API

   allocates and returns a private VPN IP address.

5. The configuration management system configures a `wg0` interface with this

   private IP and creates a configuration file with a Wireguard `[Interface]`

   configuration section (with ListenPort and PrivateKey).

6. The configuration management system, using the Wireguard public key as auth,

   makes a request to `/config` to get the config with the `[Peer]` config

   sections and stores that on disk.

## Caveats

Authenticating to `/config` with a public key like this is pretty weak.  This

is really only to stop drive-by people from reading your peer config and

learning your network topology. If you have access to one of these public keys,

you're likely already trusted to be on the network.

The persistence for Meshmash is currently a JSON file on disk, which makes it

hard to run it in a highly-available way. When the complexity is warranted,

meaning I don't want Chef runs to fail if Meshmash is down, I'll add

persistence to some data store (database? Consul? etcd?).