https://github.com/the-maldridge/locksmith

A tool for managing wireguard VPN keys.
https://github.com/the-maldridge/locksmith

Last synced: about 2 months ago
JSON representation

A tool for managing wireguard VPN keys.

• Host: GitHub
• URL: https://github.com/the-maldridge/locksmith
• Owner: the-maldridge
• License: mit
• Created: 2019-03-16T22:13:13.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2020-06-16T16:55:13.000Z (over 4 years ago)
• Last Synced: 2024-06-03T01:34:41.077Z (4 months ago)
• Language: Go
• Size: 85 KB
• Stars: 39
• Watchers: 2
• Forks: 4
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Locksmith

Who better to manage keys?

Locksmith bolts on a more "enterprise" friendly management layer on

top of the amazingly capable WireGuard VPN.  The basic idea here is

that keys can be registered via a self-service system, approved

asyncronously, and activated for limited time spans.

## Life of a Peer

The peer initially posts their key off to a server where they are

pre-approved.  The idea here is that pre-approval saves everyone time

by cancelling registrations outright that won't be approved.  Think

about the cases where someone who won't be approved VPN access has

access to the form to request a key.

After pre-approval, the key is considered staged.  In this stage keys

cannot be activated for use.  To move from staged to approved one of

two conditions must be satisfied.  Either the network must have

auto-approval enabled where keys are truly self service, or an

appropriately approved user must approve the key.  A network may

specify an approval lifetime which can be used to drive periodic

review of keys.

Once approved the key is ready for use and a peer can request

activation of their key.  A network may also specify that activation

is automatic after approval.  To request activation the peer must send

an activation request to the server after which time the key will be

activated for a configured amount of time.  For some networks this

will be an infinite period of time, but the intention is that keys are

validated for a bit longer than the average work day.

## How it Works

There are two components, there is the locksmith service which handles

lifecycle management for keys and generally provides the access

control, and there is the keyhole service which is a privileged

process that actually modifies the wireguard interface.

Keyhole runs as root on Linux systems in order to modify the

interface, but Locksmith can and should run as an unprivileged user.

## State of the project

All of the critical parts work, but this is not production ready code,

see below.

## Want to Help?

This is an open project, feel free to send your PRs and to get

involved!

The following areas are currently highly desired modules.  Please open

an issue and discuss if you're interested in working on any of these:

  * Tests.  This is arguably security critical code, and so test

    coverage is important.  I do not have the bandwidth right now to

    write good tests as this started out as a toy project to see what

    was possible.  Now that it is worth working on and finishing, some

    tests should be written.  I would accept changes that alter

    interfaces if they do not break overal functionality if they

    improve test coverage.

  * HA Storage backend.  It would be nice to have multiple locksmith

    instances, which would use the same storage backend.

  * Keyhole authentication.  Currently keyhole blindly accepts

    changes.  This is obviously not right.  Some means for locksmith

    to authenticate to keyhole would be ideal.  This is likely just a

    simple token, but I will entertain all options.

  * Frontend webapp.  For the vast majority of users, a frontend

    webapp is critical as it is how they will interact with the

    system.  This will need to be able to generate configuration

    fragments for users, perform administrative functions, and provide

    an interface to request key activation.  I'd like something simple

    here, but I'm not opposed to a VueJS or EmberJS style application.

  * CLI Tool.  Anything the webapp can do the CLI should be able to do

    as well.  I'd like this to be built with cobra so that it can read

    the configuration values in the same way.