Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/utilitywarehouse/wiresteward
Wireguard peer manager
https://github.com/utilitywarehouse/wiresteward
oauth2 uw-owner-system wireguard
Last synced: about 2 months ago
JSON representation
Wireguard peer manager
- Host: GitHub
- URL: https://github.com/utilitywarehouse/wiresteward
- Owner: utilitywarehouse
- License: mit
- Created: 2019-09-13T14:08:40.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-08-01T10:39:47.000Z (5 months ago)
- Last Synced: 2024-08-02T02:15:01.903Z (5 months ago)
- Topics: oauth2, uw-owner-system, wireguard
- Language: Go
- Homepage:
- Size: 1.51 MB
- Stars: 71
- Watchers: 14
- Forks: 6
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-wireguard - Wiresteward - A WireGuard peer manager with OAuth2 authentication. (Projects / User Interface)
README
# Wiresteward
---
Wiresteward is a WireGuard peer manager with oauth2 authentication. It is
comprised of two components: server and agent.The design is for Wiresteward server to run on a remote machine in a private
network, to which users will connect with WireGuard in order to access the
private network.The agent runs on the user's machine and is responsible for authenticating with
the server and retrieving WireGuard configuration.Both components will configure their local WireGuard devices and route tables
as needed to enable access to a private network.## Installation
### Binary
Download the latest binary from:
https://github.com/utilitywarehouse/wiresteward/releases### Homebrew
If you're on macOS or Linux and have [Homebrew](https://brew.sh/) installed,
getting Wiresteward is as simple as running:```
brew install utilitywarehouse/tap/wiresteward
```## Agent
The Wiresteward agent is responsible for:
- creating network tun devices
- fetching oauth tokens to pass server authentication
- registering WireGuard keys with the Wiresteward server and retrieving configuration
- configuring WireGuard peers
- configuring routes for the subnets allowed by the serverIt is recommended that the agent is run as a Systemd (Linux) / launchd (macOS)
service.But you can also run the executable directly:
```console
# wiresteward -agent -config=path-to-config.json
```Please note that because `wiresteward` will create and manage network devices
and network routes, it requires `NET_ADMIN` capabilities. You can run it as
root with `sudo`.See [`examples/server.json`](./examples/server.json) and
[`examples/agent.json`](./examples/agent.json) for example configuration.### Configuration
The agent can take a config file as an argument or look for it under the
default location:```
/etc/wiresteward/config.json
```The config contains details about the oauth server and the local devices that
we need the agent to manage.An example, where the config format can be found in
[`examples/agent.json`](./examples/agent.json).#### MTU
The default MTU for the interfaces created via the agent is `1420` and it comes
from the [default value of wireguard-go
package](https://git.zx2c4.com/wireguard-go/tree/device/tun.go#n14).
Optionally, MTU can be set explicitly per wg device created by the agent via
the configuration file (using the "MTU" key under device config)### Running as Systemd service (Linux)
The agent is designed to run as a Systemd service. An example working service
is described in
[`examples/wiresteward.service`](./examples/wiresteward.service).A typical location for user defined systemd service is
`/etc/systemd/system/wiresteward.service` so you'll need to copy the unit file
to that location and then run:```console
# systemctl daemon-reload
# systemctl enable --now wiresteward.service
```To look at its logs:
```console
$ journalctl -u wiresteward.service
```### Running as a launchd service (macOS)
An example working service for launchd is described in
[`examples/uk.co.uw.wiresteward.plist`](./examples/uk.co.uw.wiresteward.plist).You need to copy the file under `/Library/LaunchDaemons/` and then set the
ownership to root:```console
# chown root:admin /Library/LaunchDaemons/uk.co.uw.wiresteward.plist
```Then need to load the service:
```console
# sudo launchctl load /Library/LaunchDaemons/uk.co.uw.wiresteward.plist
```This will allow the service to run as root, which is required to operate on the
network devices and routing table.Logs are stored in `/var/log/wirestward.log` as defined in the service file. To
view the logs you can:```console
$ tail -f /var/log/wiresteward.log
```You might want to setup log rotation as well if you find that the log file
grows too large.### Authentication
The agent runs a local server on port 7773 and expects the user to visit
`http://localhost:7773/` in order to authenticate. Once authenticated, the
agent will be able to continue operating until the token retrieved is expired,
at which point the user needs to authenticate again.Visiting `http://localhost:7773/` will cause the agent to immediately configure
the local WireGuard devices. If it already has a valid token, it will not prompt
the user to re-authenticate but it will re-configure the system.## Server
The Wiresteward server is responsible for:
- creating new network WireGuard device
- registering new peers and allocating ip addresses for them
- configuring WireGuard peers
- revoking access for expired address leasesIt is recommended that the agent is run as a systemd service.
### Configuration
The server can take a config file as an argument or look for it under the
default location `/etc/wiresteward/config.json`. The config contains details
about the oauth server and the network subnets that need to be exposed, as well
as the network subnet from which peer addresses are leased to agents.An example, where the config format can be found in
[`examples/server.json`](./examples/server.json).### Operating
There are Terraform modules defined under [`terraform/`](./terraform) which
describe the recommended deployment method in AWS and GCP. See the more specific
[README](./terraform/README.md) file for details.