Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/utilitywarehouse/wiresteward

Wireguard peer manager
https://github.com/utilitywarehouse/wiresteward

oauth2 uw-owner-system wireguard

Last synced: about 2 months ago
JSON representation

Wireguard peer manager

Awesome Lists containing this project

README 

        
# Wiresteward






---



Wiresteward is a WireGuard peer manager with oauth2 authentication. It is

comprised of two components: server and agent.



The design is for Wiresteward server to run on a remote machine in a private

network, to which users will connect with WireGuard in order to access the

private network.



The agent runs on the user's machine and is responsible for authenticating with

the server and retrieving WireGuard configuration.



Both components will configure their local WireGuard devices and route tables

as needed to enable access to a private network.



## Installation



### Binary



Download the latest binary from:

https://github.com/utilitywarehouse/wiresteward/releases



### Homebrew



If you're on macOS or Linux and have [Homebrew](https://brew.sh/) installed,

getting Wiresteward is as simple as running:



```

brew install utilitywarehouse/tap/wiresteward

```



## Agent



The Wiresteward agent is responsible for:



- creating network tun devices

- fetching oauth tokens to pass server authentication

- registering WireGuard keys with the Wiresteward server and retrieving configuration

- configuring WireGuard peers

- configuring routes for the subnets allowed by the server



It is recommended that the agent is run as a Systemd (Linux) / launchd (macOS)

service.



But you can also run the executable directly:



```console

# wiresteward -agent -config=path-to-config.json

```



Please note that because `wiresteward` will create and manage network devices

and network routes, it requires `NET_ADMIN` capabilities. You can run it as

root with `sudo`.



See [`examples/server.json`](./examples/server.json) and

[`examples/agent.json`](./examples/agent.json) for example configuration.



### Configuration



The agent can take a config file as an argument or look for it under the

default location:



```

/etc/wiresteward/config.json

```



The config contains details about the oauth server and the local devices that

we need the agent to manage.



An example, where the config format can be found in

[`examples/agent.json`](./examples/agent.json).



#### MTU



The default MTU for the interfaces created via the agent is `1420` and it comes

from the [default value of wireguard-go

package](https://git.zx2c4.com/wireguard-go/tree/device/tun.go#n14).

Optionally, MTU can be set explicitly per wg device created by the agent via

the configuration file (using the "MTU" key under device config)



### Running as Systemd service (Linux)



The agent is designed to run as a Systemd service. An example working service

is described in

[`examples/wiresteward.service`](./examples/wiresteward.service).



A typical location for user defined systemd service is

`/etc/systemd/system/wiresteward.service` so you'll need to copy the unit file

to that location and then run:



```console

# systemctl daemon-reload

# systemctl enable --now wiresteward.service

```



To look at its logs:



```console

$ journalctl -u wiresteward.service

```



### Running as a launchd service (macOS)



An example working service for launchd is described in

[`examples/uk.co.uw.wiresteward.plist`](./examples/uk.co.uw.wiresteward.plist).



You need to copy the file under `/Library/LaunchDaemons/` and then set the

ownership to root:



```console

# chown root:admin /Library/LaunchDaemons/uk.co.uw.wiresteward.plist

```



Then need to load the service:



```console

# sudo launchctl load /Library/LaunchDaemons/uk.co.uw.wiresteward.plist

```



This will allow the service to run as root, which is required to operate on the

network devices and routing table.



Logs are stored in `/var/log/wirestward.log` as defined in the service file. To

view the logs you can:



```console

$ tail -f /var/log/wiresteward.log

```



You might want to setup log rotation as well if you find that the log file

grows too large.



### Authentication



The agent runs a local server on port 7773 and expects the user to visit

`http://localhost:7773/` in order to authenticate. Once authenticated, the

agent will be able to continue operating until the token retrieved is expired,

at which point the user needs to authenticate again.



Visiting `http://localhost:7773/` will cause the agent to immediately configure

the local WireGuard devices. If it already has a valid token, it will not prompt

the user to re-authenticate but it will re-configure the system.



## Server



The Wiresteward server is responsible for:



- creating new network WireGuard device

- registering new peers and allocating ip addresses for them

- configuring WireGuard peers

- revoking access for expired address leases



It is recommended that the agent is run as a systemd service.



### Configuration



The server can take a config file as an argument or look for it under the

default location `/etc/wiresteward/config.json`. The config contains details

about the oauth server and the network subnets that need to be exposed, as well

as the network subnet from which peer addresses are leased to agents.



An example, where the config format can be found in

[`examples/server.json`](./examples/server.json).



### Operating



There are Terraform modules defined under [`terraform/`](./terraform) which

describe the recommended deployment method in AWS and GCP. See the more specific

[README](./terraform/README.md) file for details.