Does anyone know anything about Wireguard-p2p?
It's a tool for automatic management of endpoints and NAT-traversal for wireguard. It was announced on FOSDEM 2018[0]. Main repo[1] is stale, unfortunately.
Some tool that would augment WG with more features a-la Tinc would be awesome.
I have heard this before (that wireguard does p2p), but have yet to see any examples of how to run this. Is it theoretical or just not fully implemented...?
I also want to point out that Manuel Schoelling been working on and released a p2p [1] distributed hash table [2] work on top of WireGuard to build a VPN mesh. He talked about this recently [3] at FOSSEM.
Cool to see this done by hand. I’m running IPSec on my Edgerouter but am about to redo my home network and lab environment and will likely implement WireGuard.
There’s also a more plug-n-play tool called Algo that is highly spoken of, which automates a lot of this: https://github.com/trailofbits/algo
Most of tinc's functionality could be implemented in userspace using the wireguard kernel module, and so wireguard itself won't really need to grow.
The one thing I wish wireguard had was overlapping AllowedIPs with 'ip route via' to distinguish (although this isn't a tinc feature either, unless you run it as an ethernet segment). The same result can be achieved using a separate interface for every peer and 0/0 at each end, but it's a bit unwieldy.
Welp, I have no idea if anyone will read this as its been a little while since it was put up and is in a flagged comment, but hey I'll do a lil explanation of some of the issues I ran in to, and how it works.
How it works:
In short, Wag adds an eBPF program to a WireGuard device that it instantiates. The eBPF program uses a number of hash maps and LPM (longest prefix matching trie) maps to determine the policies that are applied traffic coming in on the wireguard device.
These policies based on the ACLs defined per user/group, and contain MFA/Allow/Deny rules which require mfa, allow without auth and deny always respectively.
Wag also watches all the wireguard peers ingress IP addresses, and when an address changes it deauthenticates the user and requires the user to complete a login challenge. This is done by basically setting a bit in the maps exposed to eBPF that says "unauthorised"
Challenges:
First and foremost with WireGuard there is no good way of determining if an "external ip" i.e where the user is connecting from has changed.
There was a patch set submitted for review in 2022~ that was never actually added to the kernel that would have added netlink compatibility and thus event based notification that things had changed, but alas that was never reviewed by Jason Donenfeld and has quietly died the death.
Secondly was defining multiple policies per route was quite difficult as eBPF doesnt do dynamic memory even in userland exposed maps and I wanted multiple rules per route, i.e you might allow port 80/tcp when MFA has passed but otherwise always allow 22/tcp. So to do that I had to define a maximum number of rules that could be inserted as one memory blob into the LPM map that the ebpf program would then linearly search to make its decision.
Thirdly has been making everything highly available which has been a bit of an on-going battle with ETCd mainly around how it manages cluster certificates as they dont (as of 2024 but it may be coming soon) expose the right structures to allow for dyanmic certificate creation, so you have to kind of make a wrapper around that in order to get everything going.
Im sure there are other things that I've had struggles with, but these are what come to mind immediately!
I started off using tinc before wireguard existed, and now use both. Tinc provides a guaranteed full connectivity graph with indirect routing, nat punching, and local subnet discovery as needed. Wireguard is much more performant (eg it can be used to secure nfs without kerberos). Eventually someone will write a daemon for wireguard that provides tinc's features, but until then they are complimentary. I use wireguard between routers to carry full subnets, and tinc is setup on individual hosts to provide fallback access.
Indeed, this is why I won't use it either. I settled on Slack's Nebula [0] instead of wireguard because it handles direct p2p communication between nodes automatically.
There also exists an open source implementation of the tailscale control server [1] that you could self host.
is a building block that can be used to achieve something similar, minus TURN-like NAT traversal fallback. The peer discovery leverages DNS and UDP hole punching uses WireGuard itself.
One suggestion would be to submit a feature request to Tinc to add detection / support of Wireguard. Tinc could still handle the mesh routing and just hand off the encryption bits to WG. There have been some brief discussion in email threads [1] Probably more, have not checked all the archives.
With WireGuard there is not necessarily a central server.
There are many peers and any peer can connect to any other
peer assuming they have the correct authentication
credentials. Every peer has a private and public
key used to identify its self.
Tinc could still make sense as a control plane for the WireGuard VPN though. There have been talks about WireGuard as a backend for tinc [0], hope that sees some progress.
Aside from the cryptorouting concept and some convenience functions in wg-quick, Wireguard doesn't really have strong opinions on routing. It's perfectly legitimate to setup an interface with a single peer and global (0.0.0.0/0, ::/0) routes then use BGP to announce networks across it and manage the kernel route tables.
I use tinc myself and like it. I like that I only have to update a single node and all the other nodes will accept those peers from that node. I've been playing with wireguard, and having the other nodes discover and communicate with each other directly doesn't happen without you adding the other's public key to both peers.
I remember there was talk about switching the backend for Wireguard for security and speed, but it seems to be on the backburner: https://github.com/gsliepen/tinc/issues/179
These things aren't WireGuard's job any more than they were IPSEC's job. What's supposed to happen for people who care a lot about these things is for systems to get built on top of WireGuard to provide them. That's happened for the commercial market, where things like roaming and NAT traversal are key features, and so we have Tailscale. It sounds like you're identifying an open source privacy project built on WireGuard that want to exist. Why not try to put one together?
But can it traverse a NAT. IPSec for all of its benefits is a huge PITA to circumvent a NAT, often requiring either the NAT to have native support or for IPSec to be configured to use UDP encapsulation. Seems like the Wireguard people thought of this:
Reading their web site in general has made me nothing but impressed, they seem to be building a VPN tunneling protocol designed for the real world but with several improvements over existing solutions. It is incomplete, but definitely something I'm going to check in on.
Some tool that would augment WG with more features a-la Tinc would be awesome.
[0] https://archive.fosdem.org/2018/schedule/event/bulletinboard... [1] https://github.com/manuels/wireguard-p2p
reply