
I wrote a TUI tool (runs over SSH in a terminal) for managing simple WireGuard configuration on the server: https://github.com/andrianbdn/wg-cmd

You just run it on your server and it does most of the things, including generating WireGuard keys for clients and showing QR codes.




That's awesome! My suggestions:

* I'd include this research paper. It's the "first mechanised cryptographic proof of WG protocol": https://hal.inria.fr/hal-02100345/document

Self-plug right here. There are a ton of bash scripts to install and configure WireGuard. Here's mine: https://github.com/SirToffski/WireGuard-Ligase/

It will configure server and clients independent of the OS it's running on. Steps to install WG are provided in the Wiki. On Ubuntu server with pre-installed WG, the quick setup option will make a ready-to-use server. You can quickly edit the variables to change things up.

Cheers!


Have you set up WireGuard yet? It's approximately as simple as setting up SSH; the only thing it adds over SSH is IP addresses.

Wireguard to SSH

TLDR: WireHub is a tool that helps you generate WireGuard configurations and easily share those with your end-users - instead of emailing configs around, you can just share a link to WireHub.

--

So if you want a secure private network for your devices and you choose WireGuard as the protocol for it, there a few ways to get there depending on your needs.

As is often the case, it's a question of convenience vs. security & trust.

In general, I think there are three categories of tools:

1) CLIs - Command line tools where you run a couple of commands and you get a folder of wireguard config files.

2) Self-hosted Admin UIs - `git clone ... && docker-compose up` (or something to that effect) in a server of yours and you get an admin UI to control a WireGuard interface and its peers.

3) All-in-One - tools that control the whole stack, from using/recreating WireGuard in userspace with custom agents to SSO, RBAC, etc etc.

With CLIs, it's easy to generate configurations but then there's a lot of fiddling to maintain them. Multiple networks? New peers? Rotating keys? Securing keys? Ugh.

With self-hosted admin UIs, like wg-easy, subspace, et al, you can get to 90% quite easily, especially if you're up to some open source hacking yourself, and the GUI aspect makes it kind of easier to maintain your network.

Yet, the issue of securing the PrivateKeys remains - they are all kept on the server running the admin UI and are then distributed to peers.

All-in-One solutions, like tailscale, netbird, netmaker, et al, solve the PrivateKey problem by providing agents - their own software you have to install on each of your devices. Their software securely handles PrivateKeys on each client so they are not stored in a single place and never leave the device they were created on. You get to 100% pretty quickly, but you're somehow left wondering about the layers and layers of pure magic (in a good way!) going on behind the scenes.

WireHub tries to strike a balance between convenience and security in all three categories by:

- Making PrivateKeys optional. For maximum security, just don't share them with WireHub. For convenience however, WireHub can encrypt your PrivateKeys in browser (using WebCrypto) with a password of your choice (that is never stored, anywhere). WireHub can also generate the keys in browser, using Jason's javascript implementation.

- Not running any servers. For maximum security, bring your own cloud. For convenience, you can use `curl` to download the relevant WireGuard config on each server.

- Relying on stock WireGuard apps and not providing clients or other software to install. Jason is just better at writing secure software :)

So these choices place a hard limit on what WireHub can and will try to do.


I'm confident in making ssh changes while logged in via ssh.

Compared to ssh, wireguard configs feel too easy to mess up and risk getting locked out if it's the only way of accessing the device.


You can also integrate it into other deployment/key managements solutions by reading in config values from files/commands. I added sections to detail that here:

- https://github.com/pirate/wireguard-docs#config-shortcuts

- https://github.com/pirate/wireguard-docs#How-WireGuard-Manag...

- https://github.com/pirate/wireguard-docs#Dynamic-IP-Allocati...


Hmm, didn't know Algo used WireGuard under the hood. That's cool but there's no UI for adding clients, so I would still have to ssh into the server to download certificates and there are a lot of commands to run, so at that point might as well just install wireguard manually. Wish they had a docker image and bundled something like WireGuard-access-server.

And what I like about Wireguard is that you can't port scan for it. The protocol is designed in such a way that the wireguard server won't respond unless you know the right key.

This is too bad, but, really, WireGuard is incredibly easy to get set up regardless. I've had harder times with SSH configurations than with rolling out WireGuard. It's a pretty amazing piece of software.

Yeah sure I get it :)

WireHub is like wgeasy in regards to the UI (a nice list of devices and some buttons on the right), but different in that it doesn't run WireGuard, it just generates the configs.

So if you find yourself a bit worried about the single point of failure that is wgeasy (all the private keys are kept in plain text on the server running wgeasy), and you want more flexibility in your WireGuard routing (not just 0.0.0.0/24, per device rules), and the ability to securely share any of your configs with others, then maybe give WireHub a try.

No future plans as of yet. This is just a side project.


Yep, that's what I'm asking for... right now wireguard can only look at configuration text files AFAIK. If it had a way to invoke a command/script to lookup a key/ip, any number of external management systems could be created!

It sounds like we could have a generic userspace tool that proxies any connection to a WireGuard server. Similar to ssh -L, it would listen on a TCP/UDP port locally (or talk the SOCKS protocol) and convert that to IP packets over the WireGuard connection (using a userspace TCP or UDP implementation for that side).

It looks like Fly.io has all the bits, they just need to be packaged as a stand-alone tool rather than built into flyctl and only talk SSH.


Which can have a passphrase and an agent, all sorts of MFA. One benefit to wireguard though is it's using UDP with a much less noisy handshake; you will never even know if the port you tried connecting to runs it (if your firewall is configured correctly). It's much more stealthy; an ssh server will pronounce its version banner and public host key to literally anyone.

Could someone please explain what a meaningful example usage of WireGuard might be? The intro seems to imply something that could be duplicated with a terminal + SSH forwarding + a VPS. How is this better and/or different? Thank you :-)

Wireguard doesn't need to change at the protocol level to add those features and I think that's the point. Userspace programs can be written to fetch keys from a server based on SSO or w/e.

Does anyone know anything about Wireguard-p2p? It's a tool for automatic management of endpoints and NAT-traversal for wireguard. It was announced on FOSDEM 2018[0]. Main repo[1] is stale, unfortunately.

Some tool that would augment WG with more features a-la Tinc would be awesome.

[0] https://archive.fosdem.org/2018/schedule/event/bulletinboard...

[1] https://github.com/manuels/wireguard-p2p


Wireguard config is a few lines (interface addresses, keys, AllowedIPs, post up and down). Simpler than SSH. You can run it on a cloud instance close to users.

Tailscale is still simpler and provides additional features. A small team or startup will appreciate Tailscale’s access controls.


As you essentially say, WireGuard is great. I firewall off direct SSH and first use WireGuard to connect to the server instead.

I still configure SSH to best practices just in case a configuration blunder causes the firewall to accept connections.

One advantage is that if your firewall is set up right it's completely invisible, as unauthenticated UDP packets are dropped, as is the case with any other unused UDP port.


Agreed. You're already setting up SSH and deleting it soon so why bother setting up the IPs, adding your public key, getting the server's public key, configuring iptables, and configuring wireguard locally when you could just SSH?

Only benefit I'd see is wireguard would be easier to use on a mobile device, but the setup requires the ability to run ansible and do ssh already so... that's not really practical.

