wirebox

package module
v0.0.0-...-d60fec0
Published: Mar 8, 2023 License: MIT Imports: 10 Imported by: 0

README

Wirebox

Dynamic WireGuard tunnel configuration daemon.

Unmaintained: The project is not in active development. Existing code works (hopefully), but no further improvements or bugfixes will be made.

Both client & server are Linux-only now.

Features

  • Clients need no configuration other than an ed25519 key pair and the server endpoint (IP + port).
  • Multicast-friendly thanks to PtP mode.
  • Can assign IPs dynamically if you do not care.
  • Centralized configuration at a single node (server).

Server

Acts as a router between connected clients (and possibly other networks) and sends client configurations on request using the WGDCP protocol.

Installation & configuration

Install Go toolchain and run the following to install its executable:

$ env GO111MODULE=on go get github.com/foxcpp/wirebox/cmd/wboxd@latest

Grab the example configuration file here. wboxd looks for a configuration file named wboxd.toml in the current directory. This can be changed using the -config command line option.

Do not forget to enable IP forwarding and adjust your firewall configuration appropriately:

# sysctl net.ipv4.ip_forward=1

Client

CLI utility that requests configuration from the server using the WGDCP protocol, configures the WireGuard tunnel accordingly and exits.

Installation & configuration

Mostly the same as for the server: replace wboxd with wbox in the go get command. The example configuration is at cmd/wbox/wbox.example.toml.

WGDCP

WireGuard Dynamic Configuration Protocol

Simple ProtoBuf-based protocol running on top of UDP/IPv6 inside a "configuration" WireGuard tunnel. Intended as a specialized, minimal DHCP replacement.

The configuration received from the server is authenticated because it is received over the WireGuard tunnel.

The server uses strict "Allowed IPs" settings for all tunnels and therefore does not allow IP spoofing. Filtering is applied to prevent clients from peeking at the configuration of other clients, but it is not bullet-proof.

TODO: Protocol documentation/specification is non-existent.

Documentation

Index

Constants

const (
	SolictPort = 22434

	RouteProto = linkmgr.RouteProto
)

Variables

var SolictIPv6 net.IP = net.ParseIP("fe80:5747:4443:5000::1")

Functions

func CreateWG

func CreateWG(m linkmgr.Manager, name string, cfg wgtypes.Config, addrs []linkmgr.Address) (link linkmgr.Link, created bool, err error)

func IPv6LLForClient

func IPv6LLForClient(publicKey PeerKey) net.IP

IPv6LLForClient generates the IPv6 link-local address the client will use for negotiation on the configuration tunnel.

It is deterministic and based on the client public key. However, it does not authenticate the client in any way, nor is it collision-safe, since it coerces a 256-bit key into a 128-bit IPv6 address with two reserved bytes.

Deterministic assignment is needed for tunnel configuration on the server side: WireGuard's "Allowed IPs" cannot say "any IP" for multiple peers on the same interface.

Types

type PeerKey

type PeerKey struct {
	Encoded string
	Bytes   wgtypes.Key
}

func NewPeerKey

func NewPeerKey(encoded string) (PeerKey, error)

func (PeerKey) AsPrivateKey

func (k PeerKey) AsPrivateKey() ed25519.PrivateKey

AsPrivateKey converts the ed25519 private key stored in PeerKey to ed25519.PrivateKey.

func (PeerKey) AsPublicKey

func (k PeerKey) AsPublicKey() ed25519.PublicKey

AsPublicKey converts the ed25519 *public* key stored in PeerKey to ed25519.PublicKey.

func (PeerKey) PublicFromPrivate

func (k PeerKey) PublicFromPrivate() PeerKey

func (PeerKey) String

func (k PeerKey) String() string

func (*PeerKey) UnmarshalText

func (k *PeerKey) UnmarshalText(text []byte) error

Directories

Path Synopsis
cmd
