Wirey

Tool to manage local wireguard interfaces in a distributed system.

By using a remote distributed backend, wirey can synchronize wireguard peers among a cluster of machines in order to let them share the same tunnel without having to manually configure them by hand.

Each machine should be able to see the same distributed backend in order to join the pool.

Implemented backends

• etcd
• consul
• http(s) - with optional basic auth

ETCD

The etcd backend is useful when you want to use etcd to synchronize wireguard peers.

Example usage:

• endpoint: the listen ip address on the current machine
• ipaddr: the ip address you want to assign to the interface
• etcd comma seprated list of etcd servers

./bin/wirey --endpoint 192.168.33.11 --ipaddr 172.30.0.4 --etcd 192.168.33.10:2379

CONSUL

The consul backend is useful when you want to use consul to synchronize wireguard peers.

Example usage:

• endpoint: the listen ip address on the current machine
• ipaddr: the ip address you want to assign to the interface
• consul ip from the consul server
• consul-port is the port from consul server
• consul-address overrides consul ip and port
• consul-token is the token used for consul authentication

./bin/wirey --endpoint 192.168.33.11 --ipaddr 172.30.0.4 --consul 192.168.33.10

HTTP(s) with optional basic auth

The http backend is useful when you want to write your own implementation.

The only suppported auth mechanism for now is Basic Authentication.

Example usage:

• endpoint: the listen ip address on the current machine
• ipaddr: the ip address you want to assign to the interface
• http: the http endpoint where to reach the server without trailing slash (/)
• httpbasicauth: username and password to use if the server implements basic auth, in the form username:password

./bin/wirey --endpoint 192.168.33.12 --ipaddr 10.30.0.80 --http http://192.168.33.10:8080 --httpbasicauth "time:series"

Example usage using env variables:

export WIREY_ENDPOINT="192.168.33.12"
export WIREY_IPADDR="10.30.0.80"
export WIREY_HTTP="http://192.168.33.10:8080"
export WIREY_HTTPBASICAUTH="time:series"
./bin/wirey

HTTP Server endpoints

You can find an example of http server in examples/httpbackend

Starting from the endpoint you provide you provide to wirey, the expected routes are:

POST /{ifname}/{publickeysha}

URL parameters:

• ifname: interface name, wirey defaults to wg0
• publickeysha: the sha256 of the public key, this is just used as a key and as of now it's not matched with anything in wirey since the real public key is embedded in the body.

URL Example:

https://myservice.com/wireguard-discovery/wg0/234sfkske03kdssk32

Request Body example:

{
    "Endpoint": "192.168.33.11:2345",
    "IP": "10.30.0.10",
    "PublicKey": "T053azhMRW1sV2tQbjVISUgycnZtQWt5bDdKN3hJL3IwMjhDWG1zNVRpbz0K"
}

Expected status codes:

• 201 Created
• 401 Unauthorized (for basic auth)

GET /{ifname}

URL Example:

https://myservice.com/wireguard-discovery/wg0

URL parameters:

• ifname: interface name, wirey defaults to wg0

Description:

Returns all the peers for the provided interface.

Expected status codes:

• 200 OK
• 401 Unauthorized (for basic auth)

Response body example:

[
    {
        "Endpoint": "192.168.33.11:2345",
        "IP": "10.30.0.10",
        "PublicKey": "T053azhMRW1sV2tQbjVISUgycnZtQWt5bDdKN3hJL3IwMjhDWG1zNVRpbz0K"
    },
    {
        "Endpoint": "192.168.33.12:2345",
        "IP": "10.30.0.80",
        "PublicKey": "ZlE5a005ZDV1enpGei8xc25STXpnb3U4MVJkYVFmTXczL0NRR2svdEFpRT0K"
    },
    {
        "Endpoint": "192.168.33.13:2345",
        "IP": "10.30.0.60",
        "PublicKey": "WUp2cDFPb0FhTkU5UC9vdlQrb0tIK29XRGtxVDhQenlzZnR1R1p4eEF5OD0K"
    }
]

Local Development

Due to the nature of this project (networking on the root namespace) the easiest way to test if wirey works is by using Vagrant.

A brave person could transpile that to a set of rootless runc containers, or even a set of docker containers with the network namespace transposed from root to the container itself.

BTW, to use vagrant:

The machines available are:

• discovery-server
• net-1
• net-2
• net-3

1. Start the vagrant machines and the sync

vagrant up
vagrant rsync-auto

2. Compile wirey and execute it on both the machines

make

on net-1

vagrant ssh net-1
sudo su -
cd /vagrant
./bin/wirey --endpoint 192.168.33.11 --ipaddr 172.30.0.4 --etcd 192.168.33.10:2379

on net-2

vagrant ssh net-2
sudo su -
cd /vagrant
./bin/wirey --endpoint 192.168.33.12 --ipaddr 172.30.0.5 --etcd 192.168.33.10:2379

on net-3

vagrant ssh net-2
sudo su -
cd /vagrant
./bin/wirey --endpoint 192.168.33.13 --ipaddr 172.30.0.6 --etcd 192.168.33.10:2379

Verify that the interfaces are up

vagrant ssh net-1
ping 172.30.0.11

Result:

PING 172.30.0.11 (172.30.0.11) 56(84) bytes of data.
64 bytes from 172.30.0.11: icmp_seq=1 ttl=64 time=0.414 ms
64 bytes from 172.30.0.11: icmp_seq=2 ttl=64 time=2.54 ms

Check the wg status in a machine

vagrant ssh net-1
wg show

Result:

interface: wg0
  public key: 12XP/T4UEfLx6REuFxZWNPrrmrox5xgSRMNExCeNEws=
  private key: (hidden)
  listening port: 2345

peer: 59Je0kMsYkWkQ52Rt7o9Ss60QP3fTcoTQgJgsWDW/QQ=
  endpoint: 192.168.33.12:2345
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 55 seconds ago
  transfer: 820 B received, 764 B sent

Check the etcd store

vagrant ssh discovery-server
docker exec -e ETCDCTL_API=3 -e ETCDCTL_ENDPOINTS=http://192.168.33.10:2379  -ti etcd etcdctl get --prefix=true /wirey

Result:

/wirey/wg0/12XP/T4UEfLx6REuFxZWNPrrmrox5xgSRMNExCeNEws=

{"PublicKey":"MTJYUC9UNFVFZkx4NlJFdUZ4WldOUHJybXJveDV4Z1NSTU5FeENlTkV3cz0K","Endpoint":"192.168.33.11:2345","IP":"172.30.0.4"}
/wirey/wg0/59Je0kMsYkWkQ52Rt7o9Ss60QP3fTcoTQgJgsWDW/QQ=

{"PublicKey":"NTlKZTBrTXNZa1drUTUyUnQ3bzlTczYwUVAzZlRjb1RRZ0pnc1dEVy9RUT0K","Endpoint":"192.168.33.12:2345","IP":"172.30.0.11"}

Sample configuration file

wirey.json

{
    "endpoint": "{{ GetPrivateIP }}",
    "endpoint-port": "51820",
    "etcd": "",
    "etcd-port": "",
    "consul": "",
    "consul-port": "",
    "consul-address": "",
    "consul-token": "",
    "http": "",
    "http-port": "",
    "httpbasicauth": "",
    "ifname": "wg0",
    "ipaddr": "172.30.0.1",
    "discover": "",
    "allowedips": ""
}