segator / wireguard-dynamic

Wireguard Auto Discovery Peers
https://www.wireguard.com

How does it work? #2

Closed innerop closed 5 years ago

innerop commented 5 years ago

Hi,

I assume nodes peer through one central server?

I'm not sure if we're supposed to run the first command you mention on a publicly accessible host or if it has to be run on every node? How does the token convey to the other nodes the IP address of the publicly accessible host? how do nodes peer if they're behind NAT?

<<

First let's create a new network

NETWORK_TOKEN=$(docker run -it --rm --net=host --privileged segator/wireguard-dynamic init)

Not clear how this is supposed to work.

segator commented 5 years ago

The magic here happens in the configuration service; by default I use kvdb.io (a free key/value database service).

The init command only needs to be executed one single time, on whatever node you want; this generates the ID under which nodes will try to find other nodes in the key/value database.

Ideally here we should have something like the Torrent DHT or IPFS DHT pub/sub, but as a first version it works. I also implemented the possibility to use Consul/ZooKeeper etc. services if you don't want to use a public service like kvdb.io.

innerop commented 5 years ago

Still how do nodes find each other if they are behind NAT? Is there a STUN server somewhere that will reveal their actual IPv4 address and port?

How do you add and remove peers from the wg interface? Do you simply use the wg CLI command or some other way? I know Jason D (wg author) has been prototyping a way to update peers based on the conf using syncconf (setconf with the ability to update) ... I do need this functionality to work on both AMD64 and AARCH64, so for me using the CLI option is easier than compiling an app that uses the wg netlink interface, and I honestly haven’t looked into netlink.

Could you provide more technical details on how your system works? Maybe in the wiki section?

In my case the nodes may come and go frequently, so I need a way to keep the mesh config updated. I don’t mind using OpenDHT or even starting out with kvetch.io

Thank you for sharing your knowledge with us. :)

segator commented 5 years ago

There is no support now for "behind a NAT", unless you map a port to the host. I would like to add STUN server and UDP hole punching support :)

To add peers, simply execute the command as described in the README :)

The way the system works is: it publishes your node info to kvdb.io using your previously generated token. Then other nodes poll every x seconds to detect new nodes and whether existing nodes are still online, so the system automatically adds/updates/deletes peers.

innerop commented 5 years ago

<< I would like to set Stun Server and Udp hole punching support :)

That would work for cone NATs but not for symmetric NATs. The world is still not ready for pure P2P, at least not in practice. But don't let me discourage you!

<< the init command only need to execute 1 single time

You may want to note that the init command should be executed just once, on any node, to get the unique key for the mesh.

<< the system automatically add/update/delete peers.

cmd.Command("wg","set",localPeer.DeviceName,"peer",peer.PublicKey,"remove")

Ok, I see. This is using 'wg' command, not Wireguard netlink interface. I wasn't aware that there is a "remove" parameter.

Cool.
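The publish/poll/reconcile loop segator describes, and the `wg set <dev> peer <key> remove` call innerop quotes, as an added example that is not the project's own code: it parses the output of `wg show <dev> dump` (real format), compares it with the peer set a node would pull from the key/value store (the `Peer` record shape is an assumption), and returns the `wg set` commands needed to add, update or remove peers. Running those commands, the polling timer and the kvdb.io fetch are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Peer is what a node publishes under the network token (hypothetical record shape).
type Peer struct {
	Endpoint   string // host:port that other nodes can reach
	AllowedIPs string // the node's mesh address, e.g. "10.0.0.2/32"
}
// parseWgDump parses `wg show <dev> dump`: tab-separated, the first line is the
// interface, each later line one peer (public-key, preshared-key, endpoint, allowed-ips, ...).
func parseWgDump(dump string) map[string]Peer {
	peers := map[string]Peer{}
	for i, line := range strings.Split(strings.TrimSpace(dump), "\n") {
		f := strings.Split(line, "\t")
		if i == 0 || len(f) < 4 {
			continue // interface line or malformed line
		}
		peers[f[0]] = Peer{Endpoint: f[2], AllowedIPs: f[3]}
	}
	return peers
}

// reconcile returns the `wg set` argument lists that make the configured peers match
// what the store says is online: new/changed peers are set, unpublished peers removed.
func reconcile(dev string, current, desired map[string]Peer) [][]string {
	var cmds [][]string
	for key, want := range desired {
		if have, ok := current[key]; ok && have == want {
			continue // already configured exactly as published
		}
		cmds = append(cmds, []string{"wg", "set", dev, "peer", key,
			"endpoint", want.Endpoint, "allowed-ips", want.AllowedIPs})
	}
	for key := range current {
		if _, ok := desired[key]; !ok {
			cmds = append(cmds, []string{"wg", "set", dev, "peer", key, "remove"})
		}
	}
	return cmds
}

func main() {
	dump := "priv\tpubA\t51820\toff\npubC\t(none)\t203.0.113.6:51820\t10.0.0.3/32\t0\t0\t0\toff\n" // constructed
	desired := map[string]Peer{"pubD": {"203.0.113.7:51820", "10.0.0.4/32"}}            // constructed
	fmt.Println(reconcile("wg0", parseWgDump(dump), desired))
}
```

Map iteration order is random, so the order of the returned commands varies between runs; each command is independent, so that does not matter when applying them.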