
Haven't seen it mentioned here yet, so this might be useful to someone getting into WireGuard:

https://github.com/subspacecloud/subspace

This is a tool that helps you generate and manage configurations for WireGuard, generates QR codes for configuring mobile devices, and even integrates with SAML for authentication.

It's not as fancy as some other VPN management tools, but this is an easy way to get WireGuard set up without too much messing with configs.



I'm also working on something like this

https://github.com/place1/wireguard-access-server

It's mostly a hobby project but it'll run a userspace wireguard implementation (boringtun) and a webapp to configure it.

You can run it in docker

    docker run \
      -it \
      --rm \
      --name wg \
      --cap-add NET_ADMIN \
      --device /dev/net/tun:/dev/net/tun \
      -p 8000:8000/tcp \
      -p 51820:51820/udp \
      place1/wireguard-access-server:0.0.5


I've been eyeing this, but I'm a bit concerned that this is a code dump, and not a real project.

The project consists of a grand total of 7 commits, which were posted 6 months ago. Since then there's been no activity, and pull requests opened since May have seen no maintainer activity either.


You're right about that but as far as I've seen the project is pretty much feature complete for basic usage and I couldn't find any problems with the code that warranted much work.

The project seems to have stagnated but in its current state it's usable enough. I probably wouldn't expose the web application itself to the outside world anyway (I usually only expose applications to my home + VPN networks) so in the limited context that I use it it's fine.

If you want, you can also use it to generate configs and QR codes once, copy the server config to an independent server and then shut down the application. It doesn't do anything special to WireGuard itself, it just generates config files and QR codes and that's it.

Kind of sad to see such a simple but practical application fall into the abandonware hole, but such is life when dealing with open source side projects from small companies.


Thanks, I did the whole thing manually a few weeks ago and this looks like a good solution at least for mobile devices!


A fancy webapp is not the best for a security critical thing like generating VPN confs!

I'd rather have a simple script and push updates to a "read-only" webapp.


If you manually set read only permissions on the right data folder after generating the configs, you can turn it into a readonly app. You can probably manually connect your own configs to the right user accounts as well but then that's a lot of work for a site that only generates QR codes and download links.

This project isn't much more than a script to generate and manage configs with an optional layer of SAML accounts on top. Especially with WireGuard's simple configuration it doesn't need to do any more than that. There are no security parameters with unsafe defaults, complicated configuration processes, or certificate generation and signing processes that other VPN systems fall victim to. There's a 6-line config file containing a private key generated by the official WireGuard tool and that's it.

While I've always avoided many complicated OpenVPN config tools like the plague (that of pfSense for one), I think WireGuard is simple enough to be configured like this.


Thanks for linking this, I hadn't heard of subspace before.

Does it handle IP assignment/configuration as well?


That’s the real question.

I wrote a little script that creates the configuration files, and shows a QR code in the terminal to easily add new clients.

The problem I ran into is dynamic IP allocation, without extra logging, or storing the client config files after they’ve been distributed. If I want to avoid assigning a used IP, I need to know what I’ve already given out.

I mocked up a few things then decided the perfect was becoming the enemy of the good. Since I’ll only ever have a few peers, I ultimately just decided to randomize the 4th octet each time I create a new client config. Obviously, this opens me up to a potential conflict in the future (prayers to St. YAGNI for benevolence).

I suppose I could/should be pre-generating all the configs, handing one out at random, then deleting it.


This script[0] gets that part right by having a `lastip` file containing the latest assigned IP, so the script counts up for new clients. You can add a line for qrencode to the end to get the QR[1].

0: https://gist.github.com/Belphemur/b014a11f9ae6c20203276f214e...

1: https://gist.github.com/judge2020/e9631be086ea105005614c70a8...
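The allocation problem raised a few comments up (knowing which addresses have already been handed out without keeping client configs around) and the `lastip` counter in the linked gist are both addressed by reading the server's own wg0.conf: every peer the server knows about has an `AllowedIPs` line, so that file is the record of what is in use. The script below is an added example, not code from the thread or from either gist. It assumes a single IPv4 VPN subnet on the `[Interface]` address, takes the peer's keys as strings (generate them with `wg genkey | tee peer.key | wg pubkey` and pass them in; the keys in the sample are placeholders), and picks the lowest free host so that gaps left by deleted peers are reused rather than counting up forever.

```python
"""Allocate the next free WireGuard peer address from the server's wg0.conf.

Added example (not from the thread or the linked gists). Assumes every peer
is recorded as a [Peer] section with an AllowedIPs entry in the server config.
"""
import ipaddress

# Constructed sample server config; all keys are placeholders, not real keys.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.66.0.2/32

[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.66.0.4/32
"""


def parse_server_conf(text):
    """Return (server IPv4 interface, list of IPv4 networks reserved by peers)."""
    section = None
    server_iface = None
    peer_nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            for item in value.split(","):
                iface = ipaddress.ip_interface(item.strip())
                if server_iface is None and iface.version == 4:
                    server_iface = iface
        elif section == "peer" and key == "allowedips":
            for item in value.split(","):
                net = ipaddress.ip_network(item.strip(), strict=False)
                if net.version == 4:
                    peer_nets.append(net)
    if server_iface is None:
        raise ValueError("no IPv4 Address found in [Interface]")
    # Only networks that overlap the VPN subnet matter for allocation.
    vpn_net = server_iface.network
    return server_iface, [n for n in peer_nets if n.overlaps(vpn_net)]


def next_free_address(server_iface, peer_nets):
    """Lowest host in the VPN subnet that is neither the server nor any peer."""
    for addr in server_iface.network.hosts():
        if addr == server_iface.ip:
            continue
        if any(addr in net for net in peer_nets):
            continue
        return addr
    raise RuntimeError(f"no free addresses left in {server_iface.network}")


def render_peer_conf(peer_private_key, server_public_key, endpoint, address,
                     server_iface, dns=None):
    """Client-side config: route only the VPN subnet through the tunnel."""
    lines = ["[Interface]",
             f"PrivateKey = {peer_private_key}",
             f"Address = {address}/32"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]",
              f"PublicKey = {server_public_key}",
              f"AllowedIPs = {server_iface.network}",
              f"Endpoint = {endpoint}",
              "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


def allocate_peer(server_conf_text, peer_public_key):
    """Pick a free address and return (address, server conf with the new [Peer])."""
    server_iface, peer_nets = parse_server_conf(server_conf_text)
    address = next_free_address(server_iface, peer_nets)
    block = f"\n[Peer]\nPublicKey = {peer_public_key}\nAllowedIPs = {address}/32\n"
    return address, server_conf_text.rstrip("\n") + "\n" + block


if __name__ == "__main__":
    addr, new_conf = allocate_peer(SAMPLE_SERVER_CONF, "PEER3_PUBLIC_KEY_PLACEHOLDER")
    iface, _ = parse_server_conf(new_conf)
    print(render_peer_conf("PEER3_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER",
                           "vpn.example.test:51820", addr, iface))
    print(new_conf)
```

The client config printed by the `__main__` block can be piped straight into `qrencode -t ansiutf8` for the phone, and the returned server config is what you write back to wg0.conf (followed by `wg syncconf` or a restart) so the next run sees the new peer. Because the allocator fails loudly when the subnet is full instead of wrapping around, a conflict can't be introduced silently.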


Thank you!! This is very close to what I’m doing.


Yes, although it's not very configurable in a Docker environment without editing the Dockerfile yourself (hardcoded IP ranges and all that, though it does assign a new IP to each new profile you generate). You can still modify the Dockerfile if you wish to have more control over things like IP ranges and the DNS server used by clients but you'd have to rebuild the container after modifying.

You will also likely need to make some changes to your iptables and/or sysctl depending on your server config and firewall.

Nothing too shocking per se; you need to do all that with any other kind of VPN as well.


I’ve made an HTTP JSON service that allocates IPs and configures WireGuard. Not sure if it can be used for this project but here it is: https://github.com/balboah/wireguard-operator



