Wireguard Management System - Concept Introduction

Introduction

Wireguard is a beautiful thing :sob:. But one thing that I have found to be a point of contention is the lack of a simple interface for managing an existing Wireguard server. From some light browsing, I have found a couple of solutions that are mainly geared towards enterprise use or paid services, but no simple FOSS CLI alternatives. Therefore, I feel that it would be nice to have a simple Bash or Python script to accomplish this task. I'll keep it short and just share my early development notes below:


To-Do

Features

Enhancements


Development Notes

Example servers.conf

[wg0]
# Path to the server configuration file
server_conf=/etc/wireguard/neuron/wg0.conf

# Public key of the server
server_pubkey=U29TZWN1cmVNdWNoV293ISEhcXdlcnR5MTIzNA==

# Where will we store client configuration files?
clients_directory=/etc/wireguard/neuron/clients

[wg#]
# ...

# Normal typical server configuration
[Interface]
Address = 192.168.5.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 42387
PrivateKey = iMa3i2nmks1A3j2kn3VaRWuIto23DFasxk4=

# Peer name
[Peer]
PublicKey = FS/HMHIMrihc+37tVR816pjh2WcoNg4cqgeGGhC8SyM=
AllowedIPs = 192.168.5.2

# ...
# Server configuration *with* wg-man entries
[Interface]
Address = 192.168.5.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 42387
PrivateKey = iMa3i2nmks1A3j2kn3VaRWuIto23DFasxk4=

# Peer name
# Random custom comments
[Peer]
PublicKey = FS/HMHIMrihc+37tVR816pjh2WcoNg4cqgeGGhC8SyM=
AllowedIPs = 192.168.5.2

####################
## WG-MAN ENTRIES ##
####################

# Example_Client_Name
# NOTE: the items below are used by wg-man as client properties
# Date Added: 2019.01.05
[Peer]
PublicKey = FS/HMHIMrihc+37tVR816pjh2WcoNg4cqgeGGhC8SyM=
AllowedIPs = 192.168.5.3

Script Structure

  1. wg-man - Master management script. Other scripts will be used inside this one, but ultimately this should be the only thing the user has to use.
  2. scripts/ - Additional scripts used with wg-man that supplement it.
  3. ./servers.conf - Configuration file listing the managed servers (see the example above).

Server command usage

* Required parameter
(-x) Short synonym for the long parameter
# Parameters

## Specifying configuration file
wg-man ... # With configuration file in working directory
wg-man --config (-c) /path/to/config/file.conf ...

# Subcommands

## Description: Initialize a new server and add an entry to servers.conf
## Parameters:
## --interface (-i)*:   Name of interface
## --name (-n):         Name of server          (Default: Random UUID)
## --ip (-a):           IP of server            (Default: 192.168.1.1)
## --privkey (-k):      Private key of server   (Default: Generated from wg)
wg-man init --interface wg0 --name "Server_Nickname"

## Description: Add clients (existing or not) to a server configuration
## Parameters:
## --ip (-a)*:     IP of client
## --cat (-l):     Display client entry
## --name (-n):    Name of client         (Default: Random UUID)
## --pubkey (-k):  Public key of client   (Default: Generated from wg)
wg-man add --name "Client_Nickname" --ip "192.168.5.2" --pubkey "EQWEF234fbi234bfawSEFqi3jh4bFq==" --cat

## Description: Create a client configuration for a server and add the client to the server configuration
## Parameters:
## --ip (-a)*:     IP of client
## --cat (-l):     Display client entry
## --name (-n):    Name of client         (Default: Random UUID)
wg-man create --name "Client_Nickname" --ip "192.168.5.65"

Making this beautiful spec is making me want to do this proper and not just make it a bash script lol
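As an added example (not part of these notes and not wg-man's own code), here is how the annotated entry format under the WG-MAN marker and the checks behind the `add` subcommand could be handled in Python: it parses the client entries that follow the marker and renders a new one, refusing a malformed key or an IP/key that a listed client already uses. The sample config text, the function names and the collision checks are my assumptions; the marker and comment layout follow the spec above.

```python
import base64
import ipaddress
# Constructed sample of a server config carrying wg-man entries (not a real server).
SAMPLE_CONF = """[Interface]
Address = 192.168.5.1/24
####################
## WG-MAN ENTRIES ##
####################

# Example_Client_Name
# Date Added: 2019.01.05
[Peer]
PublicKey = FS/HMHIMrihc+37tVR816pjh2WcoNg4cqgeGGhC8SyM=
AllowedIPs = 192.168.5.3
"""
MARKER = "## WG-MAN ENTRIES ##"

def valid_wg_key(key):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def parse_clients(conf_text):
    """Collect wg-man client entries (name, date, keys) that follow the marker."""
    if MARKER not in conf_text:
        return []
    clients, current = [], None
    for line in conf_text.split(MARKER, 1)[1].splitlines():
        line = line.strip()
        if line.startswith("# Date Added:") and current is not None:
            current["added"] = line.split(":", 1)[1].strip()
        elif line.startswith("#") and not line.startswith("##"):
            current = {"name": line[1:].strip()}    # "# Client_Name" opens an entry
            clients.append(current)
        elif "=" in line and current is not None:   # PublicKey = ... / AllowedIPs = ...
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return clients

def render_entry(name, pubkey, ip, added, existing=()):
    """Build the block wg-man would append; refuse bad keys and IP/key collisions."""
    if not valid_wg_key(pubkey):
        raise ValueError("PublicKey is not a 32-byte base64 WireGuard key")
    new_ip = ipaddress.ip_interface(ip).ip        # raises ValueError on junk input
    for client in existing:
        if client["PublicKey"] == pubkey or ipaddress.ip_interface(client["AllowedIPs"]).ip == new_ip:
            raise ValueError("client %s already uses that key or IP" % client["name"])
    return f"\n# {name}\n# Date Added: {added}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {ip}\n"
```

Appending the rendered block to the server file and running `wg syncconf` or `wg-quick` afterwards is left to the management script; this only covers the parsing and the pre-write checks.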