Run wgmesh on top of an existing wireguard configuration
and it'll update Endpoint parameters automatically as they change.
That's all it does.
- hub server: used only for coordination, untrusted, needs public ip address
- a malicious hub should only be able to cause DoS
- node: connects to the hub to obtain the public addresses of other nodes
- a node connects to other nodes directly using the public addresses obtained from the hub
- the hub is untrusted, access control is performed by each node separately
- no central config file; use something like `cdist` or `puppet` to config each node
- run wireguard + `wgmesh-hub` on the hub machine
- open the hub port in the wg interface on the hub machine
- run wireguard on the actual nodes and have it make wg tunnels to the hub.
- You need normal wireguard config files, just the `Endpoint` fields of edge nodes will be filled in at runtime by `wgmesh-update.py`.
- wgmesh uses the connection to the hub only to get information about other nodes
- Run `wgmesh-update.py` periodically on each node. This will obtain other nodes' public addresses from the hub and set them in the local wg config.
- Now the nodes can (hopefully) talk to one another.
- Since the hub is untrusted, nodes should also probably firewall the wg connection to the hub. Or not. Up to your threat model. A good compromise could be leaving port 22 open to have relayed ssh access if p2p edges are broken and firewall everything else.
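As an added illustration (not code from the wgmesh project) of what the endpoint update step has to do, and of why the node rather than the hub must validate what gets written: a hypothetical `update_endpoints` that rewrites only the `Endpoint` lines of peers already present in the local config, refuses anything that is not a plain host:port, and leaves the hub peer and unknown keys alone. The config and keys are constructed placeholders.

```python
import re
from typing import Dict

# Constructed sample config with placeholder keys; not a real deployment.
SAMPLE_CONF = """[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820

[Peer]
# the hub: static endpoint, must never be rewritten from hub data
PublicKey = HUB_KEY_PLACEHOLDER
Endpoint = hub.example.invalid:51820
AllowedIPs = 10.0.0.1/32

[Peer]
PublicKey = NODE_B_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""

# host:port or [ipv6]:port only. A newline or extra key in the value would
# let an untrusted hub inject config, which is more than the DoS it is allowed.
ENDPOINT_RE = re.compile(r'(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):\d{1,5}')

def is_valid_endpoint(value: str) -> bool:
    return ENDPOINT_RE.fullmatch(value) is not None

def update_endpoints(conf: str, endpoints: Dict[str, str]) -> str:
    """Return conf with Endpoint set for peers whose PublicKey is in endpoints.

    Peers not listed are untouched, and listed keys that are not already peers
    are ignored, so access control stays with the node's own config."""
    for value in endpoints.values():
        if not is_valid_endpoint(value):
            raise ValueError(f'refusing endpoint from hub: {value!r}')
    out = []
    # split at every section header, keeping each "[...]" block intact
    for sec in re.split(r'(?m)^(?=\[)', conf):
        km = re.search(r'(?m)^PublicKey\s*=\s*(\S+)', sec)
        if not sec.startswith('[Peer]') or not km or km.group(1) not in endpoints:
            out.append(sec)
            continue
        line = f'Endpoint = {endpoints[km.group(1)]}'
        if re.search(r'(?m)^Endpoint\s*=', sec):
            sec = re.sub(r'(?m)^Endpoint\s*=.*$', lambda m: line, sec, count=1)
        else:  # no Endpoint yet: add one right after the PublicKey line
            sec = re.sub(r'(?m)^(PublicKey\s*=.*)$',
                         lambda m: m.group(1) + '\n' + line, sec, count=1)
        out.append(sec)
    return ''.join(out)
```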
- meshub is a roll-your-own version of this kind of VPN from the era before wireguard.
- see meshub#related-projects for other related work