There are (at least) two pieces to WireGuard: the WireGuard "wire" protocol itself, which is implemented in the kernel, and the authentication and key exchange, which are done by userspace tools. Right now there exist the "default" tools, which require a manual exchange of key pairs and do only very rudimentary user mapping and authorization. However, it is perfectly possible to implement much more complex authorization schemes, with all the two-step auth, logging, etc. you desire. Somebody has to write the tools for that, still. But the nice thing is that this is a pretty much independent task, which you could do over any transport/protocol you desire (HTTPS, SSH, custom made, etc.).

An idea I've had for a long time, but don't have the time to actually invest in developing, is using WireGuard for a pure IPv6 mesh VPN:

- The ULA network part would be the key-id (lower bits) of the mesh public key (i.e. with knowledge of the mesh private key you can join the mesh), used for the mesh setup.
- The host part would be each individual host's key-id (again lower bits of the public key).

Since WireGuard uses Cryptokey Routing (https://www.wireguard.com/#cryptokey-routing), this would map directly.
> IP addresses are derived from cryptographic keys, to reduce the need for public key infrastructure
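An added example, not part of the comment above and not WireGuard's own tooling, of the key-derived addressing idea: the low 40 bits of the mesh public key become the ULA global ID (fdxx:xxxx:xxxx::/48), the low 64 bits of each host's public key become its interface identifier, and the resulting /128 is what goes into that peer's AllowedIPs so Cryptokey Routing only accepts packets with that source address from that key. The bit widths and the two sample keys are constructed assumptions.

```python
import base64
import ipaddress

# Constructed sample keys: 32 bytes each, the size of a WireGuard Curve25519
# public key. Real keys come from `wg genkey | wg pubkey`; these are placeholders.
MESH_PUBKEY = bytes(range(32))            # 00 01 02 ... 1f
HOST_PUBKEY = bytes(reversed(range(32)))  # 1f 1e 1d ... 00


def ula_prefix_from_mesh_key(mesh_pubkey: bytes) -> ipaddress.IPv6Network:
    """ULA /48 for the mesh: 0xfd followed by a 40-bit global ID taken from
    the low 40 bits of the mesh public key (assumed mapping)."""
    if len(mesh_pubkey) != 32:
        raise ValueError("expected a 32-byte public key")
    global_id = int.from_bytes(mesh_pubkey[-5:], "big")  # low 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def host_address(prefix: ipaddress.IPv6Network, host_pubkey: bytes) -> ipaddress.IPv6Address:
    """Host address inside the mesh prefix: subnet 0 of the /48 and an
    interface identifier equal to the low 64 bits of the host key."""
    if len(host_pubkey) != 32:
        raise ValueError("expected a 32-byte public key")
    iid = int.from_bytes(host_pubkey[-8:], "big")  # low 64 bits
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def peer_section(prefix: ipaddress.IPv6Network, host_pubkey: bytes) -> str:
    """[Peer] block pinning AllowedIPs to exactly the address derived from the
    key, so the kernel's Cryptokey Routing drops packets from that peer that
    claim any other source address."""
    addr = host_address(prefix, host_pubkey)
    pub_b64 = base64.b64encode(host_pubkey).decode()
    return f"[Peer]\nPublicKey = {pub_b64}\nAllowedIPs = {addr}/128\n"


def verify_claimed_address(prefix: ipaddress.IPv6Network, host_pubkey: bytes, claimed: str) -> bool:
    """Mesh-setup check: does the address a joining host claims really derive
    from the public key it presented?"""
    return ipaddress.IPv6Address(claimed) == host_address(prefix, host_pubkey)


if __name__ == "__main__":
    mesh = ula_prefix_from_mesh_key(MESH_PUBKEY)
    print(mesh)  # fd1b:1c1d:1e1f::/48
    print(peer_section(mesh, HOST_PUBKEY))
```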