by schoolornot 2069 days ago
I understand WG is meant to be no frills but for my company to use it, we need a standardized authentication framework around it like Xauth that can handle usernames/passwords/certificates (X509, not just keys)/MFA/etc. and server side tracking to allow for termination of sessions when people leave. It's not something I want to build myself. I would prefer that it be standardized and added to the official clients. Even if it's as simple as an OAuth flow that returns a key.
3 comments

WireGuard doesn't support MFA so it isn't compliant with the frameworks we require (I guess Tailscale is). Though you can make an SSH proxy with MFA if you enforce MFA via PAM (e.g. FIDO2 or TOTP are both possible).
FWIW: WireGuard isn't supposed to support MFA. You're meant to do MFA at a level above WireGuard. WireGuard sessions are keyed directly with Curve25519.
We created a web portal with SAML authentication that provisions and manages WireGuard profiles on our edge locations. Employees have to log into the portal to obtain a WireGuard configuration, and their configuration(s) are removed when their profile is deprovisioned in the IdP. It's much easier to support than OpenVPN was, and the WireGuard client for mobile (at least iOS) just works, whereas the OpenVPN client for iOS was a nightmare to set up.
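The deprovisioning step this comment describes, as an added example that is not the commenter's code: a reconciliation pass that parses the live peer list of a WireGuard interface and drops every peer whose owner is no longer active in the IdP. The peer keys, the portal's key-to-user registry and the IdP user set are all constructed placeholders.

```python
"""Remove WireGuard peers whose owners have been deprovisioned in the IdP.
All inputs below are constructed for this example; the registry and the
IdP export are hypothetical stand-ins for a portal's real data sources."""
from __future__ import annotations
import subprocess

# Constructed `wg show wg0 dump` output (tab-separated). First line is the
# interface itself; each later line is one peer. Keys are placeholders.
WG_DUMP = (
    "PRIVKEY_PLACEHOLDER\tPUBKEY_SERVER\t51820\toff\n"
    "PEER_ALICE_KEY\t(none)\t203.0.113.10:41821\t10.0.0.2/32\t1700000000\t1024\t2048\t25\n"
    "PEER_BOB_KEY\t(none)\t203.0.113.11:41822\t10.0.0.3/32\t1700000100\t512\t4096\t25\n"
    "PEER_CAROL_KEY\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\t25\n"
)
# Constructed portal registry: which user each issued peer key was handed to.
PEER_OWNERS = {"PEER_ALICE_KEY": "alice", "PEER_BOB_KEY": "bob", "PEER_CAROL_KEY": "carol"}
# Constructed IdP state after bob has been offboarded.
ACTIVE_USERS = {"alice", "carol"}


def parse_wg_dump(dump: str) -> list[str]:
    """Return the peer public keys from `wg show <iface> dump` output."""
    lines = [line for line in dump.splitlines() if line.strip()]
    return [line.split("\t")[0] for line in lines[1:]]  # skip the interface line


def peers_to_remove(peer_keys, owners, active_users) -> list[str]:
    """A peer goes if its owner is inactive in the IdP, or if the portal never
    issued the key at all: an unregistered key must not keep tunnel access."""
    return [k for k in peer_keys if owners.get(k) not in active_users]


def removal_commands(iface: str, keys) -> list[list[str]]:
    """Build the `wg set` invocations that drop each stale peer from the interface."""
    return [["wg", "set", iface, "peer", k, "remove"] for k in keys]


def reconcile(iface: str = "wg0", dump: str = WG_DUMP, dry_run: bool = True) -> list[str]:
    """Compute and (unless dry_run) apply the removals; returns the removed keys."""
    stale = peers_to_remove(parse_wg_dump(dump), PEER_OWNERS, ACTIVE_USERS)
    for cmd in removal_commands(iface, stale):
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # needs root / CAP_NET_ADMIN
    return stale


if __name__ == "__main__":
    reconcile()
```

Runtime removal via `wg set` is not persisted: the portal must also rewrite the interface's configuration file so the peer does not return on the next restart.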
WG is rather low-level. Projects and companies like Tailscale are tackling what you describe, and I'm confident we'll eventually have open standards as well.
You look exactly like the target audience of Tailscale.
Check out Tailscale