Wg-access-server: WireGuard VPN server and web UI for device management (github.com)
178 points by Zdh4DYsGvdjJ 1609 days ago
10 comments

What is the recommended wireguard mesh solution where peers can easily join and leave and shortest connection paths are automatically determined?

I want to set up a way to access my mobile home office subnet (behind cellular which doesn't allow incoming) and two other subnet sites and some mobile devices which come and go.

Tailscale works perfectly for this.

There's a third party open source server, too: https://github.com/juanfont/headscale

(I just use the free hosted backend, obviously you trust them to do the key exchange)

Have you taken a look at Nebula [0]? Might fit your needs. It also uses the Noise Protocol Framework but adds the bells and whistles on top needed to synthesize an overlay network like you want. MIT licensed too fwiw, full self hosting. Worth a look at any rate, WireGuard is much lower level though I'm sure it could be built upon for the same purpose.

----

0: https://github.com/slackhq/nebula

https://zerotier.com/

The managed backend/NAT broker is free up to 50 machines, or you can run the open source server yourself.

I have been running zerotier for over 2 years now. Brilliant. Works without problems.

WireGuard on its own doesn't do that. WireGuard only sets up tunnels between peers. If you want something like you describe, you need another product that integrates WireGuard.

It's a bit boring but in a situation like yours the most straightforward way would be to set up WireGuard gateways at each of your sites and have them talk to each other and the mobile devices.

Check out Netmaker if you're looking for something WireGuard based. We had a post about it a couple weeks ago:

https://news.ycombinator.com/item?id=29809830

I don’t think wireguard will do that shortest path routing for you. Look into babel routing protocol and friends.

Also check out wg-easy: https://github.com/weejewel/wg-easy.

Much more beautiful imo.

> Gravatar support.

What? Yeah, no.

edit: or at least it should be opt-in for client

There's not much to it:

    // Names that look like e-mail addresses get a Gravatar URL built from their MD5 hash
    if (client.name.includes('@') && client.name.includes('.')) {
      client.avatar = `https://www.gravatar.com/avatar/${md5(client.name)}?d=blank`;
    }

I think people might not like this since it causes your clients to "phone home" to Gravatar unnecessarily/expectedly. It's a little out of place for what is essentially a network security application.
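
As an added example (not wg-easy's code and not written by anyone in this thread), here is one way to make the Gravatar lookup opt-in and otherwise build the avatar locally, so the browser contacts no third party. The function names, the `gravatarOptIn` setting and the identicon layout are assumptions for illustration.

```javascript
const { createHash } = require('node:crypto');

// Hypothetical helper: hex MD5 of the client name, as in the snippet above.
function md5(text) {
  return createHash('md5').update(text).digest('hex');
}

// Build a 5x5 mirrored identicon as an inline SVG data: URI.
// Everything is derived locally from a SHA-256 of the name, and the name
// itself is never embedded in the markup, so rendering leaks nothing.
function localIdenticon(name) {
  const digest = createHash('sha256').update(name).digest();
  const hue = Math.round((digest[0] / 255) * 360);
  let cells = '';
  for (let row = 0; row < 5; row++) {
    for (let col = 0; col < 3; col++) {
      // One bit per cell in the left half; mirror it onto the right half.
      const bit = (digest[1 + row] >> col) & 1;
      if (!bit) continue;
      cells += `<rect x="${col}" y="${row}" width="1" height="1"/>`;
      if (col < 2) cells += `<rect x="${4 - col}" y="${row}" width="1" height="1"/>`;
    }
  }
  const svg = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 5 5" ` +
    `fill="hsl(${hue},60%,45%)">${cells}</svg>`;
  return `data:image/svg+xml;base64,${Buffer.from(svg).toString('base64')}`;
}

// gravatarOptIn is an assumed per-deployment setting, off by default.
function avatarFor(client, { gravatarOptIn = false } = {}) {
  const looksLikeEmail = client.name.includes('@') && client.name.includes('.');
  if (gravatarOptIn && looksLikeEmail) {
    // Only here does the browser send the MD5 of the name to gravatar.com.
    return `https://www.gravatar.com/avatar/${md5(client.name)}?d=blank`;
  }
  return localIdenticon(client.name);
}
```

With the default setting the returned avatar is a `data:` URI, so the hash of the client name leaves the server only when an administrator has turned the lookup on.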

Installed on my home server a few days ago. Very good and easy to manage.

But does it support multi tenant?

This would be great if it automatically generated `<device>.<user>.search.domain.vpn` DNS names for all of the devices.

This is a thing in Netmaker, another WireGuard server that is being built by a YC startup: https://github.com/gravitl/netmaker

You can create a new issue with the feature request. Alternatively PRs are always welcome :P

Tailscale does a version of this.

Something like this would be amazing.

Well this is not the kind of thing I want to see in a tool I'm using to secure my networks:

> This is a fork of the original work of place1. Since the upstream is currently poorly maintained, we try to add new features and keep the project up to date and in a working state.

So ask the developer how you can pay them to get the support you want.

I think it's ok that there are things I don't want. There's no reason for me to offer money for it to be something different than the author intends.

Looks very neat. What's userland wireguard performance like? I can't seem to find much talking about this, just that it's "slower". My guess is that it's probably not an issue for a 5-10Mbit-upstream home connection?

Shout-out to PiVPN. It doesn't have a web UI but it's incredibly quick to set up and any commands are extremely basic. Took me less than 5m to set up and haven't had to touch it in almost a year.

I’d love to know how to deploy this with WireHole.

I decided to just use adguard dns for my wireguard and it's Good Enough for my needs.

I find tailscale simple and setup exit node easy.

Note: This is not about WireGuard itself, but about wg-access-server, which “is a single binary file that contains a WireGuard VPN server and a web user interface for device management.”

WireGuard itself has supported IPv6 since the start.

Ok, title changed to that from "WireGuard Access server now supports IPv6". Thanks!

Also of note is that this is a fork of wg-access-server from the looks of it.

Yes, it's a fork as the original project is dead for a year already.

We used the upstream project for a while, but we were missing some features like IPv6, so we started this fork and added them ourselves, hoping it would be useful for a few others as well.