[WireGuard] Which protocol to get network configuration from gateway to clients.

Jason A. Donenfeld Jason at zx2c4.com
Wed Jul 6 16:28:02 CEST 2016

Hi Frédéric,

The beauty is: you can use whatever protocol you want. Use
TLS/HTTP/REST/JSON if that's your style. Use SSH if it suits your
fancy. Hand code preshared substitution tables onto carrier pigeon
parchment, if you're feeling ancient. Slip Senator Vandenberg your
public key and desired IP on microfilm during a secret senate floor
handshake too subtle for early film cameras to catch. You can do a
million different things to integrate it directly into your
infrastructure and how you like doing things.

After WireGuard gets stabilized, I have some plans of my own for
making upper layer tools for that. But I sort of suspect others will
make things like that before I get to it, and you shouldn't hesitate
to integrate it into your infrastructure how you like.

There's also the out-of-band extension idea from this thread [1], that
could at some point grow into something interesting.

Of course, if you can, it's probably superior to use more static
configuration, leaving distribution of that to your ordinary
configuration management system. For example, while you're at it
having puppet/ansiable/chef/whatever push the ordinary networking
config and pre-verified SSH host keys, have it push your wireguard
configuration too. Or maybe this isn't your cup of tea.

By leaving these concerns out of wireguard directly, we aim to make
the core of the project a lot more usable and integratable. I manage
quite a few systems myself, so I'm happy to put on my
sysadmin/devops/sre hat and help you come up with something that fits
your environment. And I'm sure others on this list have their set of
opinions and advice too.

So, what's your environment like? What do you want to do? Let's
theorize potential solutions for you. And maybe in the exercise of
doing that, we'll figure out new ways to both use WireGuard and
improve it to be more robust and fitting for your environment.


[1] https://lists.zx2c4.com/pipermail/wireguard/2016-June/000038.html

More information about the WireGuard mailing list