[WireGuard] Which protocol to get network configuration from gateway to clients.

Frédéric Gloannec frederic.gloannec at thegreenbow.com
Thu Jul 7 11:16:19 CEST 2016 

Hi Jason,

Thanks for your reply.

We are not looking for a VPN solution, we are actually editing VPN Clients Software.
So, at this time, we are just interested to know how mature the WireGuard technology is.
If it becomes a standard and embedded in VPN Gateways, for sure we will adapt our VPN Clients to support it.

>From our customer experience, we think it's important to have this upper layer. Large companies use Mode Config/CP to ease the deployment (the VPN Client configuration is the same for all machines, network infrastructure changes impact only the Gateway...).

Yes, out-of-band extension could be a solution too (like OpenVPN).

Regards,

F.Gloannec.

-----Message d'origine-----
De : Jason A. Donenfeld [mailto:Jason at zx2c4.com] 
Envoyé : mercredi 6 juillet 2016 16:28
À : Frédéric Gloannec
Cc : WireGuard mailing list
Objet : Re: [WireGuard] Which protocol to get network configuration from gateway to clients.

Hi Frédéric,

The beauty is: you can use whatever protocol you want. Use TLS/HTTP/REST/JSON if that's your style. Use SSH if it suits your fancy. Hand code preshared substitution tables onto carrier pigeon parchment, if you're feeling ancient. Slip Senator Vandenberg your public key and desired IP on microfilm during a secret senate floor handshake too subtle for early film cameras to catch. You can do a million different things to integrate it directly into your infrastructure and how you like doing things.

After WireGuard gets stabilized, I have some plans of my own for making upper layer tools for that. But I sort of suspect others will make things like that before I get to it, and you shouldn't hesitate to integrate it into your infrastructure how you like.

There's also the out-of-band extension idea from this thread [1], that could at some point grow into something interesting.

Of course, if you can, it's probably superior to use more static configuration, leaving distribution of that to your ordinary configuration management system. For example, while you're at it having puppet/ansiable/chef/whatever push the ordinary networking config and pre-verified SSH host keys, have it push your wireguard configuration too. Or maybe this isn't your cup of tea.

By leaving these concerns out of wireguard directly, we aim to make the core of the project a lot more usable and integratable. I manage quite a few systems myself, so I'm happy to put on my sysadmin/devops/sre hat and help you come up with something that fits your environment. And I'm sure others on this list have their set of opinions and advice too.

So, what's your environment like? What do you want to do? Let's theorize potential solutions for you. And maybe in the exercise of doing that, we'll figure out new ways to both use WireGuard and improve it to be more robust and fitting for your environment.

Jason

[1] https://lists.zx2c4.com/pipermail/wireguard/2016-June/000038.html

More information about the WireGuard mailing list