[WireGuard] Pull-based peer configuration

Baptiste Jonglez baptiste at bitsofnetworks.org
Tue Nov 22 14:08:05 CET 2016


Right now, the only method for configuring peers is "push-based",
i.e. using `wg` to push the public key and AllowedIPs for each peer to the
running wireguard instance.

I'm toying with the idea of a pull-based model, for instance storing peer
configuration in a Radius or SQL database.  But it seems like an
incredibly bad idea to integrate a Radius or SQL library inside the

What about having a userspace daemon that wireguard can query from
kernelspace when a new peer connects?  Wireguard would basically ask "Is
this public key allowed to connect, and what are its AllowedIPs?".  The
daemon would then use whatever method it wants (flat file, SQL/Radius
database, LDAP…) to determine whether the peer is allowed and its

I guess it looks a bit like the IKE daemon in IPsec (though not exactly,
since wireguard handles rekeying itself), which I'm not sure is a good
sign :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20161122/381e91a0/attachment.asc>

More information about the WireGuard mailing list