# weegee
Fearless green [WireGuard](https://wireguard.com) config manager.
## Goals
* One central place to *declaratively* configure your WireGuard installs from;
* Automatic peer management, for local and remote hosts (if `autosync` is enabled);
* Automatic interface management, for local and remote hosts (if `automanage` is enabled);
* Automatable manual management, for other hosts;
* Solid and flexible foundation, transparent data model, hookable;
## Non-goals
* Automagic firewall configuration: this is better off planned by the user and automated through the use of hooks;
## Quickstart
1. Setup:
```sh
weegee system setup
```
2. Either add a remote host:
```sh
weegee host create --type linux --host elisha.projectflower.eu --auto-sync --auto-manage my-host
```
Or configure the built-in local host:
```sh
weegee host configure --type linux --auto-manage local
```
3. *(optional)* Configure forwarding hooks for your host, if your firewall is restrictive or you're [using IPv6 on Linux](https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html#proc-sys-net-ipv6-variables). An example that allows every WireGuard client to access `10.57.0.0/16`, `10.58.0.0/16`, `10.59.0.0/16`, `10.60.0.0/16` and `fd10:573:1df::/48`:
```sh
weegee host configure \
--add-post-hook interface_add 'iptables -A FORWARD -i %i -d 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
--add-post-hook interface_add 'iptables -A FORWARD -o %i -s 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
--add-pre-hook interface_del 'iptables -D FORWARD -i %i -d 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
--add-pre-hook interface_del 'iptables -D FORWARD -o %i -s 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
--add-post-hook interface_add 'ip6tables -A FORWARD -i %i -d fd10:573:1df::/48 -j ACCEPT' \
--add-post-hook interface_add 'ip6tables -A FORWARD -o %i -s fd10:573:1df::/48 -j ACCEPT' \
--add-pre-hook interface_del 'ip6tables -D FORWARD -i %i -d fd10:573:1df::/48 -j ACCEPT' \
--add-pre-hook interface_del 'ip6tables -D FORWARD -o %i -s fd10:573:1df::/48 -j ACCEPT' \
my-host
```
You can also add per-client entries using the `route_ipv4_add` and `route_ipv6_add` hooks.
4. Create a server for your host. In this example the server is named `eagle`, is reachable on `10.60.0.1/24` and `fd10:573:1df:5000::1/64`, announces routes for `10.57.0.0/16`, `10.58.0.0/16`, `10.59.0.0/16`, `10.60.0.0/16` and `fd10:573:1df::/48`, and is publicly connectable through `vpn.eagle.pm:7574`:
```sh
weegee server create \
-H my-host \
-a 10.60.0.1/24 -a fd10:573:1df:5000::1/64 \
-r 10.57.0.0/16 -r 10.58.0.0/16 -r 10.59.0.0/16 -r 10.60.0.0/16 -r fd10:573:1df::/48 \
eagle \
vpn.eagle.pm 7574
```
5. Create a client, in this example reachable on `10.60.99.1/24` and `fd10:573:1df:5063::1/64`, named `dev-arcade`:
```sh
weegee client create \
-a 10.60.99.1/24 -a fd10:573:1df:5063::1/64 \
eagle/dev-arcade
```
6. Get client configuration:
```sh
weegee client print-config eagle/dev-arcade
```
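The hooks in step 3 come in pairs: each `-A` rule added on `interface_add` has an identical `-D` rule on `interface_del`, and a missing delete leaves the ACCEPT rule in `FORWARD` after the interface is gone. As an added example (not part of weegee), this script generates those pairs from a CIDR list, one rule per CIDR instead of the comma-separated form above, and lists any `-A` rule without a matching `-D`. The function names are hypothetical; the flags, hook events and `%i` placeholder are used only as shown in step 3.

```sh
#!/bin/sh
# Added example, not weegee code. Flags, hook events and %i are used as in step 3.

# Pick the firewall tool by address family: a ':' in the CIDR means IPv6.
fw_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Emit "<flag>\t<event>\t<command>" lines, one rule per CIDR and direction.
# Each -A added on interface_add gets the matching -D on interface_del.
hook_lines() {
    for cidr in "$@"; do
        tool=$(fw_tool "$cidr")
        for match in "-i %i -d" "-o %i -s"; do
            printf '%s\t%s\t%s\n' --add-post-hook interface_add \
                "$tool -A FORWARD $match $cidr -j ACCEPT"
            printf '%s\t%s\t%s\n' --add-pre-hook interface_del \
                "$tool -D FORWARD $match $cidr -j ACCEPT"
        done
    done
}

# Read hook commands on stdin (one per line) and print every -A rule that has
# no identical -D rule, i.e. a rule that would outlive its interface.
unpaired_adds() {
    hooks=$(cat)
    printf '%s\n' "$hooks" | sed -n '/ -A FORWARD /p' | while IFS= read -r add; do
        del=$(printf '%s\n' "$add" | sed 's/ -A FORWARD / -D FORWARD /')
        printf '%s\n' "$hooks" | grep -qxF -e "$del" || printf '%s\n' "$add"
    done
}

# Print (not run) the weegee command for review; the host name is the caller's.
print_command() {
    host=$1; shift
    printf 'weegee host configure \\\n'
    hook_lines "$@" | while IFS="$(printf '\t')" read -r flag event cmd; do
        printf "  %s %s '%s' \\\\\n" "$flag" "$event" "$cmd"
    done
    printf '  %s\n' "$host"
}

print_command my-host 10.57.0.0/16 fd10:573:1df::/48
```

To audit a hand-written hook list, put the hook commands one per line in a file and pipe it to `unpaired_adds`; empty output means every add has its delete.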
## Tips
* You can configure the data directory per-user, to not be in the current directory:
`weegee configure -u -d /path/to/data`
Or even globally:
`weegee configure -s -d /path/to/data`
* There's an [OpenRC](misc/weegee.rc) and a [systemd](misc/weegee.service) service!
* weegee is runnable [in Docker](Dockerfile): `docker run --cap-add=NET_ADMIN --cap-add=NET_RAW --network host -v ~/weegee/data:/weegee-data --rm weegee weegee ...`
## License
[WTFPL](http://www.wtfpl.net/txt/copying/)