Fearless green WireGuard configuration manager
Shiz 06c33c839f doc: update README 2022-01-18 09:42:12 +01:00
misc misc: add OpenRC service file 2021-12-12 21:01:56 +01:00
weegee core: fix mishap in PublicInterface vs Interface 2022-01-01 14:34:46 +01:00
.gitignore epoch 2021-12-05 20:52:12 +01:00
Dockerfile Add preliminary dockerfile 2021-12-05 23:56:46 +01:00
README.md doc: update README 2022-01-18 09:42:12 +01:00
pyproject.toml build: add basic build infrastructure 2021-12-12 13:44:40 +01:00
setup.cfg build: add jinja2 dependency to setup.cfg 2021-12-12 21:30:28 +01:00
setup.py build: add setup.py for legacy compatibility 2021-12-12 14:49:00 +01:00

README.md

weegee

Fearless green WireGuard config manager.

Goals

  • One central place to declaratively configure your WireGuard installs from;
  • Automatic peer management, for local and remote hosts (if autosync is enabled);
  • Automatic interface management, for local and remote hosts (if automanage is enabled);
  • Automatable manual management, for other hosts;
  • Solid and flexible foundation, transparent data model, hookable;

Non-goals

  • Automagic firewall configuration: this is better off planned by the user and automated through the use of hooks;

Quickstart

  1. Setup:

     weegee system setup

  2. Either add a remote host:

     weegee host create --type linux --host elisha.projectflower.eu --auto-sync --auto-manage my-host

     Or configure the built-in local host:

     weegee host configure --type linux --auto-manage local

  3. (optional) Configure forwarding hooks for your host, if your firewall is restrictive or you're using IPv6 on Linux. An example that allows every WireGuard client to access 10.57.0.0/16, 10.58.0.0/16, 10.59.0.0/16, 10.60.0.0/16 and fd10:573:1df::/48:

     weegee host configure \
         --add-post-hook interface_add 'iptables  -A FORWARD -i %i -d 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
         --add-post-hook interface_add 'iptables  -A FORWARD -o %i -s 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
         --add-pre-hook  interface_del 'iptables  -D FORWARD -i %i -d 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
         --add-pre-hook  interface_del 'iptables  -D FORWARD -o %i -s 10.57.0.0/16,10.58.0.0/16,10.59.0.0/16,10.60.0.0/16 -j ACCEPT' \
         --add-post-hook interface_add 'ip6tables -A FORWARD -i %i -d fd10:573:1df::/48 -j ACCEPT' \
         --add-post-hook interface_add 'ip6tables -A FORWARD -o %i -s fd10:573:1df::/48 -j ACCEPT' \
         --add-pre-hook  interface_del 'ip6tables -D FORWARD -i %i -d fd10:573:1df::/48 -j ACCEPT' \
         --add-pre-hook  interface_del 'ip6tables -D FORWARD -o %i -s fd10:573:1df::/48 -j ACCEPT' \
         my-host

     You can also add per-client entries using the route_ipv4_add and route_ipv6_add hooks.

  4. Create a server for your host, in this example reachable on 10.60.0.1/24 and fd10:573:1df:5000::1/64, and announcing routes for 10.57.0.0/16, 10.58.0.0/16, 10.59.0.0/16, 10.60.0.0/16 and fd10:573:1df::/48, named eagle and publicly connectable through vpn.eagle.pm:7574:

     weegee server create \
         -H my-host \
         -a 10.60.0.1/24 -a fd10:573:1df:5000::1/64 \
         -r 10.57.0.0/16 -r 10.58.0.0/16 -r 10.59.0.0/16 -r 10.60.0.0/16 -r fd10:573:1df::/48 \
         eagle \
         vpn.eagle.pm 7574

  5. Create a client, in this example reachable on 10.60.99.1/24 and fd10:573:1df:5063::1/64, named dev-arcade:

     weegee client create \
         -a 10.60.99.1/24 -a fd10:573:1df:5063::1/64 \
         eagle/dev-arcade

  6. Get client configuration:

     weegee client print-config eagle/dev-arcade
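
As an added example (not part of weegee or its README), the shell function below generates the optional forwarding-hook command shown above from a list of networks: every `-A` rule on interface_add gets a matching `-D` rule on interface_del, and any argument that is not a plain CIDR is rejected before it is embedded in a hook string. The function names and the character allow-list are assumptions of this example; it only prints the command and uses only the options that appear above.

```shell
#!/bin/sh
# Added example: print a `weegee host configure` command with paired hooks, so
# no FORWARD rule added on interface_add outlives its WireGuard interface.

# is_cidr STR: character allow-list plus one /prefix (an assumption of this
# example); spaces, quotes, ';' or '$' must never reach a hook string.
is_cidr() {
    case "$1" in
        */*/*|*[!0-9a-fA-F:./]*) return 1 ;;
        ?*/[0-9]|?*/[0-9][0-9]|?*/[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# hook_pairs TOOL NETS: two add hooks and the two delete hooks that mirror them.
hook_pairs() {
    tool=$1 nets=$2
    for dir in "-i %i -d" "-o %i -s"; do
        printf "    --add-post-hook interface_add '%s -A FORWARD %s %s -j ACCEPT' \\\\\n" "$tool" "$dir" "$nets"
    done
    for dir in "-i %i -d" "-o %i -s"; do
        printf "    --add-pre-hook interface_del '%s -D FORWARD %s %s -j ACCEPT' \\\\\n" "$tool" "$dir" "$nets"
    done
}

# weegee_forward_hooks HOST CIDR...: split networks by address family and print.
weegee_forward_hooks() {
    case "${1-}" in ''|*[!A-Za-z0-9._-]*) echo "bad host name" >&2; return 1 ;; esac
    host=$1; shift
    v4= v6=
    for net in "$@"; do
        is_cidr "$net" || { echo "rejected: $net" >&2; return 1; }
        case "$net" in
            *:*) v6=${v6:+$v6,}$net ;;   # IPv6 networks go to ip6tables
            *)   v4=${v4:+$v4,}$net ;;   # everything else goes to iptables
        esac
    done
    [ -n "$v4$v6" ] || { echo "no networks given" >&2; return 1; }
    printf 'weegee host configure \\\n'
    [ -z "$v4" ] || hook_pairs iptables "$v4"
    [ -z "$v6" ] || hook_pairs ip6tables "$v6"
    printf '    %s\n' "$host"
}

# The networks from the quickstart above; review the output before running it.
weegee_forward_hooks my-host 10.57.0.0/16 10.58.0.0/16 10.59.0.0/16 10.60.0.0/16 fd10:573:1df::/48
```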

Tips

  • You can configure the data directory per-user, to not be in the current directory:

    weegee configure -u -d /path/to/data

    Or even globally:

    weegee configure -s -d /path/to/data

  • There's an OpenRC and a systemd service!
  • weegee is runnable in Docker:

    docker run --cap-add=NET_ADMIN --cap-add=NET_RAW --network host -v ~/weegee/data:/weegee-data --rm weegee weegee ...

License

WTFPL