
wg-meshconf's Issues

Output is created in `site-packages` under `venv`

I installed wg-meshconf using a venv for testing on my machine.

When I created the output files, they appeared under the site-packages/wg_meshconf folder.

$ python3 -m venv wg-meshconf
$ . wg-meshconf/bin/activate
$ wg-meshconf addpeer ...

$ wg-meshconf genconfig
Creating output directory: /home/user/wg-meshconf/lib/python3.8/site-packages/wg_meshconf/output

Description Field

Thank you for your script.
It would be great if you added a description field to peers; that would be very helpful (to fill in a common name).
cu Peje

cannot find wg binary on macOS Big Sur

which wg

Response:

/usr/local/bin/wg

Adding peer

wg-meshconf addpeer Name --address 10.1.0.1/16 --endpoint xx.xx.xx.xx

Response:

Traceback (most recent call last):
  File "/usr/local/bin/wg-meshconf", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/wg_meshconf/wg_meshconf.py", line 161, in main
    args.saveconfig,
  File "/usr/local/lib/python3.7/site-packages/wg_meshconf/database_manager.py", line 120, in addpeer
    privatekey = self.wireguard.genkey()
  File "/usr/local/lib/python3.7/site-packages/wg_meshconf/wireguard.py", line 47, in genkey
    stdout=subprocess.PIPE,
  File "/usr/local/Cellar/python@3.7/3.7.9_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 488, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/local/Cellar/python@3.7/3.7.9_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 800, in __init__
    restore_signals, start_new_session)
  File "/usr/local/Cellar/python@3.7/3.7.9_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 1551, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/wg': '/usr/bin/wg'

Bug: `PersistentKeepalive` is added to the wrong side.

Here is a sample database.csv file:

"Name","Address","Endpoint","AllowedIPs","ListenPort","PersistentKeepalive","FwMark","PrivateKey","DNS","MTU","Table","PreUp","PostUp","PreDown","PostDown","SaveConfig"
"alpha","10.0.0.1","alpha.example.com","","51820","","","aCqUml43tjjw3SBVM+M9IyrApZ5pthzrFBMxWKnLPE0=","","","","","","","",""
"beta","10.0.0.2","beta.example.com","","51820","","","cJE+l3HYxY5eHzxUfvNP7i5nbR7TjaSVYwqxvjW4Hl4=","","","","","","","",""
"gamma","10.0.0.3","","","51820","25","","4B6WZu3OyCXIOWyuN7dFKh/FGsVIFzkSuGsszdMsLlg=","","","","","","","",""

This generates the following config:

alpha:

[Interface]
# Name: alpha
Address = 10.0.0.1
PrivateKey = aCqUml43tjjw3SBVM+M9IyrApZ5pthzrFBMxWKnLPE0=
ListenPort = 51820

[Peer]
# Name: beta
PublicKey = PBFFzDSLOn0CyxF2d0SWo8F0xktozEQFflmIYgYDg14=
Endpoint = beta.example.com:51820
AllowedIPs = 10.0.0.2

[Peer]
# Name: gamma
PublicKey = HV5qryi3YcrhKQd/4A0h6xxWr+ARlncT06K+BY9XsCU=
AllowedIPs = 10.0.0.3
PersistentKeepalive = 25

beta:

[Interface]
# Name: beta
Address = 10.0.0.2
PrivateKey = cJE+l3HYxY5eHzxUfvNP7i5nbR7TjaSVYwqxvjW4Hl4=
ListenPort = 51820

[Peer]
# Name: alpha
PublicKey = KE5NYiNewB3VwoIHGPXBCDxGphf6m3gGUyLyhy7Vd2A=
Endpoint = alpha.example.com:51820
AllowedIPs = 10.0.0.1

[Peer]
# Name: gamma
PublicKey = HV5qryi3YcrhKQd/4A0h6xxWr+ARlncT06K+BY9XsCU=
AllowedIPs = 10.0.0.3
PersistentKeepalive = 25

gamma:

[Interface]
# Name: gamma
Address = 10.0.0.3
PrivateKey = 4B6WZu3OyCXIOWyuN7dFKh/FGsVIFzkSuGsszdMsLlg=
ListenPort = 51820

[Peer]
# Name: alpha
PublicKey = KE5NYiNewB3VwoIHGPXBCDxGphf6m3gGUyLyhy7Vd2A=
Endpoint = alpha.example.com:51820
AllowedIPs = 10.0.0.1

[Peer]
# Name: beta
PublicKey = PBFFzDSLOn0CyxF2d0SWo8F0xktozEQFflmIYgYDg14=
Endpoint = beta.example.com:51820
AllowedIPs = 10.0.0.2

I have read all I could find about PersistentKeepalive (which is not a lot), and it sounds to me like it should only be specified in the config of the node which is behind NAT, which is gamma in this case. But in the above example, it's specified everywhere except in gamma's config.

Is the bug in wg-meshconf, or in my understanding of PersistentKeepalive?

My use case is to have a VPN of VMs, some of which are behind NAT, without public IPs, but most of which have public IPs. The servers without public IPs should route traffic through one of the servers which DO have public IPs to reach other servers which don't have public IPs.

And yes, I'm trying to replace tinc :)
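An added example, not part of this issue and not wg-meshconf's own code: a small Python generator that places PersistentKeepalive the way the reporter describes. In wg(8) the option is a per-peer setting in the config of the host that sends the keepalives, so a value set on gamma belongs in every [Peer] section of gamma's own config and nowhere else. Public keys are derived with a pure-Python X25519 (RFC 7748) so the script runs without the wg binary. The three sample nodes are constructed here: alpha and beta reuse the RFC 7748 section 6.1 test keys so their public keys are known, gamma's key is random, and the per-peer AllowedIPs are written as /32, which is this example's choice rather than something the page specifies.

```python
import base64
import os

# Pure-Python X25519 (RFC 7748 section 5) so the example needs neither the
# `wg` binary nor a third-party library.  Not constant-time: acceptable for
# an offline config generator, not for code handling keys on a shared host.
_P = 2**255 - 19
_A24 = 121665


def _clamp(scalar):
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, u=9):
    """Montgomery ladder; u=9 is the base point, so x25519(priv) == `wg pubkey`."""
    k = _clamp(scalar)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def public_key_b64(private_key_b64):
    """Same result as `wg pubkey` for a base64-encoded private key."""
    return base64.b64encode(x25519(base64.b64decode(private_key_b64))).decode()


def _b64(hex_key):
    return base64.b64encode(bytes.fromhex(hex_key)).decode()


def _node(name, address, endpoint, keepalive, private_key_b64):
    return {"Name": name, "Address": address, "Endpoint": endpoint,
            "ListenPort": "51820", "PersistentKeepalive": keepalive,
            "PrivateKey": private_key_b64}


# Constructed sample in the column layout of the database.csv above, reduced
# to the columns used here.  alpha/beta carry the RFC 7748 test keys.
SAMPLE_NODES = [
    _node("alpha", "10.0.0.1", "alpha.example.com", "",
          _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")),
    _node("beta", "10.0.0.2", "beta.example.com", "",
          _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")),
    _node("gamma", "10.0.0.3", "", "25", base64.b64encode(os.urandom(32)).decode()),
]


def generate_configs(nodes):
    """Render one wg-quick config per node, name -> text.

    PersistentKeepalive is emitted from the *local* node's value into each of
    its [Peer] sections: gamma (behind NAT) sends keepalives to everyone, and
    alpha/beta carry no keepalive lines at all.
    """
    configs = {}
    for node in nodes:
        lines = ["[Interface]", f"# Name: {node['Name']}",
                 f"Address = {node['Address']}",
                 f"PrivateKey = {node['PrivateKey']}",
                 f"ListenPort = {node['ListenPort']}"]
        for peer in nodes:
            if peer is node:
                continue
            lines += ["", "[Peer]", f"# Name: {peer['Name']}",
                      f"PublicKey = {public_key_b64(peer['PrivateKey'])}"]
            if peer["Endpoint"]:  # a NAT'd peer has no endpoint others can dial
                lines.append(f"Endpoint = {peer['Endpoint']}:{peer['ListenPort']}")
            lines.append(f"AllowedIPs = {peer['Address'].split('/')[0]}/32")
            if node["PersistentKeepalive"]:
                lines.append(f"PersistentKeepalive = {node['PersistentKeepalive']}")
        configs[node["Name"]] = "\n".join(lines) + "\n"
    return configs


if __name__ == "__main__":
    for name, text in generate_configs(SAMPLE_NODES).items():
        print(f"### {name}\n{text}")
```

Running it prints the three configs; only gamma's contains PersistentKeepalive lines, one per peer, and alpha's and beta's [Peer] gamma sections have no Endpoint because gamma has none to dial.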

Subnet routing

Hi, what a great tool! So convenient.

How can I specify the interface name? For if I want to use something other than wg0.

edit Oh never mind. I see it is done by renaming the config to /etc/wireguard/ifname.conf.

But before I close this, I do wonder about something else: how do I route a subnet with this script? For example, let the host get the IP 10.20.30.1/24 and route 10.20.30.0/24 to it. If you specify the IP then wg-quick on the remote host will complain:
Warning: AllowedIP has nonzero host part: 10.30.0.1/24

Thanks!

PersistentKeepalive arguments

The PersistentKeepalive field is in the showpeers table but it is not possible to modify it using addpeer or updatepeer.

Is it in the roadmap to add this option?

Prerequisites for Debian Stretch

Was getting errors when pip installing the requirements.

libncurses5-dev is needed on Debian Stretch.

(Oh and thank you very much for the fast response to my previous request, and this tool)

Pre-shared key generation

Any chance pre-shared key generation can be added for each pair of mesh nodes? (Further security improvement)

three node mesh trouble...

I get communication only between node2 and node3.
node1 does not want to cooperate.

Can someone give me a hand to understand why this is happening?

All nodes are behind the public IP x.x.x.x, with port forwarding for 1311, 1312, 1313.
My local LAN is 192.168.11.x/24 with DG 192.168.11.254.
Using a single FQDN that resolves to my public IP for the setup of all nodes' public IP.

Following are the configs and status of each node:

node1:

root@node1:~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = uM8T9tFu20Awui5fczv7eUEEDj9CvjiRZi7CgSmaBFc=
Address = 10.10.1.1/24
ListenPort = 1311

[Peer]
PublicKey = lihIj2OjgdIAghaNG+jZrID+AxG+5kbdUsS72mG1ESw=
AllowedIPs = 10.10.1.2/24
Endpoint = my.domain.com:1312
PersistentKeepalive = 25

[Peer]
PublicKey = w6xdVeOs2BQS+peFmD5GNVyUWleT68GTzTd2xcyedV0=
AllowedIPs = 10.10.1.3/24
Endpoint = my.domain.com:1313
PersistentKeepalive = 25
root@node1:~# wg
interface: wg0
public key: tkfaR8L2UkzaDdEWREcw1+rsIeE5GbOdG8HHEDmPOEk=
private key: (hidden)
listening port: 1311

peer: lihIj2OjgdIAghaNG+jZrID+AxG+5kbdUsS72mG1ESw=
endpoint: x.x.x.x:1312
allowed ips: (none)
latest handshake: 28 seconds ago
transfer: 156 B received, 180 B sent
persistent keepalive: every 25 seconds

peer: w6xdVeOs2BQS+peFmD5GNVyUWleT68GTzTd2xcyedV0=
endpoint: x.x.x.x:1313
allowed ips: 10.10.1.0/24
latest handshake: 28 seconds ago
transfer: 156 B received, 180 B sent
persistent keepalive: every 25 seconds

node2:

root@node2:~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = EOBFsx/cK6oeZo/cE0h2W1g2EE4fUnN4gBOxfKoNgXQ=
Address = 10.10.1.2/24
ListenPort = 1312

[Peer]
PublicKey = tkfaR8L2UkzaDdEWREcw1+rsIeE5GbOdG8HHEDmPOEk=
AllowedIPs = 10.10.1.1/24
Endpoint = my.domain.com:1311
PersistentKeepalive = 25

[Peer]
PublicKey = w6xdVeOs2BQS+peFmD5GNVyUWleT68GTzTd2xcyedV0=
AllowedIPs = 10.10.1.3/24
Endpoint = my.domain.com:1313
PersistentKeepalive = 25

root@node2:~# wg
interface: wg0
public key: lihIj2OjgdIAghaNG+jZrID+AxG+5kbdUsS72mG1ESw=
private key: (hidden)
listening port: 1312

peer: tkfaR8L2UkzaDdEWREcw1+rsIeE5GbOdG8HHEDmPOEk=
endpoint: 192.168.11.254:1311
allowed ips: (none)
latest handshake: 2 minutes, 33 seconds ago
transfer: 796 B received, 51.31 KiB sent
persistent keepalive: every 25 seconds

peer: w6xdVeOs2BQS+peFmD5GNVyUWleT68GTzTd2xcyedV0=
endpoint: x.x.x.x:1313
allowed ips: 10.10.1.0/24
transfer: 0 B received, 61.14 KiB sent
persistent keepalive: every 25 seconds

node3:

root@node3:~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = AF8IWDUX7+Mz8Wx94Z6uYPFhojNfrjQVM7TWZhtZUmo=
Address = 10.10.1.3/24
ListenPort = 1313

[Peer]
PublicKey = tkfaR8L2UkzaDdEWREcw1+rsIeE5GbOdG8HHEDmPOEk=
AllowedIPs = 10.10.1.1/24
Endpoint = x.x.x.x:1311
PersistentKeepalive = 25

[Peer]
PublicKey = lihIj2OjgdIAghaNG+jZrID+AxG+5kbdUsS72mG1ESw=
AllowedIPs = 10.10.1.2/24
Endpoint = x.x.x.x:1312
PersistentKeepalive = 25

root@perikleousHP:~# wg
interface: wg0
public key: w6xdVeOs2BQS+peFmD5GNVyUWleT68GTzTd2xcyedV0=
private key: (hidden)
listening port: 1313

peer: tkfaR8L2UkzaDdEWREcw1+rsIeE5GbOdG8HHEDmPOEk=
endpoint: 192.168.11.254:1311
allowed ips: (none)
latest handshake: 1 minute, 4 seconds ago
transfer: 3.17 KiB received, 277.21 KiB sent
persistent keepalive: every 25 seconds

peer: lihIj2OjgdIAghaNG+jZrID+AxG+5kbdUsS72mG1ESw=
endpoint: x.x.x.x:1312
allowed ips: 10.10.1.0/24
transfer: 0 B received, 315.37 KiB sent
persistent keepalive: every 25 seconds
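An added check, not from this report and not wg-meshconf's own code, that serves both this thread and the Subnet routing question above: a Python linter for wg-quick configs. It flags AllowedIPs entries with a nonzero host part (the condition behind the wg-quick warning quoted earlier) and prefixes claimed by more than one peer. In the configs above every peer gets 10.10.1.x/24, which normalizes to the same 10.10.1.0/24 for both peers; WireGuard's cryptokey routing assigns each prefix to exactly one peer, which is what the "allowed ips: (none)" lines in the wg output show. The sample configs are constructed with placeholder keys; the linter never inspects key material.

```python
import ipaddress


def parse_wg_config(text):
    """Parse a wg-quick style config into (interface, peers).

    Keys are lower-cased and every value is kept in a list because WireGuard
    allows a key such as AllowedIPs to repeat inside one section.  Anything
    after '#' is a comment, as in wg(8) setconf.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return interface, peers


def lint_allowed_ips(text):
    """Return human-readable findings about every peer's AllowedIPs."""
    _, peers = parse_wg_config(text)
    findings = []
    claimed = {}  # normalized network -> label of the first peer that listed it
    for idx, peer in enumerate(peers, start=1):
        key = peer.get("publickey", ["<no PublicKey>"])[0]
        label = f"peer {idx} ({key[:10]}...)"
        for entry in peer.get("allowedips", []):
            for item in (s.strip() for s in entry.split(",")):
                if not item:
                    continue
                try:
                    net = ipaddress.ip_network(item)  # strict: host bits must be 0
                except ValueError:
                    net = ipaddress.ip_network(item, strict=False)
                    host = item.split("/")[0]
                    findings.append(
                        f"{label}: AllowedIPs {item} has a nonzero host part; use "
                        f"{host}/{net.max_prefixlen} for a single host or {net} to "
                        f"route that whole subnet to this peer")
                if net in claimed:
                    findings.append(
                        f"{label}: AllowedIPs {net} is already assigned to "
                        f"{claimed[net]}; WireGuard maps each prefix to exactly one "
                        f"peer, so the earlier peer ends up with '(none)'")
                else:
                    claimed[net] = label
    return findings


# Constructed sample in the shape of the node1 config above (placeholder keys).
BROKEN_CONFIG = """\
[Interface]
PrivateKey = NODE1_PRIVATE_KEY_PLACEHOLDER
Address = 10.10.1.1/24
ListenPort = 1311

[Peer]
PublicKey = NODE2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.1.2/24
Endpoint = vpn.example.com:1312
PersistentKeepalive = 25

[Peer]
PublicKey = NODE3_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.1.3/24
Endpoint = vpn.example.com:1313
PersistentKeepalive = 25
"""

# Same mesh with one /32 per peer, plus a LAN (10.20.30.0/24) routed via node3.
FIXED_CONFIG = BROKEN_CONFIG.replace("10.10.1.2/24", "10.10.1.2/32").replace(
    "10.10.1.3/24", "10.10.1.3/32, 10.20.30.0/24")


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint_allowed_ips(cfg) or 'no findings'}")
```

Strictly nested prefixes (a hub peer with 10.10.1.0/24 next to a specific peer with 10.10.1.3/32) are deliberately not reported: WireGuard resolves those by longest prefix match, and that layout is how a relay or a routed LAN is expressed. Only an identical normalized prefix on two peers is an error.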

new profile fails

trying to use this app and I'm not seeing results like screenshots indicate.

sudo pip3 install -r requirements.txt
Requirement already satisfied: avalon_framework in /usr/lib/python3.8/site-packages (from -r requirements.txt (line 1)) (1.8.2)
Requirement already satisfied: readline in /usr/lib/python3.8/site-packages (from -r requirements.txt (line 2)) (6.2.4.1)
Requirement already satisfied: netaddr in /usr/lib/python3.8/site-packages (from -r requirements.txt (line 3)) (0.7.19)

python3 wireguard_mesh_configurator.py int
WireGuard Mesh Configurator 1.2.0
(C) 2018-2019 K4YT3X
Licensed under GNU GPL v3
[WGC]> new
[!] WARNING: This will flush the currently loaded profile!
[WGC]>

running arch linux
python3 --version
Python 3.8.1

Error with csv

Attachment: [database.csv](https://github.com/k4yt3x/wg-meshconf/files/12407899/database.csv)

root@debian:~# wg-meshconf init
Traceback (most recent call last):
  File "/usr/local/bin/wg-meshconf", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/wg_meshconf/wg_meshconf.py", line 144, in main
    database_manager.init()
  File "/usr/local/lib/python3.9/dist-packages/wg_meshconf/database_manager.py", line 98, in init
    database = self.read_database()
  File "/usr/local/lib/python3.9/dist-packages/wg_meshconf/database_manager.py", line 134, in read_database
    elif KEY_TYPE[key] == list:
KeyError: 'Name;Address;Endpoint;AllowedIPs;ListenPort;PersistentKeepalive;FwMark;PrivateKey;DNS;MTU;Table;PreUp;PostUp;PreDown;PostDown;SaveConfig'
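An added example, not part of this report and not wg-meshconf's own code: a reader for the database.csv layout that works out the delimiter from the header before parsing. The key in the KeyError above is the entire header line joined with semicolons, so the file was saved semicolon-separated (spreadsheet applications do this in locales whose list separator is ';'); read with the default comma delimiter, that header becomes one 16-name column and every lookup of a real column name fails. The expected column list is copied from the database.csv shown earlier on this page; the sample rows are constructed with placeholder keys.

```python
import csv
import io

# Column layout written by `wg-meshconf init` (from the database.csv above).
EXPECTED_HEADER = ["Name", "Address", "Endpoint", "AllowedIPs", "ListenPort",
                   "PersistentKeepalive", "FwMark", "PrivateKey", "DNS", "MTU",
                   "Table", "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig"]
# Columns whose value is a comma-separated list (addresses, routes, resolvers).
LIST_COLUMNS = {"Address", "AllowedIPs", "DNS"}


def detect_delimiter(header_line):
    """Return the delimiter that splits the header into the expected columns.

    Trying ',' first, then ';' and tab, catches the semicolon-separated file a
    spreadsheet produces before any row is parsed with the wrong delimiter.
    """
    for candidate in (",", ";", "\t"):
        cells = next(csv.reader([header_line], delimiter=candidate))
        if [c.strip() for c in cells] == EXPECTED_HEADER:
            return candidate
    raise ValueError(
        f"header {header_line!r} does not match the expected columns "
        f"{','.join(EXPECTED_HEADER)} with ',', ';' or tab as delimiter")


def read_database(text):
    """Return peers as a list of dicts keyed by column; list columns are split."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty database")
    delimiter = detect_delimiter(lines[0])
    peers = []
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        peer = {}
        for column in EXPECTED_HEADER:
            value = (row.get(column) or "").strip()  # short rows yield None
            if column in LIST_COLUMNS:
                peer[column] = [v.strip() for v in value.split(",") if v.strip()]
            else:
                peer[column] = value
        if not peer["Name"]:
            raise ValueError(f"row without a Name: {row!r}")
        peers.append(peer)
    return peers


# Constructed sample: what a ';'-locale spreadsheet saves, and the same data
# with commas.  Keys are placeholders.
SAMPLE_SEMICOLON = (
    "Name;Address;Endpoint;AllowedIPs;ListenPort;PersistentKeepalive;FwMark;"
    "PrivateKey;DNS;MTU;Table;PreUp;PostUp;PreDown;PostDown;SaveConfig\n"
    "alpha;10.0.0.1;alpha.example.com;;51820;;;PRIVATE_KEY_PLACEHOLDER;;;;;;;;\n"
    "gamma;10.0.0.3;;;51820;25;;PRIVATE_KEY_PLACEHOLDER;;;;;;;;\n"
)
SAMPLE_COMMA = SAMPLE_SEMICOLON.replace(";", ",")


if __name__ == "__main__":
    for peer in read_database(SAMPLE_SEMICOLON):
        print(peer["Name"], peer["Address"], peer["PersistentKeepalive"] or "-")
```

The delimiter is chosen from the header alone, so a mismatch is reported as "header ... does not match the expected columns" with the offending line, instead of surfacing later as a KeyError inside a type table.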

Relay servers

Here is an example config: example.zip

It has two nodes with public IPs, called alpha and beta, and two nodes without public IPs and behind NATs, called gamma and delta. In this configuration, the mesh works well, except for the connection between gamma and delta. (Note that gamma can talk to alpha and beta and vice versa without issues. The same with delta.)

I can tweak the generated config manually to get everything to work. The required changes are:

  • comment out the AllowedIPs line under the delta peer in the gamma config file
  • comment out the AllowedIPs line under the gamma peer in the delta config file

This tells wireguard that gamma can't reach delta directly, so it uses alpha or beta as a relay server, which is exactly what I want.

Can this be done in wg-meshconf without post-processing the generated config files?

The future of wg-dynamic

I see in your readme you make reference to wg-dynamic. Is it known what has happened to development of wg-dynamic?

Seems to be no activity on the git repo since 2019

Is it possible for wg-meshconf to offer exit-node?

Hi,

I am wondering if I can assign a peer as exit-node? Is this something which wg-meshconf can already do and I missed it or does it not support it yet? Any chance you can add a support for exit node ?

Thanks!

Why is Endpoint mandatory?

I don't understand why Endpoint is mandatory in the CSV. It is not mandatory when adding via the command line.

Also, Wireguard itself doesn't need the endpoint to work correctly. At least I've never needed it, in my limited experience.

Multiple preup, postup, predown, postdown commands

Hi,

I'm experimenting to see how I can make this work in my environment.

On first pass it is very good, allowing for site-to-site (multiple subnet) mesh plus individual endpoints (e.g. phone, laptop).

I tried to add multiple iptables commands, but no luck. The pre/post actions seem to be single command using either csv or command line.

Could they be treated in a similar fashion to the addresses ( a comma separated list)?

Thanks!

Adding new Hosts via Excel not working

Hello,

I tried to add new hosts after some time and the program fails every time with the error "The value of Address cannot be automatically generated".

Steps to reproduce:

  1. Create .csv file via "wg-meshconf init"
  2. Open .csv file and add hosts
  3. Use command "wg-meshconf init" -> everything works fine and missing data is added automatically
  4. Open .csv file with Excel again and add a new host with only Name, Address and Endpoint and save it
  5. Use command "wg-meshconf init" -> Error message "The value of Address cannot be automatically generated" appears.

Is there any workaround for this except adding all hosts at the beginning?

Thanks
