Yeah, that's the biggest pain point I think. Syncing configs once changes are made (new peers, new access rules, pre shared key rotation etc).

It's one of the reasons I'm working on wirehub[0], as a way to distribute configs to both end users (share a link) and machines (have a script to periodically pull from wirehub).

Not the perfect solution, but one that does not require additional clients/agents/software to be installed.

[0] https://wirehub.org

▲

feurio 7 months ago | parent [-]

I've built a proof-of-concept WireGuard VPN for work (SSO with mTLD portal/OIDC, BGP/WG tunnels to link edge servers into the network) and the team love it - better than the Cisco VPN they'd have to use otherwise.

Only problem is the config - I'd love a simple alternate WG app (for macOS/Windows) that could pull a config from a remote endpoint (checking signing) and bring up a WG tunnel with the config presented.

I've written a Golang client which shows up in the macOS menu bar and handles all this, but it's using the Brew WireGuard command line tools and needs sudo, etc., etc., so it's not really suitable for the average user.

	▲	rudasn 7 months ago \| parent [-]
		There are quite a few open source wg clients out there, maybe you can get some ideas from those. Defguard, netbird come to mind. I just want to avoid all that custom client stuff. I don't have a solution, but I was experimenting on having a unique network url that would show different content depending if you're hitting it via the wireguard connection or not. Pretty basic stuff, just firewall rules and nginx proxying. Add the (hub) endpoint to client's AllowedIPs and route traffic on the hub depending on the networ interface and port the traffic is coming from. So the client would connect to the wg network and open up the network page (eg. home.rudasn.wirehub.org). If the connection is established, they would see a welcome message or whatever (if they need to update their config maybe a link to get their new one). If the connection is not via the wg tunnel, they would see a message to first connect to the wireguard vpn. And if it's their first time, directions on how to install the official client and get their config from their admin (via wirehub.org or whatnot). It's nice to have that automated via a custom client, but I don't think it's such a huge issue - if you would only update configs for client devices sporadically and have the server peers polling for updates every x seconds. The downside of custom client apps is another security layer to consider, which nobody has the time for.