This repository is a collection of simple scripts intended for Python 3.9+, designed to aid in the quick establishment and gentle maintenance and management of Wireguard clients in a traditional VPN architecture.
MIT license, see ./LICENSE
.
Within these scripts, there are three distinct kinds of files being worked with. Please note that the contents of all of these files should be regarded as sensitive and should not be exposed to interception.
These are JSON files which contain details regarding the server or client on the opposite side of the connection. For servers, a series of client identity files should reside server-side when building the server's Wireguard configuration file. For clients, the server's identity file should be present client-side when building the client's Wireguard configuration file.
These are server-specific JSON files which contain all the data from server initialization, and are necessary for rebuilding the server's Wireguard configuration files when clients identities are being added or removed.
These are the real-deal - they are the configuration files that Wireguard expects for client configuration.
The order of execution is roughly as follows:
- Run the
./init_server.py
file on your intended Wireguard server to initialize the Wireguard server configuration, providing all arguments necessary to execute the script. - Capture the server identity file (specified by the
--server-identity-path
argument) generated by the above step. You will need this for client configuration. - Copy the server identity file to your clients, then run the
./build_client_config.py
script, providing all arguments necessary to execute the script. - Capture the client identity files generated by each client (specified by the
--client-identity-path
argument). You will need these for the server configuration. - Copy the client identity files to the same directory on your server, then run the
./build_server_config.py
script, providing all arguments necessary to execute the script. - Start the
wg-quick@wg0.service
systemd service on your server. - Start the Wireguard client on your client systems.
Readers are highly encouraged to run each script with the -h
or --help
flags in order to review the autogenerated help text for each script.
- Deploy Wireguard config files (specified by the
--wg-conf-path
argument) to/etc/wireguard/
, and note the filename (default iswg0.conf
). This is useful as thewg-quick@.service
systemd service will accept the base name of the file (wg0
) as an argument when starting the namespaced service when provided after the@
sign. - Specify the
--use-dns
flag for client systems that are not acting as intranet services being exposed over the VPN. - Do not specify the
--use-dns
flag for client systems that are supposed to be intranet-available. - BACK UP ALL JSON FILES! You don't want to have to regenerate VPN configuration if you fumble a command, do you?
- Ignore the
./migrate-identities.py
script, it's there only as a workaround for a prior provisioning script I did in bash.