Comments (11)
Howdy, in review of this I think adding this as a QoL improvement is fine; folk who don't want to use it won't!
from wag.
I may not always be right, but I'm never wrong :)
Thanks for the consideration.
from wag.
On my end I have a deployment script that does more advanced things with split DNS that the DNS= setting wouldn't be able to replicate.
Could you give me a bit more insight into your rollout/deployment process?
I may be able to suggest alternatives
from wag.
This is an all new process for us. The current OpenVPN setup works well, but is problematic on Linux with OTP.
I'm looking at making it as seamless as possible for end users. I actually started writing up notes on how we would do this.
Authentication Process
The sysadmin registers a user and is given a registration key.
$ sudo ./wag registration -add -username dominic
token,username
RegistrationToken1234567890,dominic
The user is given their registration code as part of a URL.
https://otp.domain.tld/register_device?key=5e56461cfa3abcb14569e8581e2836944b02394d1974e66ff7b07e6e906865fd
When the user visits this URL a wg0.conf file is downloaded that contains their details to log on with. This file should be installed in /etc/wireguard or imported into the mobile WireGuard app.
A development I would like to see here is it both downloads the config, and presents a QR code that can be scanned by the mobile app.
Once the registration is successful the token is consumed and is no longer valid to download the config again.
When the user brings up the WireGuard tunnel using the app, or on Linux using sudo wg-quick wg0, the basic connection is made.
To gain further access the user must visit http://otp which will present them with a QR code and a secure key to use to register with an OTP app like FreeOTP or Google Authenticator.
Using FreeOTP to generate the OTP the user then types, or pastes, the OTP into the web page and WAG authenticates them, granting the user a 12-hour session. The user can then visit any of the systems they have been given access to, until they have to reauthenticate in 12 hours time.
from wag.
Ha, funny enough that's almost exactly our use case as well. So, what I do is I get the machine UUID (Mac), then use the optional -token parameter to make it into a registration token.
Then with JAMF I push out a script which effectively queries the endpoint with the various machines' UUIDs, installs WireGuard and away you go.
from wag.
E.g.
sudo ./wag registration -add -username dominic -token $UUID_HERE
Then
curl https://your.wag.public.endpoint/register_device?key=$UUID_HERE
That way you can do it with centralized management.
from wag.
I will probably automate the deployment using Ansible for WireGuard and even the wg0.conf; it's just the DNS part that I would "fix" with Ansible too. I just thought that by adding a DNS entry into the config.json it could push it out too, and also add the firewall rule to allow it.
from wag.
My suggestion would be to append the DNS setting you want with your deployment process into the wg0.conf that is generated.
Reason being, I'd prefer people to be able to define their own ACLs/Routes so it's very explicit as to what is allowed.
Adding a DNS option to wag becomes challenging from two standpoints.
First, what happens if you update the DNS server? I have the ability to regenerate and supply the routes to the client through the /routes/ API.
Second, it's a question of what I, or we, want wag to be. I want it to be a simple solution that governs network access.
I may change my mind later on once I've had a bit more of a think about it. But I think for the moment this is outside (but only slightly) what I want wag to be.
from wag.
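As an added example (not wag's own code and not from anyone in this thread), a small Python helper that does what the maintainer suggests: the deployment step writes a DNS= line into the [Interface] section of the generated wg0.conf, idempotently, and then checks that the resolver address actually falls inside a peer's AllowedIPs, because wg-quick's DNS= only rewrites resolv.conf and does not route to the server. The conf contents and the 10.0.0.53 resolver are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of a client wg0.conf (keys and addresses are placeholders).
SAMPLE_CONF = """[Interface]
PrivateKey = REPLACED_WITH_USER_PRIVATE_KEY
Address = 192.168.1.2/32

[Peer]
PublicKey = REPLACED_WITH_SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.1.1/32, 10.0.0.0/24
PersistentKeepalive = 25
"""


def add_dns(conf_text: str, dns_servers: list[str]) -> str:
    """Return conf_text with exactly one DNS= line in [Interface].

    The line goes directly under the [Interface] header; any DNS= already
    in that section is dropped, so running this twice changes nothing.
    """
    for s in dns_servers:
        ipaddress.ip_address(s)  # reject anything that is not an IP literal
    dns_line = "DNS = " + ", ".join(dns_servers)
    out, in_iface = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_iface = stripped.lower() == "[interface]"
            out.append(line)
            if in_iface:
                out.append(dns_line)
            continue
        if in_iface and re.match(r"^\s*dns\s*=", line, re.IGNORECASE):
            continue  # old DNS= line, superseded by the one we just wrote
        out.append(line)
    if dns_line not in out:
        raise ValueError("no [Interface] section in wg0.conf")
    return "\n".join(out) + "\n"


def dns_outside_allowed_ips(conf_text: str, dns_servers: list[str]) -> list[str]:
    """Return the resolvers that no peer's AllowedIPs covers.

    Those would be queried outside the tunnel; the ones inside still need
    wag's ACL/firewall to permit the user to reach them.
    """
    nets = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", conf_text, re.I | re.M):
        nets += [ipaddress.ip_network(p.strip(), strict=False) for p in m.group(1).split(",")]
    return [s for s in dns_servers if not any(ipaddress.ip_address(s) in n for n in nets)]
```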
The DNS part sorts out the resolv.conf changes when the user connects/disconnects. Without it, I'm guessing you're using something that handles calls for internal addresses and external?
Of course, and it's not out of the realms of people like me easily manipulating how things are done with other tools. The core part that makes me smile is the ACLs and firewall. Much of the actual admin and user interaction parts can be customised and done other ways.
from wag.
Yep, for us we're effectively using split DNS and an internal domain that directs all traffic to the internal (over WireGuard) DNS servers.
from wag.
Sweet, this is now here: https://github.com/NHAS/wag/releases/tag/v1.0.5
Or in the main branch, enjoy!
from wag.