netbird/README.md
2021-05-06 13:53:58 +02:00
# Wiretrustee
A WireGuard®-based mesh network that connects your devices into a single private network.
### Why use Wiretrustee?

* Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
* No need to open ports and expose public IPs on the device.
* Automatically reconnects in case of network failures or switches.
* Automatic NAT traversal.
* Relay server fallback in case of an unsuccessful peer-to-peer connection.
* Private key never leaves your device.
* Works on ARM devices (e.g. Raspberry Pi).
### A bit on Wiretrustee internals
* Wiretrustee uses WebRTC ICE, implemented in the [pion/ice library](https://github.com/pion/ice), to discover connection candidates when establishing a peer-to-peer connection between devices.
* Connection session negotiation between peers is achieved with the Wiretrustee Signalling server ([signal](signal/)).
* Contents of the messages sent between peers through the signalling server are encrypted with Wireguard keys, making it impossible for the signalling server to inspect them.
  The routing of the messages on a Signalling server is based on public Wireguard keys.
* Occasionally, NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT).
  For that case, there is support for a relay server fallback (TURN), and a secure Wireguard tunnel is established via the TURN server.
  [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups.
### What Wiretrustee does not do
* Wireguard key management. Consequently, you need to generate peer keys yourself and specify them during the Wiretrustee initialization step.
* Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee.
### Client Installation
1. Check out the Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases)
2. Download the latest release (the .deb package for Debian-based systems; an .rpm package is also published):
```shell
wget https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.4/wiretrustee_0.0.4_linux_amd64.deb
```
3. Install the package
```shell
sudo dpkg -i wiretrustee_0.0.4_linux_amd64.deb
```
### Client Configuration
1. Initialize Wiretrustee:
```shell
sudo wiretrustee init \
--stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
--turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468 \
--signalAddr signal.wiretrustee.com:10000 \
--wgLocalAddr 10.30.30.1/24 \
--log-level info
```
It is important to mention that the `wgLocalAddr` parameter has to be unique across your network.
E.g. if you have Peer A with `wgLocalAddr=10.30.30.1/24`, then another Peer B can have `wgLocalAddr=10.30.30.2/24`.

If for some reason you already have a generated Wireguard key, you can specify it with the `--wgKey` parameter.
If not specified, a new one will be generated, and its corresponding public key will be output to the log.

A new config will be generated and stored under `/etc/wiretrustee/config.json`.
2. Add a peer to connect to.
```shell
sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREGUARD PUBLIC KEY>'
```
3. Restart Wiretrustee to reload changes
```shell
sudo systemctl restart wiretrustee.service
sudo systemctl status wiretrustee.service
```
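The configuration steps above take two operator-supplied values per peer, the remote peer's `allowedIPs` and its Wireguard public key, and the `wgLocalAddr` of every peer has to stay unique. The following POSIX shell script is an added example and is not part of the Wiretrustee project: it sanity-checks those values (base64 key format, CIDR syntax, a /32 that lies inside the local /24 and differs from the local host) and prints the resulting `add-peer` command instead of executing it, so it runs without Wiretrustee installed. The function names, the sample key and the sample addresses are constructed for this example; the /24 layout is an assumption taken from the README's own addressing.

```shell
#!/bin/sh
# Added example, not part of the Wiretrustee project: validate the values an
# operator hands to `wiretrustee add-peer` before touching the live config.
# Only POSIX sh, grep, tr and printf are used.

# A Wireguard key is 32 random bytes, base64-encoded: 43 base64 characters
# followed by a single '=' pad. Anything else was mistyped or truncated.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Accept dotted-quad IPv4 with a /prefix, each octet 0-255, prefix 0-32.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -le 32 ] || return 1
    for octet in $(printf '%s\n' "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The README requires every wgLocalAddr to be unique, and add-peer takes the
# remote peer's address as a /32. Given our local address (e.g. 10.30.30.1/24)
# and a candidate remote allowedIPs, check that the remote host is a /32,
# differs from ours and sits inside our /24 (assumption: the /24 layout from
# the README; adjust the comparison if your network uses another prefix).
peer_fits_network() {
    local_cidr=$1
    remote_cidr=$2
    is_cidr "$local_cidr" && is_cidr "$remote_cidr" || return 1
    [ "${remote_cidr#*/}" = "32" ] || return 1              # add-peer expects a /32
    local_host=${local_cidr%/*}
    remote_host=${remote_cidr%/*}
    [ "$local_host" != "$remote_host" ] || return 1          # addresses must be unique
    [ "${local_host%.*}" = "${remote_host%.*}" ] || return 1 # same /24 as the local peer
    return 0
}

# Validate everything and emit the add-peer command line on stdout. It is
# printed rather than executed so the example runs anywhere; pipe the output
# to `sh` once you have confirmed the key out of band with the peer's owner.
add_peer_cmd() {
    local_cidr=$1
    remote_cidr=$2
    remote_key=$3
    is_wg_key "$remote_key" || {
        echo "error: malformed Wireguard public key" >&2
        return 1
    }
    peer_fits_network "$local_cidr" "$remote_cidr" || {
        echo "error: $remote_cidr is not a unique /32 inside $local_cidr" >&2
        return 1
    }
    printf "sudo wiretrustee add-peer --allowedIPs %s --key '%s'\n" "$remote_cidr" "$remote_key"
}

# Constructed sample values; the key is not a real key from any deployment.
SAMPLE_LOCAL=10.30.30.1/24
SAMPLE_REMOTE=10.30.30.2/32
SAMPLE_KEY='KxzJqv3m8uQ0t7hYh2W6wP1bN9cR4dE5fG6hJ7kL8mM='

add_peer_cmd "$SAMPLE_LOCAL" "$SAMPLE_REMOTE" "$SAMPLE_KEY"
```

The key check only proves the string is well-formed base64 of the right length; it cannot tell whether a syntactically valid key actually belongs to the peer you intend to admit, and `add-peer` will happily trust whatever key it is given. Compare the key with the one printed in the remote peer's init log over a channel you already trust before running the generated command.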
### Running the Signal service
We have packaged the Signal service into Docker images. You can pull the image from the GitHub registry and run it with the following commands:
```shell
docker pull ghcr.io/wiretrustee/wiretrustee:signal-latest
docker run -d --name wiretrustee-signal -p 10000:10000 ghcr.io/wiretrustee/wiretrustee:signal-latest
```
The default log level is INFO; if needed, you can change it by appending `--log-level` to the Docker command as follows:
```shell
docker run -d --name wiretrustee-signal -p 10000:10000 ghcr.io/wiretrustee/wiretrustee:signal-latest --log-level DEBUG
```
### Roadmap
* Android app