netbird/README.md

155 lines
7.4 KiB
Markdown
Raw Normal View History

2021-05-06 13:53:58 +02:00
# Wiretrustee
A WireGuard®-based mesh network that connects your devices into a single private network.
2021-05-06 13:57:21 +02:00
### Why using Wiretrustee?
2021-05-06 13:53:58 +02:00
2021-05-06 14:40:51 +02:00
* Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
2021-05-06 13:57:21 +02:00
* No need to open ports and expose public IPs on the device.
2021-05-06 14:40:51 +02:00
* Automatically reconnects in case of network failures or switches.
2021-05-06 13:57:21 +02:00
* Automatic NAT traversal.
2021-05-06 14:40:51 +02:00
* Relay server fallback in case of an unsuccessful peer-to-peer connection.
2021-05-06 13:57:21 +02:00
* Private key never leaves your device.
* Works on ARM devices (e.g. Raspberry Pi).
2021-05-06 13:53:58 +02:00
2021-05-06 13:57:21 +02:00
### A bit on Wiretrustee internals
2021-05-06 14:40:51 +02:00
* Wiretrustee uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between devices.
* A connection session negotiation between peers is achieved with the Wiretrustee Signalling server [signal](signal/)
2021-05-15 08:58:59 +02:00
* Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
2021-05-06 13:53:58 +02:00
The routing of the messages on a Signalling server is based on public Wireguard keys.
2021-05-15 08:58:59 +02:00
* Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT).
2021-05-12 20:02:07 +02:00
For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server.
2021-05-06 13:53:58 +02:00
[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups.
2021-05-06 13:57:21 +02:00
### What Wiretrustee is not doing:
* Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step.
2021-05-06 14:40:51 +02:00
* Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee
2021-05-06 13:53:58 +02:00
2021-06-02 21:30:19 +02:00
### Product Roadmap
2021-06-02 21:31:37 +02:00
- [Public Roadmap](https://github.com/wiretrustee/wiretrustee/projects/2)
2021-06-02 21:30:19 +02:00
- [Public Roadmap Progress Tracking](https://github.com/wiretrustee/wiretrustee/projects/1)
### Client Installation
#### Linux
2021-05-06 14:40:51 +02:00
1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases)
2021-05-30 12:35:18 +02:00
2. Download the latest release (**Switch VERSION to the latest**):
**Debian packages**
2021-05-06 13:53:58 +02:00
```shell
wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.deb
2021-05-06 13:53:58 +02:00
```
3. Install the package
```shell
sudo dpkg -i wiretrustee_<VERSION>_linux_amd64.deb
```
**Fedora/Centos packages**
```shell
wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.rpm
```
3. Install the package
```shell
sudo rpm -i wiretrustee_<VERSION>_linux_amd64.rpm
```
#### MACOS
1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
2021-05-30 12:35:18 +02:00
2. Download the latest release (**Switch VERSION to the latest**):
```shell
curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
```
3. Decompress
```shell
tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
sudo mv wiretrusee /usr/local/bin/wiretrustee
chmod +x /usr/local/bin/wiretrustee
2021-05-06 13:53:58 +02:00
```
After that you may need to add /usr/local/bin in your MAC's PATH environment variable:
````shell
export PATH=$PATH:/usr/local/bin
````
### Client Configuration
1. Initialize Wiretrustee:
For **MACOS**, you need to create the configuration directory:
````shell
sudo mkdir /etc/wiretrustee
````
Then, for all systems:
2021-05-06 13:53:58 +02:00
```shell
sudo wiretrustee init \
--stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
--turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468 \
--signalAddr signal.wiretrustee.com:10000 \
--wgLocalAddr 10.30.30.1/24 \
--log-level info
```
2021-05-06 14:40:51 +02:00
It is important to mention that the ```wgLocalAddr``` parameter has to be unique across your network.
E.g. if you have Peer A with ```wgLocalAddr=10.30.30.1/24``` then another Peer B can have ```wgLocalAddr=10.30.30.2/24```
2021-05-06 13:53:58 +02:00
2021-05-06 14:40:51 +02:00
If for some reason, you already have a generated Wireguard key, you can specify it with the ```--wgKey``` parameter.
If not specified, then a new one will be generated, and its corresponding public key will be output to the log.
2021-05-06 13:53:58 +02:00
A new config will be generated and stored under ```/etc/wiretrustee/config.json```
2. Add a peer to connect to.
```shell
2021-05-06 13:53:58 +02:00
sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
```
3. Restart Wiretrustee to reload changes
For **MACOS** you will just start the service:
````shell
sudo wiretrustee up --log-level info
# or
2021-05-30 12:35:18 +02:00
sudo wiretrustee up --log-level info & # to run it in background
````
For **Linux** systems:
```shell
sudo systemctl restart wiretrustee.service
sudo systemctl status wiretrustee.service
```
### Running the Signal service
2021-05-15 08:58:59 +02:00
After installing the application, you can run the signal using the command below:
````shell
2021-05-15 08:58:59 +02:00
/usr/local/bin/wiretrustee signal --log-level INFO
````
2021-05-30 12:35:18 +02:00
This will launch the Signal server on port 10000, in case you want to change the port, use the flag --port.
2021-05-15 08:58:59 +02:00
#### Docker image
2021-05-30 12:35:18 +02:00
We have packed the Signal server into docker image. You can pull the image from Docker Hub and execute it with the following commands:
2021-05-15 08:58:59 +02:00
````shell
docker pull wiretrustee/wiretrustee:signal-latest
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest
````
The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:
````shell
2021-05-15 08:58:59 +02:00
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG
````
### Running Signal and Coturn
2021-05-30 12:35:18 +02:00
Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Signal server and an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration.
You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.
The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#Running the Signal service) and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
2021-05-30 09:29:30 +02:00
> Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
2021-05-30 09:29:30 +02:00
Also, if you have an SSL certificate you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
to generate one from [Lets Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs.
Simple docker-composer execution:
````shell
cd infrastructure_files
docker-compose up -d
````
You can check logs by running:
````shell
cd infrastructure_files
docker-compose logs signal
docker-compose logs coturn
````
If you need to stop the services, run the following:
````shell
cd infrastructure_files
docker-compose down
````
2021-06-02 21:30:19 +02:00
2021-05-12 20:02:07 +02:00