diff --git a/README.md b/README.md index a0b0161c7..d7eb35baf 100644 --- a/README.md +++ b/README.md @@ -7,26 +7,31 @@ A WireGuard®-based mesh network that connects your devices into a single privat ### Why using Wiretrustee? * Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else. -* No need to open ports and expose public IPs on the device. +* No need to open ports and expose public IPs on the device, routers etc. +* Uses Kernel Wireguard module if available. +* Automatic network change detection. When a new peer joins the network others are notified and keys are exchanged automatically. * Automatically reconnects in case of network failures or switches. * Automatic NAT traversal. * Relay server fallback in case of an unsuccessful peer-to-peer connection. * Private key never leaves your device. +* Automatic IP address management. +* Intuitive UI Dashboard. * Works on ARM devices (e.g. Raspberry Pi). +* Open-source (including Management Service) + +### Secure peer-to-peer VPN in minutes +![animation](media/peers.gif) ### A bit on Wiretrustee internals +* Wiretrustee features a Management Service that offers peer IP management and network updates distribution (e.g. when new peer joins the network). * Wiretrustee uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between devices. -* A connection session negotiation between peers is achieved with the Wiretrustee Signalling server [signal](signal/) -* Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them. - The routing of the messages on a Signalling server is based on public Wireguard keys. +* Peers negotiate connection through [Signal Service](signal/). +* Signal Service uses public Wireguard keys to route messages between peers. + Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them. * Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT). - For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server. + When this occurs the system falls back to relay server (TURN), and a secure Wireguard tunnel is established via TURN server. [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups. -### What Wiretrustee is not doing: -* Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step. This feature is on the roadmap. -* Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee. This feature is on the roadmap. - ### Product Roadmap - [Public Roadmap](https://github.com/wiretrustee/wiretrustee/projects/2) - [Public Roadmap Progress Tracking](https://github.com/wiretrustee/wiretrustee/projects/1) @@ -88,50 +93,31 @@ cd C:\path\to\wiretrustee\bin ```` ### Client Configuration -1. Initialize Wiretrustee: +1. Login to the Management Service. You need to have a `setup key` in hand (see ). For **Unix** systems: ```shell -sudo wiretrustee init \ - --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \ - --turnURLs :@turn:stun.wiretrustee.com:3468 \ - --signalAddr signal.wiretrustee.com:10000 \ - --wgLocalAddr 10.30.30.1/24 \ - --log-level info +sudo wiretrustee login --setup-key ``` For **Windows** systems: ```shell -.\wiretrustee.exe init ` - --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 ` - --turnURLs :@turn:stun.wiretrustee.com:3468 ` - --signalAddr signal.wiretrustee.com:10000 ` - --wgLocalAddr 10.30.30.1/24 ` - --log-level info +.\wiretrustee.exe login --setup-key ``` - -It is important to mention that the ```wgLocalAddr``` parameter has to be unique across your network. -E.g. if you have Peer A with ```wgLocalAddr=10.30.30.1/24``` then another Peer B can have ```wgLocalAddr=10.30.30.2/24``` -If for some reason, you already have a generated Wireguard key, you can specify it with the ```--wgKey``` parameter. -If not specified, then a new one will be generated, and its corresponding public key will be output to the log. -A new config will be generated and stored under ```/etc/wiretrustee/config.json``` +Alternatively, if you are hosting your own Management Service provide `--management-url` property pointing to your Management Service: +```shell +sudo wiretrustee login --setup-key --management-url https://localhost:33073 +``` + +You could also omit `--setup-key` property. In this case the tool will prompt it the key. + +2. Start Wiretrustee: -2. Add a peer to connect to. - -For **Unix** systems: -```shell -sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '' -``` -For **Windows** systems: -```shell -.\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key '' -``` -3. Restart Wiretrustee to reload changes For **MACOS** you will just start the service: ````shell -sudo wiretrustee up --log-level info +sudo wiretrustee up # or -sudo wiretrustee up --log-level info & # to run it in background +sudo wiretrustee up & # to run it in background ```` For **Linux** systems: ```shell @@ -144,6 +130,22 @@ For **Windows** systems: ``` > You may need to run Powershell as Administrator +3. Check your IP: +For **MACOS** you will just start the service: +````shell +sudo ipconfig getifaddr utun100 +```` +For **Linux** systems: +```shell +ip addr show wt0 +``` +For **Windows** systems: +```shell +netsh interface ip show config name="wt0" +``` + +4. Repeat on other machines. + ### Running Management, Signal and Coturn Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**. diff --git a/media/peers.gif b/media/peers.gif new file mode 100644 index 000000000..c6edfbcc0 Binary files /dev/null and b/media/peers.gif differ