Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
Go to file
Maycon Santos 1323a74db0
fix: avoid failing and extra error messages (#136)
* avoid failing and extra error messages

* avoid extra error messages when executed after pre_remove.sh

* remove extra output and avoid failure on minor errors

* ensure the steps will run only on remove
2021-10-20 11:51:32 +02:00
.github/workflows enhancement: Support new architectures and auto upload packages to repo (#128) 2021-10-12 12:15:45 +02:00
client fix: service hanging when error on startup has been encountered (#135) 2021-10-18 13:29:26 +02:00
docs docs: update readme (#132) 2021-10-16 16:53:39 +02:00
encryption feature: basic auth0 support (#78) 2021-08-07 12:26:07 +02:00
iface abstract peer channel (#101) 2021-08-29 17:48:31 +02:00
infrastructure_files docs: fix docker-compose management image 2021-09-25 20:17:01 +02:00
management fix: service hanging when error on startup has been encountered (#135) 2021-10-18 13:29:26 +02:00
release_files fix: avoid failing and extra error messages (#136) 2021-10-20 11:51:32 +02:00
signal fix: graceful shutdown (#134) 2021-10-17 22:15:38 +02:00
util feature: add logging to a file (#112) 2021-09-07 09:53:18 +02:00
.gitignore self-hosting guide (#121) 2021-09-25 19:12:05 +02:00
.goreleaser.yaml Enhance up command (#133) 2021-10-17 21:34:07 +02:00
AUTHORS add end of line 2021-05-11 22:40:09 +05:00
go.mod Enhance up command (#133) 2021-10-17 21:34:07 +02:00
go.sum Enhance up command (#133) 2021-10-17 21:34:07 +02:00
LICENSE license: correct license text 2021-05-11 14:38:41 +02:00
README.md Enhance up command (#133) 2021-10-17 21:34:07 +02:00

Start using Wiretrustee at app.wiretrustee.com
See Documentation
Join our Slack channel


Wiretrustee is an open-source VPN platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.

It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.

There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.

Secure peer-to-peer VPN in minutes

Note: The main branch may be in an unstable or even broken state during development. For stable versions, see releases.

Hosted demo version: https://app.wiretrustee.com/.

UI Dashboard Repo

Why using Wiretrustee?

  • Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
  • No need to open ports and expose public IPs on the device, routers etc.
  • Uses Kernel Wireguard module if available.
  • Automatic network change detection. When a new peer joins the network others are notified and keys are exchanged automatically.
  • Automatically reconnects in case of network failures or switches.
  • Automatic NAT traversal.
  • Relay server fallback in case of an unsuccessful peer-to-peer connection.
  • Private key never leaves your device.
  • Automatic IP address management.
  • Intuitive UI Dashboard.
  • Works on ARM devices (e.g. Raspberry Pi).
  • Open-source (including Management Service)

A bit on Wiretrustee internals

  • Wiretrustee features a Management Service that offers peer IP management and network updates distribution (e.g. when new peer joins the network).
  • Wiretrustee uses WebRTC ICE implemented in pion/ice library to discover connection candidates when establishing a peer-to-peer connection between devices.
  • Peers negotiate connection through Signal Service.
  • Signal Service uses public Wireguard keys to route messages between peers. Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
  • Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT). When this occurs the system falls back to relay server (TURN), and a secure Wireguard tunnel is established via TURN server. Coturn is the one that has been successfully used for STUN and TURN in Wiretrustee setups.

Product Roadmap

Client Installation

Linux

APT/Debian

  1. Add the repository:
    sudo apt-get update
    sudo apt-get install ca-certificates curl gnupg -y
    curl -L https://pkgs.wiretrustee.com/debian/public.key | sudo apt-key add -
    echo 'deb https://pkgs.wiretrustee.com/debian stable main' | sudo tee /etc/apt/sources.list.d/wiretrustee.list
    
  2. Install the package
    sudo apt-get update
    sudo apt-get install wiretrustee
    

RPM/Red hat

  1. Add the repository:
    cat <<EOF | sudo tee /etc/yum.repos.d/wiretrustee.repo
    [Wiretrustee]
    name=Wiretrustee
    baseurl=https://pkgs.wiretrustee.com/yum/
    enabled=1
    gpgcheck=0
    gpgkey=https://pkgs.wiretrustee.com/yum/repodata/repomd.xml.key
    repo_gpgcheck=1
    EOF
    
  2. Install the package
    sudo yum install wiretrustee
    

MACOS

Brew install

  1. Download and install Brew at https://brew.sh/
  2. Install the client
brew install wiretrustee/client/wiretrustee

Installation from binary

  1. Checkout Wiretrustee releases
  2. Download the latest release (Switch VERSION to the latest):
curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
  1. Decompress
tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
sudo mv wiretrusee /usr/local/bin/wiretrustee
chmod +x /usr/local/bin/wiretrustee

After that you may need to add /usr/local/bin in your MAC's PATH environment variable:

export PATH=$PATH:/usr/local/bin

Windows

  1. Checkout Wiretrustee releases
  2. Download the latest Windows release installer wiretrustee_installer_<VERSION>_windows_amd64.exe (Switch VERSION to the latest):
  3. Proceed with installation steps
  4. This will install the client in the C:\Program Files\Wiretrustee and add the client service
  5. After installing, you can follow the Client Configuration steps.

To uninstall the client and service, you can use Add/Remove programs

Client Configuration

  1. Login to the Management Service. You need to have a setup key in hand (see ).

For Unix systems:

sudo wiretrustee up --setup-key <SETUP KEY>

For Windows systems, start powershell as administrator and:

wiretrustee up --setup-key <SETUP KEY>

Alternatively, if you are hosting your own Management Service provide --management-url property pointing to your Management Service:

sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073

You could also omit --setup-key property. In this case the tool will prompt it the key.

  1. Check your IP: For MACOS you will just start the service:
sudo ipconfig getifaddr utun100

For Linux systems:

ip addr show wt0

For Windows systems:

netsh interface ip show config name="wt0"
  1. Repeat on other machines.

Running Dashboard, Management, Signal and Coturn

Wiretrustee uses Auth0 for user authentication and authorization, therefore you will need to create a free account and configure Auth0 variables in the compose file (dashboard) and in the management config file. We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires significant amount of time to make it right. We focused on connectivity instead. It is worth mentioning that dependency to Auth0 is the only one that cannot be self-hosted.

Configuring Wiretrustee Auth0 integration:

Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of Coturn, it also provides a turnserver.conf file as a simple example of Coturn configuration. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to proper credentials.

The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in Running the Signal service, the management in Management, and the Coturn official documentation here.

Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.

Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow Certbot's official documentation to generate one from Lets Encrypt, or, we found that the example provided by BigBlueButton covers the basics to configure Coturn with Let's Encrypt certs.

The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.

Simple docker-composer execution:

cd infrastructure_files
docker-compose up -d

You can check logs by running:

cd infrastructure_files
docker-compose logs signal
docker-compose logs management
docker-compose logs coturn

If you need to stop the services, run the following:

cd infrastructure_files
docker-compose down

WireGuard is a registered trademark of Jason A. Donenfeld.