Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
Go to file
2021-08-20 15:01:57 +02:00
.github/workflows Peer management login (#83) 2021-08-15 16:56:26 +02:00
client Merge branch 'main' into setup-key-http-api 2021-08-20 14:18:25 +02:00
encryption feature: basic auth0 support (#78) 2021-08-07 12:26:07 +02:00
iface Peer management login (#83) 2021-08-15 16:56:26 +02:00
infrastructure_files Self contained signal cmd build (#82) 2021-08-13 08:46:30 +02:00
management test: add setup key tests 2021-08-20 15:01:57 +02:00
release_files chore: use config.json in teh service definition instead of wiretrustee.json 2021-05-06 13:54:20 +02:00
signal add wiretrustee LOGIN command (#90) 2021-08-18 13:35:42 +02:00
util feature: basic management service implementation (#44) 2021-07-17 14:38:59 +02:00
.gitignore feature: basic auth0 support (#78) 2021-08-07 12:26:07 +02:00
.goreleaser.yaml Peer management login (#83) 2021-08-15 16:56:26 +02:00
AUTHORS add end of line 2021-05-11 22:40:09 +05:00
go.mod Add cors headers (#85) 2021-08-16 11:29:57 +02:00
go.sum Add cors headers (#85) 2021-08-16 11:29:57 +02:00
LICENSE license: correct license text 2021-05-11 14:38:41 +02:00
manifest.xml Avoid prompt admin at every execution 2021-06-25 10:28:27 +02:00
README.md Update README.md 2021-08-20 13:24:54 +02:00

Wiretrustee

A WireGuard®-based mesh network that connects your devices into a single private network.

Note: The main branch may be in an unstable or even broken state during development. For stable versions, see releases.

Why using Wiretrustee?

  • Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
  • No need to open ports and expose public IPs on the device.
  • Automatically reconnects in case of network failures or switches.
  • Automatic NAT traversal.
  • Relay server fallback in case of an unsuccessful peer-to-peer connection.
  • Private key never leaves your device.
  • Works on ARM devices (e.g. Raspberry Pi).

A bit on Wiretrustee internals

  • Wiretrustee uses WebRTC ICE implemented in pion/ice library to discover connection candidates when establishing a peer-to-peer connection between devices.
  • A connection session negotiation between peers is achieved with the Wiretrustee Signalling server signal
  • Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them. The routing of the messages on a Signalling server is based on public Wireguard keys.
  • Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT). For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server. Coturn is the one that has been successfully used for STUN and TURN in Wiretrustee setups.

What Wiretrustee is not doing:

  • Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step. This feature is on the roadmap.
  • Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee. This feature is on the roadmap.

Product Roadmap

Client Installation

Linux

  1. Checkout Wiretrustee releases
  2. Download the latest release (Switch VERSION to the latest):

Debian packages

wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.deb
  1. Install the package
sudo dpkg -i wiretrustee_<VERSION>_linux_amd64.deb

Fedora/Centos packages

wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.rpm
  1. Install the package
sudo rpm -i wiretrustee_<VERSION>_linux_amd64.rpm

MACOS

  1. Checkout Wiretrustee releases
  2. Download the latest release (Switch VERSION to the latest):
curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
  1. Decompress
tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
sudo mv wiretrusee /usr/local/bin/wiretrustee
chmod +x /usr/local/bin/wiretrustee

After that you may need to add /usr/local/bin in your MAC's PATH environment variable:

export PATH=$PATH:/usr/local/bin

Windows

  1. Checkout Wiretrustee releases
  2. Download the latest Windows release wiretrustee_<VERSION>_windows_amd64.tar.gz (Switch VERSION to the latest):
  3. Decompress and move to a more fixed path in your system
  4. Open Powershell
  5. For Windows systems, we can use the service command to configure Wiretrustee as a service by running the following commands in Powershell:
cd C:\path\to\wiretrustee\bin
.\wiretrustee.exe service --help
.\wiretrustee.exe service install # This will prompt for administrator permissions in order to install a new service

You may need to run Powershell as Administrator

  1. After installing you can follow the Client Configuration steps.
  2. To uninstall the service simple run the command above with the uninstall flag:
.\wiretrustee.exe service uninstall

Client Configuration

  1. Initialize Wiretrustee:

For Unix systems:

sudo wiretrustee init \
 --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
 --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  \
 --signalAddr signal.wiretrustee.com:10000  \
 --wgLocalAddr 10.30.30.1/24  \
 --log-level info

For Windows systems:

.\wiretrustee.exe init `
 --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 `
 --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  `
 --signalAddr signal.wiretrustee.com:10000  `
 --wgLocalAddr 10.30.30.1/24  `
 --log-level info

It is important to mention that the wgLocalAddr parameter has to be unique across your network. E.g. if you have Peer A with wgLocalAddr=10.30.30.1/24 then another Peer B can have wgLocalAddr=10.30.30.2/24

If for some reason, you already have a generated Wireguard key, you can specify it with the --wgKey parameter. If not specified, then a new one will be generated, and its corresponding public key will be output to the log. A new config will be generated and stored under /etc/wiretrustee/config.json

  1. Add a peer to connect to.

For Unix systems:

sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'

For Windows systems:

.\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
  1. Restart Wiretrustee to reload changes For MACOS you will just start the service:
sudo wiretrustee up --log-level info 
# or
sudo wiretrustee up --log-level info & # to run it in background

For Linux systems:

sudo systemctl restart wiretrustee.service
sudo systemctl status wiretrustee.service 

For Windows systems:

.\wiretrustee.exe service start

You may need to run Powershell as Administrator

Running Management, Signal and Coturn

Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Management and Signal services, plus an instance of Coturn, it also provides a turnserver.conf file as a simple example of Coturn configuration. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to proper credentials.

The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in Running the Signal service, the management in Management, and the Coturn official documentation here.

Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.

Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow Certbot's official documentation to generate one from Lets Encrypt, or, we found that the example provided by BigBlueButton covers the basics to configure Coturn with Let's Encrypt certs.

The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.

Simple docker-composer execution:

cd infrastructure_files
docker-compose up -d

You can check logs by running:

cd infrastructure_files
docker-compose logs signal
docker-compose logs management
docker-compose logs coturn

If you need to stop the services, run the following:

cd infrastructure_files
docker-compose down

WireGuard is a registered trademark of Jason A. Donenfeld.