Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
Go to file
2021-05-19 11:13:25 +02:00
.github/workflows Add golangci-lint workflow 2021-05-15 15:44:35 +05:00
cmd fix: golint errors (part 2) 2021-05-19 11:13:25 +02:00
connection fix: golint errors (part 2) 2021-05-19 11:13:25 +02:00
iface fix doc and lint warns for iface package 2021-05-15 15:05:15 +05:00
release_files chore: use config.json in teh service definition instead of wiretrustee.json 2021-05-06 13:54:20 +02:00
signal fix: golint errors 2021-05-19 10:58:21 +02:00
util fix doc 2021-05-15 15:24:30 +05:00
.gitignore project init 2021-05-01 12:45:37 +02:00
.goreleaser.yaml using docker hub 2021-05-15 11:58:31 +05:00
AUTHORS add end of line 2021-05-11 22:40:09 +05:00
Dockerfile Building docker images for signal service 2021-05-11 12:38:41 +05:00
go.mod fix: golint errors 2021-05-19 10:58:21 +02:00
go.sum fix: golint errors (part 2) 2021-05-19 11:13:25 +02:00
LICENSE license: correct license text 2021-05-11 14:38:41 +02:00
main.go project init 2021-05-01 12:45:37 +02:00
README.md updated doc with docker hub registry 2021-05-15 11:58:59 +05:00

Wiretrustee

A WireGuard®-based mesh network that connects your devices into a single private network.

Why using Wiretrustee?

  • Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
  • No need to open ports and expose public IPs on the device.
  • Automatically reconnects in case of network failures or switches.
  • Automatic NAT traversal.
  • Relay server fallback in case of an unsuccessful peer-to-peer connection.
  • Private key never leaves your device.
  • Works on ARM devices (e.g. Raspberry Pi).

A bit on Wiretrustee internals

  • Wiretrustee uses WebRTC ICE implemented in pion/ice library to discover connection candidates when establishing a peer-to-peer connection between devices.
  • A connection session negotiation between peers is achieved with the Wiretrustee Signalling server signal
  • Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them. The routing of the messages on a Signalling server is based on public Wireguard keys.
  • Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT). For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server. Coturn is the one that has been successfully used for STUN and TURN in Wiretrustee setups.

What Wiretrustee is not doing:

  • Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step.
  • Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee

Client Installation

  1. Checkout Wiretrustee releases
  2. Download the latest release:
wget https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.4/wiretrustee_0.0.4_linux_amd64.rpm
  1. Install the package
sudo dpkg -i wiretrustee_0.0.4_linux_amd64.deb

Client Configuration

  1. Initialize Wiretrustee:
sudo wiretrustee init \
 --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
 --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  \
 --signalAddr signal.wiretrustee.com:10000  \
 --wgLocalAddr 10.30.30.1/24  \
 --log-level info

It is important to mention that the wgLocalAddr parameter has to be unique across your network. E.g. if you have Peer A with wgLocalAddr=10.30.30.1/24 then another Peer B can have wgLocalAddr=10.30.30.2/24

If for some reason, you already have a generated Wireguard key, you can specify it with the --wgKey parameter. If not specified, then a new one will be generated, and its corresponding public key will be output to the log. A new config will be generated and stored under /etc/wiretrustee/config.json

  1. Add a peer to connect to.
sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
  1. Restart Wiretrustee to reload changes
sudo systemctl restart wiretrustee.service
sudo systemctl status wiretrustee.service 

Running the Signal service

After installing the application, you can run the signal using the command below:

/usr/local/bin/wiretrustee signal --log-level INFO

This will launch the signal service on port 10000, in case you want to change the port, use the flag --port.

Docker image

We have packed the signal into docker images. You can pull the images from the Docker Hub and execute it with the following commands:

docker pull wiretrustee/wiretrustee:signal-latest
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest

The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:

docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG

Roadmap

  • Android app