Languages: Python 96.1%, Shell 3.9%

Repository contents (last commit per entry):

  • client-tools - update banner (2024-06-26 20:44:47 +00:00)
  • src - Change default WireGuard listen port (2026-04-29 16:04:41 +00:00)
  • tests - Update WireGate operations documentation (2026-04-29 16:08:35 +00:00)
  • .gitignore - Update docs and repo metadata (2026-04-23 16:35:25 +00:00)
  • AGENTS.md - Update WireGate operations documentation (2026-04-29 16:08:35 +00:00)
  • config.dist - Document default WireGuard listen port (2026-04-29 16:04:59 +00:00)
  • gate - Move CLI and operational modules to src (2026-04-23 18:58:49 +00:00)
  • LICENSE - Initial commit (2023-11-10 02:01:46 +02:00)
  • mail.md - Polish WireGate wording (2026-04-24 01:38:40 +00:00)
  • patch.sh - Move runtime deploy to split layout (2026-04-24 01:10:21 +00:00)
  • README.md - Update WireGate operations documentation (2026-04-29 16:08:35 +00:00)
  • wgldapsync.service - Move runtime deploy to split layout (2026-04-24 01:10:21 +00:00)
  • wgldapsync.timer - Harden LDAP sync service behavior (2026-04-17 14:12:46 +00:00)
  • wgnodesync.service - Add node sync systemd units (2026-04-26 15:03:49 +00:00)
  • wgnodesync.timer - Add node sync systemd units (2026-04-26 15:03:49 +00:00)

\ \        /_)           ___|       |        
 \ \  \   /  |  __| _ \ |      _` | __|  _ \ 
  \ \  \ /   | |    __/ |   | (   | |    __/ 
   \_/\_/   _|_|  \___|\____|\__,_|\__|\___| 

WireGuard based VPN server endpoint with LDAP support

Tested on Debian

CLI

The public command is now gate.

Use ./gate -h for top-level help and ./gate <command> -h for command-specific help.

Server Commands

  • sudo ./gate deploy - install or update the runtime under /usr/local/lib/wiregate, assets under /usr/local/share/wiregate, and config under /etc/wiregate
  • sudo ./gate init - bootstrap host services (WireGuard, unbound, iptables, sysctl) using /etc/wiregate/config; this is a heavy operation and may reboot
  • ./gate client add --name NAME --email EMAIL - define and activate a new peer, generate config inside /etc/wireguard/clients, and attempt profile delivery
  • ./gate client disable --name NAME - disable a peer without deleting its stored artifacts
  • ./gate client delete --name NAME - delete a peer and salvage its IP address back to the pool
  • ./gate client rebuild - recreate WireGuard state using existing clients in /etc/wireguard/clients
  • ./gate client mail --name NAME - send the generated profile to the client

Server Tools

  • ./gate status - show peer stats based on wg show all dump
  • ./gate ldap sync - reconcile peer state from LDAP membership
  • ./gate ldap logs - tail the log of the wgldapsync service
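As an added illustration of the data `./gate status` works from (this is example code, not WireGate's own implementation): `wg show all dump` emits tab-separated lines, one header line per interface (interface, private-key, public-key, listen-port, fwmark) followed by one line per peer (interface, public-key, preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive). The parser below keeps only what a status view needs and discards the private key and preshared keys at parse time so they cannot leak into output or logs. The sample dump, its placeholder key strings, the 180 s staleness threshold and the function names are assumptions.

```python
"""Parse `wg show all dump` into per-peer stats, the data `gate status` reports on.

Added example, not WireGate's own code. Private keys and preshared keys are
dropped at parse time so they never reach status output or logs. The sample
dump and its key strings are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `wg show all dump` output (keys are placeholders).
SAMPLE_DUMP = (
    "wg0\tSERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t55032\toff\n"
    "wg0\tPEER_A_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t10.69.0.2/32"
    "\t1700000000\t123456\t654321\toff\n"
    "wg0\tPEER_B_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.69.0.3/32\t0\t0\t0\t25\n"
)


@dataclass
class PeerStats:
    interface: str
    public_key: str
    endpoint: Optional[str]      # None when WireGuard reports "(none)"
    allowed_ips: List[str]
    latest_handshake: int        # unix seconds; 0 means never
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]     # None when "off"


def parse_wg_dump(text: str) -> Tuple[Dict[str, dict], List[PeerStats]]:
    """Split a dump into interface metadata and peer records."""
    interfaces: Dict[str, dict] = {}
    peers: List[PeerStats] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) == 5:
            ifname, _private_key, public_key, port, fwmark = fields
            # Keep only what a status view needs; the private key is discarded.
            interfaces[ifname] = {
                "public_key": public_key,
                "listen_port": int(port),
                "fwmark": None if fwmark == "off" else fwmark,
            }
        elif len(fields) == 9:
            ifname, pub, _psk, endpoint, allowed, hs, rx, tx, ka = fields
            peers.append(PeerStats(
                interface=ifname,
                public_key=pub,
                endpoint=None if endpoint == "(none)" else endpoint,
                allowed_ips=allowed.split(","),
                latest_handshake=int(hs),
                rx_bytes=int(rx),
                tx_bytes=int(tx),
                keepalive=None if ka == "off" else int(ka),
            ))
        else:
            raise ValueError(f"unexpected dump line with {len(fields)} fields: {line!r}")
    return interfaces, peers


def peer_state(peer: PeerStats, now: int, stale_after: int = 180) -> str:
    """Classify a peer as 'never' (no handshake yet), 'active', or 'stale'.

    180 s matches WireGuard's reject-after window; it is an assumed default here."""
    if peer.latest_handshake == 0:
        return "never"
    return "active" if now - peer.latest_handshake <= stale_after else "stale"


def status_rows(text: str, now: int) -> List[dict]:
    """Rows for a status table; nothing secret is included."""
    _, peers = parse_wg_dump(text)
    return [
        {
            "peer": p.public_key,
            "address": ",".join(p.allowed_ips),
            "endpoint": p.endpoint or "-",
            "state": peer_state(p, now),
            "rx": p.rx_bytes,
            "tx": p.tx_bytes,
        }
        for p in peers
    ]


if __name__ == "__main__":
    import time
    for row in status_rows(SAMPLE_DUMP, int(time.time())):
        print(row)
```

Run it against real output with `sudo wg show all dump | python3 status_example.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; a peer with handshake 0 has never completed a handshake, which is the usual sign of a profile that was delivered but never used.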

The legacy IP pool generation command remains accepted for automation compatibility, but it is deprecated and hidden from help. Normal bootstrap uses sudo ./gate init, which creates the configured IP pool only when missing and preserves existing peer leases on rerun.

Client Address Pool Configuration

Set the required client_pool_cidr in /etc/wiregate/config to the client network for this server, for example client_pool_cidr=10.69.0.0/20. The server uses the first usable address from that CIDR for wg0 and client DNS, and generates the remaining client IP pool without allocating that server address. WireGate uses a fixed WireGuard UDP port, 55032, for the server and the generated client profiles.
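The addressing rule above, worked through as an added example (not WireGate's own implementation): the first usable address of the CIDR becomes the wg0 server and DNS address, the remaining usable addresses form the client pool, and the fixed port 55032 is what a generated client profile points at. The function names, the lease bookkeeping (a set of already-leased addresses that a rerun preserves) and the profile skeleton are assumptions.

```python
"""Derive the wg0 server address and the client IP pool from client_pool_cidr.

Added example, not WireGate's own implementation. Function names and the
lease bookkeeping are assumptions; the port is the one documented above.
"""
import ipaddress
from typing import Iterable, Set

WIREGUARD_PORT = 55032  # fixed port documented in the README


def derive_addressing(client_pool_cidr: str) -> dict:
    """Return server/DNS address, listen port and the client pool for a CIDR."""
    # strict=True rejects values with host bits set (e.g. 10.69.0.1/20),
    # which would otherwise silently shift the whole pool.
    net = ipaddress.ip_network(client_pool_cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{client_pool_cidr} leaves no client addresses")
    server = hosts[0]
    return {
        "server_address": f"{server}/{net.prefixlen}",
        "dns": str(server),
        "listen_port": WIREGUARD_PORT,
        "pool": [str(h) for h in hosts[1:]],   # server address excluded
    }


def next_free(pool: Iterable[str], leased: Set[str]) -> str:
    """First pool address not already leased; existing leases are kept as-is."""
    for addr in pool:
        if addr not in leased:
            return addr
    raise RuntimeError("client pool exhausted")


def render_client_interface(addr: str, prefixlen: int, dns: str,
                            endpoint_host: str, server_pubkey: str) -> str:
    """[Interface]/[Peer] skeleton for a client profile (keys are placeholders)."""
    return "\n".join([
        "[Interface]",
        f"Address = {addr}/{prefixlen}",
        f"DNS = {dns}",
        "PrivateKey = <client private key>",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {endpoint_host}:{WIREGUARD_PORT}",
        "AllowedIPs = 0.0.0.0/0",
        "",
    ])


if __name__ == "__main__":
    a = derive_addressing("10.69.0.0/20")
    lease = next_free(a["pool"], set())
    print(a["server_address"], a["dns"], a["listen_port"], len(a["pool"]), lease)
    print(render_client_interface(lease, 20, a["dns"], "vpn.example.com", "<server public key>"))
```

The `strict=True` check is the part worth keeping in any real implementation: a config value such as `10.69.0.1/20` would otherwise be normalised silently, and the "first usable address" the server binds to would no longer be the one an operator expects.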

Node Commands

Node peering is a first-version control plane for WireGate nodes. It syncs node topology over root SSH, keeps normal client peers on wg0, and uses dedicated node transit interfaces for selected remote internet exit traffic.

  • ./gate node identity - show the local node identity from /etc/wiregate/node-id
  • sudo ./gate node join --ssh root@seed.example.com - join topology from a seed node over SSH
  • sudo ./gate node join --ssh root@node2 --init --client-pool-cidr 10.70.0.0/20 - deploy, configure, initialize, and join a fresh remote node
  • sudo ./gate node sync - refresh node topology, reapply node transit state, and ensure the node sync timer is installed/enabled
  • ./gate node export-topology --format json - print the public node topology JSON used by SSH sync
  • sudo ./gate node policy set --peer NAME --exit-node NODE_ID - route one peer's internet exit through a selected node
  • sudo ./gate node policy clear --peer NAME - remove one peer's selected remote exit policy
  • ./gate node policy list - print the validated node exit policy JSON
  • ./gate node status - show node peers separately from normal WireGuard clients
  • sudo ./gate node remove --node-id NODE_ID - remove a node from local node state

Client pools must not overlap. Set a unique client_pool_cidr on every node, such as 10.69.0.0/20 on one node and 10.70.0.0/20 on another. Overlapping pools are rejected so a node cannot claim another node's client addresses. If a selected remote exit is unavailable, selected traffic fails closed and is blocked. It does not fall back to local internet exit or another node.
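The two node rules above, pool uniqueness and fail-closed exit, as an added example (not WireGate's own code): a topology export is rejected when any node's client pool overlaps another's, `node policy set` only accepts a node that exists in the validated topology, and resolving a peer's exit yields the selected node when it is available, a BLOCKED sentinel when it is not (never a substitute node or the local exit), and local exit only for peers with no policy at all. The topology JSON shape, the policy mapping, the function names and the sample nodes are constructed assumptions.

```python
"""Topology validation and per-peer exit resolution for node peering.

Added example, not WireGate's own code. Topology JSON shape, policy mapping
and function names are assumptions; the sample data is constructed.
"""
import ipaddress
import json
from typing import Dict, Set

BLOCKED = "BLOCKED"   # sentinel: selected exit unavailable, traffic must be dropped
LOCAL = "local"       # no policy for the peer: ordinary wg0 client, local internet exit

# Constructed sample of an exported topology.
SAMPLE_TOPOLOGY = json.dumps({"nodes": [
    {"node_id": "node-a", "endpoint": "198.51.100.10:55032", "client_pool_cidr": "10.69.0.0/20"},
    {"node_id": "node-b", "endpoint": "198.51.100.20:55032", "client_pool_cidr": "10.70.0.0/20"},
]})


def validate_topology(text: str) -> dict:
    """Return node_id -> client pool network, rejecting duplicate ids and overlapping pools."""
    pools: dict = {}
    for node in json.loads(text)["nodes"]:
        node_id = node["node_id"]
        if node_id in pools:
            raise ValueError(f"duplicate node_id {node_id}")
        net = ipaddress.ip_network(node["client_pool_cidr"], strict=True)
        for other_id, other_net in pools.items():
            if net.overlaps(other_net):
                raise ValueError(
                    f"client pool {net} of {node_id} overlaps {other_net} of {other_id}")
        pools[node_id] = net
    return pools


def set_exit_policy(policy: Dict[str, str], peer: str, exit_node: str,
                    topology: dict) -> Dict[str, str]:
    """`node policy set`: the exit node must be a node in the validated topology."""
    if exit_node not in topology:
        raise ValueError(f"unknown exit node {exit_node}")
    updated = dict(policy)
    updated[peer] = exit_node
    return updated


def clear_exit_policy(policy: Dict[str, str], peer: str) -> Dict[str, str]:
    """`node policy clear`: drop the peer's selected exit, if any."""
    updated = dict(policy)
    updated.pop(peer, None)
    return updated


def resolve_exit(peer: str, policy: Dict[str, str], available: Set[str]) -> str:
    """Decide where a peer's internet traffic goes right now.

    LOCAL when the peer has no policy, the node id when the selected exit is
    reachable, BLOCKED otherwise: no fallback to local exit or another node."""
    selected = policy.get(peer)
    if selected is None:
        return LOCAL
    return selected if selected in available else BLOCKED


if __name__ == "__main__":
    pools = validate_topology(SAMPLE_TOPOLOGY)
    policy = set_exit_policy({}, "alice", "node-b", pools)
    print(resolve_exit("alice", policy, {"node-a", "node-b"}))  # node-b
    print(resolve_exit("alice", policy, {"node-a"}))            # BLOCKED
```

Whatever applies the result to the host must treat BLOCKED as "install a drop rule for this peer", not as "skip the peer": skipping would leave the default route in place and quietly turn the fail-closed guarantee into a local-exit fallback.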

Plain join remains topology-only: sudo ./gate node join --ssh root@seed.example.com does not deploy, initialize, write remote config, or run remote system commands beyond exporting topology over SSH. Add --init only when spreading WireGate to a fresh remote host. The init mode copies only allow-listed checkout files (gate, src/, config.dist, docs/assets, client tools, and systemd units) to a private root-owned remote staging directory; it never copies .git, .sisyphus, local config, node identity, topology state, WireGuard keys, client artifacts, or runtime state.

Remote init generates /etc/wiregate/config from config.dist, safe local non-secret values, and node-specific overrides. --client-pool-cidr is required and must be unique; server_endpoint_address defaults to the SSH host when --endpoint is omitted; public_ifname is inferred from ip -json route show default on the remote unless --public-ifname is provided. Existing remote /etc/wiregate/config is refused unless --update-config is set. Because gate init may reboot the remote host, spread mode waits for SSH to reconnect and verifies the remote gate before joining it back to the local seed. Use --dry-run to validate and print the planned remote config with secret-like values redacted, without copying files, writing config, running init, or mutating topology.
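The config planning described above, worked through as an added example (not WireGate's own code): start from config.dist, copy only allow-listed non-secret local values, apply the node-specific overrides, require client_pool_cidr, default server_endpoint_address to the SSH host when --endpoint is omitted, take public_ifname from the remote's `ip -json route show default` unless --public-ifname is given, refuse an existing remote config unless --update-config, and redact secret-like values in the dry-run printout. The config key names other than client_pool_cidr, server_endpoint_address and public_ifname (ldap_bind_password, dns_upstream), the SAFE_LOCAL_KEYS allow-list, the key-name heuristic for redaction, and the sample config.dist and route output are constructed assumptions.

```python
"""Plan a remote /etc/wiregate/config for `node join --init --dry-run`.

Added example, not WireGate's own code. Key names beyond those in the README,
the allow-list, the redaction heuristic and the samples are assumptions.
"""
import json
import re
from typing import Dict, Optional

SECRET_KEY_RE = re.compile(r"(key|secret|password|token)", re.IGNORECASE)
SAFE_LOCAL_KEYS = {"dns_upstream"}   # assumed allow-list of non-secret local values to copy

# Constructed stand-ins; not the project's real config.dist or a real host's route table.
SAMPLE_CONFIG_DIST = """# WireGate config template (constructed sample)
client_pool_cidr=
server_endpoint_address=
public_ifname=
dns_upstream=1.1.1.1
ldap_bind_password=changeme
"""
SAMPLE_LOCAL_CONFIG = {"dns_upstream": "9.9.9.9", "ldap_bind_password": "local-secret",
                       "client_pool_cidr": "10.69.0.0/20"}
SAMPLE_ROUTE_JSON = ('[{"dst":"default","gateway":"192.0.2.1","dev":"eth0",'
                     '"protocol":"dhcp","metric":100,"flags":[]}]')


def parse_kv(text: str) -> Dict[str, str]:
    """key=value lines; '#' starts a comment; blank lines are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def public_ifname_from_route(route_json: str) -> str:
    """Interface of the default route in `ip -json route show default` output."""
    for route in json.loads(route_json):
        if route.get("dst") == "default" and route.get("dev"):
            return route["dev"]
    raise ValueError("remote has no default route; pass --public-ifname")


def plan_remote_config(dist_text: str, local_cfg: Dict[str, str], ssh_host: str,
                       client_pool_cidr: str, endpoint: Optional[str] = None,
                       public_ifname: Optional[str] = None, route_json: str = "[]",
                       remote_config_exists: bool = False,
                       update_config: bool = False) -> Dict[str, str]:
    """Build the config that would be written remotely, without writing anything."""
    if remote_config_exists and not update_config:
        raise RuntimeError("remote /etc/wiregate/config exists; rerun with --update-config")
    if not client_pool_cidr:
        raise ValueError("--client-pool-cidr is required")
    cfg = parse_kv(dist_text)
    # Only allow-listed local values cross to the remote; secrets and the local
    # client_pool_cidr (which must stay unique per node) never do.
    for key in SAFE_LOCAL_KEYS:
        if key in local_cfg:
            cfg[key] = local_cfg[key]
    cfg["client_pool_cidr"] = client_pool_cidr
    cfg["server_endpoint_address"] = endpoint or ssh_host
    cfg["public_ifname"] = public_ifname or public_ifname_from_route(route_json)
    return cfg


def redact(cfg: Dict[str, str]) -> Dict[str, str]:
    """Copy of the plan with secret-like, non-empty values masked for printing."""
    return {k: ("<redacted>" if SECRET_KEY_RE.search(k) and v else v) for k, v in cfg.items()}


def render(cfg: Dict[str, str]) -> str:
    return "".join(f"{k}={v}\n" for k, v in cfg.items())


if __name__ == "__main__":
    plan = plan_remote_config(SAMPLE_CONFIG_DIST, SAMPLE_LOCAL_CONFIG, "node2.example.com",
                              "10.70.0.0/20", route_json=SAMPLE_ROUTE_JSON)
    print(render(redact(plan)), end="")
```

Redacting by key name rather than by value is deliberate: a dry-run printout is the thing most likely to end up in a ticket or a chat, so over-redacting an occasional non-secret key is the cheaper mistake.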

Endpoint roaming is explicit. Run sudo ./gate node sync after endpoint changes, or use wgnodesync.timer. gate init installs and enables that timer when node state already exists; on an already initialized node, successful gate node join and gate node sync also install/enable it so a full gate init rerun is not required after joining topology.

First-version scope exclusions: no HTTPS daemon/API, no consensus/gossip, no arbitrary LAN/private route export, no generated remote-exit client profiles, and no automatic fallback.

Client Side Tools

./client-tools/wg-rapid - modified WireGuard client based on wg-quick that works with systemd-resolved

./client-tools/startvpn.desktop - desktop shortcut for wg-rapid; update its parameter with the peer config filename

Updating an installed server

After pulling repository changes, run sudo ./gate deploy to refresh the installed runtime. Run sudo ./gate init only when host bootstrap behavior or broad system service setup needs to be applied again; normal node topology joins and syncs should not require rerunning full init.

Existing installs that still live under /root/wiregate should run sudo ./patch.sh once to move runtime files to the current layout.