WG-Concierge allows new devices to be added quickly without connecting to the server remotely; it is mostly an ingress tool for WireGuard networks.
Conditions
WG-Concierge needs to be installed on the server with root access (this should change, but for now it needs the same access as wg)
It should not be exposed outside the LAN
The client needs to be on the LAN to register, since the email will contain a URL with an internal address
Workflow
1. The admin sends an invitation by email. The email contains a one-time-use URL (Basic Auth to start with)
2. The server records the URL and email
3. The user receives the email and opens the URL
4. The server checks if the URL is valid; if not, it replies with an error
5. The user gets a form to enter the device name and submits it
6. Repeat step 4 for the new request
7. The server checks if the machine name already exists for that email; if so, it replies with an error
8. The server generates the private and public keys for the client (in memory)
9. The server grabs the last IP added, increments it and locks it to that email and device
10. The server generates the client configuration file (in memory)
11. The server updates the wg config with the new client
12. The server replies with a QR code and the configuration file
13. The server burns the URL so it can't be used anymore
14. The admin can see the table of peer clients (Basic Auth to start with)
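The token handling in this workflow, as an added example that is not WG-Concierge's own code: it covers URL validation, the per-email device-name check, IP allocation and burning the URL, with step numbers counting the workflow lines above in order. The names `Concierge`, `invite`, `check` and `register`, the choice to store only a SHA-256 digest of the token, and the starting address are assumptions.

```python
import hashlib
import ipaddress
import secrets


class Concierge:
    """In-memory model of the invite/register flow (hypothetical names)."""

    def __init__(self, last_ip="10.0.0.1"):  # constructed sample address
        self.invites = {}  # sha256(token) -> invited email
        self.peers = {}    # (email, device_name) -> assigned IP
        self.last_ip = ipaddress.ip_address(last_ip)

    @staticmethod
    def _digest(token):
        # Assumption: store only a hash, so a leaked table holds no usable URLs.
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, email):
        """Steps 1-2: mint an unguessable token and record it with the email."""
        token = secrets.token_urlsafe(32)
        self.invites[self._digest(token)] = email
        return token

    def check(self, token):
        """Steps 4 and 6: return the invited email, or None if invalid/burned."""
        return self.invites.get(self._digest(token))

    def register(self, token, device_name):
        email = self.check(token)
        if email is None:
            raise PermissionError("invalid or already used invitation")
        if (email, device_name) in self.peers:  # step 7
            raise ValueError("device name already registered for this email")
        self.last_ip += 1  # step 9: next address, locked to (email, device)
        self.peers[(email, device_name)] = self.last_ip
        # Steps 8 and 10-12 (keys, client config, wg update, reply) not modelled.
        del self.invites[self._digest(token)]  # step 13: burn the URL
        return str(self.last_ip)
```

Because the URL is burned only after every earlier check passes, a rejected device name leaves the invitation usable for a retry, while a successful registration invalidates it for both GET and POST.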
Goals
Allow quick configuration of new devices without SSH to the server
Separation of keys: the server never stores the client private key
Keep track of all devices registered
Endpoints
Method | Auth | Path | Params | Body
GET | Yes | /map
GET | Yes | /invite
POST | Yes | /invite | email
GET | No | /register | token
POST | No | /register | token | device_name
Out of Scope
Removing or updating peers (that needs to be done directly on the server)
Managing wg server operations like start/stop...
Development
Since this app needs to run on the same server as WireGuard, a Vagrant box is provided. This box starts with WireGuard already installed and with a standard configuration.
The build folder is synchronized with the box, so every time the project is compiled the result is available inside the box.