wgpull is a WireGuard configuration management system for small mesh networks, built around a central lighthouse and a set of nodes. Nodes periodically poll the lighthouse, sending their own configuration and receiving the list of peers they should configure. WireGuard private, public and pre-shared keys are handled transparently: each node generates its own private/public key pair, and the lighthouse generates the pre-shared keys.
Right now only nodes that run either Linux with systemd-networkd or OpenWRT with UCI are supported, but more backends should be easy to add.
It is written in Rust, using gotham as the web server and ureq as the HTTP client, among other crates.
The main purpose of wgpull is to make it easier to add, remove, configure and monitor small WireGuard networks. This is cumbersome in a fully connected mesh, where every node is connected to every other node, because a single change touches every node's configuration. I previously used ansible to distribute the configuration, but I found this to be slow and error prone; now, if a node is added or its configuration changes, I only have to configure a single node with ansible, not all nodes on the network.
- automatic configuration orchestration of WireGuard mesh network setups
- transparent private, public and pre-shared key configuration and revocation[^1]
- metrics aggregation with a Prometheus export endpoint
- configuration backends:

  systemd
  : Linux with WireGuard and systemd-networkd (tested on Ubuntu 20.04 / 23.04)

  uci
  : OpenWRT with WireGuard and UCI (prebuilt package for armv7 / tested on TurrisOS 6.3.3)

[^1]: Key revocation causes some downtime until all nodes have picked up the new keys (disabled by default).
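To make the poll exchange and the per-pair pre-shared key handling concrete, here is an added example in Rust that is not wgpull's own code: a minimal, stand-alone model of the lighthouse side. A node reports its name, public key, endpoint and tunnel address; the lighthouse answers with every other node as a peer, minting one pre-shared key per unordered node pair on first use and handing the same key to both ends. `rotate_keys` models revocation (new keys are only learned on each peer's next poll, hence the downtime mentioned in the footnote), and `render_netdev_peers` turns the answer into the `[WireGuardPeer]` sections a systemd-networkd `.netdev` file uses. The struct shapes, method names, the in-memory maps and the use of `/dev/urandom` are assumptions for illustration, not wgpull's wire format or API; the example does not generate Curve25519 key pairs, only the 32-byte random pre-shared keys.

```rust
use std::collections::BTreeMap;
use std::io::Read;

/// What a node sends on each poll: its name, the public half of the key pair it generated
/// locally, and how peers reach it. Assumed shape for illustration, not wgpull's wire format.
#[derive(Clone, Debug, PartialEq)]
pub struct NodeReport { pub name: String, pub public_key: String, pub endpoint: String, pub address: String }

/// One entry of the peer list the lighthouse answers with.
#[derive(Clone, Debug, PartialEq)]
pub struct PeerConfig { pub name: String, pub public_key: String, pub preshared_key: String, pub endpoint: String, pub allowed_ips: String }

pub struct Lighthouse {
    nodes: BTreeMap<String, NodeReport>,
    psks: BTreeMap<(String, String), String>, // one PSK per unordered pair, keyed (smaller, larger)
    rng: Box<dyn FnMut() -> [u8; 32]>,        // injected so tests can be deterministic
}

impl Lighthouse {
    pub fn new(rng: Box<dyn FnMut() -> [u8; 32]>) -> Self {
        Lighthouse { nodes: BTreeMap::new(), psks: BTreeMap::new(), rng }
    }

    fn pair(a: &str, b: &str) -> (String, String) {
        if a < b { (a.into(), b.into()) } else { (b.into(), a.into()) }
    }

    /// One poll: store the node's report, answer with every other node as a peer. A pair's
    /// PSK is minted on first use and then reused, so both ends of the pair get the same key.
    pub fn poll(&mut self, report: NodeReport) -> Vec<PeerConfig> {
        let me = report.name.clone();
        self.nodes.insert(me.clone(), report);
        let mut peers = Vec::new();
        for (name, n) in &self.nodes {
            if *name == me { continue; }
            let key = Self::pair(&me, name);
            if !self.psks.contains_key(&key) {
                let fresh = base64(&(self.rng)());
                self.psks.insert(key.clone(), fresh);
            }
            peers.push(PeerConfig {
                name: name.clone(),
                public_key: n.public_key.clone(),
                preshared_key: self.psks[&key].clone(),
                endpoint: n.endpoint.clone(),
                allowed_ips: n.address.clone(), // full mesh: only the peer's own tunnel address
            });
        }
        peers
    }

    /// Revocation: re-mint every PSK shared with `name`. Peers only see the new keys on their
    /// next poll, which is the downtime the footnote refers to. Returns how many keys changed.
    pub fn rotate_keys(&mut self, name: &str) -> usize {
        let mut changed = 0;
        for (pair, psk) in self.psks.iter_mut() {
            if pair.0 == name || pair.1 == name {
                *psk = base64(&(self.rng)());
                changed += 1;
            }
        }
        changed
    }

    /// Remove a node and every PSK it shared; the others drop it on their next poll.
    pub fn remove(&mut self, name: &str) {
        self.nodes.remove(name);
        self.psks.retain(|pair, _| pair.0 != name && pair.1 != name);
    }
}

/// Standard base64 with padding; a WireGuard PSK is 32 random bytes in this encoding (44 chars).
pub fn base64(bytes: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for c in bytes.chunks(3) {
        let n = (c[0] as u32) << 16 | (*c.get(1).unwrap_or(&0) as u32) << 8 | *c.get(2).unwrap_or(&0) as u32;
        out.push(T[(n >> 18) as usize & 63] as char);
        out.push(T[(n >> 12) as usize & 63] as char);
        out.push(if c.len() > 1 { T[(n >> 6) as usize & 63] as char } else { '=' });
        out.push(if c.len() > 2 { T[n as usize & 63] as char } else { '=' });
    }
    out
}

/// Render a peer list as systemd-networkd .netdev [WireGuardPeer] sections.
pub fn render_netdev_peers(peers: &[PeerConfig]) -> String {
    peers.iter().map(|p| format!(
        "# {}\n[WireGuardPeer]\nPublicKey={}\nPresharedKey={}\nAllowedIPs={}\nEndpoint={}\nPersistentKeepalive=25\n\n",
        p.name, p.public_key, p.preshared_key, p.allowed_ips, p.endpoint)).collect()
}

/// 32 bytes from the kernel CSPRNG (Linux; a real build would use a rand crate).
pub fn urandom_key() -> [u8; 32] {
    let mut k = [0u8; 32];
    std::fs::File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut k)).expect("/dev/urandom");
    k
}

fn main() {
    // Constructed sample nodes; public keys are placeholders, not real Curve25519 keys.
    let mut lh = Lighthouse::new(Box::new(urandom_key));
    for &(n, ip) in &[("alpha", "10.0.0.1/32"), ("beta", "10.0.0.2/32"), ("gamma", "10.0.0.3/32")] {
        lh.poll(NodeReport { name: n.into(), public_key: format!("<pubkey of {n}>"), endpoint: format!("{n}.example.net:51820"), address: ip.into() });
    }
    // alpha's next poll lists beta and gamma, each with the pair's stable PSK
    print!("{}", render_netdev_peers(&lh.poll(NodeReport { name: "alpha".into(), public_key: "<pubkey of alpha>".into(), endpoint: "alpha.example.net:51820".into(), address: "10.0.0.1/32".into() })));
}
```

Keying the PSK map by the sorted name pair is what makes the key symmetric: whichever node polls first causes the key to be minted, and the other node receives the identical key on its own poll. Rotation only touches pairs involving the revoked node, so the rest of the mesh keeps working while the affected peers converge on their next poll.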
TBD. I will add some more details once I've tested it a bit more in production.