WireSep

Privilege separated implementation of WireGuard

Latest release

wiresep-0.11.3.tar.gz (April 26, 2020)
sha256 - changes - license ISC

You can subscribe to the release feed to follow new releases.

Requirements

Install

$ doas pkg_add wiresep

Generate a new private key for the tun0 interface.

$ doas wiresep-keygen tun0

Then create a configuration and store it in /etc/wiresep/wiresep.conf. A simple example looks like the following:

# This is an example of a server listening on the public ip 198.51.100.7 port
# 1022. It uses the tun0 device with the internal ip addresses 2001:db8::7
# and 172.16.0.1 and allows communication with the peer Jane and Joe. Jane is
# allowed to use any source ip, while Joe may only use 2001:db8::4 or
# 172.16.0.11/30 as the source ip of his packets. The private key for the tun0
# interface can be generated with `wiresep-keygen tun0`.

interface tun0 {
    ifaddr 2001:db8::7/126
    ifaddr 172.16.0.1/24

    listen 198.51.100.7:1022

    peer jane {
        pubkey BhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips *
    }

    peer joe {
        pubkey AhyBpDfD7joIPPpjBW/g/Wdhiu3iVOzQhKodbsLqJ3A=
        allowedips 2001:db8::4
        allowedips 172.16.0.11/30
    }
}

See wiresep.conf(5) for a complete description of the configuration file.

Once everyting is set, run wiresep(8):

$ doas wiresep

Documentation

Refer to the manuals for documentation and a configuration example:

The design documents can be found in the doc directory.

Code and repository

Browse the release archive, browse the source code online or clone the repository:

$ git clone https://netsend.nl/wiresep.git

Known issues

Contact

You can send a message to tim at this domain. When sending in patches I prefer the format created by git-format-patch(1).