From aa785b9ab6b1dbe1cff49fbdae3bdf39d17bd8ba Mon Sep 17 00:00:00 2001
From: Callan Bryant
Date: Sun, 1 Nov 2020 09:17:25 +0000
Subject: [PATCH] split off config generation
---
 CONFIG.md | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 README.md | 129 ++----------------------------------------------------
 2 files changed, 130 insertions(+), 126 deletions(-)
 create mode 100644 CONFIG.md
diff --git a/CONFIG.md b/CONFIG.md
new file mode 100644
index 0000000..cbaa2d6
--- /dev/null
+++ b/CONFIG.md
@@ -0,0 +1,127 @@
+Explanation of each field:
+
+ {
+ "ExternalIP": "198.51.100.2",
+ "ExternalIP6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+
+This is the external IP that will be the value of Endpoint for the server peer
+in client configs. It is automatically detected by opening a socket or using an
+external IP discovery service -- the first to give a valid public IP will win.
+
+
+ "ListenPort": 51820,
+
+The port wiregard should listen on.
+
+ "Domain": "dsnet",
+
+The domain to copy to the report file. Not used for anything else; it's useful
+for DNS integration. At one site I have a script to add hosts to a zone upon
+connection by polling the report file.
+
+ "InterfaceName": "dsnet",
+
+The wireguard interface name.
+
+ "Network": "10.164.236.0/22",
+ "Network6": "fd00:7b31:106a:ae00::/64",
+
+The CIDR network to use when allocating IPs to peers. This subnet, a `/22` in
+the `10.0.0.0/16` block is generated randomly to (probably) avoid collisions
+with other networks. There are 1022 addresses available. Addresses are
+allocated to peers when peers are added with `dsnet add` using the lowest
+available address.
+
+A random ULA network with a subnet of 0 is generated for IPv6.
+
+ "IP": "10.164.236.1",
+ "IP6": "fd00:7b31:106a:ae00:44c3:29c3:53b1:a6f9",
+
+This is the private VPN IP of the server peer. It is the first address in the
+above pool.
+
+ "DNS": "",
+
+If defined, this IP address will be set in the generated peer wg-quick config
+files.
+
+ "Networks": [],
+
+This is a list of additional CIDR-notated networks that can be routed through
+the server peer. They will be added under the server peer under `AllowedIPs` in
+addition to the private network defined in `Network` above. If you want to
+route the whole internet through the server peer, add `0.0.0.0/0` to the list
+before adding peers. For more advanced options and theory, see
+.
+
+ "ReportFile": "/var/lib/dsnetreport.json",
+
+This is the location of the report file generated with `dsnet report`. It is
+suggested that this command is run via a cron job; the report can be safely
+consumed by a web service or DNS integration script, for instance.
+
+The report contains no sensitive information. At one site I use it together
+with [hugo](https://gohugo.io/)
+[shortcodes](https://gohugo.io/templates/shortcode-templates/) to generate a
+network overview page. The shortcode file is included in this repository under
+`etc/`.
+
+ "PrivateKey": "uC+xz3v1mfjWBHepwiCgAmPebZcY+EdhaHAvqX2r7U8=",
+
+The server private key, automatically generated and very sensitive!
+
+ "Peers": []
+
+The list of peers managed by `dsnet add` and `dsnet remove`. See below for format.
+
+ }
+
+The configuration file can be manually/programatically managed outside of dsnet
+if desired; `dsnet sync` will update wireguard.
+
+Peer configuration, `Peers: []` in `dsnetconfig.json`:
+
+ {
+ "Hostname": "test",
+
+The hostname given via `dsnet add `. It is used to identify the peer
+in the report and for peer removal via `dsnet remove `. It can also
+be used to update a DNS zone via a custom script that operates on the report
+file as mentioned above.
+
+ "Owner": "naggie",
+
+The owner of the peer, copied to the report file.
+
+ "Description": "Home server",
+
+A description of the peer, copied to the report file; the lack of which in
+`wq-quick` is what inspired me to write dsnet in the first place.
+
+
+ "IP": "10.164.236.2",
+
+The private VPN IP allocated by dsnet for this peer. It is the lowest available
+IP in the pool from `Network`, above.
+
+ "Added": "2020-05-07T10:04:46.336286992+01:00",
+
+The timestamp of when the peer was added by dsnet.
+
+ "Networks": [],
+
+Any other CIDR networks that can be routed through this peer.
+
+ "PublicKey": "altJeQ/V52JZQrGcA9RiKcpZusYU6zMUJhl7Wbd9rX0=",
+
+The public key derived from the private key generated by dsnet when the peer
+was added.
+
+ "PresharedKey": "GcUtlze0BMuxo3iVEjpOahKdTf8xVfF8hDW3Ylw5az0="
+
+The pre-shared key for this peer. The peer has the same key defined as the
+pre-shared key for the server peer. This is optional in wireguard but not for
+dsnet due to the extra (post quantum!) security it provides.
+
+
+ }
diff --git a/README.md b/README.md
index 4aa7b4e..273d4d8 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ Currently its location is fixed as all my deployments are for a single network. I may add a feature to allow setting of the location via environment variable in the future to support multiple networks on a single host.
-Main configuration example:
+Main (automatically generated) configuration example:
 {
@@ -68,6 +68,7 @@ Main configuration example:
 "Network": "10.164.236.0/22",
 "Network6": "fd00:7b31:106a:ae00::/64",
 "IP": "10.164.236.1",
+ "IP6": "fd00:d631:74ca:7b00:a28:11a1:b821:f013",
 "DNS": "",
 "Networks": [],
 "ReportFile": "/var/lib/dsnetreport.json",
@@ -87,133 +88,9 @@ Main configuration example:
 ]
 }
-Explanation of each field:
- {
- "ExternalIP": "198.51.100.2",
- "ExternalIP6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+See [CONFIG.md](CONFIG.md) for an explanation of each field.
-This is the external IP that will be the value of Endpoint for the server peer
-in client configs. It is automatically detected by opening a socket or using an
-external IP discovery service -- the first to give a valid public IP will win.
-
-
- "ListenPort": 51820,
-
-The port wiregard should listen on.
-
- "Domain": "dsnet",
-
-The domain to copy to the report file. Not used for anything else; it's useful
-for DNS integration. At one site I have a script to add hosts to a zone upon
-connection by polling the report file.
-
- "InterfaceName": "dsnet",
-
-The wireguard interface name.
-
- "Network": "10.164.236.0/22",
- "Network6": "fd00:7b31:106a:ae00::/64",
-
-The CIDR network to use when allocating IPs to peers. This subnet, a `/22` in
-the `10.0.0.0/16` block is generated randomly to (probably) avoid collisions
-with other networks. There are 1022 addresses available. Addresses are
-allocated to peers when peers are added with `dsnet add` using the lowest
-available address.
-
-A random ULA network with a subnet of 0 is generated for IPv6.
-
- "IP": "10.164.236.1",
- "IP6": "fd00:7b31:106a:ae00:44c3:29c3:53b1:a6f9",
-
-This is the private VPN IP of the server peer. It is the first address in the
-above pool.
-
- "DNS": "",
-
-If defined, this IP address will be set in the generated peer wg-quick config
-files.
-
- "Networks": [],
-
-This is a list of additional CIDR-notated networks that can be routed through
-the server peer. They will be added under the server peer under `AllowedIPs` in
-addition to the private network defined in `Network` above. If you want to
-route the whole internet through the server peer, add `0.0.0.0/0` to the list
-before adding peers. For more advanced options and theory, see
-.
-
- "ReportFile": "/var/lib/dsnetreport.json",
-
-This is the location of the report file generated with `dsnet report`. It is
-suggested that this command is run via a cron job; the report can be safely
-consumed by a web service or DNS integration script, for instance.
-
-The report contains no sensitive information. At one site I use it together
-with [hugo](https://gohugo.io/)
-[shortcodes](https://gohugo.io/templates/shortcode-templates/) to generate a
-network overview page. The shortcode file is included in this repository under
-`etc/`.
-
- "PrivateKey": "uC+xz3v1mfjWBHepwiCgAmPebZcY+EdhaHAvqX2r7U8=",
-
-The server private key, automatically generated and very sensitive!
-
- "Peers": []
-
-The list of peers managed by `dsnet add` and `dsnet remove`. See below for format.
-
- }
-
-The configuration file can be manually/programatically managed outside of dsnet
-if desired; `dsnet sync` will update wireguard.
-
-Peer configuration, `Peers: []` in `dsnetconfig.json`:
-
- {
- "Hostname": "test",
-
-The hostname given via `dsnet add `. It is used to identify the peer
-in the report and for peer removal via `dsnet remove `. It can also
-be used to update a DNS zone via a custom script that operates on the report
-file as mentioned above.
-
- "Owner": "naggie",
-
-The owner of the peer, copied to the report file.
-
- "Description": "Home server",
-
-A description of the peer, copied to the report file; the lack of which in
-`wq-quick` is what inspired me to write dsnet in the first place.
-
-
- "IP": "10.164.236.2",
-
-The private VPN IP allocated by dsnet for this peer. It is the lowest available
-IP in the pool from `Network`, above.
-
- "Added": "2020-05-07T10:04:46.336286992+01:00",
-
-The timestamp of when the peer was added by dsnet.
-
- "Networks": [],
-
-Any other CIDR networks that can be routed through this peer.
-
- "PublicKey": "altJeQ/V52JZQrGcA9RiKcpZusYU6zMUJhl7Wbd9rX0=",
-
-The public key derived from the private key generated by dsnet when the peer
-was added.
-
- "PresharedKey": "GcUtlze0BMuxo3iVEjpOahKdTf8xVfF8hDW3Ylw5az0="
-
-The pre-shared key for this peer. The peer has the same key defined as the
-pre-shared key for the server peer. This is optional in wireguard but not for
-dsnet due to the extra (post quantum!) security it provides.
-
-
- }
 # Report file overview