I am building a Wireguard VPN network, in which I want to add and remove peers on the server without restarting the service or losing connections with existing peers. Tried searching for the results, but I found nothing that can suit my needs (all the solutions will cause a few second freeze or will require clients to redo handshake with server). Is it possible to implement this with Wireguard and if yes, how?
Asked
Active
Viewed 1.3k times
3 Answers
11
You can use wg conjointly with wg-quick. wg is a lower-level command, actually the one used by wg-quick to really do WireGuard-specific configuration on the interface (along various ip xxx commands for the base networking parts).
Its subcommand wg syncconf used conjointly with wg-quick strip is intended to update settings without disruption for current peer communication with changed settings in the configuration file as documented in wg-quick and wg's manpages:
Use strip to output a configuration file with all wg-quick(8)-specific options removed, suitable for use with wg(8).
The strip command is useful for reloading configuration files without disrupting active sessions:
# wg syncconf wgnet0 <(wg-quick strip wgnet0)
syncconf<interface> <configuration-filename>Like
setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient thansetconf, but has the benefit of not disrupting current peer sessions. The contents of must be in the format described by CONFIGURATION FILE FORMAT below.
So to repeat the example, if the configuration for interface wg0, usually used with wg-quick is in /etc/wireguard/wg0.conf (or any other Distribution-specific place) and a [Peer] section was just added (resp. removed) to this file, to make this peer available (resp. not available anymore) without disrupting communication with already configured peers, then run as root in a bash shell:
wg syncconf wg0 <(wg-quick strip wg0)
Some parts will have to be completed manually, since they are not handled by wg, as described in wg-quick's CONFIGURATION section: additional routes, iptables rules...
A.B
- 11,090
- 2
- 24
- 45
-
Thanks for the answer, but will wg-strip work with wg addconf? First I want to modify config with wg addconf newpeer.conf, then I want to syncconf and apply those changes. Is it possible? – Anton2319 May 21 '22 at 17:07
-
I did answer your question. If you have an other question, please submit an other one properly, with the correct context. – A.B May 21 '22 at 17:59
-
Very nice answer. This should be the accepted answer. – cdhowie Dec 08 '22 at 17:06
4
I'm working on a similar project, and my conclusion is that you're better off keeping all configuration inside your own database, and completely skipping wireguard config files for the peer setup. You might still want to use the wireguard config file for the [Interface] section, which my example below uses. But you could do that programmatically too, should you need to.
So, assuming we have an interface called wg0, defined in
/etc/wireguard/wg0.conf
[Interface]
ListenPort = 51820
Address = 10.100.1.1
PrivateKey = <your private key>
In the above config, there are zero peers.
Add a new peer:
wg set wg0 peer "K30I8eIxuBL3OA43Xl34x0Tc60wqyDBx4msVm8VLkAE=" allowed-ips 10.101.1.2/32
ip -4 route add 10.101.1.2/32 dev wg0
Remove a peer:
wg set wg0 peer "K30I8eIxuBL3OA43Xl34x0Tc60wqyDBx4msVm8VLkAE=" remove
ip -4 route delete 10.101.1.2/32 dev wg0
As far as I know, this will not cause downtime for other peers.
The technique I used to figure out the ip -4 route ... commands to run, is simply by using wg-quick up wg0 and taking note of the commands that it spits out.
Ben Harper
- 164
- 2
2
If wireguard is started by systemd, there is a command to ask wireguard to reload the configuration:
systemctl reload wg-quick@wg0
Should reload the configuration for the wg0 adapter without restarting the service, and without disrupting current connections.
fsr
- 21
- 2