so, today i finally got the wireguard mesh going with 3 remote endpoints and my pc as a 4th node in the graph, making a 6 path complete graph.

turns out to be more difficult to figure out how to actually use the mesh to hide my IP than to make the mesh. the wireguard install script i have been using doesn't account for mesh setups. the tricky part has to do with routing, since with multiple exits, which do you pick? so by default it picks your lan's default gateway, i.e., no proxying. but all the links to the remotes are redundant: if any one of them fails or gets disconnected, the others remain available.

so what i'm doing is setting them all up with, to start with, developing this idea of a reliable inbound route, installing the reverse proxy i have on the first one, onto the other two, and then i need to figure out how to set up the DNS so it directs to any of the three endpoints, so they all will then serve as redundant reverse proxies, all of them pointing back to my test relay, specifically. as part of the process of developing this idea for a reliable relay routing service to allow people to set up a link to the three nodes in the remote mesh with the reverse proxy, so that any one of them can forward a connection back to their relay. so, port 3334 since that seems to be the default.

so, automating this configuration, it has to make two changes, one, to add a new pubkey and new ip address for the new client, and also add an entry in the reverse proxy with a new subdomain that points to that new ip address.

probably the simplest way to do this is to create, to start with, a REST API endpoint in the reverse proxy, that allows reconfiguration. it will use nip-98 auth, and a simple administrator address list in the environment variables, and there will be get and set configuration methods. i already have an adequate tool to work with this, it can do simple upload/download operations (already is used for import/export).

the difference would be you would just set your valid nsec in your environment, call the reverse proxy API get endpoint, and write that to your config cache. then, you can edit it, and then with the same tool upload the new version, et voila

then, the process of adding/removing wireguard peer entries... probably should roll it into one, so you update the config, and it rewrites the proxy mapping and adds/removes entries from the wireguard configuration, and then triggers them to reload. since i have to make the wireguard service restart anyway, and it's barely any downtime, might as well just do both this way, so i just need to figure out how to control the permissions to allow this...

and then ugh the automation and the interface.
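The two-part config change the post describes (a new WireGuard peer plus a matching reverse-proxy subdomain), as an added example that is not the author's code or the install script mentioned above. It assumes a 10.8.0.0/24 mesh subnet, a JSON-style list of peers with name/pubkey/ip/subdomain fields, and an ADMIN_PUBKEYS environment variable for the administrator allow-list; NIP-98 signature verification itself is out of scope here, only the allow-list check that would follow it is shown. The peer keys are constructed placeholders.

```python
"""Added example: validate a mesh peer config before applying it, then render
the WireGuard [Peer] list and the reverse-proxy subdomain map from one source.
Subnet, field names and the ADMIN_PUBKEYS variable are assumptions."""
import base64
import ipaddress
import os
import re

MESH_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed mesh subnet
RELAY_PORT = 3334                                # relay port named in the post
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def fake_key(seed: int) -> str:
    """Constructed 32-byte placeholder in WireGuard's base64 key format (not a real key)."""
    return base64.b64encode(bytes([seed]) * 32).decode()


def valid_wg_key(key: str) -> bool:
    """A WireGuard public key is 32 bytes, base64 encoded (44 characters)."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def validate_peers(peers: list) -> list:
    """Return a list of problems; an empty list means the config is safe to apply.
    Rejects malformed keys, addresses outside the mesh, and any duplicate
    key/address/subdomain, since a duplicate would silently hijack another peer."""
    errors, seen_keys, seen_ips, seen_subs = [], set(), set(), set()
    for p in peers:
        name = p.get("name", "?")
        key, ip, sub = p.get("pubkey", ""), p.get("ip", ""), p.get("subdomain", "")
        if not valid_wg_key(key):
            errors.append(f"{name}: malformed WireGuard public key")
        elif key in seen_keys:
            errors.append(f"{name}: duplicate public key")
        seen_keys.add(key)
        try:
            addr = ipaddress.ip_address(ip)
            if addr not in MESH_NET or addr in (MESH_NET.network_address, MESH_NET.broadcast_address):
                errors.append(f"{name}: {ip} is not a usable host address in {MESH_NET}")
            elif ip in seen_ips:
                errors.append(f"{name}: duplicate address {ip}")
            seen_ips.add(ip)
        except ValueError:
            errors.append(f"{name}: invalid IP {ip!r}")
        if not SUBDOMAIN_RE.match(sub):
            errors.append(f"{name}: invalid subdomain {sub!r}")
        elif sub in seen_subs:
            errors.append(f"{name}: duplicate subdomain {sub!r}")
        seen_subs.add(sub)
    return errors


def render_wireguard_peers(peers: list) -> str:
    """One [Peer] block per client; AllowedIPs is pinned to the single /32 so a
    peer cannot claim traffic for any other mesh address."""
    blocks = [f"[Peer]\n# {p['name']}\nPublicKey = {p['pubkey']}\nAllowedIPs = {p['ip']}/32\n"
              for p in peers]
    return "\n".join(blocks)


def render_proxy_map(peers: list, domain: str, port: int = RELAY_PORT) -> dict:
    """Subdomain -> mesh address:port mapping for the reverse proxy."""
    return {f"{p['subdomain']}.{domain}": f"{p['ip']}:{port}" for p in peers}


def diff_peers(current: list, new: list) -> dict:
    """Which peers to add/remove (keyed by public key) so only changed entries
    need touching before the WireGuard reload."""
    cur = {p["pubkey"]: p["name"] for p in current}
    nxt = {p["pubkey"]: p["name"] for p in new}
    return {"add": [nxt[k] for k in nxt if k not in cur],
            "remove": [cur[k] for k in cur if k not in nxt]}


def is_admin(pubkey_hex: str, env=None) -> bool:
    """Allow-list check applied after NIP-98 verification: the event's signer
    must be in the comma-separated ADMIN_PUBKEYS variable (assumed name)."""
    env = os.environ if env is None else env
    admins = {k.strip().lower() for k in env.get("ADMIN_PUBKEYS", "").split(",") if k.strip()}
    return pubkey_hex.strip().lower() in admins


# Constructed sample config, not real peers or keys.
SAMPLE_PEERS = [
    {"name": "alice", "pubkey": fake_key(1), "ip": "10.8.0.10", "subdomain": "alice"},
    {"name": "bob", "pubkey": fake_key(2), "ip": "10.8.0.11", "subdomain": "bob"},
]

if __name__ == "__main__":
    assert validate_peers(SAMPLE_PEERS) == []
    print(render_wireguard_peers(SAMPLE_PEERS))
    print(render_proxy_map(SAMPLE_PEERS, "example.com"))
```

The validation step is the part worth keeping even if the rest is replaced: an API that accepts arbitrary peer entries and rewrites WireGuard and proxy config is only as safe as the checks on what it accepts, so duplicates and out-of-subnet addresses are refused before anything is written or reloaded.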

Keep going, this is great! 👍🏻👏
