Hi,

Right now, the only method for configuring peers is "push-based",
i.e. using `wg` to push the public key and AllowedIPs for each peer to the
running wireguard instance.

I'm toying with the idea of a pull-based model, for instance storing peer
configuration in a Radius or SQL database.  But it seems like an
incredibly bad idea to integrate a Radius or SQL library inside the
kernel.

What about having a userspace daemon that wireguard can query from
kernelspace when a new peer connects?  Wireguard would basically ask "Is
this public key allowed to connect, and what are its AllowedIPs?".  The
daemon would then use whatever method it wants (flat file, SQL/Radius
database, LDAP…) to determine whether the peer is allowed and its
configuration.

I guess it looks a bit like the IKE daemon in IPsec (though not exactly,
since wireguard handles rekeying itself), which I'm not sure is a good
sign :)

Baptiste


_______________________________________________
WireGuard mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/wireguard

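An added example, not code from the original message or from WireGuard itself: WireGuard has no kernel-to-userspace query hook of the kind proposed above, so this sketches only the userspace side of the idea. Given a public key, it answers "is this key allowed, and what are its AllowedIPs?" against a SQLite table (standing in for the SQL/Radius/LDAP backend), fails closed on malformed keys, unknown peers and bad rows, and turns an allowed answer into the `wg set ... peer ... allowed-ips ...` invocation that the existing push-based model uses. The table schema, the `demo_key` helper and the sample peers are constructed for the example.

```python
"""Userspace side of a pull-based WireGuard peer lookup (illustrative only)."""
import base64
import binascii
import ipaddress
import sqlite3
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KEY_LEN = 32  # Curve25519 public key length in bytes


@dataclass
class Decision:
    public_key: str
    allowed: bool
    allowed_ips: List[str] = field(default_factory=list)
    reason: str = ""


def is_valid_public_key(key: str) -> bool:
    """A WireGuard public key is 32 bytes, base64-encoded as 44 characters."""
    if len(key) != 44:
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == KEY_LEN


def normalize_allowed_ips(text: str) -> List[str]:
    """Parse a comma-separated AllowedIPs string into canonical CIDR strings.

    Raises ValueError on any malformed entry, including entries with host bits
    set (e.g. 10.0.0.2/24), so that a bad row is rejected instead of being
    handed to `wg` as-is.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(str(ipaddress.ip_network(item, strict=True)))
    if not nets:
        raise ValueError("empty AllowedIPs")
    return nets


class PeerStore:
    """Peer table in SQLite; schema constructed for this example."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE peers (public_key TEXT PRIMARY KEY, "
            "allowed_ips TEXT NOT NULL, enabled INTEGER NOT NULL)"
        )

    def add_peer(self, public_key: str, allowed_ips: str, enabled: bool = True) -> None:
        if not is_valid_public_key(public_key):
            raise ValueError("refusing to store a malformed public key")
        normalize_allowed_ips(allowed_ips)  # validate at write time as well
        self.db.execute("INSERT INTO peers VALUES (?, ?, ?)",
                        (public_key, allowed_ips, int(enabled)))

    def lookup(self, public_key: str) -> Optional[Tuple[str, int]]:
        # The key arrives from the wire: bind it as a parameter, never format it into SQL.
        return self.db.execute(
            "SELECT allowed_ips, enabled FROM peers WHERE public_key = ?",
            (public_key,)).fetchone()


def authorize_peer(store: PeerStore, public_key: str) -> Decision:
    """Answer the proposed query: is this key allowed, and what are its AllowedIPs?"""
    if not is_valid_public_key(public_key):
        return Decision(public_key, False, reason="malformed public key")
    row = store.lookup(public_key)
    if row is None:
        return Decision(public_key, False, reason="unknown peer")
    allowed_ips_text, enabled = row
    if not enabled:
        return Decision(public_key, False, reason="peer disabled")
    try:
        nets = normalize_allowed_ips(allowed_ips_text)
    except ValueError as exc:
        # Fail closed: a corrupt row must not become a wide-open route.
        return Decision(public_key, False, reason=f"bad AllowedIPs in store: {exc}")
    return Decision(public_key, True, nets, reason="ok")


def wg_set_argv(iface: str, decision: Decision) -> List[str]:
    """Build the push-side `wg set` command that applies an allowed decision."""
    if not decision.allowed:
        raise ValueError("cannot build wg set for a denied peer")
    return ["wg", "set", iface, "peer", decision.public_key,
            "allowed-ips", ",".join(decision.allowed_ips)]


def demo_key(seed: int) -> str:
    """Constructed, non-random 32-byte key for the example (not a real peer)."""
    return base64.b64encode(bytes([seed]) * KEY_LEN).decode()


if __name__ == "__main__":
    store = PeerStore()
    store.add_peer(demo_key(1), "10.0.0.2/32, fd00::2/128")
    store.add_peer(demo_key(2), "10.0.0.3/32", enabled=False)
    for key in (demo_key(1), demo_key(2), demo_key(3), "not-a-key"):
        d = authorize_peer(store, key)
        print(d.reason, " ".join(wg_set_argv("wg0", d)) if d.allowed else "")
```

The daemon answers only for keys that already exist in the store, so an unknown initiator gets nothing pushed to the interface; the only state the kernel ever receives is what a parameterized lookup plus a CIDR parse let through.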