
Best practice for using on working configuration?

Open pompushko opened this issue 1 year ago • 4 comments

Hello

I have a big wg0.conf file with 30+ peers.

Is there any good way to use WireRest with the current configuration and not break anything? Also, I don't use a pre-shared key. How do I disable it via a flag or variable? Is there any variable to listen only on a specific IP?

Thank you.

pompushko avatar Jun 05 '24 13:06 pompushko

Hi! WireRest has been tested on configurations with over 10,000 peers, 30 is a breeze :)

There is no flag to disable PSK generation, but you can simply send an empty value as in the example below. The PSK will not be generated.

{
  "publicKey": "PUBKEY",
  "presharedKey": "",
  "privateKey": "PRIVATE_KEY",
  // other data
}

WireRest does not have the feature of listening to a specific IP address. You can instead specify a subnet by passing --server.address=192.168.1.100 in the run arguments. Replace 192.168.1.100 with the IP address available on your server. Alternatively, you can configure some kind of firewall (such as UFW) to configure access rules.

FokiDoki avatar Jun 05 '24 17:06 FokiDoki

Well. Yes. I tried playing with it and yes, I have to send only this to auto-generate peer data.

{
  "presharedKey": ""
}

But this is super weird :D Why not just make a GET request and that's all, without any data except the token?

Thank you for server IP setting :)

pompushko avatar Jun 06 '24 10:06 pompushko

Okay. Here are my 2 cents about backing up after any changes in wg0.conf:

pupa@vpn-1:~$ cat /etc/systemd/system/wireguard-backup.path
[Unit]
Description=Watch for changes in config of WireGuard VPN

[Path]
Unit=wireguard-backup.service
PathChanged=/etc/wireguard/wg0.conf

[Install]
WantedBy=multi-user.target

Use any cloud or storage for backups. I use GCP.

pupa@vpn-1:~$ cat /etc/systemd/system/wireguard-backup.service
[Unit]
Description=Upload backup for config file of WireGuard VPN
After=network.target

[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep 10
ExecStart=/usr/bin/bash -c "/usr/bin/gcloud storage cp /etc/wireguard/wg0.conf gs://my-vpn/$(date +"%%Y%%m%%d%%H%%M%%S")_wg0.conf"

[Install]
WantedBy=multi-user.target

sudo systemctl enable wireguard-backup.{path,service}
sudo systemctl start wireguard-backup.{path,service}

pompushko avatar Jun 10 '24 17:06 pompushko

Another thing, for scaling (I use GCP):

pupa@vpn-2:~$ cat /etc/systemd/system/wireguard-sync.timer 
[Unit]
Description=Timer for WireGuard peers synchronization
Requires=wireguard-sync.service

[Timer]
OnCalendar=*:0/5
OnBootSec=2min
Persistent=true
RandomizedDelaySec=30

[Install]
WantedBy=timers.target

pupa@vpn-2:~$ cat /etc/systemd/system/wireguard-sync.service
[Unit]
Description=Synchronize WireGuard peers from GCP Storage
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
User=root
ExecStart=/usr/local/bin/sync-wireguard-peers.sh
StandardOutput=journal
StandardError=journal
TimeoutStartSec=120

[Install]
WantedBy=multi-user.target

pupa@vpn-2:~$ cat /usr/local/bin/sync-wireguard-peers.sh
#!/bin/bash
# Pull the newest wg0.conf backup from the bucket, keep this host's own
# [Interface] section (its private key, address and port) and take the
# [Peer] sections from the downloaded file.

LOCAL_WG_CONFIG="/etc/wireguard/wg0.conf"
GCS_BUCKET="gs://my-vpn/"
LAST_FILE_MARKER="/var/lib/wireguard/last_synced_file"

# The scratch files contain private keys: keep them root-only (umask 077),
# inside a private directory, and remove them on every exit path.
umask 077
WORK_DIR="$(mktemp -d /tmp/wg0_sync.XXXXXX)"
trap 'rm -rf "$WORK_DIR"' EXIT
TEMP_CONFIG="$WORK_DIR/wg0_new.conf"
TEMP_INTERFACE="$WORK_DIR/wg0_interface.conf"
TEMP_PEERS="$WORK_DIR/wg0_peers.conf"
TEMP_MERGED="$WORK_DIR/wg0_merged.conf"

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1" | tee -a /var/log/wireguard-sync.log
}

mkdir -p "$(dirname "$LAST_FILE_MARKER")"

log "Starting WireGuard configuration synchronization"

# Backups are named <timestamp>_wg0.conf, so a reverse sort puts the newest first.
LATEST_FILE=$(gcloud storage ls "$GCS_BUCKET" | grep "_wg0.conf$" | sort -r | head -n1)

if [[ -z "$LATEST_FILE" ]]; then
    log "ERROR: No configuration files found in GCS bucket"
    exit 1
fi

LATEST_FILENAME=$(basename "$LATEST_FILE")

if [[ -f "$LAST_FILE_MARKER" ]] && [[ "$(cat "$LAST_FILE_MARKER")" == "$LATEST_FILENAME" ]]; then
    log "File $LATEST_FILENAME already processed, synchronization not required"
    exit 0
fi

log "Found new file: $LATEST_FILENAME"

if ! gcloud storage cp "$LATEST_FILE" "$TEMP_CONFIG"; then
    log "ERROR: Failed to download file $LATEST_FILE"
    exit 1
fi

if [[ ! -f "$LOCAL_WG_CONFIG" ]]; then
    log "ERROR: Local config $LOCAL_WG_CONFIG not found"
    exit 1
fi

# Local file: everything from [Interface] up to the first [Peer].
awk '/^\[Interface\]/{flag=1} /^\[Peer\]/{flag=0} flag' "$LOCAL_WG_CONFIG" > "$TEMP_INTERFACE"

# Downloaded file: everything from the first [Peer] onwards.
awk '/^\[Peer\]/{flag=1} /^\[Interface\]/ && flag{flag=0} flag' "$TEMP_CONFIG" > "$TEMP_PEERS"

INTERFACE_LINES=$(wc -l < "$TEMP_INTERFACE")
PEERS_LINES=$(wc -l < "$TEMP_PEERS")
PEER_COUNT=$(grep -c "^\[Peer\]" "$TEMP_PEERS")   # grep -c already prints 0 when nothing matches

log "Extracted $INTERFACE_LINES lines from [Interface] section"
log "Extracted $PEERS_LINES lines with $PEER_COUNT [Peer] sections"

{
    cat "$TEMP_INTERFACE"
    echo ""
    cat "$TEMP_PEERS"
} > "$TEMP_MERGED"

if ! grep -q "^\[Interface\]" "$TEMP_MERGED" || ! grep -q "^\[Peer\]" "$TEMP_MERGED"; then
    log "ERROR: Invalid merged configuration"
    exit 1
fi

# Remember the exact backup path so the rollback below restores this one file
# (a date-only glob could match several backups from the same day).
BACKUP_FILE="${LOCAL_WG_CONFIG}.backup.$(date +%Y%m%d_%H%M%S)"
cp "$LOCAL_WG_CONFIG" "$BACKUP_FILE"

# wg-quick accepts a path ending in .conf and only parses it for "strip".
if command -v wg-quick >/dev/null 2>&1; then
    if ! wg-quick strip "$TEMP_MERGED" > /dev/null 2>&1; then
        log "ERROR: Syntax error in new configuration"
        exit 1
    fi
    log "Configuration syntax validation passed"
fi

cp "$TEMP_MERGED" "$LOCAL_WG_CONFIG"

if systemctl is-active --quiet wg-quick@wg0; then
    log "Restarting WireGuard..."
    if systemctl restart wg-quick@wg0; then
        log "WireGuard successfully restarted"
    else
        log "ERROR: Failed to restart WireGuard, rolling back to $BACKUP_FILE"
        cp "$BACKUP_FILE" "$LOCAL_WG_CONFIG"
        systemctl restart wg-quick@wg0
        exit 1
    fi
else
    log "WireGuard was not running, starting..."
    systemctl start wg-quick@wg0
fi

# Only mark the file as processed once the new config is live.
echo "$LATEST_FILENAME" > "$LAST_FILE_MARKER"
log "Synchronization completed successfully. Processed file: $LATEST_FILENAME"

exit 0

Installation

sudo systemctl daemon-reload
sudo systemctl enable wireguard-sync.timer
sudo systemctl start wireguard-sync.timer
sudo systemctl status wireguard-sync.timer

pompushko avatar Aug 06 '25 16:08 pompushko
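The sync script above only runs `wg-quick strip` on the merged file, which catches syntax errors but not a config that parses fine and still breaks the VPN (no [Interface], a peer without AllowedIPs, the same public key listed twice). The checker below is an added example, my own code rather than pompushko's or the WireRest project's: `validate_wg_config` is a hypothetical helper that reads one wg0.conf-style file and exits non-zero with a reason on stderr if the file has no (or more than one) [Interface] section, a missing or malformed PrivateKey, a [Peer] lacking PublicKey or AllowedIPs, a malformed peer key, or a duplicate peer key. The sample configs it runs against are constructed inline with placeholder keys; it is meant to be dropped into the sync script right after the `wg-quick strip` step.

```shell
#!/bin/bash
# Added example (not from the thread): semantic pre-apply check for a merged
# wg0.conf. Complements `wg-quick strip`, which only validates syntax.

# validate_wg_config FILE -> returns 0 when FILE passes, 1 otherwise.
# Every problem found is reported on stderr.
validate_wg_config() {
    local cfg="$1"
    [ -r "$cfg" ] || { echo "wg-check: cannot read $cfg" >&2; return 1; }
    awk '
        # A WireGuard key is 32 bytes of base64: 43 characters plus one "=".
        function is_key(v) { return length(v) == 44 && v ~ /^[A-Za-z0-9+\/]+=$/ }
        function err(msg) { print "wg-check: " msg > "/dev/stderr"; bad++ }
        function finish_peer() {
            if (section != "Peer") return
            if (!have_pub) err("peer #" peers ": missing PublicKey")
            if (!have_aip) err("peer #" peers ": missing AllowedIPs")
        }
        /^[ \t]*$/ { next }                                  # blank line
        /^[ \t]*#/ { next }                                  # comment
        /^[ \t]*\[Interface\][ \t]*$/ { finish_peer(); section = "Interface"; ifaces++; next }
        /^[ \t]*\[Peer\][ \t]*$/      { finish_peer(); section = "Peer"; peers++; have_pub = have_aip = 0; next }
        /^[ \t]*\[/                   { err("unknown section: " $0); section = ""; next }
        {
            if (index($0, "=") == 0) { err("malformed line: " $0); next }
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "Interface" && key == "PrivateKey") {
                have_priv = 1
                if (!is_key(val)) err("Interface: malformed PrivateKey")
            } else if (section == "Peer" && key == "PublicKey") {
                have_pub = 1
                if (!is_key(val))     err("peer #" peers ": malformed PublicKey")
                else if (val in seen) err("peer #" peers ": duplicate PublicKey, already used by peer #" seen[val])
                else                  seen[val] = peers
            } else if (section == "Peer" && key == "AllowedIPs" && val != "") {
                have_aip = 1
            }
        }
        END {
            finish_peer()
            if (ifaces != 1)     err("expected exactly one [Interface] section, found " ifaces + 0)
            else if (!have_priv) err("Interface: missing PrivateKey")
            if (peers == 0)      err("no [Peer] sections")
            exit (bad ? 1 : 0)
        }
    ' "$cfg"
}

# Constructed sample configs with placeholder keys (not real key material).
# Sets WG_GOOD, WG_DUP, WG_NOAIP and WG_NOIFACE to the generated paths.
write_sample_configs() {
    umask 077                                   # the samples carry a "private key"
    WG_SAMPLE_DIR="$(mktemp -d)"
    trap 'rm -rf "$WG_SAMPLE_DIR"' EXIT
    local a10="AAAAAAAAAA"
    local k_priv="${a10}${a10}${a10}${a10}AAA="  # 44 characters, well-formed
    local k_p1="${a10}${a10}${a10}${a10}AAB="
    local k_p2="${a10}${a10}${a10}${a10}AAC="
    local iface="[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $k_priv"

    WG_GOOD="$WG_SAMPLE_DIR/good.conf"          # two distinct, complete peers
    printf '%s\n' "$iface" "" "[Peer]" "PublicKey = $k_p1" "AllowedIPs = 10.8.0.2/32" "" \
        "[Peer]" "PublicKey = $k_p2" "AllowedIPs = 10.8.0.3/32" > "$WG_GOOD"
    WG_DUP="$WG_SAMPLE_DIR/dup.conf"            # same peer key listed twice
    printf '%s\n' "$iface" "" "[Peer]" "PublicKey = $k_p1" "AllowedIPs = 10.8.0.2/32" "" \
        "[Peer]" "PublicKey = $k_p1" "AllowedIPs = 10.8.0.3/32" > "$WG_DUP"
    WG_NOAIP="$WG_SAMPLE_DIR/noaip.conf"        # peer without AllowedIPs
    printf '%s\n' "$iface" "" "[Peer]" "PublicKey = $k_p1" > "$WG_NOAIP"
    WG_NOIFACE="$WG_SAMPLE_DIR/noiface.conf"    # peers only, [Interface] lost in the merge
    printf '%s\n' "[Peer]" "PublicKey = $k_p1" "AllowedIPs = 10.8.0.2/32" > "$WG_NOIFACE"
}

write_sample_configs
for f in "$WG_GOOD" "$WG_DUP" "$WG_NOAIP" "$WG_NOIFACE"; do
    if validate_wg_config "$f"; then echo "PASS $(basename "$f")"; else echo "FAIL $(basename "$f")"; fi
done
```

In the sync script this would sit between the `wg-quick strip` check and the `cp "$TEMP_MERGED" "$LOCAL_WG_CONFIG"` line, as `validate_wg_config "$TEMP_MERGED" || { log "ERROR: merged config rejected"; exit 1; }`, so a bad merge is refused before the working config is overwritten and the interface restarted.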