
[Feature Request]: Native WireGuard VPN Support for Remote Access

Open mauro-midolo opened this issue 7 months ago • 5 comments

Platform

ESP32

Description

I would like to propose the addition of native WireGuard VPN client support within the Meshtastic firmware.

Use Case

The primary goal is to enable secure remote access to Meshtastic devices over the internet. By integrating WireGuard, users could establish encrypted tunnels directly to their devices, facilitating:

  • Remote configuration and management without relying on intermediary gateways.

  • Secure data transmission over public networks.

  • Enhanced privacy and security for deployments in sensitive environments.

Current Workaround

At present, achieving remote access requires setting up an external gateway (e.g., a Raspberry Pi) that connects to the Meshtastic device via USB or Bluetooth and handles the VPN connection. While functional, this setup adds complexity and potential points of failure.

Benefits

  • Simplified remote management of Meshtastic nodes.

  • Reduced reliance on additional hardware.

  • Improved security posture for deployments.

mauro-midolo Apr 23 '25 13:04

Ciao, and thanks for the idea.

It looks like the WireGuard kernel module is about 35 kB and the userspace tools are another 27 kB. By Meshtastic firmware standards, that's a non-trivial amount of space, so this would require careful consideration.

fifieldt Apr 24 '25 02:04

I plan to test a rough implementation of this using the "XIAO ESP32S3 & Wio-SX1262 Kit for Meshtastic & LoRa", as I have several lying around and the platform should have more than enough space to handle this.

I do believe that having this as an option on hardware that can support the additional overhead would be a great benefit for the reasons OP mentions above. However, I do also agree that including this in the base implementation could be too bulky.

We have already run across the need for similar functionality between several of our disparate mesh networks and have successfully implemented WireGuard on other ESP-based projects that have higher overhead on the device.

I will hopefully have some testing done over the next few days and will update with any findings.

TheWISPRer May 09 '25 17:05

I have a rough implementation working; it runs quite smoothly on my test hardware. It still uses static values for the WireGuard client config (set in the WireConfig.h file), so I need to finish getting it fully integrated, but there is a fork available on my GitHub with a branch that contains the current working version.

TheWISPRer Jun 04 '25 19:06

@TheWISPRer, looks like it will integrate fairly cleanly, nicely done!

fifieldt Jun 08 '25 09:06

@fifieldt Thank you! Noticing that it may need some work on keep-alive/reconnect on failure in some specific circumstances. I have two different versions of the code running on the test bench with one running some hopeful fixes. I plan to try and get some level of a "production ready" version finished over the next few weeks.

If it is of interest, I'll submit a pull request with my work when it is stable and has some basic integration. That being said, I am interested in knowing what a minimum viable version that would be of interest would entail. So far, the goals are to provide the option to enable base WireGuard client functionality on firmware compile (similar to enabling the web interface), ensure stability, and ensure it is ready for others to easily integrate the configuration into the client-side UI.

TheWISPRer Jun 09 '25 04:06
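As an added illustration of the keep-alive/reconnect problem raised in the comment above (this is not code from TheWISPRer's fork or from the Meshtastic firmware), here is a timer policy a WireGuard client on a constrained device can drive from a periodic tick. The timer constants are the WireGuard protocol's own; the struct, the function names and the three-attempt reconnect limit are hypothetical.

```c
#include <stdint.h>
/* Timer constants from the WireGuard protocol specification (seconds). */
#define WG_REKEY_AFTER_TIME     120  /* the initiator starts a fresh handshake after this */
#define WG_REJECT_AFTER_TIME    180  /* a session older than this must not be used */
#define WG_KEEPALIVE_TIMEOUT     10  /* a packet we sent should be answered within this */
#define WG_REKEY_TIMEOUT          5  /* retry an unanswered handshake after this */
#define WG_PERSISTENT_KEEPALIVE  25  /* usual client setting to hold a NAT mapping open */
#define WG_MAX_HANDSHAKE_TRIES    3  /* hypothetical policy: then tear down and reconnect */
typedef enum { WG_NONE, WG_SEND_KEEPALIVE, WG_SEND_HANDSHAKE, WG_RECONNECT } wg_action_t;
typedef struct {
    uint32_t last_handshake;  /* when the current session was established, 0 = none */
    uint32_t last_sent;       /* last data or keepalive we transmitted */
    uint32_t last_received;   /* last authenticated packet from the peer */
    uint32_t handshake_sent;  /* pending initiation time, 0 = none pending */
    uint8_t  handshake_tries; /* consecutive unanswered initiations */
} wg_peer_t;
/* Decide what the client should do at `now` (monotonic seconds, >= every stored time). */
wg_action_t wg_next_action(const wg_peer_t *p, uint32_t now) {
    if (p->handshake_tries >= WG_MAX_HANDSHAKE_TRIES)
        return WG_RECONNECT;                   /* peer unreachable: rebuild the transport */
    if (p->handshake_sent != 0)                /* initiation outstanding: retry or wait */
        return (now - p->handshake_sent >= WG_REKEY_TIMEOUT) ? WG_SEND_HANDSHAKE : WG_NONE;
    if (p->last_handshake == 0 || now - p->last_handshake >= WG_REJECT_AFTER_TIME)
        return WG_SEND_HANDSHAKE;              /* no usable session */
    if (p->last_sent > p->last_received &&
        now - p->last_sent >= WG_KEEPALIVE_TIMEOUT + WG_REKEY_TIMEOUT)
        return WG_SEND_HANDSHAKE;              /* we sent data and the peer stayed silent */
    if (now - p->last_handshake >= WG_REKEY_AFTER_TIME)
        return WG_SEND_HANDSHAKE;              /* proactive rekey before the keys expire */
    if (now - p->last_sent >= WG_PERSISTENT_KEEPALIVE)
        return WG_SEND_KEEPALIVE;              /* idle link: keep the NAT mapping alive */
    return WG_NONE;
}
void wg_apply(wg_peer_t *p, wg_action_t a, uint32_t now) { /* record the action taken */
    if (a == WG_SEND_HANDSHAKE) { p->handshake_sent = now; p->handshake_tries++; }
    else if (a == WG_SEND_KEEPALIVE) p->last_sent = now;
    else if (a == WG_RECONNECT) *p = (wg_peer_t){0};
}
/* On an authenticated handshake response: fresh session, clear the retry state. */
void wg_on_handshake_done(wg_peer_t *p, uint32_t now) {
    p->last_handshake = p->last_received = p->last_sent = now;
    p->handshake_sent = 0; p->handshake_tries = 0;
}
/* Run `rounds` ticks of `step` seconds against a peer that never answers; return the last action. */
wg_action_t wg_simulate_silent_peer(uint32_t start, uint32_t step, int rounds) {
    wg_peer_t p = {0}; wg_action_t a = WG_NONE;
    for (int i = 0; i < rounds; i++) {
        uint32_t t = start + (uint32_t)i * step; a = wg_next_action(&p, t); wg_apply(&p, a, t);
    }
    return a;
}
```

Each tick the firmware calls wg_next_action, performs the returned action, then wg_apply; a silent peer escalates from handshake retries every 5 s to a full reconnect after three unanswered attempts instead of leaving a dead tunnel in place.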

Any chances for this to ever be merged into main repo, even if disabled by default and requiring custom build?

lkosson Sep 17 '25 05:09

For those following along, branch is here: https://github.com/meshtastic/firmware/compare/develop...TheWISPRer:Meshtastic:Wireguard

fifieldt Oct 16 '25 23:10