
3-1: Wireguard-Powered Tools

It’s time to graduate from our isolated Podman environments and start building something in the real world. If all goes according to plan, what we build can be the beginning of your new Wireguard-powered private network. Therefore, we want to make it as easy as possible to manage this network. While you can manage keys and configurations manually, you don’t have to. Wireguard forms the foundation of several well-built, well-maintained open source networking solutions which have both paid/managed and self-hosted options.

We’re going to use Netbird for our build, but it’s worth reviewing some of the big names in Wireguard tools, so you know what the options are.

Why Managed Tools?

Think back to the manual drudgery of key generation in the early labs. While we scripted away this complexity for later labs to focus on new concepts, you may not have that luxury in the real world. Wireguard has some creature comforts, like letting the mobile apps import a configuration by scanning a QR code, but there is still a tremendous amount of manual effort: every peer needs a key pair, an address, and a matching [Peer] entry on every other peer it talks to.

Take the Lighthouse server. Our small network required the addition of just a few public keys. Imagine a network of a dozen Peers—or more. Some automation makes this a much saner process.

Managed tools also come with some very handy networking tricks that only a dynamic service that's changing configuration and routing in real time can pull off. For example, most managed Wireguard-based tools use a management server for setup, but after setup, most traffic between Peers is direct, or peer-to-peer. You might think that's impossible for two Peers behind NATed firewalls, but these tools use the coordination server to help both sides hole-punch through their NATs, and fall back to relaying traffic through a server only when hole punching fails.

Another benefit: automatic DNS. Without any additional work, most of these tools resolve Peer hostnames. You can still maintain custom DNS servers if you like, or you can use those hostnames directly.

Ending on the biggie, access control. Raw Wireguard has only AllowedIPs as a tool for managing access to network resources: a per-peer list of address prefixes that decides which peer an outbound packet is sent to and which source addresses are accepted from that peer. It knows nothing about users, groups, or ports. As your network grows more complex, you may find yourself wishing for more options. Identity-based, Peer-based, or group-based access control policies make mesh networking much more convenient at scale.
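To make the AllowedIPs limitation concrete, here is a small model of Wireguard's cryptokey routing table, written for this chapter as an added example (it is not code from the course, from Wireguard, or from Netbird). The peer names, placeholder public keys, and addresses are made up. It shows the two jobs AllowedIPs does at once, outbound routing by longest prefix match and inbound source filtering, and how a prefix claimed by a second peer is silently taken away from the first, which is the sort of bookkeeping a managed control plane does for you.

```python
"""Model of Wireguard's AllowedIPs (cryptokey routing) for one interface.

Added example for this chapter; peers, keys and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peer:
    name: str
    public_key: str            # illustrative placeholder, not a real key
    allowed_ips: list = field(default_factory=list)  # CIDR strings in, networks out

    def __post_init__(self) -> None:
        self.allowed_ips = [ipaddress.ip_network(n) for n in self.allowed_ips]


class CryptokeyTable:
    """AllowedIPs for one interface: a prefix -> peer map plus a peer registry."""

    def __init__(self) -> None:
        self._prefix_owner: dict = {}   # ip_network -> Peer
        self.peers: dict = {}           # name -> Peer

    def add_peer(self, peer: Peer) -> None:
        self.peers[peer.name] = peer
        for net in peer.allowed_ips:
            # A prefix belongs to at most one peer. Wireguard moves an
            # already-claimed prefix to the most recently configured peer;
            # the same happens here. Nothing warns you, which is exactly the
            # kind of overwrite a managed control plane refuses or flags.
            previous = self._prefix_owner.get(net)
            if previous is not None and previous is not peer:
                previous.allowed_ips.remove(net)
            self._prefix_owner[net] = peer

    def route_out(self, dst: str) -> Optional[Peer]:
        """Outbound: the peer owning the longest matching prefix gets the packet."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self._prefix_owner.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_in(self, peer_name: str, src: str) -> bool:
        """Inbound: a decrypted packet from this peer is accepted only if its
        source address lies inside that peer's AllowedIPs; otherwise dropped."""
        peer = self.peers.get(peer_name)
        if peer is None:
            return False
        addr = ipaddress.ip_address(src)
        return any(addr.version == net.version and addr in net
                   for net in peer.allowed_ips)


def build_lighthouse() -> CryptokeyTable:
    """Constructed hub table: two single-address spokes and a LAN gateway."""
    table = CryptokeyTable()
    table.add_peer(Peer("laptop", "LAPTOP_PUBKEY", ["10.0.0.2/32"]))
    table.add_peer(Peer("phone", "PHONE_PUBKEY", ["10.0.0.3/32"]))
    table.add_peer(Peer("gateway", "GATEWAY_PUBKEY",
                        ["10.0.0.4/32", "192.168.1.0/24"]))
    return table


if __name__ == "__main__":
    t = build_lighthouse()
    print("192.168.1.10 is sent to:", t.route_out("192.168.1.10").name)
    print("phone spoofing 10.0.0.2 accepted:", t.accept_in("phone", "10.0.0.2"))
    # Re-add the phone's address under a new peer and watch it change hands.
    t.add_peer(Peer("phone-new", "PHONE2_PUBKEY", ["10.0.0.3/32"]))
    print("10.0.0.3 now belongs to:", t.route_out("10.0.0.3").name)
```

Notice what is missing from the model: there is no way to say "the laptop may reach the gateway's LAN but the phone may not" without also changing addresses, and no notion of who is using the laptop. That gap is what the group and identity policies of the managed tools fill.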

Imagine running a small remote business. You could set up central assets in one location, accessed behind a traditional firewall and VPN. Or you could use an “edgeless” Wireguard-based mesh network, placing assets where it makes sense to place them, and governing access via groups or identity. I dunno about you, but I find the latter much more appealing, especially in the age of ever-increasing 0-days against edge devices.

Some Options

We’re going to use Netbird for our buildout. It’s a comprehensive network manager built on Wireguard. I like Netbird for its ergonomics and licensing model. But there are other tools you might want to explore.

Tailscale

Tailscale is by far the most popular Wireguard-based networking platform, and for good reason: excellent free-tier support, even better paid options for businesses. There’s a lot to like about Tailscale, and I’ve used it in the past. Why not for this course, then?

I wanted to give you a fully self-hostable solution. Headscale is an open source reimplementation of Tailscale's coordination server, but it covers only part of Tailscale's feature set and is harder to manage. Plus, it still depends on Tailscale's own client, and while the core client is open source, the macOS, iOS and Windows GUI apps are not. Netbird's entire stack is open source.

Netmaker

Netmaker is another open-source-with-enterprise-options offering. It is, in my opinion, the most complex of the popular Wireguard products, although its Kubernetes deployment options may be appealing for some organizations. Have a look! It may be preferable to Netbird for your needs. I’m confident that the skills we practice with Netbird will translate across.

Alright, let’s go build a network.

Check For Understanding

  • What are the advantages of using tools built on Wireguard rather than just Wireguard? What are some potential drawbacks?