Skip to content

Wireguard only peers #2892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
iridated wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Wireguard only peers #2892

iridated wants to merge 15 commits into from

Conversation

@iridated
Copy link

@iridated iridated commented Nov 14, 2025
edited
Loading

Implements #1545 as discussed in that feature

Checklist

  • have read the CONTRIBUTING.md file
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md

@iridated
Mullvad wireguard-only node proof of concept
252201b 
Starting work towards issue juanfont#1545
@iridated
WireGuard-only peers: initial implementation
aac25bf 
Mostly written by Claude, with review and corrections by me
@iridated
Generate protobuf files
179e323
@iridated
List wireguard-only nodes in separate table
842b71e
@iridated
Maybe wg-only nodes report Online=true
29044f6
@iridated
Add fake HostInfo to prevent Android app crash
ce47372
@iridated
Combine extra wg-only peer configuration into a single JSON parameter
5634d55
@iridated
Regenerate protobuf files
6590a87
@iridated
Store WireGuard-only peers in NodeStore
92a1ea8
@iridated
Make types.WireGuardOnlyPeer more strongly typed
20286fd
@iridated
Separate the concepts of wg-only peers, and their connections to tail…
556f35c 
…net nodes

This allows us to properly utilize the idea of multiple KnownNodeIDs for
a single WireGuard node. Limitations in the previous types required all
of them to share a single masquerade address which isn't realistic.

A single WireGuard-only node has some properties which are essential to
this peer (e.g. public key, endpoints), and some properties which vary
depending on which tailnet node wants to connect to it (e.g. masquerade
address). This commit adjusts the whole wg-only peer feature to deal
with this logical separation.
@iridated
Generate protobuf files
db93454
@iridated
Incorporate changes from main branch
54c37d6
@iridated
Add connection details to headscale nodes list
24e6079
@iridated
Add more wg-only peer details to node_store.DebugString
cd0eec3
@kradalby
Copy link
Collaborator

kradalby commented Nov 18, 2025

Hello, thanks, just to manage expectations, I'm gonna have to look at this every ones in a while, because it is very overwhelming, and I will still prioritise the current roadmap and the work I have to do.

At a first glance, it does look promising, but I am very concerned about the maintenance burden over time. That said I am positive to ultimately getting it in.

@Cerothen

This comment was marked as spam.

Sign in to view
@kradalby
Copy link
Collaborator

kradalby commented Dec 17, 2025

Just checking back in as this PR is in my mind, I am just not sure what to do or how we should tackle it yet.

In addition to maintenance, my genuine main concern with this PR is that I suspect most users do not understand what "WireGuard peers" will mean, even if both I and @iridated have written up what it actually allows.
I am concerned about the support burden of people misunderstanding and posting issues or taking up space on Slack.

That said, I am still fairly committed to eventually get it in, but we need to split it up and do it bit by bit, and we need to find a way to ensure we can support it over time.

I think it is unrealistic to get it in before 0.31.0, which means we aim to redo the API/gRPC before hand making a lot of the 6000 lines in this PR obsolete.

I think a meaningful first step would be to factor out all of the WireGuard server-side code into a new PR that is rebased on top of the current main, so we can start to review and test the data structures. I appreciate that not having the CLI/API makes it harder to test, but for now, lets try to just get the amount of code into a size that is reviewable, and make the automated tests run by keeping it rebased on top of main.

Speaking of keeping it on top of main. As I expect this effort to take some time, a reasonable measure for maintainability is going to be to keep it up to date on top of main, which will also measure community commitment. If we do not manage this, the effort will likely go stale and I suspect it will sit there until I eventually have time or want to prioritise it. Currently it is not going to make any roadmap for a long time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ohdearaugustin ohdearaugustin Awaiting requested review from ohdearaugustin ohdearaugustin is a code owner

@nblock nblock Awaiting requested review from nblock nblock is a code owner

@juanfont juanfont Awaiting requested review from juanfont juanfont is a code owner

@kradalby kradalby Awaiting requested review from kradalby kradalby is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iridated @kradalby @Cerothen