Great question — and you're absolutely right to ask. You **don’t need** Innernet or Headscale+patch *if* you're comfortable building a small self-hosted portal that handles:

* ✅ OIDC login
* ✅ WireGuard peer key management
* ✅ Config generation and download

So let’s break it down:

---

## 🧩 Why *Innernet* and *Headscale+patch* Exist

Those tools solve **user/device coordination**, dynamic routing, and access control *automatically*, **with batteries included**. They're great if you want a more managed, “plug-and-play” experience.

Specifically:

| Tool | Purpose |
| ------------------------ | ----------------------------------------------------------------- |
| **Innernet** | Full WireGuard-based mesh + OIDC login + per-device management |
| **Headscale** | Tailscale backend, enables user login + ACL + device coordination |
| **Headscale+OIDC patch** | Add OIDC login to Headscale (by default, only pre-shared keys) |

These tools do things like:

* Assign IPs/DNS names to users
* Regenerate keys
* Handle coordination between peers
* Gate access with identity

---

## 🛠️ Why You *Don’t* Need Them (Your Custom Portal Idea)

If you're fine with:

* Managing the WireGuard server and IPs manually
* Writing a small web service to issue `.conf` files after login
* Using firewall rules for access control

Then you absolutely **can** build a custom system around **WireGuard + OIDC** like this:

---

### 🧱 Architecture: WireGuard + OIDC + Config Generator

```
┌──────────────┐
│  Your OIDC   │
│   provider   │◄────── Google, Authentik, Keycloak
└─────┬────────┘
      │ (OIDC Login)
      │
┌─────▼───────────┐
│   Web Portal    │◄────── nginx + Go, Node.js, Flask, etc.
│  (self-hosted)  │
└──┬────────────┬─┘
   │ Gen Keys   │ Serve config
   │ & register │
   │            └─────> `client.conf` / QR code
   ▼
┌──────────────────────┐
│  WireGuard server    │  (NixOS)
│  - Handles all peers │
└──────────────────────┘
```

---

### 🔐 What Your Portal Needs to Do

* Authenticate via OIDC (OAuth2 flow)
* Store a list of "authorized users"
* When a user logs in:
  * Check if they already have a WireGuard peer entry
  * If not: generate a keypair, assign an IP (e.g. `10.100.0.5`)
  * Append to the server config (`/etc/wireguard/wg0.conf`) or use `wg set`
  * Return a config file or QR code for the mobile client

---

## ✅ Benefits of This DIY Approach

* 💡 Full control: you own every step
* 🔐 OIDC is the gatekeeper (centrally managed access)
* ⚡ No extra daemon/software overhead (just WireGuard + your app)
* 🧩 Easily extensible (e.g., device limits, IP lease expiration)

---

## ⚙️ Tools You Can Use

| Purpose | Tools |
| ---------------------- | -------------------------------------------------------------------------- |
| OIDC Auth | [Dex](https://github.com/dexidp/dex), Keycloak, Authentik, or Firebase |
| Web Portal Backend | Node.js (Express), Go, Flask, FastAPI |
| Config Template Engine | Go templates, EJS, Jinja2 |
| WireGuard Integration | `wg`, `wg-quick`, or directly edit `wg0.conf` |
| NixOS Support | Use `networking.wireguard.interfaces.wg0.peers` to declaratively add peers |

---

## 🧪 Bonus Features You Could Build

* 🔐 Per-user firewall rules
* 🔁 One-time config URLs (`vpn.mydomain.com/invite/xyz`)
* 🔐 Optional Authelia/Keycloak MFA
* 📉 Dashboard with currently active peers (use `wg show`)

---

## ✨ Summary

| Option | You Need Innernet / Headscale? | Login via OIDC? | DNS Routing? | Complexity |
| ----------------- | ------------------------------ | --------------- | ------------ | ---------- |
| Your own portal | ❌ No | ✅ Yes | ❌ Manual | 🟡 Medium |
| Innernet | ✅ Yes | ✅ Yes | ✅ Built-in | 🟠 Medium |
| Headscale + patch | ✅ Yes | ✅ Yes | ✅ Built-in | 🔴 High |

You’re on a great path by choosing the custom VPN portal idea. Let me know if you'd like:

* A **sample architecture repo**
* A **NixOS module to support peer configs**
* Help building the **login + config generator backend**

I can generate a Nix flake and a working OIDC portal template to kickstart the project.
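The enrolment flow described above under "What Your Portal Needs to Do", written out as an added example in Python. It is not part of the reply above and not code from Innernet, Headscale or any other project. Everything it assumes is outside the original text: an OIDC client library has already verified the ID token's signature and supplies the decoded claims; the portal runs on the WireGuard host and applies peers with `wg set wg0 ...` (collected here as argv lists rather than executed, so the block runs offline); clients are addressed from 10.100.0.0/24 with .1 reserved for the server. The X25519 routine is included only so the block needs no extra packages; it is checked against the RFC 7748 test vectors.

```python
# Added example, not code from the reply above or from any project. Assumed, not in the
# original: the OIDC library already verified the ID token signature and hands us the
# decoded claims; peers are applied with `wg set wg0 ...`; clients live in 10.100.0.0/24.
from __future__ import annotations
import base64
import ipaddress
import os
import time
from dataclasses import dataclass

# X25519 (RFC 7748) in pure Python so this runs without extra packages. It is not
# constant-time; a real portal should use `wg genkey`/`wg pubkey` or a crypto library.
_P, _A24 = 2**255 - 19, 121665

def clamp(k: bytes) -> bytes:
    k = bytearray(k)  # same clamping `wg genkey` applies before printing a private key
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return bytes(k)

def x25519(k: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; the default u is the base point."""
    k_int = int.from_bytes(clamp(k), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def wg_keypair() -> tuple[str, str]:
    priv = clamp(os.urandom(32))  # (private, public) as the base64 strings wg(8) expects
    return base64.b64encode(priv).decode(), base64.b64encode(x25519(priv)).decode()

@dataclass
class Peer:
    sub: str                        # OIDC `sub`: stable identifier, unlike an email address
    public_key: str
    address: ipaddress.IPv4Address

class Portal:
    def __init__(self, issuer: str, client_id: str, endpoint: str,
                 server_public_key: str, subnet: str = "10.100.0.0/24") -> None:
        self.issuer, self.client_id = issuer, client_id
        self.endpoint, self.server_public_key = endpoint, server_public_key
        self.subnet = ipaddress.ip_network(subnet)
        self.server_ip = self.subnet.network_address + 1
        self.authorized: set[str] = set()        # allow-list of `sub` values
        self.peers: dict[str, Peer] = {}         # sub -> Peer (no private keys kept here)
        self.pending_cmds: list[list[str]] = []  # argv lists for subprocess.run, never shell strings

    def check_claims(self, claims: dict, now: float) -> str:
        """Reject tokens for another issuer or client, expired tokens, and unknown users."""
        if claims.get("iss") != self.issuer:
            raise PermissionError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise PermissionError("token not issued for this client")
        if float(claims.get("exp", 0)) <= now:
            raise PermissionError("token expired")
        sub = claims.get("sub")
        if not sub or sub not in self.authorized:
            raise PermissionError("user not on the allow-list")
        return sub

    def _allocate_ip(self) -> ipaddress.IPv4Address:
        used = {p.address for p in self.peers.values()} | {self.server_ip}
        for host in self.subnet.hosts():
            if host not in used:
                return host
        raise RuntimeError("address pool exhausted")

    def enroll(self, claims: dict, rotate: bool = False, now: float | None = None) -> str | None:
        """Login hook: client config on first enrolment (or rotation), None if already enrolled."""
        sub = self.check_claims(claims, time.time() if now is None else now)
        existing = self.peers.get(sub)
        if existing and not rotate:
            return None  # the private key was never stored, so there is nothing to re-issue
        priv, pub = wg_keypair()
        addr = existing.address if existing else self._allocate_ip()
        if existing:  # rotation: remove the old key so it stops working immediately
            self.pending_cmds.append(["wg", "set", "wg0", "peer", existing.public_key, "remove"])
        # allowed-ips /32: the peer may only source traffic from its own address
        self.pending_cmds.append(["wg", "set", "wg0", "peer", pub, "allowed-ips", f"{addr}/32"])
        self.peers[sub] = Peer(sub, pub, addr)
        return (f"[Interface]\nPrivateKey = {priv}\nAddress = {addr}/32\nDNS = {self.server_ip}\n\n"
                f"[Peer]\nPublicKey = {self.server_public_key}\nEndpoint = {self.endpoint}\n"
                f"AllowedIPs = {self.subnet}\nPersistentKeepalive = 25\n")
```

Three design points carry the security of this flow. The user is keyed on the `sub` claim rather than an email address, because `sub` is the identifier the provider guarantees to be stable and unique for the client. The client private key exists only in the returned config, which is why a second login returns nothing and a lost config means a key rotation; the download URL therefore deserves the one-time-link treatment mentioned above. Each peer gets `allowed-ips` of exactly its own /32, so a client cannot claim another peer's address. Note also that `wg set` changes live only in the running interface; on NixOS, `networking.wireguard.interfaces.wg0.peers` is fixed at rebuild time, so a portal that adds peers at runtime must persist them somewhere the server re-applies at boot.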