plasmagoat/homelab
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
homelab/nixos/hosts/vpn/README.md
plasmagoat 7dd5043b5d ready for runners
2025-06-06 23:32:17 +02:00

127 lines
5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Great question — and you're absolutely right to ask.
You **dont need** Innernet or Headscale+patch *if* you're comfortable building a small self-hosted portal that handles:
* ✅ OIDC login
* ✅ WireGuard peer key management
* ✅ Config generation and download
So lets break it down:
---
## 🧩 Why *Innernet* and *Headscale+patch* Exist
Those tools solve **user/device coordination**, dynamic routing, and access control *automatically*, **with batteries included**. They're great if you want a more managed, “plug-and-play” experience. Specifically:
| Tool | Purpose |
| ------------------------ | ----------------------------------------------------------------- |
| **Innernet** | Full WireGuard-based mesh + OIDC login + per-device management |
| **Headscale** | Tailscale backend, enables user login + ACL + device coordination |
| **Headscale+OIDC patch** | Add OIDC login to Headscale (by default, only pre-shared keys) |
These tools do things like:
* Assign IPs/DNS names to users
* Regenerate keys
* Handle coordination between peers
* Gate access with identity
---
## 🛠️ Why You *Dont* Need Them (Your Custom Portal Idea)
If you're fine with:
* Managing WireGuard server and IPs manually
* Writing a small web service to issue `.conf` files after login
* Using firewall rules for access control
Then you absolutely **can** build a custom system around **WireGuard + OIDC** like this:
---
### 🧱 Architecture: WireGuard + OIDC + Config Generator
```
┌──────────────┐
│ Your OIDC │
│ provider │◄────── Google, Authentik, Keycloak
└─────┬────────┘
(OIDC Login)
┌────────▼────────┐
│ Web Portal │◄────── nginx + Go, Node.js, Flask, etc.
│ (self-hosted) │
└──┬────────────┬─┘
Gen Keys │ │ Serve config
& register │ └─────> `client.conf` / QR code
┌──────────────────────┐
│ WireGuard server │ (NixOS)
│ - Handles all peers │
└──────────────────────┘
```
---
### 🔐 What Your Portal Needs to Do
* Authenticate via OIDC (OAuth2 flow)
* Store a list of "authorized users"
* When a user logs in:
* Check if they already have a WireGuard peer entry
* If not: generate a keypair, assign IP (e.g. `10.100.0.5`)
* Append to server config (`/etc/wireguard/wg0.conf`) or use `wg set`
* Return config file or QR code for the mobile client
---
## ✅ Benefits of This DIY Approach
* 💡 Full control: you own every step
* 🔐 OIDC is the gatekeeper (centrally managed access)
* ⚡ No extra daemon/software overhead (just WireGuard + your app)
* 🧩 Easily extensible (e.g., device limits, IP lease expiration)
---
## ⚙️ Tools You Can Use
| Purpose | Tools |
| ---------------------- | -------------------------------------------------------------------------- |
| OIDC Auth | [Dex](https://github.com/dexidp/dex), Keycloak, Authentik, or Firebase |
| Web Portal Backend | Node.js (Express), Go, Flask, FastAPI |
| Config Template Engine | Go templates, EJS, Jinja2 |
| WireGuard Integration | `wg`, `wg-quick`, or directly edit `wg0.conf` |
| NixOS Support | Use `networking.wireguard.interfaces.wg0.peers` to declaratively add peers |
---
## 🧪 Bonus Features You Could Build
* 🔐 Per-user firewall rules
* 🔁 One-time config URLs (`vpn.mydomain.com/invite/xyz`)
* 🔐 Optional Authelia/Keycloak MFA
* 📉 Dashboard with currently active peers (use `wg show`)
---
## ✨ Summary
| Option | You Need Innernet / Headscale? | Login via OIDC? | DNS Routing? | Complexity |
| ----------------- | ------------------------------ | --------------- | ------------ | ---------- |
| Your own portal | ❌ No | ✅ Yes | ❌ Manual | 🟡 Medium |
| Innernet | ✅ Yes | ✅ Yes | ✅ Built-in | 🟠 Medium |
| Headscale + patch | ✅ Yes | ✅ Yes | ✅ Built-in | 🔴 High |
Youre on a great path by choosing the custom VPN portal idea.
Let me know if you'd like:
* A **sample architecture repo**
* A **NixOS module to support peer configs**
* Help building the **login + config generator backend**
I can generate a Nix flake and a working OIDC portal template to kickstart the project.
Reference in a new issue View git blame Copy permalink