Great question — and you're absolutely right to ask.
You don’t need Innernet or Headscale+patch if you're comfortable building a small self-hosted portal that handles:
- ✅ OIDC login
- ✅ WireGuard peer key management
- ✅ Config generation and download
So let’s break it down:
🧩 Why Innernet and Headscale+patch Exist
Those tools solve user/device coordination, dynamic routing, and access control automatically, with batteries included. They're great if you want a more managed, “plug-and-play” experience. Specifically:
| Tool | Purpose |
|---|---|
| Innernet | Full WireGuard-based mesh + OIDC login + per-device management |
| Headscale | Tailscale backend, enables user login + ACL + device coordination |
| Headscale+OIDC patch | Adds OIDC login to Headscale (by default, only pre-shared keys) |
These tools do things like:
- Assign IPs/DNS names to users
- Regenerate keys
- Handle coordination between peers
- Gate access with identity
🛠️ Why You Don’t Need Them (Your Custom Portal Idea)
If you're fine with:
- Managing the WireGuard server and IPs manually
- Writing a small web service to issue `.conf` files after login
- Using firewall rules for access control
Then you absolutely can build a custom system around WireGuard + OIDC like this:
🧱 Architecture: WireGuard + OIDC + Config Generator
```
   ┌──────────────┐
   │ Your OIDC    │
   │ provider     │◄────── Google, Authentik, Keycloak
   └─────┬────────┘
         │
    (OIDC Login)
         │
┌────────▼────────┐
│   Web Portal    │◄────── nginx + Go, Node.js, Flask, etc.
│  (self-hosted)  │
└──┬────────────┬─┘
   │ Gen Keys   │ Serve config
   │ & register └─────> `client.conf` / QR code
   ▼
┌──────────────────────┐
│  WireGuard server    │ (NixOS)
│  - Handles all peers │
└──────────────────────┘
```
🔐 What Your Portal Needs to Do
- Authenticate via OIDC (OAuth2 flow)
- Store a list of "authorized users"
- When a user logs in:
  - Check if they already have a WireGuard peer entry
  - If not: generate a keypair, assign an IP (e.g. `10.100.0.5`)
  - Append to the server config (`/etc/wireguard/wg0.conf`) or use `wg set`
  - Return the config file or QR code for the mobile client
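As an added illustration of the login-time steps above (not code from the original post or from any of the tools it names), here is a Python sketch of the portal's post-login logic. It assumes the OIDC flow has already produced a verified `sub` claim and that the server's public key and endpoint are supplied by the operator; `x25519_pubkey`, `PeerRegistry` and the placeholder values are hypothetical names. It derives the WireGuard public key with RFC 7748 X25519, hands out the lowest free address in the pool, stores only the public key, and renders both the server-side `[Peer]` stanza and the one-time `client.conf`.

```python
import base64, ipaddress, secrets

P = 2**255 - 19  # Curve25519 field prime


def x25519_pubkey(private: bytes) -> bytes:
    """WireGuard public key for a 32-byte private key: RFC 7748 X25519 on base point 9.
    Plain-Python Montgomery ladder, not constant-time; use libsodium or `wg genkey` in production."""
    kb = bytearray(private); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64  # scalar clamping
    k, x2, z2, x3, z3, swap = int.from_bytes(kb, "little"), 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb, e = d * a % P, c * b % P, (aa - bb) % P
        x3, z3 = pow(da + cb, 2, P), 9 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class PeerRegistry:
    """Peers of one wg0 interface (hypothetical portal code). Only public keys are stored;
    the private key leaves the portal once, inside the client.conf returned at enrollment."""

    def __init__(self, pool="10.100.0.0/24", server_ip="10.100.0.1"):
        self.pool = ipaddress.ip_network(pool)
        self.reserved = {ipaddress.ip_address(server_ip)}
        self.peers = {}  # verified OIDC 'sub' claim -> (public_key_b64, address)

    def enroll(self, subject, server_pubkey, endpoint):
        """Returns (peer, client_conf); client_conf is None if the subject is already enrolled."""
        if subject in self.peers:
            return self.peers[subject], None
        used = self.reserved | {ipaddress.ip_address(a) for _, a in self.peers.values()}
        address = str(next(h for h in self.pool.hosts() if h not in used))  # lowest free IP
        priv = secrets.token_bytes(32)
        pub = base64.b64encode(x25519_pubkey(priv)).decode()
        self.peers[subject] = (pub, address)
        conf = (f"[Interface]\nPrivateKey = {base64.b64encode(priv).decode()}\nAddress = {address}/32\n\n"
                f"[Peer]\nPublicKey = {server_pubkey}\nEndpoint = {endpoint}\n"
                f"AllowedIPs = {self.pool}\nPersistentKeepalive = 25\n")
        return self.peers[subject], conf

    def server_peer_block(self, subject):  # [Peer] stanza to append to wg0.conf or apply with `wg set`
        pub, address = self.peers[subject]
        return f"[Peer]\nPublicKey = {pub}\nAllowedIPs = {address}/32\n"
```

Because the private key is never retained, a second login for the same subject returns the existing peer and no config; re-keying means deleting the peer entry and enrolling again.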
✅ Benefits of This DIY Approach
- 💡 Full control: you own every step
- 🔐 OIDC is the gatekeeper (centrally managed access)
- ⚡ No extra daemon/software overhead (just WireGuard + your app)
- 🧩 Easily extensible (e.g., device limits, IP lease expiration)
⚙️ Tools You Can Use
| Purpose | Tools |
|---|---|
| OIDC Auth | Dex, Keycloak, Authentik, or Firebase |
| Web Portal Backend | Node.js (Express), Go, Flask, FastAPI |
| Config Template Engine | Go templates, EJS, Jinja2 |
| WireGuard Integration | `wg`, `wg-quick`, or directly edit `wg0.conf` |
| NixOS Support | Use `networking.wireguard.interfaces.wg0.peers` to declaratively add peers |
🧪 Bonus Features You Could Build
- 🔐 Per-user firewall rules
- 🔁 One-time config URLs (`vpn.mydomain.com/invite/xyz`)
- 🔐 Optional Authelia/Keycloak MFA
- 📉 Dashboard with currently active peers (use `wg show`)
✨ Summary
| Option | You Need Innernet / Headscale? | Login via OIDC? | DNS Routing? | Complexity |
|---|---|---|---|---|
| Your own portal | ❌ No | ✅ Yes | ❌ Manual | 🟡 Medium |
| Innernet | ✅ Yes | ✅ Yes | ✅ Built-in | 🟠 Medium |
| Headscale + patch | ✅ Yes | ✅ Yes | ✅ Built-in | 🔴 High |
You’re on a great path by choosing the custom VPN portal idea. Let me know if you'd like:
- A sample architecture repo
- A NixOS module to support peer configs
- Help building the login + config generator backend
I can generate a Nix flake and a working OIDC portal template to kickstart the project.