This is a cool project and I would not shame anyone for using it, but WireGuard is much much simpler than OpenVPN (which was comically hard to get right). If you are considering this because of the possible overhead of doing it yourself I can say it's really not that bad.
>but WireGuard is much much simpler than OpenVPN (which was comically hard to get right).
I love WireGuard, and it's definitely beautifully designed to be security fail safe with no moving parts as far as that goes. If you manage to get a link to work, it should be dependable. But as you say "simpler" isn't saying much when the comparison is a pile of crud like OpenVPN. And (as I've just spent the last 24 hours battling befuddling errors in trying to get certain WG setups to work on OPNsense) that simplicity also means that a lot more leans on the rest of the ecosystem around WG. It makes the explicit and very correct design choice to be more like the classic Unix model, doing one thing very very well and then leaving the rest to other bits rather than the everything-and-the-kitchen-sink OpenVPN.
But in turn I'm very excited about people building nice stuff on top of it and smoothing out integrations with other parts of the puzzle. Tying it into more scalable credential management, more automation/GUIs over handling other fiddly bits for common use cases (like firewall and NAT), more easy onboarding (like the QR codes here), etc. is all stuff that'll be cool to see moved along. I think WG could be part of the foundation for giving more people the ability to work with VPNs (even if they don't know what that term is), and in turn could be an important piece of the puzzle in bringing some more decentralization back, particularly for smart home/IoT stuff. If it was trivial and standard for more people to run off their home networks from anywhere, that'd help eliminate one major motivation for cloud tie-in.
When you have to manage a decent number of users and multiple gateways, you need something to help manage that - whether you write it yourself or use something off the shelf, you can't reasonably just use WireGuard out of the box.
Not to mention that WireGuard is really only one component of what would normally be considered a VPN - the other part is the network routing, which depends on netfilter/iptables/ufw etc., which can be quite complex.
I get the impression a lot of people think of "VPN" in terms of their own simple personal connection to some gateway or small set of machines they control, but that's just the most trivial use case.
Angristan's OpenVPN installer script works 100% every time. Haven't found a WireGuard installer that works 100% every time - not even Angristan's. Looking forward to trying the OP's solution!
I’ve only used WireGuard as a client, but it’s simply amazing how few resources it consumes. OpenVPN when transmitting data would be 10-20% of my CPU on a 9th gen i3. I don’t even see a blip with WireGuard.