Hi ST,

It's a cool idea using the file system like that (the sticky bit would make the permissions part work correctly, perhaps), though I wonder if it's a bit complicated. If the model you're after is simply "server allocates IPs for peers already known through some channel but with unknown WireGuard public keys", then maybe a better SSH-based interface is a special user that is only allowed to run one program, and that program does one thing: accepts as input a public key, and outputs [without races] an allocated IP, endpoint, and the server's public key. Under the hood that information could be stored in a variety of ways.

Alternatively, this could be its own protocol over the wire or over TLS or over whatever the pre-established trust mechanism is that the idea is based on. One of the earliest dirty bash scripts for WireGuard did this (insecurely) over TCP -- https://git.zx2c4.com/WireGuard/tree/contrib/examples/ncat-client-server/server.sh -- this is what's running on demo.wireguard.com.
Jason
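The single-purpose program sketched in the reply above, as an added example that is not part of the original message and not WireGuard's own code. It is a hypothetical allocator (called `wg-alloc` here) meant to be bound to a dedicated SSH user as a forced command: it reads one WireGuard public key on stdin, validates it before touching any state, allocates an address under an exclusive lock so concurrent registrations cannot collide, and prints the address, endpoint and server public key. The pool `10.10.0.0/24`, the state path, the endpoint `vpn.example.invalid:51820` and the server key are constructed placeholders, not values from the thread.

```python
#!/usr/bin/env python3
"""wg-alloc: hypothetical single-purpose allocator (example code, not WireGuard's own).
Run as an SSH forced command: read one WireGuard public key on stdin, allocate an
address without races, print the address, the endpoint and the server's public key."""
import base64
import fcntl
import ipaddress
import json
import os
import sys

# Constructed settings; a deployment would read these from a config file.
STATE_PATH = os.environ.get("WG_ALLOC_STATE", "/var/lib/wg-alloc/state.json")
POOL = ipaddress.ip_network("10.10.0.0/24")      # first usable host is the server
ENDPOINT = "vpn.example.invalid:51820"           # placeholder endpoint
SERVER_PUBKEY = "SERVER_PUBLIC_KEY_PLACEHOLDER"  # placeholder; a real one comes from `wg show`


def parse_pubkey(text):
    """Accept only a base64 string that decodes to exactly 32 bytes (a Curve25519
    public key); anything else is rejected before it reaches the state file.
    Returns the canonical base64 form, or None."""
    text = text.strip()
    if len(text) != 44:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != 32:
        return None
    return base64.b64encode(raw).decode()


def allocate(pubkey, state, pool):
    """Idempotent allocation: a key that already has an address gets it back;
    a new key gets the lowest free host. Returns None when the pool is exhausted."""
    if pubkey in state:
        return state[pubkey]
    used = set(state.values())
    hosts = pool.hosts()
    next(hosts)  # first host is reserved for the server itself
    for host in hosts:
        if str(host) not in used:
            state[pubkey] = str(host)
            return state[pubkey]
    return None


def register(pubkey_text, state_path=STATE_PATH, pool=POOL,
             endpoint=ENDPOINT, server_pubkey=SERVER_PUBKEY):
    """Validate the key, then read-modify-write the state under an exclusive flock
    on a separate lock file (whose inode never changes), so two peers registering
    at the same moment cannot be handed the same address. The state file itself is
    replaced atomically, so a crash mid-write never leaves a truncated mapping."""
    pubkey = parse_pubkey(pubkey_text)
    if pubkey is None:
        return None
    os.makedirs(os.path.dirname(state_path) or ".", exist_ok=True)
    with open(state_path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        state = {}
        if os.path.exists(state_path):
            with open(state_path) as f:
                data = f.read()
            state = json.loads(data) if data.strip() else {}
        ip = allocate(pubkey, state, pool)
        if ip is None:
            return None  # lock is released when the with-block exits
        tmp = state_path + ".tmp"
        with open(tmp, "w") as out:
            json.dump(state, out)
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, state_path)
    return {"ip": ip, "endpoint": endpoint, "server_pubkey": server_pubkey}


if __name__ == "__main__":
    # Read a single bounded line; as a forced command this program never sees a shell.
    result = register(sys.stdin.readline(256))
    if result is None:
        print("rejected", file=sys.stderr)
        sys.exit(1)
    for key in ("ip", "endpoint", "server_pubkey"):
        print(f"{key}={result[key]}")
```

To restrict the SSH user to this one program, the peer's key in that user's `authorized_keys` would carry the OpenSSH options `command="/usr/local/bin/wg-alloc",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` (or `restrict` on newer OpenSSH); the path is an assumption. The lock lives in a separate `.lock` file rather than on the state file because the state file is replaced by `os.replace`, and a lock taken on a replaced inode would no longer serialise the next writer.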