A simple utility to help connect wireguard nodes together in a full mesh topology
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Alex c96ec64d09 Add AGPLv3 license 2 months ago
src make igd message a debug 2 months ago
.gitignore fail with error message instead of panic 3 months ago
Cargo.lock gossip encryption (fix #4) 3 months ago
Cargo.nix update cargo.nix 3 months ago
Cargo.toml gossip encryption (fix #4) 3 months ago
LICENSE Add AGPLv3 license 2 months ago
Makefile first commit 3 months ago
README.md add sample config file 2 months ago
config.toml first commit 3 months ago
default.nix add default.nix 3 months ago
flake.lock fail with error message instead of panic 3 months ago
flake.nix statically link nix binary 2 months ago



wgautomesh is a simple utility to help configure a full-mesh wireguard network. It does not assume that all nodes have a publicly reachable address. It uses a gossip protocol to broadcast the endpoint addresses nodes use to talk to one another. This way, even if nodes A and B are not able to communicate directly initially (both behind NAT), if they can both communicate with node C then they will indirectly be able to know each other's NAT-ed address and port. They will then try to connect to one another using those addresses, which should allow NAT hole punching.


  • does not assume all nodes are publicly reachable
  • configuration very similar to wg-quick: each node needs a list of the credentials of all other nodes in the mesh
  • ultra simple encrypted gossip protocol over UDP (bincode encoding + xsalsa20poly1305 symmetric encryption)
  • automatic discovery of nodes in a same LAN using UDP broadcast (if enabled, nodes will prefer connecting to one another using their LAN IP addresses when available)
  • can automatically open ports in your router using IGD/UPnP
  • saves to disk known addresses of peers so that they can be reused on restart (usefull if all addresses have changed and the ones in the config file are no longer relevant)


  • wgautomesh does not create a wireguard interface, it assumes it exists and merely configures the peers attached to it
  • wgautomesh only tries to establish connectivity to the peers specified in its config file, it does not provide facilities for dynamically adding more peers like many wireguard configuration tools do.

wgautomesh was built for Deuxfleurs to integrate with our automated NixOS-based configuration management system. A preliminary NixOS module for wgautomesh can be found here

Sample configuration file

interface = "wg0"
gossip_port = 1666
lan_discovery = true
gossip_secret_file = "/var/lib/wgautomesh/gossip_secret"
persist_file = "/var/lib/wgautomesh/state"
upnp_forward_external_port = 33723

pubkey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="
address = ""
endpoint = ""

pubkey = "lABn/axzD1jkFulX8c+K3B3CbKXORlIMDDoe8sQVxhs="
address = ""
endpoint = ""

pubkey = "XLOYoMXF+PO4jcgfSVAk+thh4VmWx0wzWnb0xs08G1s="
address = ""
endpoint = "bitfrost.fiber.shirokumo.net:33734"

pubkey = "smBQYUS60JDkNoqkTT7TgbpqFiM43005fcrT6472llI="
address = ""
endpoint = ""

pubkey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY="
address = ""