Show HN: Dsnet, a simple command to manage a centralised WireGuard VPN

69 points by naggie almost 5 years ago

4 comments

naggie almost 5 years ago

I was using wg-quick at home + work but it got tedious to add peers and track what key was for what peer.

I looked around but I considered the available WireGuard GUIs / tools (such as subspace) to be too heavyweight and/or have a few security concerns.

So, I wrote dsnet in Go. dsnet manages subnet generation, IP allocation, key generation and peer management.

* A sane and working server peer configuration is generated with a single command
* Client peers are added/removed with a single command
* A JSON report suitable for producing a HTML rendered peer status display can be generated with one command

There's more in-depth information on the GitHub README, and background + a tutorial on my website: https://callanbryant.co.uk/blog/how-to-set-up-a-wireguard-vpn-in-minutes-with-dsnet/

Thanks for reading!

tialaramex almost 5 years ago

> The peer private key is generated on the server, which is technically not as secure as generating it on the client peer and then providing the server the public key

"Not as secure" means specifically this punts all the actual security of the system.

This is one of the sad but predictable things with designs like WireGuard that themselves decided to punt this hard problem (you can also see it in OpenVPN [edited: Let's blame an early morning for me writing OpenSSL there] and with the same consequences). So in one sense it isn't your fault - Jason knew this was hard but left it for you to solve anyway, and predictably you didn't.

But of course for the end user the practical result is that they maybe don't get the security benefits they were told were available in WireGuard.

My crystal ball is cloudy but I'd guess that one possible future for WireGuard is that it gradually grows a reputation for insecurity not because WireGuard the protocol is bad but because the way it's used has meant almost invariably bad guys get private keys they shouldn't have.

edoceo almost 5 years ago

I was just having a very similar problem. Thank you for your code.

captn3m0 almost 5 years ago

Can someone guide me to how wg decides on whether a route push created by wg becomes default or not? Don't see a config option to decide that in dsnet