
Hey cool project! I starred this a while ago. Nice to see you here.

Just to clarify though, WireHub is just a config generator. It doesn't run your networks. It doesn't ask you to install anything other than stock WireGuard apps. It doesn't do "Web3 wallet validation" or anything remotely cool.



Then... I don't really get it?


TLDR: WireHub is a tool that helps you generate WireGuard configurations and easily share those with your end-users - instead of emailing configs around, you can just share a link to WireHub.

--

So if you want a secure private network for your devices and you choose WireGuard as the protocol for it, there are a few ways to get there depending on your needs.

As is often the case, it's a question of convenience vs security & trust.

In general, I think there are three categories of tools:

1) CLIs - Command line tools where you run a couple of commands and you get a folder of WireGuard config files.

2) Self-hosted Admin UIs - `git clone ... && docker-compose up` (or something to that effect) in a server of yours and you get an admin UI to control a WireGuard interface and its peers.

3) All-in-One - tools that control the whole stack, from using/recreating WireGuard in userspace with custom agents to SSO, RBAC, etc etc.

With CLIs, it's easy to generate configurations but then there's a lot of fiddling to maintain them. Multiple networks? New peers? Rotating keys? Securing Keys? Ugh.

With self-hosted admin UIs, like wg-easy, subspace, et al, you can get to 90% quite easily especially if you're up to some open source hacking yourself, and the GUI aspect makes it kind of easier to maintain your network.

Yet, the issue of securing the PrivateKeys remains - they are all kept on the server running the admin UI and are then distributed to peers.

All-in-One solutions, like tailscale, netbird, netmaker, et al, solve the PrivateKey problem by providing agents - their own software you have to install on each of your devices. Their software securely handles PrivateKeys on each client so they are not stored in a single place and never leave the device they were created on. You get to 100% pretty quickly, but you're somehow left wondering about the layers and layers of pure magic (in a good way!) going on behind the scenes.

WireHub tries to strike a balance between convenience and security in all three categories by:

- Making PrivateKeys optional. For maximum security, just don't share them with WireHub. For convenience however, WireHub can encrypt your PrivateKeys in browser (using WebCrypto) with a password of your choice (that is never stored, anywhere). WireHub can also generate the keys in browser, using Jason's JavaScript implementation.

- Not running any servers. For maximum security, bring your own cloud. For convenience, you can use `curl` to download the relevant WireGuard config on each server.

- Relying on stock WireGuard apps and not providing clients or other software to install. Jason is just better at writing secure software :)

So these choices place a hard limit on what WireHub can and will try to do.


Then why do I need an account?


My reply here may answer your question: https://hackernews.hn/item?id=38173975



