Weeknotes - Vault Agent, WireGuard, more WireGuard

Not a ton of side project work the last week or so. Though, I’ve been slowly incorporating Go into my toolbox at work. Think SSO OAuth API calls wrapped in a friendly, portable CLI tool.

I did however update query-bot to use Slack’s “App” API authentication flow. Thanks to this PR finally merging. Expect a proper release soon-ish!

Dynamic WireGuard configurations with Vault Agent Templates

Also in the background I’ve been toiling away on a project to bring together a WireGuard-gated Nomad, Consul, and Vault deployment model that is packed full of things like mTLS, ACLs, and dynamic, Vault-derived secrets.

Last week I implemented a Vault Agent Template for my WireGuard configuration and it’s been great not having to bake my WireGuard peer configurations into my machine images.

A sample of the template:

Address =,fd10::1/64
ListenPort = 51800
PostUp = /etc/wireguard/postup.sh
PostDown = /etc/wireguard/postdown.sh
{{- with secret "kv/node/wireguard" }}
PrivateKey = {{ .Data.data.private_key }}
{{ end }}

{{ range secrets "kv/metadata/node/wireguard-peers/" -}}
{{ with secret (printf "kv/node/wireguard-peers/%s" .) -}}
# {{ .Data.data.description }}
PublicKey = {{ .Data.data.public_key }}
AllowedIPs = {{ .Data.data.allowed_ips }}

{{ end }}
{{- end }}

Vault Agent configuration:

# WireGuard templates
template {
  source      = "/etc/wireguard/wg0.conf.tpl"
  destination = "/etc/wireguard/wg0.conf"
  command     = "systemctl restart [email protected]"

I know that I can use wg syncconf to hot-reload the configuration, but I have yet to implement that due to some blocking factors.


WireGuard Endpoint Discovery and NAT Traversal using DNS-SD

  • This type of deep-dive is my happy place. WireGuard + DNS + NAT trickery further makes the case for WireGuard as a minimal, secure, and performant tunnel technology.

Notes on building debugging puzzles

  • Julia Evans never stops introducing novel methods of knowledge sharing, and this post about her foray into interactive, debugging puzzles is right in line with her usual high-quality content. Plus, it’s about DNS!