Everything I have been reading about WireGuard suggests that most people use it as a replacement for a VPN, meaning the client/server model. It does that quite well, but my mission, without reverse engineering Docker's encrypted micronetwork, was to implement the same idea as part of a zero trust architecture.
I have 3 machines with this intended network:
   mach1          mach2          mach3
     ^              ^              ^
     |              |              |
internet <--> FW <<-----------(network admin)------------------>
Then adding the wg connections:
   mach1  <--->  mach2  <--->  mach3
     ^              ^              ^
     |              |              |
internet <--> FW <<-----------(network admin)------------------>
Then adding some firewall rules so that the admin network is limited to port 22 and the ssh authentication is limited to certs, or passwords with 2FA, or some such. And the wg network is limited to its peers, so there is no way for mach1 to connect to mach3. Furthermore, the firewall would also limit the traffic to the permitted ports and therefore protocols. Eventually I might be able to add DPI to check the connection contents.
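Here is what that peer-limited chain looks like as configuration. This is an added example, not the original poster's setup: it generates a wg-quick style wg0.conf for each node and an nftables ruleset per node, where mach1 and mach3 only know mach2's key, every peer gets a single /32 in AllowedIPs (WireGuard's cryptokey routing table, so a packet from a peer is dropped unless its source is that /32 and only packets to that /32 are ever encrypted to that peer), mach2's forward chain drops everything so it never relays between its two peers, and the admin network reaches only tcp/22. The tunnel subnet 10.66.0.0/24, the admin LAN 192.168.100.0/24, the hostname mach2.example.net, the application ports 443/5432 and the key strings are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): mach1 <-> mach2 <-> mach3 chain.
# Only adjacent nodes are peers; mach2 does not forward; admin LAN gets ssh only.
# Subnet, admin LAN, hostnames, ports and key strings below are assumptions.

WG_NET="10.66.0"               # assumed tunnel subnet: mach1=.1 mach2=.2 mach3=.3
WG_PORT=51820
ADMIN_NET="192.168.100.0/24"   # assumed admin LAN on the firewall side
APP_PORTS="443, 5432"          # assumed ports peers may use inside the tunnel

# Placeholder keys. Real ones: wg genkey | tee privkey | wg pubkey > pubkey
PUB_MACH1="pubkey-of-mach1="
PUB_MACH2="pubkey-of-mach2="
PUB_MACH3="pubkey-of-mach3="

# wg_conf NAME HOST_SUFFIX [PEER ...]   PEER = "PUBKEY HOST_SUFFIX [ENDPOINT_HOST]"
# Prints a wg-quick wg0.conf. A node that is not listed as a peer has no key
# here, so it cannot even complete a handshake, let alone send traffic.
wg_conf() {
    name=$1; suffix=$2; shift 2
    printf '[Interface]\n'
    printf 'Address = %s.%s/24\n' "$WG_NET" "$suffix"
    printf 'ListenPort = %s\n' "$WG_PORT"
    printf 'PrivateKey = <%s private key, kept in a root-only file>\n' "$name"
    for peer in "$@"; do
        set -- $peer                      # split "PUBKEY SUFFIX [ENDPOINT]"
        printf '\n[Peer]\nPublicKey = %s\n' "$1"
        # One host per peer, never a wider prefix: this is the cryptokey routing
        # table, so mach1 cannot spoof mach3's address through mach2 either.
        printf 'AllowedIPs = %s.%s/32\n' "$WG_NET" "$2"
        if [ -n "$3" ]; then
            printf 'Endpoint = %s:%s\n' "$3" "$WG_PORT"
        fi
    done
}

# nft_rules WG_IFACE LAN_IFACE   -> prints an nftables ruleset for one node
nft_rules() {
    wgif=$1; lanif=$2
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # admin network: ssh only (sshd itself restricts auth to keys / 2FA)
        iifname "$lanif" ip saddr $ADMIN_NET tcp dport 22 accept
        # WireGuard transport on the outside interface
        iifname "$lanif" udp dport $WG_PORT accept
        # inside the tunnel: only the permitted application ports
        iifname "$wgif" tcp dport { $APP_PORTS } accept
    }
    chain forward {
        # nothing is relayed; on mach2 this is what keeps mach1 and mach3 apart
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Usage (as root). On mach2, the middle node, which listens for both peers:
#   wg_conf mach2 2 "$PUB_MACH1 1" "$PUB_MACH3 3" > /etc/wireguard/wg0.conf
#   nft_rules wg0 eth0 > /etc/nftables.conf && nft -f /etc/nftables.conf
#   sysctl -w net.ipv4.ip_forward=0 && wg-quick up wg0
# On mach1, which has only mach2 as a peer and dials out to it:
#   wg_conf mach1 1 "$PUB_MACH2 2 mach2.example.net" > /etc/wireguard/wg0.conf
if [ "${1:-}" = "--demo" ]; then
    wg_conf mach2 2 "$PUB_MACH1 1" "$PUB_MACH3 3"
    echo
    nft_rules wg0 eth0
fi
```

Two things are worth checking after bringing this up: `wg show wg0` on mach1 must list exactly one peer, and `nft list ruleset` on mach2 must show the forward chain with `policy drop` and no accept rules. The AllowedIPs /32 is what makes the chain hold even if forwarding were accidentally enabled on mach2, because a packet from mach1 addressed to 10.66.0.3 would still fail mach3's source check on the way back.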