deflax/wiregate

\ \        /_)           ___|       |        
 \ \  \   /  |  __| _ \ |      _` | __|  _ \ 
  \ \  \ /   | |    __/ |   | (   | |    __/ 
   \_/\_/   _|_|  \___|\____|\__,_|\__|\___| 

WireGuard based VPN server endpoint with LDAP support

Tested on Debian

CLI

The public command is now gate.

Use ./gate -h for top-level help and ./gate <command> -h for command-specific help.

Server Commands

  • sudo ./gate deploy - install or update the runtime under /usr/local/lib/wiregate, assets under /usr/local/share/wiregate, and config under /etc/wiregate
  • sudo ./gate init - bootstrap host services (WireGuard, unbound, iptables, sysctl) using /etc/wiregate/config; this is a heavy operation and may reboot
  • ./gate client add --name NAME --email EMAIL - define and activate a new peer, generate config inside /etc/wireguard/clients, and attempt profile delivery
  • ./gate client disable --name NAME - disable a peer without deleting its stored artifacts
  • ./gate client delete --name NAME - delete a peer and salvage its IP address back to the pool
  • ./gate client rebuild - recreate WireGuard state using existing clients in /etc/wireguard/clients
  • ./gate client mail --name NAME - send the generated profile to the client

Server Tools

  • ./gate status - show peer stats based on wg show all dump
  • ./gate ldap sync - reconcile peer state from LDAP membership
  • ./gate ldap logs - tail the log of the wgldapsync service
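The `./gate status` tool builds its peer view from `wg show all dump`. The following is an added example, not code from the WireGate project, showing how that tab-separated output can be parsed into per-peer status with a handshake-age check. The dump format is WireGuard's own: with `all`, each line starts with the interface name; a 5-field line describes the interface (private key, public key, listen port, fwmark) and a 9-field line describes one peer (public key, preshared key, endpoint, allowed IPs, latest-handshake epoch, rx bytes, tx bytes, persistent keepalive). The sample dump, the placeholder key strings, the 180-second staleness threshold and the `wg0`-means-client rule are constructed assumptions for the example.

```python
"""Summarize `wg show all dump` output per peer (added example, not WireGate code)."""
import time

STALE_AFTER = 180  # assumption: WireGuard rekeys roughly every 2 minutes, so older handshakes are suspect
CLIENT_IFNAME = "wg0"  # assumption from the README: normal client peers live on wg0

# Constructed sample of `wg show all dump`: one interface line and two peer lines.
# Real output carries the real base64 keys; these are placeholders.
SAMPLE_DUMP = "\n".join([
    "\t".join(["wg0", "SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER", "55032", "off"]),
    "\t".join(["wg0", "ALICE_PUBLIC_KEY_PLACEHOLDER", "(none)", "203.0.113.10:51820",
               "10.69.0.2/32", "1700000000", "123456", "654321", "off"]),
    "\t".join(["wg0", "BOB_PUBLIC_KEY_PLACEHOLDER", "(none)", "(none)",
               "10.69.0.3/32", "0", "0", "0", "25"]),
])


def parse_wg_dump(text: str):
    """Parse `wg show all dump` text into (interfaces, peers).

    The interface private key (field 2) is deliberately dropped so the parsed
    structure can be logged or serialized without leaking it.
    """
    interfaces, peers = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) == 5:
            ifname, _private_key, public_key, listen_port, fwmark = fields
            interfaces[ifname] = {
                "public_key": public_key,
                "listen_port": int(listen_port),
                "fwmark": None if fwmark == "off" else fwmark,
            }
        elif len(fields) == 9:
            ifname, public_key, psk, endpoint, allowed_ips, handshake, rx, tx, keepalive = fields
            peers.append({
                "interface": ifname,
                "is_client": ifname == CLIENT_IFNAME,
                "public_key": public_key,
                "has_preshared_key": psk != "(none)",
                "endpoint": None if endpoint == "(none)" else endpoint,
                "allowed_ips": allowed_ips.split(","),
                "latest_handshake": int(handshake),  # unix epoch, 0 = never
                "rx_bytes": int(rx),
                "tx_bytes": int(tx),
                "keepalive": None if keepalive == "off" else int(keepalive),
            })
        else:
            raise ValueError(f"unexpected wg dump line with {len(fields)} fields: {line!r}")
    return interfaces, peers


def peer_status(peers, now=None):
    """Classify each peer as active, stale or never-connected by handshake age."""
    now = time.time() if now is None else now
    rows = []
    for p in peers:
        hs = p["latest_handshake"]
        age = None if hs == 0 else int(now - hs)
        if age is None:
            state = "never"
        elif age > STALE_AFTER:
            state = "stale"
        else:
            state = "active"
        rows.append({
            "interface": p["interface"],
            "is_client": p["is_client"],
            "public_key": p["public_key"],
            "allowed_ips": p["allowed_ips"],
            "endpoint": p["endpoint"],
            "handshake_age": age,
            "state": state,
            "rx_bytes": p["rx_bytes"],
            "tx_bytes": p["tx_bytes"],
        })
    return rows


if __name__ == "__main__":
    ifaces, prs = parse_wg_dump(SAMPLE_DUMP)
    for row in peer_status(prs, now=1700000100):
        print(f"{row['interface']} {row['allowed_ips'][0]:<16} {row['state']:<7} "
              f"age={row['handshake_age']} rx={row['rx_bytes']} tx={row['tx_bytes']}")
```

Splitting on the interface name is the same distinction the node tooling relies on: peers on `wg0` are ordinary clients, peers on the dedicated transit interfaces are nodes. On a live host, feed `subprocess.run(["wg", "show", "all", "dump"], capture_output=True, text=True).stdout` into `parse_wg_dump` instead of the constructed sample.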

The legacy IP pool generation command remains accepted for automation compatibility, but it is deprecated and hidden from help. Normal bootstrap uses sudo ./gate init, which creates the configured IP pool only when missing and preserves existing peer leases on rerun.

Client Address Pool Configuration

Set the required client_pool_cidr in /etc/wiregate/config to the client network for this server, for example client_pool_cidr=10.69.0.0/20. The server uses the first usable address from that CIDR for wg0 and client DNS, and generates the remaining client IP pool without allocating that server address. WireGate uses fixed WireGuard UDP port 55032 for the server and generated client profiles.

Node Commands

Node peering is a first-version control plane for WireGate nodes. It syncs node topology over root SSH, keeps normal client peers on wg0, and uses dedicated node transit interfaces for selected remote internet exit traffic.

  • ./gate node identity - show the local node identity from /etc/wiregate/node-id
  • sudo ./gate node join --ssh root@seed.example.com - join topology from a seed node over SSH
  • sudo ./gate node join --ssh root@node2 --init --client-pool-cidr 10.70.0.0/20 - deploy, configure, initialize, and join a fresh remote node
  • sudo ./gate node sync - refresh node topology, reapply node transit state, and ensure the node sync timer is installed/enabled
  • ./gate node export-topology --format json - print the public node topology JSON used by SSH sync
  • sudo ./gate node policy set --peer NAME --exit-node NODE_ID - route one peer's internet exit through a selected node
  • sudo ./gate node policy clear --peer NAME - remove one peer's selected remote exit policy
  • ./gate node policy list - print the validated node exit policy JSON
  • ./gate node status - show node peers separately from normal WireGuard clients
  • sudo ./gate node remove --node-id NODE_ID - remove a node from local node state

Client pools must not overlap. Set a unique client_pool_cidr on every node, such as 10.69.0.0/20 on one node and 10.70.0.0/20 on another. Overlapping pools are rejected so a node cannot claim another node's client addresses. If a selected remote exit is unavailable, selected traffic fails closed and is blocked. It does not fall back to local internet exit or another node.

Plain join remains topology-only: sudo ./gate node join --ssh root@seed.example.com does not deploy, initialize, write remote config, or run remote system commands beyond exporting topology over SSH. Add --init only when spreading WireGate to a fresh remote host. The init mode copies only allow-listed checkout files (gate, src/, config.dist, docs/assets, client tools, and systemd units) to a private root-owned remote staging directory; it never copies .git, .sisyphus, local config, node identity, topology state, WireGuard keys, client artifacts, or runtime state.

Remote init generates /etc/wiregate/config from config.dist, safe local non-secret values, and node-specific overrides. --client-pool-cidr is required and must be unique; server_endpoint_address defaults to the SSH host when --endpoint is omitted; public_ifname is inferred from ip -json route show default on the remote unless --public-ifname is provided. Existing remote /etc/wiregate/config is refused unless --update-config is set. Because gate init may reboot the remote host, spread mode waits for SSH to reconnect and verifies the remote gate before joining it back to the local seed. Use --dry-run to validate and print the planned remote config with secret-like values redacted, without copying files, writing config, running init, or mutating topology.

Endpoint roaming is explicit. Run sudo ./gate node sync after endpoint changes, or use wgnodesync.timer. gate init installs and enables that timer when node state already exists; on an already initialized node, successful gate node join and gate node sync also install/enable it so a full gate init rerun is not required after joining topology.

First-version scope exclusions: no HTTPS daemon/API, no consensus/gossip, no arbitrary LAN/private route export, no generated remote-exit client profiles, and no automatic fallback.

Client Side Tools

./client-tools/wg-rapid - modified WireGuard client based on wg-quick that works with systemd-resolved

./client-tools/startvpn.desktop - desktop shortcut for wg-rapid; update its parameter to the filename of your peer profile

Updating an installed server

After pulling repository changes, run sudo ./gate deploy to refresh the installed runtime. Run sudo ./gate init only when host bootstrap behavior or broad system service setup needs to be applied again; normal node topology joins and syncs should not require rerunning full init.

Existing installs that still live under /root/wiregate should run sudo ./patch.sh once to move runtime files to the current layout.