The Ubuntu system administrator who installs Wireguard can configure it using just the “wg” command interface, so editing a config file and stopping and restarting Wireguard services is totally unnecessary. But you should back up your config to a wg*.conf file anyway, so it survives reboots and system crashes.
Any Wireguard web GUI should be simple enough to prompt the inexperienced admin through configuring the server’s Wireguard interface(s), including setting up the three most basic configurations – small VPN server, basic VPN client, and custom. If you offer a VPN service, there may need to be a way for regular users to request access to VPN accounts, maybe captcha and email verified? Admins can create/list/delete user accounts as they desire.
I will probably use Python, of course, but I need to figure out a safe way to authorize the web user to execute the wg binary command, to prevent abuse. Documentation will be key.
The interesting part will be the part where you sign up new users: verifying their identity, securely creating a new PKI key pair, and generating a recommended client config file to access that VPN. I want a pleasant balance between simple-to-use-for-newbies and non-hostile-to-experienced-admins, if you know what I mean. There has to be a middle ground. I’ve generally found that tension gets resolved by creating command and API interfaces. If you present a standard interface to everyone, others can benefit from or extend your backend work, while enhancing and replacing your stupid web GUI.
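As an added illustration of the two pieces above (the authorization wrapper around the wg binary, and the signup step that creates a key pair and writes a client config), here is one way to wire it up in Python. This is example code, not code from this post or from the Wireguard project. Keys are X25519 pairs, exactly what Wireguard uses; a reference ladder from RFC 7748 is included only so the example runs offline with no dependencies, and a real service would call `wg genkey` / `wg pubkey` or a vetted crypto library instead. Every value the web user supplies (interface name, public key, AllowedIPs) is validated before it becomes an argument, and the `wg set` command is built as an argv list so no shell ever sees user input. The interface name, address pool, endpoint and client address are constructed sample values.

```python
import base64
import ipaddress
import os
import re
from typing import List, Optional, Tuple

# X25519 reference implementation (RFC 7748, section 5). Included only so the
# example runs with no dependencies; it is not side-channel hardened. In a
# real service generate keys with `wg genkey` or a vetted crypto library.
_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder: returns scalar * u as 32 little-endian bytes."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow((da + cb) % _P, 2, _P)
        z3 = x1 * pow((da - cb) % _P, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def generate_keypair() -> Tuple[str, str]:
    """Fresh Wireguard key pair as (private_b64, public_b64); the private key is
    32 bytes from the OS CSPRNG, never from a user-supplied value."""
    priv = os.urandom(32)
    return base64.b64encode(priv).decode(), base64.b64encode(x25519(priv, _BASEPOINT)).decode()


def public_key_from_private(priv_b64: str) -> str:
    return base64.b64encode(x25519(base64.b64decode(priv_b64), _BASEPOINT)).decode()


# A Wireguard key is exactly 32 bytes of base64: 44 chars, one '=' pad, and the
# 43rd char must have its two low bits clear. Reject everything else up front.
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")


def is_valid_wg_key(key: str) -> bool:
    return bool(_KEY_RE.match(key)) and len(base64.b64decode(key, validate=True)) == 32


def build_peer_argv(iface: str, client_pub: str, allowed_ips: List[str], pool: str) -> List[str]:
    """argv for `wg set`, built only from validated pieces; run it with
    subprocess.run(argv) (a list, never shell=True) under a dedicated account."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", iface):      # Linux IFNAMSIZ limit
        raise ValueError("bad interface name")
    if not is_valid_wg_key(client_pub):
        raise ValueError("bad public key")
    net_pool = ipaddress.ip_network(pool)
    nets = [ipaddress.ip_network(a) for a in allowed_ips]      # strict: host bits rejected
    for n in nets:
        if n.version != net_pool.version or not n.subnet_of(net_pool):
            raise ValueError(f"{n} is outside the pool {net_pool}")
    return ["wg", "set", iface, "peer", client_pub, "allowed-ips", ",".join(map(str, nets))]


def render_client_config(client_priv: str, client_addr: str, server_pub: str,
                         endpoint: str, dns: Optional[str] = None) -> str:
    """Recommended full-tunnel client config; every field is checked before it is interpolated."""
    if not (is_valid_wg_key(client_priv) and is_valid_wg_key(server_pub)):
        raise ValueError("bad key")
    ipaddress.ip_interface(client_addr)                         # e.g. 10.8.0.2/32
    host, _, port = endpoint.rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad endpoint")
    lines = ["[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_addr}"]
    if dns:
        ipaddress.ip_address(dns)
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}",
              "AllowedIPs = 0.0.0.0/0, ::/0", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    server_priv, server_pub = generate_keypair()
    client_priv, client_pub = generate_keypair()
    print(" ".join(build_peer_argv("wg0", client_pub, ["10.8.0.2/32"], "10.8.0.0/24")))
    print(render_client_config(client_priv, "10.8.0.2/32", server_pub, "vpn.example.com:51820"))
```

The important design choice is that the web layer never hands free-form strings to the binary: the only things that reach `wg set` are a checked interface name, a key that decoded to exactly 32 bytes, and networks that `ipaddress` parsed strictly and that lie inside the server's own pool. The process that runs the argv should be a separate, minimally privileged helper, with the web application itself holding no capability to run wg directly.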
Routing nothing is trivial. You add no local static routes, and the only thing you can do is access the VPN server.
Routing everything is easy. First you add a single /32 route for the VPN gateway’s public IP, pointing toward your existing default gateway, and then you add two routes, 0.0.0.0/1 and 128.0.0.0/1, which together cover the whole address space and usurp the default route, both pointing toward the other end of the VPN.
Basic CIDR routing rules mean the longest route that matches the destination IP wins. Route length is just the number of 1 bits in the route’s subnet mask, so a /24 route is longer than a /1 or a /0 and wins, and a /1 wins over a /0. The default route always has 0 bits in its subnet mask, so it’s always the route of last resort. Most clients only have a /32 route for their own interface address, a /24 route for their local LAN, and a /0 default route for everything else.
Wireguard VPN clients add an additional network interface, usually wg0, and then add routes pointing toward whatever is on the other end of the VPN connection. When you’re a normal client, you want everything to go over the VPN. When you’re connecting to a small work or satellite office, you might only want to route a few specific subnets down each tunnel. Corporate users might use multiple tunnels, to reach remote data centers via remote jump boxes.
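To make the longest-prefix rule from the last few paragraphs concrete, here is an added Python example (not from the post) that models a client route table and the lookup the kernel performs, then builds both the full-tunnel table (endpoint /32 plus the two /1 routes) and a split-tunnel table (only chosen subnets via wg0). The LAN, gateway, endpoint and remote subnets are constructed sample values in documentation and private ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# A route is a destination prefix and where traffic for it goes. "via" is a
# constructed label (an interface name or next-hop address) for illustration.
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among all routes whose prefix contains dst, the one
    with the most mask bits wins. A /0 default route has zero mask bits, so it
    is chosen only when nothing more specific matches."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def base_table(host_ip: str = "192.168.1.20", lan: str = "192.168.1.0/24",
               default_gw: str = "192.168.1.1") -> List[Route]:
    """The typical client table: a /32 for the host itself, a /24 for the LAN, and a /0 default."""
    return [
        Route(ipaddress.ip_network(f"{host_ip}/32"), "lo"),
        Route(ipaddress.ip_network(lan), "eth0"),
        Route(ipaddress.ip_network("0.0.0.0/0"), default_gw),
    ]


def full_tunnel(table: List[Route], endpoint_ip: str, default_gw: str) -> List[Route]:
    """Route everything over the VPN without touching the default route: pin the
    VPN endpoint to the real gateway with a /32 (so the tunnel itself does not
    loop into wg0), then cover the entire address space with two /1 routes via
    wg0, each of which beats the /0 default but loses to the LAN /24."""
    return table + [
        Route(ipaddress.ip_network(f"{endpoint_ip}/32"), default_gw),
        Route(ipaddress.ip_network("0.0.0.0/1"), "wg0"),
        Route(ipaddress.ip_network("128.0.0.0/1"), "wg0"),
    ]


def split_tunnel(table: List[Route], remote_subnets: List[str]) -> List[Route]:
    """Route only specific subnets (a small office, a data center) via wg0;
    everything else keeps using the default route."""
    return table + [Route(ipaddress.ip_network(s), "wg0") for s in remote_subnets]


if __name__ == "__main__":
    full = full_tunnel(base_table(), "203.0.113.5", "192.168.1.1")
    for dst in ("203.0.113.5", "8.8.8.8", "198.51.100.7", "192.168.1.50"):
        r = lookup(full, dst)
        print(f"full tunnel  {dst:>14} -> {r.prefix} via {r.via}")
    split = split_tunnel(base_table(), ["10.20.0.0/16"])
    for dst in ("10.20.3.4", "8.8.8.8"):
        r = lookup(split, dst)
        print(f"split tunnel {dst:>14} -> {r.prefix} via {r.via}")
```

Running it shows why the two /1 routes are the trick: the endpoint keeps going out the real gateway because its /32 is longer than the /1, LAN traffic keeps going out eth0 because /24 is longer than /1, and absolutely everything else lands in one of the two /1 halves and goes down wg0. The /0 default route is still in the table; it just never wins again.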
I can easily see turning this into a whole “community in a box” type product, with Matrix/Synapse/Riot for all chat/voice/video communications, Dovecot/Postfix/Mailman for all email communications, Nginx/FastCGI/bbPress for all website/forum services, and Wireguard for all VPN services. The web GUI really needs to start out being totally small community centric, while at the same time, remaining open and compatible with network federation. Let the communities themselves decide which features they want to enable, and which network(s) they want to interconnect with. Let the documentation guide the advanced through creating their own federated Matrix network, independent from anyone else.
Of course any paranoid or deviant community could take advantage of this simple technology, and use it as a tool to keep their communications private, while they plot their dastardly plans. But you have to agree there are a whole lot of solutions that achieve the same thing. I really see no problem with terrorism as a threat to this platform. That *is* the entire point to privacy, so everyone has the ability to keep their one-to-one communications private from everyone else.
After all, when any government bans any variety of VPN software, it won’t prevent it from being created and sold to the 2% who might use it for unlawful gain, it only stops the other 98% from taking advantage of it to protect themselves.