Wirt becomes WirtBot and as stealthy as Sam Fisher

Welcome to another update post.

Quite some time has passed since the last update. I have settled back into my life in Berlin and my new job. But there were a few things nagging me about Wirt in the back of my head. So it was time to clear them. Here's the overview:

New architecture

Previously the system was split into two parts: the Interface running at wirtbot.com and the self-hosted WirtBot. That works, but after giving it some more thought, why not simply host the Interface on the WirtBot itself? Seems to make sense.

Benefits

  • fits better with common understanding of having an Interface uniquely tied to a Core software piece
  • Increase security by not listening on public interface aka. stealth. Sam Fisher would approve!
  • no need for a Hostname and valid certificate
  • more interactions are possible by knowing that all traffic only flows within the network and is encrypted
  • coherent naming. No more Wirt vs WirtBot vs. Interface. Much easier to talk about

So what's the downside?

The Interface is not exposed to the internet over a public network interface. The only machines that can reach it are the ones in the WirtBot network. After the setup your computer is not yet part of the network, so you cannot configure the WirtBot, because the Interface cannot be reached.

How to fix this?

  • The installer generates a WireGuard® config to join the network
  • In addition the installer will generate an initial Interface config that can be imported in the Interface to take control of the WirtBot

The complete setup now looks like this:

  • set up WirtBot server
  • use generated config to join the network with WireGuard
  • import the initial Interface configuration on the WirtBot's Interface to take control of it

Find the setup docs on the new domain https://wirtbot.com/docs/setup

Interactive installer

To facilitate the new architecture setup, an interactive installer has been added that will guide you through it. It depends on ansible, sshpass and nodejs.

Install it with npm install -g @wirtbot/installer and run wirt-installer. Easy as 1 2 3. Well, almost. But I wanted to make the setup and especially updating as pain-free as possible.

Complete test environment for system functionality

Using Docker images and docker-compose files the system can now be tested as a whole.

First the Interface gets spawned and connected to WirtBot, using pre-defined keys for the Auth that are set with environment variables. Another container spawns and runs a headless browser, which nightwatch uses to interact with the Interface and execute the tests.

All of this can be spawned during Pull-Requests, so that other contributors and I can rest assured that the System still works with their changes, and no regressions are introduced.

Okay, I have to be honest here, there is not yet 100% test coverage, but it's a good safety net based on solid E2E testing.

Compatibility mode

Sometimes you will encounter timeouts when using WireGuard on your devices.

These can be hard to debug if you do not know what to look for.

For this reason I added the MTU setting to the Interface.

The default is 1500, and using 1320 might fix the issues. Small change, but very helpful.

Additional DNS servers

While being connected to my WirtBot network, I noticed that I was no longer able to reach devices on my local network by their hostname. To fix this the Interface now supports adding additional DNS servers that will be checked for .local, .lan, .home and .fritz.box domains.
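The routing decision described above, as an added example that is not WirtBot's own code: it decides which query names go to the additional DNS servers and shows why the suffix must match on a label boundary, since a substring match would also hand names such as login.local.example.com to the LAN resolver. The suffix list is from this post; the server addresses and function names are constructed assumptions.

```javascript
// Added example: which names are sent to the additional (LAN) DNS servers.
// Suffixes come from the post; addresses and names below are constructed.
const LOCAL_SUFFIXES = ["local", "lan", "home", "fritz.box"];

// Lowercase and drop the trailing root dot so "NAS.Fritz.Box." compares equal.
function normalize(qname) {
  return qname.trim().toLowerCase().replace(/\.$/, "");
}

// Naive check: substring match. Also true for "login.local.example.com"
// and "example.homes", which are public names.
function isLocalNaive(qname) {
  const name = normalize(qname);
  return LOCAL_SUFFIXES.some((s) => name.includes("." + s));
}

// Strict check: the suffix must end the name on a label boundary.
function isLocalStrict(qname) {
  const name = normalize(qname);
  return LOCAL_SUFFIXES.some((s) => name === s || name.endsWith("." + s));
}

// Returns the resolver list a query should be sent to.
function resolversFor(qname, additionalServers, tunnelServers) {
  return isLocalStrict(qname) ? additionalServers : tunnelServers;
}

const ADDITIONAL = ["192.168.178.1"]; // constructed: resolver on the local LAN
const TUNNEL = ["10.10.0.1"];         // constructed: resolver inside the tunnel

// Build a routing plan for a batch of names.
function routeAll(names) {
  return names.map((name) => ({
    name,
    servers: resolversFor(name, ADDITIONAL, TUNNEL),
  }));
}

console.log(routeAll(["nas.fritz.box", "Printer.LOCAL.", "login.local.example.com"]));
```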

First UX test

Major thanks to redditor u/Atlach666. He set up a WirtBot and helped uncover a few mistakes in the task ordering that led to the Firewall blocking necessary requests during the setup.

All is fixed now and setting up a WirtBot is easier than ever given the new install script.

CI updates

The CI now automatically builds new Docker images whenever a change lands in master.

Store cleanup

New network entity. This will allow more flexibility. Could add multiple WirtBots to control from one interface to set up complex network topologies -> if you get the certificates!

The Interface is built with VueJS and uses vuex for state management.

A few things changed in its layout, such as adding a new network entity, which could potentially lead to multiple networks running on one WirtBot.

Interested in this? I can point you in the right directions if you'd like to implement this!

HTTPS is gone

Everything is running on crypto-routed and encrypted channels. HTTPS and its certificate nightmares just didn't make sense anymore.

Getting valid certificates and keeping them valid in such a stealthy system is not worth it for the minimal security improvement.

With all the crypto that is being used, the WirtBot is secure AF. So no worries here.
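Both the new architecture and dropping HTTPS rest on the Interface listening only inside the WireGuard network. The following added example (not part of WirtBot) checks that on a server by parsing `ss -tlnH` output and reporting listeners on tunnel-only ports that are bound outside the tunnel subnet. The subnet 10.10.0.0/24, the ports 80 and 3030, and the sample output are constructed assumptions.

```javascript
// Added example: flag listeners reachable from outside the WireGuard tunnel.
// Subnet, ports and the sample `ss -tlnH` output are constructed assumptions.

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  const valid = parts.length === 4 &&
    parts.every((p) => Number.isInteger(p) && p >= 0 && p <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + p, 0) : null;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false; // fail closed
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Split "10.10.0.1:80", "[::]:80" or "*:80" into address and port.
function splitLocal(local) {
  const idx = local.lastIndexOf(":");
  const address = local.slice(0, idx).replace(/^\[|\]$/g, "");
  return { address, port: Number(local.slice(idx + 1)) };
}

// Returns every listener on a tunnel-only port whose bind address is
// neither loopback nor inside the tunnel subnet (wildcards count as exposed).
function findExposedListeners(ssOutput, tunnelCidr, tunnelOnlyPorts) {
  const exposed = [];
  for (const line of ssOutput.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 5 || cols[0] !== "LISTEN") continue;
    const { address, port } = splitLocal(cols[3]);
    if (!tunnelOnlyPorts.includes(port)) continue;
    const loopback = address === "::1" || inCidr(address, "127.0.0.0/8");
    if (!loopback && !inCidr(address, tunnelCidr)) exposed.push({ address, port });
  }
  return exposed;
}

const SAMPLE_SS_OUTPUT = [ // constructed sample, not captured from a WirtBot
  "LISTEN 0 128 10.10.0.1:80 0.0.0.0:*",
  "LISTEN 0 128 0.0.0.0:3030 0.0.0.0:*",
  "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
  "LISTEN 0 128 [::]:80 [::]:*",
  "LISTEN 0 128 127.0.0.1:3030 0.0.0.0:*",
].join("\n");

console.log(findExposedListeners(SAMPLE_SS_OUTPUT, "10.10.0.0/24", [80, 3030]));
```

A wildcard bind may still be filtered by the firewall, so treat a finding as a prompt to check the firewall rules as well.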

Updated Rust dependencies

With the Rust ecosystem getting more and more mature, it was time to update the dependencies. Most importantly because ed25519-dalek is now at a 1.x version. This library is an important piece for the WirtBot. It is the foundation to generate the WireGuard keys and secure the communication between Interface and WirtBot core.

What's next?

For me? A little break from coding so much on WirtBot. But I will still look at the repository on a daily basis. In addition I have created a subreddit if anyone would like to talk about the project or showcase what is possible with it.

At some point I would also like to add German on both Documentation and Interface and get the developer-docs integrated on the website. But as we say in German: “Gut Ding will Weile haben”. So do not expect this any time soon :)

That's it for this update and I hope you like what this little project has become.

Thank you for your time and if you want your own WirtBot simply head over here or here. Great things await.

Cover Photo by Tim Gouw on Unsplash
