creamlike1024/dn42-autopeer-daemon

dn42-autopeer-daemon

A small daemon that automates adding and removing dn42 peers, and provides a simple API.

Build

The program uses a bundled version of SQLite, so a C compiler is required.

You can use cargo-zigbuild to easily build the musl version.

cargo zigbuild --release --target x86_64-unknown-linux-musl

Requirements

  • Linux with systemd or Alpine Linux
  • wireguard-tools-openrc package installed (for Alpine Linux)
  • wg-quick is available
  • BIRD2 installed
  • Run as root (or grant sufficient permissions to complete all operations)

How It Works

The program assumes that you have a /etc/bird/peers folder based on the BIRD2 configuration from the DN42 wiki.

It does the following:

  • Writes peer info to peers.db
  • Generates WireGuard and BIRD configurations and places them in /etc/wireguard and /etc/bird/peers
  • On systemd-based Linux, runs systemctl start wg-quick@<interface_name> to start the tunnel and systemctl enable wg-quick@<interface_name> to enable autostart
  • On Alpine Linux (OpenRC), creates a per-interface symlink with ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.<interface_name>, then runs rc-service wg-quick.<interface_name> start to start the tunnel and rc-update add wg-quick.<interface_name> default to enable autostart
  • Runs birdc configure to reload the BIRD configuration

Limitations

The templates are limited to using WireGuard tunnels and BIRD with MP-BGP. This is currently the popular peering method in the DN42 community.

I have only tested on Debian and Alpine Linux.

Configuration

Fill in config.toml

API

  • Base URL: http://<listen_address>:<api_port>
  • Auth: add Authorization: Bearer <secret> when API.secret is set. If the header is missing or invalid, the response is 401 Unauthorized with body Unauthorized.

POST /add

Curl:

curl -sS -X POST http://127.0.0.1:4242/add \
  -H "Authorization: Bearer $SECRET" \
  -H "Content-Type: application/json" \
  -d '{
        "asn": 4242421234,
        "wireguard_endpoint": null,
        "wireguard_link_local": "fe80::beef",
        "wireguard_public_key": "<peer_public_key>",
        "wireguard_preshared_key": "<optional_preshared_key>",
        "mtu": 1420
      }'

Notes on Optional Fields:

  • wireguard_endpoint: (Optional) If omitted or set to null, the daemon configures the connection in passive mode (it listens for incoming connections but does not actively connect). If a valid endpoint address is provided (e.g., "peer.example.net:51820"), it operates in active mode. Empty strings or invalid formats are rejected.
  • wireguard_preshared_key: (Optional) If omitted or set to null, the connection will be established without a Pre-Shared Key. If a valid 32-byte Base64 encoded key is provided, the WireGuard configuration will utilize it (PresharedKey). Empty strings ("") or incorrectly formatted keys are rejected.
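
The field rules above matter because the accepted values are written into files under /etc/wireguard and /etc/bird/peers by a process running as root. The following validators are an added example, not the daemon's own code: the function names are hypothetical, and the fe80::/10 check, the 1..=65535 port range and the hostname character set are assumptions that this README does not state.

```rust
// Added example: hypothetical validators, not the daemon's own code.
use std::net::Ipv6Addr;

/// Standard padded Base64 for exactly 32 bytes: 43 symbols plus one '=' pad.
fn is_wg_key(s: &str) -> bool {
    const ALPHA: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let b = s.as_bytes();
    if b.len() != 44 || b[43] != b'=' { return false; }
    let mut last = 0;
    for c in &b[..43] {
        match ALPHA.iter().position(|a| a == c) {
            Some(v) => last = v,
            None => return false, // also rejects newlines and other control bytes
        }
    }
    // 43 symbols carry 258 bits; the two spare bits must be zero.
    (last & 0b11) == 0
}

/// "host:port" or "[ipv6]:port" with a non-empty host and a port in 1..=65535.
fn is_endpoint(s: &str) -> bool {
    let (host, port) = match s.rsplit_once(':') {
        Some(parts) => parts,
        None => return false,
    };
    let port_ok = port.bytes().all(|c| c.is_ascii_digit())
        && matches!(port.parse::<u16>(), Ok(p) if p != 0);
    let host_ok = match host.strip_prefix('[').and_then(|h| h.strip_suffix(']')) {
        Some(v6) => v6.parse::<Ipv6Addr>().is_ok(),
        None => !host.is_empty()
            && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-'),
    };
    port_ok && host_ok
}

/// Assumption: the tunnel address must fall inside fe80::/10.
fn is_link_local(s: &str) -> bool {
    matches!(s.parse::<Ipv6Addr>(), Ok(a) if (a.segments()[0] & 0xffc0) == 0xfe80)
}

/// `None` models an omitted or null optional field; `Some("")` is rejected.
fn validate_add(endpoint: Option<&str>, link_local: &str, public_key: &str,
                psk: Option<&str>) -> Result<(), &'static str> {
    if !endpoint.map_or(true, is_endpoint) { return Err("wireguard_endpoint"); }
    if !is_link_local(link_local) { return Err("wireguard_link_local"); }
    if !is_wg_key(public_key) { return Err("wireguard_public_key"); }
    if !psk.map_or(true, is_wg_key) { return Err("wireguard_preshared_key"); }
    Ok(())
}
```

`validate_add` returns the name of the first field that fails, which maps naturally onto the 400 Bad Request response listed below.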

Responses:

  • 200 OK
  • 400 Bad Request
  • 401 Unauthorized
  • 409 Conflict
  • 500 Internal Server Error

POST /del

Curl:

curl -sS -X POST http://127.0.0.1:4242/del \
  -H "Authorization: Bearer $SECRET" \
  -H "Content-Type: application/json" \
  -d '{ "asn": 4242421234 }'

Responses:

  • 200 OK
  • 400 Bad Request
  • 401 Unauthorized
  • 404 Not Found
  • 500 Internal Server Error

POST /get

Curl:

curl -sS -X POST http://127.0.0.1:4242/get \
  -H "Authorization: Bearer $SECRET" \
  -H "Content-Type: application/json" \
  -d '{ "asn": 4242421234 }'

Responses:

  • 200 OK, with header Content-Type: application/json; charset=utf-8. The body is the peer object:
    {
      "asn": 4242420253,
      "wireguard_endpoint": null,
      "wireguard_link_local": "fe80::abcd",
      "wireguard_public_key": "<peer_public_key>",
      "wireguard_preshared_key": null,
      "mtu": 1420
    }
  • 400 Bad Request
  • 401 Unauthorized
  • 404 Not Found
  • 500 Internal Server Error
