1. 16

  2. 17

    I know the author doesn’t want to use Tailscale, but they’re really, and I can’t stress this enough, really good. However, I understand that cost is a concern — perhaps headscale, an open source reimplementation of the coordination server (the proprietary stuff in Tailscale) can possibly be used instead.

    1. 1

      Or you can use good old OpenVPN. For remote access to a university network it’s more than sufficient. It’s an old, somewhat clunky tool, but it does the job.

      1. 7

        Most VPN technology, OpenVPN included, has the idea of ‘sessions’. Sessions are great in some ways but not great in others, because sessions can get broken and then you have to start over, which can often cut off any existing connections you have over the VPN session (such as ongoing ssh connections). WireGuard is appealing partly because it is completely session-less (and as a result can roam freely; your client can shift IPs without the WireGuard connection exploding). If we could provision WireGuard, I suspect this would make it a better experience for some of our users.

        (I’m the author of the linked-to entry.)

        1. 3

          I’m not sure I know exactly what problems you’re trying to solve, but you might be interested in innernet as a self-hosted WireGuard provisioning option.

          1. 1

            What do you think of


            1. 2

              Something like Drago could eventually automate provisioning clients, but it’s hard to tell how it will evolve as it gets developed more, and the tricky (and time-consuming) bit is supporting a UI and integration with WireGuard clients on all of the major platforms (Windows, macOS, iOS, Android, and ideally Linux). Drago also seems to support more flexibility than we’d use, which might be a drawback in practice.

          2. 3

            For some reason, I can’t get OpenVPN to generate WireGuard certs.

            And for that matter, OpenVPN usually relies on a local CA to generate OpenVPN certs, which is an exciting premise of its own.

            1. 1

              WireGuard used to have a line like “Don’t even attempt to generate anything with non-wireguard tools”, which at that point was really annoying for one use case I had…

        2. 1

          Wireguard client on PicoLisp + Monocypher.