Hi,

Right now, the only method for configuring peers is "push-based", i.e. using `wg` to push the public key and AllowedIPs for each peer to the running wireguard instance.

I'm toying with the idea of a pull-based model, for instance storing peer configuration in a Radius or SQL database. But it seems like an incredibly bad idea to integrate a Radius or SQL library inside the kernel.

What about having a userspace daemon that wireguard can query from kernelspace when a new peer connects? Wireguard would basically ask "Is this public key allowed to connect, and what are its AllowedIPs?". The daemon would then use whatever method it wants (flat file, SQL/Radius database, LDAP…) to determine whether the peer is allowed and its configuration.

I guess it looks a bit like the IKE daemon in IPsec (though not exactly, since wireguard handles rekeying itself), which I'm not sure is a good sign :)

Baptiste
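
The userspace decision described in the message above ("is this public key allowed, and what are its AllowedIPs?"), sketched as an added example that is not part of the original message or of WireGuard itself. The SQLite schema, the function names and the interface name `wg0` are assumptions; the kernel-to-daemon query is the proposed mechanism and is not shown, so the result is expressed as the existing push-style `wg set` arguments.

```python
import base64
import binascii
import ipaddress
import sqlite3

# Constructed sample keys: 32 arbitrary bytes, base64-encoded like WireGuard public keys.
KEY_ACTIVE = base64.b64encode(bytes(range(32))).decode()
KEY_DISABLED = base64.b64encode(bytes([0xAA]) * 32).decode()

def open_peer_db():
    """Constructed in-memory table standing in for the SQL backend (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE peers (pubkey TEXT PRIMARY KEY, allowed_ips TEXT, enabled INTEGER)")
    db.executemany("INSERT INTO peers VALUES (?, ?, ?)", [
        (KEY_ACTIVE, "10.0.0.2/32,fd00::2/128", 1),
        (KEY_DISABLED, "10.0.0.3/32", 0),
    ])
    return db

def valid_pubkey(key_b64):
    """Accept only strict base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32

def lookup_peer(db, key_b64):
    """Return the peer's AllowedIPs as networks, or None to deny (fail closed)."""
    if not valid_pubkey(key_b64):
        return None
    row = db.execute(  # parameterized: the key arrives from an unauthenticated sender
        "SELECT allowed_ips FROM peers WHERE pubkey = ? AND enabled = 1", (key_b64,)
    ).fetchone()
    if row is None:
        return None
    try:
        # strict=True rejects entries with host bits set, e.g. 10.0.0.2/24
        return [ipaddress.ip_network(n.strip(), strict=True) for n in row[0].split(",")]
    except ValueError:
        return None  # malformed database entry: deny rather than guess

def wg_set_args(iface, key_b64, nets):
    """Build the argument list for `wg set <iface> peer <key> allowed-ips <list>`."""
    return ["wg", "set", iface, "peer", key_b64, "allowed-ips", ",".join(str(n) for n in nets)]

if __name__ == "__main__":
    nets = lookup_peer(open_peer_db(), KEY_ACTIVE)
    print(wg_set_args("wg0", KEY_ACTIVE, nets))
```

Every failure path (bad key encoding, unknown or disabled peer, malformed AllowedIPs) returns a deny, so a backend error never results in a peer being admitted with default routing.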