coder
diff --git a/‎agent/agent.go
+13-11 b/‎agent/agent.go
+13-11
diff --git a/‎agent/wireguard.go
+11-13 b/‎agent/wireguard.go
+11-13
diff --git a/‎cli/agent.go
+1-1 b/‎cli/agent.go
+1-1
diff --git a/‎cli/wireguardtunnel.go
+14-12 b/‎cli/wireguardtunnel.go
+14-12
diff --git a/‎coderd/database/databasefake/databasefake.go
+19-19 b/‎coderd/database/databasefake/databasefake.go
+19-19
diff --git a/‎coderd/database/dump.sql
+3-3 b/‎coderd/database/dump.sql
+3-3
diff --git a/‎coderd/database/migrations/000028_wireguard.down.sql
+2-2 b/‎coderd/database/migrations/000028_wireguard.down.sql
+2-2
diff --git a/‎coderd/database/migrations/000028_wireguard.up.sql
+3-3 b/‎coderd/database/migrations/000028_wireguard.up.sql
+3-3
diff --git a/‎coderd/database/models.go
+20-20 b/‎coderd/database/models.go
+20-20
@@ -47,30 +47,30 @@ const (
 
 type Options struct {
 	EnableWireguard        bool
-	PostPublicKeys         PostKeys
+	UploadWireguardKeys    UploadWireguardKeys
 	ListenWireguardPeers   ListenWireguardPeers
 	ReconnectingPTYTimeout time.Duration
 	EnvironmentVariables   map[string]string
 	Logger                 slog.Logger
 }
 
 type Metadata struct {
-	Addresses            []netaddr.IPPrefix `json:"addresses"`
+	WireguardAddresses   []netaddr.IPPrefix `json:"addresses"`
 	OwnerEmail           string             `json:"owner_email"`
 	OwnerUsername        string             `json:"owner_username"`
 	EnvironmentVariables map[string]string  `json:"environment_variables"`
 	StartupScript        string             `json:"startup_script"`
 	Directory            string             `json:"directory"`
 }
 
-type PublicKeys struct {
+type WireguardPublicKeys struct {
 	Public key.NodePublic  `json:"public"`
 	Disco  key.DiscoPublic `json:"disco"`
 }
 
 type Dialer func(ctx context.Context, logger slog.Logger) (Metadata, *peerbroker.Listener, error)
-type PostKeys func(ctx context.Context, keys PublicKeys) error
-type ListenWireguardPeers func(ctx context.Context, logger slog.Logger) (<-chan peerwg.WireguardPeerMessage, func(), error)
+type UploadWireguardKeys func(ctx context.Context, keys WireguardPublicKeys) error
+type ListenWireguardPeers func(ctx context.Context, logger slog.Logger) (<-chan peerwg.Handshake, func(), error)
 
 func New(dialer Dialer, options *Options) io.Closer {
 	if options == nil {
@@ -88,7 +88,7 @@ func New(dialer Dialer, options *Options) io.Closer {
 		closed:                 make(chan struct{}),
 		envVars:                options.EnvironmentVariables,
 		enableWireguard:        options.EnableWireguard,
-		postKeys:               options.PostPublicKeys,
+		postKeys:               options.UploadWireguardKeys,
 		listenWireguardPeers:   options.ListenWireguardPeers,
 	}
 	server.init(ctx)
@@ -114,8 +114,8 @@ type agent struct {
 	sshServer     *ssh.Server
 
 	enableWireguard      bool
-	wg                   *peerwg.WireguardNetwork
-	postKeys             PostKeys
+	network              *peerwg.Network
+	postKeys             UploadWireguardKeys
 	listenWireguardPeers ListenWireguardPeers
 }
 
@@ -160,9 +160,11 @@ func (a *agent) run(ctx context.Context) {
 		}()
 	}
 
-	err = a.startWireguard(ctx, metadata.Addresses)
-	if err != nil {
-		a.logger.Error(ctx, "start wireguard", slog.Error(err))
+	if a.enableWireguard {
+		err = a.startWireguard(ctx, metadata.WireguardAddresses)
+		if err != nil {
+			a.logger.Error(ctx, "start wireguard", slog.Error(err))
+		}
 	}
 
 	for {
 
@@ -11,28 +11,26 @@ import (
 )
 
 func (a *agent) startWireguard(ctx context.Context, addrs []netaddr.IPPrefix) error {
-	if a.wg != nil {
-		_ = a.wg.Close()
-		a.wg = nil
-	}
-
-	if !a.enableWireguard {
-		return nil
+	if a.network != nil {
+		_ = a.network.Close()
+		a.network = nil
 	}
 
 	// We can't create a wireguard network without these.
 	if len(addrs) == 0 || a.listenWireguardPeers == nil || a.postKeys == nil {
 		return xerrors.New("wireguard is enabled, but no addresses were provided or necessary functions were not provided")
 	}
 
-	wg, err := peerwg.NewWireguardNetwork(ctx, a.logger.Named("wireguard"), addrs)
+	wg, err := peerwg.New(a.logger.Named("wireguard"), addrs)
 	if err != nil {
 		return xerrors.Errorf("create wireguard network: %w", err)
 	}
 
-	err = a.postKeys(ctx, PublicKeys{
-		Public: wg.Private.Public(),
-		Disco:  wg.Disco,
+	// A new keypair is generated on each agent start.
+	// This keypair must be sent to Coder to allow for incoming connections.
+	err = a.postKeys(ctx, WireguardPublicKeys{
+		Public: wg.NodePrivateKey.Public(),
+		Disco:  wg.DiscoPublicKey,
 	})
 	if err != nil {
 		a.logger.Warn(ctx, "post keys", slog.Error(err))
@@ -53,13 +51,13 @@ func (a *agent) startWireguard(ctx context.Context, addrs []netaddr.IPPrefix) er
 				}
 
 				err := wg.AddPeer(peer)
-				a.logger.Info(ctx, "added wireguard peer", slog.F("peer", peer.Public.ShortString()), slog.Error(err))
+				a.logger.Info(ctx, "added wireguard peer", slog.F("peer", peer.NodePublicKey.ShortString()), slog.Error(err))
 			}
 
 			listenClose()
 		}
 	}()
 
-	a.wg = wg
+	a.network = wg
 	return nil
 }
@@ -178,7 +178,7 @@ func workspaceAgent() *cobra.Command {
 					"CODER_AGENT_TOKEN": client.SessionToken,
 				},
 				EnableWireguard:      wireguard,
-				PostPublicKeys:       client.PostWorkspaceAgentKeys,
+				UploadWireguardKeys:  client.UploadWorkspaceAgentKeys,
 				ListenWireguardPeers: client.WireguardPeerListener,
 			})
 			<-cmd.Context().Done()
 
@@ -100,29 +100,29 @@ func wireguardPortForward() *cobra.Command {
 			}
 
 			ipv6 := peerwg.UUIDToNetaddr(uuid.New())
-			wgn, err := peerwg.NewWireguardNetwork(cmd.Context(),
+			wgn, err := peerwg.New(
 				slog.Make(sloghuman.Sink(os.Stderr)),
 				[]netaddr.IPPrefix{netaddr.IPPrefixFrom(ipv6, 128)},
 			)
 			if err != nil {
 				return xerrors.Errorf("create wireguard network: %w", err)
 			}
 
-			err = client.PostWireguardPeer(cmd.Context(), workspace.ID, peerwg.WireguardPeerMessage{
-				Recipient: workspaceAgent.ID,
-				Public:    wgn.Private.Public(),
-				Disco:     wgn.Disco,
-				IPv6:      ipv6,
+			err = client.PostWireguardPeer(cmd.Context(), workspace.ID, peerwg.Handshake{
+				Recipient:      workspaceAgent.ID,
+				NodePublicKey:  wgn.NodePrivateKey.Public(),
+				DiscoPublicKey: wgn.DiscoPublicKey,
+				IPv6:           ipv6,
 			})
 			if err != nil {
 				return xerrors.Errorf("post wireguard peer: %w", err)
 			}
 
-			err = wgn.AddPeer(peerwg.WireguardPeerMessage{
-				Recipient: workspaceAgent.ID,
-				Disco:     workspaceAgent.DiscoPublicKey,
-				Public:    workspaceAgent.WireguardPublicKey,
-				IPv6:      workspaceAgent.IPv6.IP(),
+			err = wgn.AddPeer(peerwg.Handshake{
+				Recipient:      workspaceAgent.ID,
+				DiscoPublicKey: workspaceAgent.DiscoPublicKey,
+				NodePublicKey:  workspaceAgent.WireguardPublicKey,
+				IPv6:           workspaceAgent.IPv6.IP(),
 			})
 			if err != nil {
 				return xerrors.Errorf("add workspace agent as peer: %w", err)
@@ -177,6 +177,8 @@ func wireguardPortForward() *cobra.Command {
 		},
 	}
 
+	// Hide all wireguard commands for now while we test!
+	cmd.Hidden = true
 	cmd.Flags().StringArrayVarP(&tcpForwards, "tcp", "p", []string{}, "Forward a TCP port from the workspace to the local machine")
 	cmd.Flags().StringArrayVar(&udpForwards, "udp", []string{}, "Forward a UDP port from the workspace to the local machine. The UDP connection has TCP-like semantics to support stateful UDP protocols")
 	cmd.Flags().StringArrayVar(&unixForwards, "unix", []string{}, "Forward a Unix socket in the workspace to a local Unix socket or TCP port")
@@ -185,7 +187,7 @@ func wireguardPortForward() *cobra.Command {
 }
 
 func listenAndPortForwardWireguard(ctx context.Context, cmd *cobra.Command,
-	wgn *peerwg.WireguardNetwork,
+	wgn *peerwg.Network,
 	wg *sync.WaitGroup,
 	spec portForwardSpec,
 	agentIP netaddr.IP,
 
@@ -1599,23 +1599,23 @@ func (q *fakeQuerier) InsertWorkspaceAgent(_ context.Context, arg database.Inser
 	defer q.mutex.Unlock()
 
 	agent := database.WorkspaceAgent{
-		ID:                   arg.ID,
-		CreatedAt:            arg.CreatedAt,
-		UpdatedAt:            arg.UpdatedAt,
-		ResourceID:           arg.ResourceID,
-		AuthToken:            arg.AuthToken,
-		AuthInstanceID:       arg.AuthInstanceID,
-		EnvironmentVariables: arg.EnvironmentVariables,
-		Name:                 arg.Name,
-		Architecture:         arg.Architecture,
-		OperatingSystem:      arg.OperatingSystem,
-		Directory:            arg.Directory,
-		StartupScript:        arg.StartupScript,
-		InstanceMetadata:     arg.InstanceMetadata,
-		ResourceMetadata:     arg.ResourceMetadata,
-		Ipv6:                 arg.Ipv6,
-		WireguardPublicKey:   arg.WireguardPublicKey,
-		DiscoPublicKey:       arg.DiscoPublicKey,
+		ID:                      arg.ID,
+		CreatedAt:               arg.CreatedAt,
+		UpdatedAt:               arg.UpdatedAt,
+		ResourceID:              arg.ResourceID,
+		AuthToken:               arg.AuthToken,
+		AuthInstanceID:          arg.AuthInstanceID,
+		EnvironmentVariables:    arg.EnvironmentVariables,
+		Name:                    arg.Name,
+		Architecture:            arg.Architecture,
+		OperatingSystem:         arg.OperatingSystem,
+		Directory:               arg.Directory,
+		StartupScript:           arg.StartupScript,
+		InstanceMetadata:        arg.InstanceMetadata,
+		ResourceMetadata:        arg.ResourceMetadata,
+		WireguardNodeIPv6:       arg.WireguardNodeIPv6,
+		WireguardNodePublicKey:  arg.WireguardNodePublicKey,
+		WireguardDiscoPublicKey: arg.WireguardDiscoPublicKey,
 	}
 
 	q.provisionerJobAgents = append(q.provisionerJobAgents, agent)
@@ -1920,8 +1920,8 @@ func (q *fakeQuerier) UpdateWorkspaceAgentKeysByID(_ context.Context, arg databa
 			continue
 		}
 
-		agent.WireguardPublicKey = arg.WireguardPublicKey
-		agent.DiscoPublicKey = arg.DiscoPublicKey
+		agent.WireguardNodePublicKey = arg.WireguardNodePublicKey
+		agent.WireguardDiscoPublicKey = arg.WireguardDiscoPublicKey
 		agent.UpdatedAt = database.Now()
 		q.provisionerJobAgents[index] = agent
 		return nil
 
@@ -1,4 +1,4 @@
 ALTER TABLE workspace_agents
-    DROP COLUMN ipv6,
-    DROP COLUMN wireguard_public_key,
+    DROP COLUMN wireguard_ipv6,
+    DROP COLUMN node_public_key,
     DROP COLUMN disco_public_key;
@@ -1,4 +1,4 @@
 ALTER TABLE workspace_agents
-    ADD COLUMN ipv6 inet NOT NULL DEFAULT '::/128',
-    ADD COLUMN wireguard_public_key varchar(128) NOT NULL DEFAULT 'mkey:0000000000000000000000000000000000000000000000000000000000000000',
-    ADD COLUMN disco_public_key varchar(128) NOT NULL DEFAULT 'discokey:0000000000000000000000000000000000000000000000000000000000000000';
+    ADD COLUMN wireguard_node_ipv6 inet NOT NULL DEFAULT '::/128',
+    ADD COLUMN wireguard_node_public_key varchar(128) NOT NULL DEFAULT 'mkey:0000000000000000000000000000000000000000000000000000000000000000',
+    ADD COLUMN wireguard_disco_public_key varchar(128) NOT NULL DEFAULT 'discokey:0000000000000000000000000000000000000000000000000000000000000000';