Wag Wag has enhanced WireGuard with the addition of MFA, route restriction, and device enrollment features. It allows defining routes that require MFA authorization or are always accessible, offers an easy API for client registration, and supports multiple MFA options like webauthn and oidc. A unique feature is the sponsorship from Aura Information Security. To set up Wag, requirements include installing iptables and libpam, running as root, and enabling forwarding in sysctl. The management commands allow actions like starting the server, managing devices, users, and web admins. ACL rules can be defined to control access based on routes and protocols. The most specific match governs user access levels in determining MFA requirements.
https://github.com/NHAS/wag