Score:0

WireGuard config protection


I want to set up WireGuard in the corporate network instead of OpenVPN. How can the client's config be protected from theft or loss? If the client's config falls into the wrong hands, then attackers can use it.

vidarlo
What's your threat scenario?
If a client is compromised, you remove the corresponding peer from the server configuration. Now that client will no longer be able to connect.
picapica
@larsks If there are more than 300 customers and one of the users leaves the WireGuard config on the desktop in an Internet cafe and someone has connected with it, how can you then understand that the config is discredited?
Nikita Kipriyanov
In the question you talk about corporate network, in the comment about "customer" and "Internet cafe". Please, pick one. In the case of corporate network you can (and should) have a security policy in which the employee is responsible for the security of the VPN key they possess. Notice that this is equally applicable to WireGuard, OpenVPN or any other VPN solution.
This is a woefully inadequate VPN that allows an endpoint on an internal network with only one factor of authentication. Or even basic endpoint health checks. Or anything besides "we're dropping bad stuff on our heads and expect a technology solution for that".
Score:1

The wg set wg0 private-key command can get the private key from anywhere; it doesn't need to be a local file stored on disk. So for instance if you stored the private key as a GPG-encrypted file, you could do something like this:

wg set wg0 private-key <(gpg -d private.key.gpg)

This way the private key is always stored on disk encrypted; if the client device is compromised, the key remains protected.

This article explores this solution in more detail as well as some variations on the theme involving password stores and yubikeys.

These solutions all mean that bringing up the VPN requires some sort of user interaction.
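As an added example (not code from the answer's author or the linked article), a small POSIX shell script that audits a wg-quick client config for a plaintext PrivateKey line and rewrites it so the key is instead loaded at bring-up from a GPG-encrypted file through a PostUp hook, using the `wg set ... private-key <(gpg -d ...)` pattern above. The sample config, key placeholders and the path `/etc/wireguard/wg0.key.gpg` are constructed assumptions; it also assumes wg-quick brings the interface up without a PrivateKey line and runs PostUp under bash, where process substitution is available.

```shell
#!/bin/sh
# Constructed sample wg-quick client config; the keys are placeholders, not real key material.
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
Address = 10.8.0.2/32

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24'

# Returns 0 when the config file still carries its private key in plaintext, 1 otherwise.
# Useful as a pre-deployment check: a client config that passes this should never be shipped.
has_plaintext_key() {
    grep -qiE '^[[:space:]]*PrivateKey[[:space:]]*=' "$1"
}

# Prints a rewritten config: the PrivateKey line is dropped and a PostUp hook is added to
# [Interface] that decrypts the key with gpg and hands it to wg over a file descriptor, so the
# plaintext key never sits on disk. wg-quick replaces %i with the interface name (assumed).
strip_private_key() {
    conf="$1"; encrypted="$2"
    awk -v enc="$encrypted" '
        /^[ \t]*PrivateKey[ \t]*=/ { next }   # remove the plaintext key line
        /^[ \t]*\[Interface\]/ {
            print
            print "PostUp = wg set %i private-key <(gpg -d " enc ")"
            next
        }
        { print }
    ' "$conf"
}

# Usage: write the sample to a temp file, audit it, and emit the hardened version.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    has_plaintext_key "$tmp" && echo "plaintext PrivateKey found, rewriting" >&2
    strip_private_key "$tmp" /etc/wireguard/wg0.key.gpg
    rm -f "$tmp"
fi
```

The rewritten config still needs the encrypted key file deployed alongside it, and bringing the tunnel up will prompt for the GPG passphrase, which is exactly the user interaction the answer mentions.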
