WireGuard user authentication

wireguard

I've read the WireGuard specification, and it looks like WireGuard doesn't natively support any kind of user authentication (e.g. LDAP or something like that). Any client which has the server's public key, and whose IP address is whitelisted in the server configuration, can connect.

Does anyone know about any WireGuard extension or implementation which provides user authentication?

Best Answer

Each side of the tunnel has its own generated key and derived public key (defined as "peer" on the other side of the connection). To act as you are writing, you would need to share the private key between the "clients", which is the worst you can do (technically you can, but I hope nobody would even think about that).

Let's think about "client vs. server" roles:

server

owns secret key
has list of all possible peers / users
each client is represented by own peer definition on the server side with the relevant public key of the client

client

owns secret key
one peer definition with the public key of the server

We can say that the client is authenticated using one factor authentication and the authentication is realized using the public key of the client.

Granting access to a new client means to add a peer definition to the server side (can be realized without restarting VPN / without breaking all current VPN sessions).
Revoking access for the current client means removing the peer definition on the server side (again, it can be done also without restarting VPN - closing all current sessions).

If I correctly understood your question this "feature" is present in WireGuard out of the box without any needs of extensions.

Related Solutions

Ubuntu VPN – Troubleshooting WireGuard VPN Setup Issues

Well, in several of days, nights, and killed servers, I solved all the problems myself :)

Firstly, I'd like to mention that wg and wg-quick utilities treats config files differently. So, my wg setconf wg0 /etc/wireguard/wg0.conf didn't work the expected way, and I guess it uses old config format. Now I use wg-quick through systemctl.
Secondly, my addition of net.ipv4.ip_forward=1 to the file /etc/sysctl.conf didn't work even though I called systemctl daemon-reload ; systemctl restart systemd-networkd. I had to link config with the kernel using sysctl -p /etc/sysctl.conf command. This allows peers to communicate with each other and reach the Internet through VPN.
It's good to mention that for all the Address notes it's better to use subnet mask of 32 bits, which means an exact IP, not a range.
In addition, I've set up custom DNS with BIND9 to create own domain in the network. And NginX with sender's IP address checking to restrict access to VPN's clients only.

For now, my configs are as follows.

Server

[Interface]
Address = 10.0.0.1/32
ListenPort = 5555
PrivateKey = ___some_private_key___

# The following is needed only if you have `ufw` installed
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.1/32

Client

[Interface]
PrivateKey = ___some_private_key___
ListenPort = 5555
Address = 10.0.0.1/32

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.0/24
Endpoint = ___some_ip_address__:5555

Wireguard VPN – Fix Handshake Failure with Second Peer Due to Private Key

Thanks to wireguard's IRC channel #wireguard members, finally the problem has been solved.

To fix it, the public key in two server's [Peer] must be same.

In my example, I had to put "l7YElLKnNWLUmohKpR+rQDORLmXm5geAivz9AzbbvkE=" in server 1 [Peer] PublicKey field.

This fixed the problem.

Best Answer

Related Solutions

Ubuntu VPN – Troubleshooting WireGuard VPN Setup Issues

Wireguard VPN – Fix Handshake Failure with Second Peer Due to Private Key

Related Topic