
Wireguard keyPair per interface
Open, Requires assessment | Public | FEATURE REQUEST



I was wondering why there is only one key pair for the whole system. In a normal WireGuard config there is one private key per interface. I think it's always best to stay as close to spec as possible. I would greatly appreciate the feature, and because of that I would gladly help to implement it. I looked at the files concerned and don't think the needed changes would be huge or even have a big impact on normal operations.

Thanks in advance


Difficulty level: Easy (less than an hour)
Why the issue appeared?: Will be filled on close

Event Timeline

jonaswre created this object in space S1 VyOS Public.
afics added a subscriber: afics. (Fri, Aug 9, 10:18 AM)

I second this; I would like to be able to set up different keys for multiple WireGuard interfaces too.

Best Regards,

pasik added a subscriber: pasik. (Fri, Aug 9, 10:28 AM)
jonaswre updated the task description. (Fri, Aug 9, 10:34 AM)
runar added a subscriber: runar. (Fri, Aug 9, 12:01 PM)

This sounds like a good improvement!

I propose to create a concept of "named key-pairs": a key-pair could be used on one or multiple interfaces as the user wishes. And if the user doesn't specify a key, a default key is selected for him. Also, when specifying a non-existent key-pair, the key-pair could be auto-generated with that name.

hagbard added a subscriber: hagbard. (Fri, Aug 9, 2:34 PM)

I don't think it's a good idea, for several reasons.

@jonaswre Can you please point me to the specs where it recommends using its own private key for each interface?

jonaswre added a comment. (Edited, Thu, Aug 15, 7:11 AM)

@hagbard It's not stated that you MUST use a new private key for each interface. But it states that

[e]ach network interface has a private key [...] ⇒ Cryptokey Routing

To set a private key for each interface only makes sense when you are allowed to use different keys for different interfaces. If there were any drawback in using multiple keys, they would have just omitted the "privateKey" in the config file and set it globally. Since they didn't do that, I can't imagine there is one. But I would be interested in learning what drawbacks you see that the developers don't see.

Another quote from the papers:

The interface itself has a private key [...] ⇒ Cryptokey Routing [p.4]

I think it is a bad idea to use a single key for all tunnels. If you need to change your key on one interface, that would mean disabling all other connections until it is changed everywhere. And since a normal WireGuard install lets you set a private key per interface, why shouldn't you be able to do that on VyOS?

@runar I would second the "named key-pairs" idea; I had the same in mind. But I wouldn't make auto-generation a high priority.


[e]ach network interface has a private key [...]

Where does it say that you need a different private key for another interface?

The big disadvantage is if you deal with many WireGuard users, with multiple interfaces and crypto routing. You will need to identify the correct key for each connection terminating on an interface, the correct port (endpoint as well) and the IP addresses (allowed-ips, both IPv6 and IPv4). That's the first hassle. Now let's imagine one private key might have been compromised, let's say out of 500 interfaces, and each interface, let's say, has 10 peers. With a single pK, a job of a few minutes, since you can share the public key with your peer publicly.

As I said before, I don't see any benefit, nor did I find any specification that a new wg interface would need its own key.

runar added a subscriber: zx2c4. (Fri, Aug 16, 9:30 AM)

Maybe you could comment on this @zx2c4 ?

zx2c4 added a comment. (Fri, Aug 23, 7:17 AM)

Don't use the same private key in two places at the same time. This means it's not a good idea to copy private keys between computers and use them in two places, and probably also means you shouldn't assign the private key to two interfaces on the same computer at the same time, unless you have a really particular and weird setup and know precisely the implications of it. Doesn't sound like that's the case here. So you're probably best doing a private key per interface.
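As an added example (not VyOS code and not anything posted in this task), the following Python sketches runar's "named key-pairs" proposal together with the per-interface rotation point made earlier in the thread: a store maps a name to one private key, each interface references a key by name, an interface with no name gets the `default` key, an unknown name is auto-generated, and rotating a named key reports which interfaces must hand a new public key to their peers. The `KeyStore`/`KeyPair` names and the interface-to-key-name mapping are hypothetical; the X25519 routine follows RFC 7748 so the block runs offline, but it is not constant-time and is for demonstration only.

```python
"""Named WireGuard key-pairs resolved per interface (added example, hypothetical API)."""
import base64
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# X25519 per RFC 7748 section 5, in pure Python so this runs without dependencies.
# Not constant-time: fine for a demonstration, not for production use.
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(k: int) -> int:
    """decodeScalar25519: clear bits 0-2 and bit 255, set bit 254."""
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (Montgomery ladder from RFC 7748)."""
    k = _clamp(int.from_bytes(scalar, "little"))
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    """WireGuard public key: X25519(private, base point 9)."""
    return x25519(private_key, BASE_POINT)


def generate_private_key() -> bytes:
    """Same shape as `wg genkey`: 32 random bytes, clamped."""
    return _clamp(int.from_bytes(os.urandom(32), "little")).to_bytes(32, "little")


@dataclass(frozen=True)
class KeyPair:
    name: str
    private: bytes

    @property
    def public(self) -> bytes:
        return public_key(self.private)

    @property
    def public_b64(self) -> str:  # the value you hand to peers
        return base64.b64encode(self.public).decode()


class KeyStore:
    """Hypothetical store for the 'named key-pairs' concept."""
    DEFAULT = "default"

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def add(self, name: str, private_key: bytes) -> None:
        if len(private_key) != 32:
            raise ValueError("WireGuard private keys are 32 bytes")
        self._keys[name] = private_key

    def names(self) -> List[str]:
        return sorted(self._keys)

    def resolve(self, name: Optional[str]) -> KeyPair:
        """No key name on the interface -> 'default'; unknown name -> auto-generated."""
        name = name or self.DEFAULT
        if name not in self._keys:
            self._keys[name] = generate_private_key()
        return KeyPair(name, self._keys[name])

    def rotate(self, name: str, interfaces: Dict[str, Optional[str]]) -> List[str]:
        """Replace one private key; return the interfaces whose peers need the new public key."""
        self._keys[name] = generate_private_key()
        return sorted(i for i, k in interfaces.items() if (k or self.DEFAULT) == name)


if __name__ == "__main__":
    store = KeyStore()
    # Constructed sample: wg0 and wg2 share a named key, wg1 has its own, wg3 uses the default.
    interfaces = {"wg0": "site-a", "wg1": "site-b", "wg2": "site-a", "wg3": None}
    for iface, key_name in interfaces.items():
        kp = store.resolve(key_name)
        print(f"{iface}: key '{kp.name}' public {kp.public_b64}")
    print("rotating site-a affects:", store.rotate("site-a", interfaces))
```

With one key name per interface, `rotate()` reports exactly one interface; with every interface left on `default`, it reports all of them, which is the "disable everything until changed everywhere" situation described above. The store deliberately never prints or logs private key bytes, only the derived public key.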