
Sep 25 2019

jonaswre added a comment to T1572: Wireguard keyPair per interface.

It's not so much the implementation as I wrote before, it just doesn't seem beneficial. It gets implemented anyway, but I try to understand why a user would like to use that. The private key is by the way no identity and also won't interfere with multiple VPN peers if you are using only one pk. On IP:12345 arrives an encrypted packet, it is simply decrypted using your pk. If it works it's given to your kernel netlink interface as far as I recall and routed there, so no verification of the private key anywhere. If it can't be decrypted, it's discarded. If you have multiple wg interfaces, your 'crypto routing' either allows the traffic to the peer or discards it if it doesn't fit, the private key has nothing to do with that, since the public key of your peer is used to encrypt it. Summary, I still can't see any benefit having that, which doesn't mean that I won't implement it.

Sep 25 2019, 4:56 PM · VyOS 1.3 Equuleus

Sep 6 2019

jonaswre added a comment to T1572: Wireguard keyPair per interface.

@hagbard the private key should stay where it's generated. But that's not the point. The point @zx2c4 and I are making is that each interface represents a different identity. There are only some special cases where you would need the same private key on two interfaces. Usually you would just add all peers that connect with the same public key to the same interface. You only need a second interface if there is a second identity you want to assume. For example wg01 might be used to connect to your workplace and wg02 to a VPN service. In that case you would want peers in wg01 and wg02 to know you under different identities.

Sep 6 2019, 9:16 AM · VyOS 1.3 Equuleus

Aug 15 2019

jonaswre added a comment to T1572: Wireguard keyPair per interface.

@hagbard It's not stated that you MUST use a new private key for each interface. But it states that

[e]ach network interface has a private key [...] ⇒ Cryptokey Routing

To set a private key for each interface only makes sense when you are allowed to use different keys for different interfaces. If there would be any withdraw in using multiple keys they would have just omitted the "privateKey" in the config file and set it globally. Since they didn't do that I can't imagine there is one. But I would be interested in learning what withdraws you see that the developers don't see.

Aug 15 2019, 7:11 AM · VyOS 1.3 Equuleus

Aug 9 2019

jonaswre updated the task description for T1572: Wireguard keyPair per interface.
Aug 9 2019, 10:34 AM · VyOS 1.3 Equuleus
jonaswre created T1572: Wireguard keyPair per interface in the S1 VyOS Public space.
Aug 9 2019, 9:46 AM · VyOS 1.3 Equuleus