Use private PSKs for each client instead of a single global key.

Easy-wg-quick configures WireGuard to work in an optional pre-shared key mode.
The PSK is mixed in with the public-key cryptography. This patch removes the global
`wgpsk.key` file and switches to using a per-client pre-shared key. After this
change, each client knows only its own PSK.
This commit is contained in:
Krzysztof Burghardt 2022-05-19 12:36:26 +02:00
parent 9bd43e029d
commit c798a1dc2e
No known key found for this signature in database
GPG Key ID: DAEF40729813AE81
5 changed files with 18 additions and 11 deletions

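--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.bak
 *.conf
 *.key
+*.psk
 *.txt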


@ -98,7 +98,6 @@ Following command will create `wgclient_client_name.conf` file.
``` ```
No seqno.txt... creating one! No seqno.txt... creating one!
No wgpsk.key... creating one!
No wghub.key... creating one! No wghub.key... creating one!
No wghub.conf... creating one! No wghub.conf... creating one!
Wireguard hub address is 10.13.1.140:51820 on wlp9s0. Wireguard hub address is 10.13.1.140:51820 on wlp9s0.


@ -257,11 +257,6 @@ get_ipv6_mode() {
cat ipv6mode.txt cat ipv6mode.txt
} }
create_psk() {
echo "No wgpsk.key... creating one!"
wg genpsk > wgpsk.key
}
create_hub_key() { create_hub_key() {
echo "No wghub.key... creating one!" echo "No wghub.key... creating one!"
wg genkey > wghub.key wg genkey > wghub.key
@ -382,7 +377,7 @@ MTU = $INT_NET_MTU
[Peer] [Peer]
PublicKey = $(wg pubkey < wghub.key) PublicKey = $(wg pubkey < wghub.key)
PresharedKey = $(cat wgpsk.key) PresharedKey = $(wg genpsk | tee "wgclient_$CONF_NAME.psk")
AllowedIPs = $INT_NET_CLINET_ALLOWEDIPS AllowedIPs = $INT_NET_CLINET_ALLOWEDIPS
Endpoint = $EXT_NET_IP:$EXT_NET_PORT Endpoint = $EXT_NET_IP:$EXT_NET_PORT
PersistentKeepalive = 25 PersistentKeepalive = 25
@ -420,7 +415,7 @@ $(allowedips_to_uci_list "$INT_NET_CLINET_ALLOWEDIPS")
option endpoint_port '$EXT_NET_PORT' option endpoint_port '$EXT_NET_PORT'
option persistent_keepalive '25' option persistent_keepalive '25'
option public_key '$(wg pubkey < wghub.key)' option public_key '$(wg pubkey < wghub.key)'
option preshared_key '$(cat wgpsk.key)' option preshared_key '$(cat "wgclient_$CONF_NAME.psk")'
EOF EOF
} }
@ -439,7 +434,7 @@ add_client_to_hub_conf() {
# $SEQNO: $CONF_NAME > wgclient_$CONF_NAME.conf # $SEQNO: $CONF_NAME > wgclient_$CONF_NAME.conf
[Peer] [Peer]
PublicKey = $(wg pubkey < "wgclient_$CONF_NAME.key") PublicKey = $(wg pubkey < "wgclient_$CONF_NAME.key")
PresharedKey = $(cat wgpsk.key) PresharedKey = $(cat "wgclient_$CONF_NAME.psk")
AllowedIPs = $INT_NET_ADDRESS$SEQNO$INT_NET_ADDRESS_MASK$($NET6 && echo ", $INT_NET6_ADDRESS$1$INT_NET6_ADDRESS_MASK") AllowedIPs = $INT_NET_ADDRESS$SEQNO$INT_NET_ADDRESS_MASK$($NET6 && echo ", $INT_NET6_ADDRESS$1$INT_NET6_ADDRESS_MASK")
EOF EOF
if $NET6 && test "$NET6MODE" = "proxy_ndp"; then if $NET6 && test "$NET6MODE" = "proxy_ndp"; then
@ -561,7 +556,6 @@ main() {
SEQNO="$(get_seq_no)" SEQNO="$(get_seq_no)"
test -f portno.txt || create_port_no test -f portno.txt || create_port_no
EXT_NET_PORT="$(get_port_no)" EXT_NET_PORT="$(get_port_no)"
test -f wgpsk.key || create_psk
test -f wghub.key || create_hub_key test -f wghub.key || create_hub_key
test -f wghub.conf || create_hub_conf test -f wghub.conf || create_hub_conf
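Review bot: In the hunk at old line 382 (the client config template), `PresharedKey = $(wg genpsk | tee "wgclient_$CONF_NAME.psk")` generates the secret inside a here-doc substitution where a failing `wg genpsk` is masked by tee's exit status and nothing checks the result, so the .psk file and the client config would silently get an empty key and the later `$(cat "wgclient_$CONF_NAME.psk")` in add_client_to_hub_conf would propagate that emptiness into the hub peer entry. The .psk file is also created with whatever umask the process has rather than an explicit mode, so unless the script sets a restrictive umask earlier (not visible in this diff) the per-client PSK may be group- or world-readable; the pre-existing `wg genkey > wghub.key` has the same property, so one fix could cover both. Suggest generating the key as a guarded step before the here-doc, mirroring create_hub_key, e.g. `test -f "wgclient_$CONF_NAME.psk" || (umask 077; wg genpsk > "wgclient_$CONF_NAME.psk") || exit 1` and then `PresharedKey = $(cat "wgclient_$CONF_NAME.psk")` in the template, which also makes the client and hub templates read the key the same way. The functions enclosing these hunks begin and end outside the visible lines.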

13
tests/no_global_psk.bats Executable file

@ -0,0 +1,13 @@
#!/usr/bin/env bats
load teardown setup
@test "run to check for private psk" {
run ../easy-wg-quick private_psk
[ "$status" -eq 0 ]
[ "${#lines[@]}" -gt 10 ]
run test -f wgclient_private_psk.psk
[ "$status" -eq 0 ]
run test -f wgpsk.key
[ "$status" -eq 1 ]
}
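Review bot: The new test only checks that `wgclient_private_psk.psk` exists (`run test -f wgclient_private_psk.psk`), not that it holds a key or that the generated client config actually uses it, so an empty file left by a failed `wg genpsk` would still pass. Consider adding `[ -s wgclient_private_psk.psk ]` and `grep -qF -- "$(cat wgclient_private_psk.psk)" wgclient_private_psk.conf` (the config name follows the README's `wgclient_client_name.conf` pattern; `-F` because the base64 key may contain regex metacharacters). If add_client_to_hub_conf appends to wghub.conf — its output target is not visible in this diff — the same grep against that file would confirm both sides share the key.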


@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
teardown() { teardown() {
rm -f ./*.bak ./*.conf ./*.key ./*.txt rm -f ./*.bak ./*.conf ./*.key ./*.psk ./*.txt
} }