WireGuard user authentication
I've read the WireGuard specification, and it looks like it doesn't natively support any kind of user authentication (i.e. LDAP or something like that). Any client which has the server's public key, and whose IP address is whitelisted in the server configuration, can connect.
Does anyone know about any WireGuard extension / implementation which does provide a user authentication feature?
Thanks!
wireguard
asked Jan 13 at 8:00
Aleksandar Pesic
1 Answer
Each side of the tunnel has its own generated key and derived public key (defined as a "peer" on the other side of the connection). To do what you are describing you would have to share the private key between the "clients", which is the worst thing you can do (technically you can, but I hope nobody would even think about that).
Let's think about "client vs. server" roles.
server
- own secret key
- list of all possible peers / users
- each client is represented by its own peer definition on the server side with the relevant public key of the client
client
- own secret key
- one peer definition with the public key of the server
We can say that the client is authenticated using one-factor authentication, and the authentication is realized using the public key of the client.
Granting access to a new client means adding a peer definition on the server side (this can be done without restarting the VPN / without breaking all current VPN sessions).
Revoking access for a current client means removing the peer definition on the server side (again, it can be done without restarting the VPN and closing all current sessions).
If I correctly understood your question, this "feature" is present in WireGuard out of the box without any need for extensions.
answered 2 mins ago
Kamil J
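The peer-list model the answer describes, as an added example that is not part of the original answer or of the WireGuard project: a Python script that treats the server's `[Peer]` entries as the access list, grants or revokes a client by its public key, and emits the `wg set` command that applies the same change to the running interface without restarting it. The interface name, the config contents, the keys and the addresses are constructed assumptions; only the `wg set ... peer ... allowed-ips` / `peer ... remove` command forms are real.

```python
"""Manage WireGuard peers as the server's access-control list.

Added example (not code from the original post). A WireGuard server has
no user database: the [Peer] entries in its config, one per client public
key, decide who may complete a handshake. Granting or revoking a client is
therefore adding or deleting a peer, which `wg set` can do on the live
interface without tearing it down or dropping the other peers' sessions.

Interface name, file contents, keys and addresses below are constructed
sample data, not taken from the original page.
"""
import base64
import re
import subprocess

IFACE = "wg0"  # assumed interface name


def fake_key(fill):
    """Deterministic 32-byte placeholder key, base64 like `wg genkey` output."""
    return base64.b64encode(bytes([fill]) * 32).decode()


# Constructed sample server config with one existing client ("alice").
SAMPLE_CONF = f"""[Interface]
PrivateKey = {fake_key(0x10)}
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
# alice
PublicKey = {fake_key(0x01)}
AllowedIPs = 10.8.0.2/32
"""


def parse(text):
    """Split an INI-style wg config into [{'name': ..., 'lines': [...]}]."""
    sections = []
    for line in text.splitlines():
        m = re.fullmatch(r"\s*\[(\w+)\]\s*", line)
        if m:
            sections.append({"name": m.group(1), "lines": []})
        elif sections and line.strip():
            sections[-1]["lines"].append(line.strip())
    return sections


def field(section, key):
    """Value of `key = value` inside one section, or None."""
    for line in section["lines"]:
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip()
    return None


def validate_key(key):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"not base64: {key!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"key must be 32 bytes, got {len(raw)}")
    return key


def peers(conf):
    """Map public key -> section for every [Peer]; this is the access list."""
    return {field(s, "PublicKey"): s for s in conf if s["name"] == "Peer"}


def grant(conf, pubkey, allowed_ips, comment=""):
    """Add a client to the config; return the `wg set` command applying it live."""
    validate_key(pubkey)
    current = peers(conf)
    if pubkey in current:
        raise ValueError("peer already present; one key identifies one client")
    # Cryptokey routing hands an AllowedIP to whichever peer claimed it last,
    # so a clash would silently steal another client's route: refuse it.
    for k, s in current.items():
        if allowed_ips in (field(s, "AllowedIPs") or "").replace(" ", "").split(","):
            raise ValueError(f"{allowed_ips} already routed to peer {k[:8]}...")
    lines = ([f"# {comment}"] if comment else []) + [
        f"PublicKey = {pubkey}", f"AllowedIPs = {allowed_ips}"]
    conf.append({"name": "Peer", "lines": lines})
    return ["wg", "set", IFACE, "peer", pubkey, "allowed-ips", allowed_ips]


def revoke(conf, pubkey):
    """Remove a client; the live command also ends its current session."""
    if pubkey not in peers(conf):
        raise KeyError("no such peer")
    conf[:] = [s for s in conf if field(s, "PublicKey") != pubkey]
    return ["wg", "set", IFACE, "peer", pubkey, "remove"]


def render(conf):
    """Serialize sections back to the config-file format."""
    return "\n".join(f"[{s['name']}]\n" + "\n".join(s["lines"]) + "\n" for s in conf)


def apply_live(cmd, dry_run=True):
    """Run the `wg set` command (needs root and the wg tool); dry run by default."""
    if not dry_run:
        subprocess.run(cmd, check=True)
    return " ".join(cmd)


if __name__ == "__main__":
    conf = parse(SAMPLE_CONF)
    bob = fake_key(0x02)
    print(apply_live(grant(conf, bob, "10.8.0.3/32", "bob")))  # bob can now connect
    print(apply_live(revoke(conf, fake_key(0x01))))             # alice is cut off
    print(render(conf))
```

Editing the file alone changes nothing on the running interface; the returned `wg set` command is what takes effect immediately, and the rewritten file is what survives the next restart. Both halves must be applied, or the access list will drift between the two.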