Encrypt config/private key or Read config in another way
Tagged: encryption, security, Wiresock
- This topic has 1 reply, 2 voices, and was last updated 11 months, 1 week ago by Vadim Smirnov.
January 20, 2024 at 4:43 pm #13511
Hi! Just discovered wiresock as an alternative wireguard client and it looks great 😀
So far I use Linux only; however, I now have a requirement to use WireGuard on Windows devices and have struggled with securing the config / private key.
On Linux I am able to leave my private key out of the config file and instead use a PostUp command to read the private key from another gpg-encrypted file, which then uses the wg program to update the tunnel.
This lets me keep the privatekey encrypted and requires me to enter a password to decrypt it.
I prefer this method as it makes me enter a separate password to unlock the key rather than having my current login automatically unlock it. Also with gpg I can set it to require the password again if I get disconnected and need to reconnect.
It looks something like this:
PostUp = wg set tunnelname private-key <(gpg -d /path/to/encrypted/private/key)
Both PostUp and wg.exe are available in the wireguard official windows client, so I tried:
FOR /F %i IN ('gpg -d "c:\path\to\gpg\file"') DO wg.exe set wg2 private-key %i
Which would decrypt the file with the private-key and then pass that value to the wg.exe command. But, wg.exe acts differently on windows and requires a file passed to it rather than the key itself.
I’m wondering if there is any way to use wiresock-client to set the private key outside of the config file, specifically by passing a value to it, such as a variable set by another command like the one above.
Or even a way to read in an entire config from a variable or output of an external command such as “gpg -d filename”.
Thanks!
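For the Windows side of the question above, here is an added example (not part of the original post, and not WireSock's or WireGuard's own code) of a PostUp-style helper for the official WireGuard Windows client. It works around the difference the poster ran into: wg.exe on Windows wants a path to a file holding the key, not the key value itself, so the script decrypts the key with gpg into a temporary file readable only by the current account, hands that path to wg.exe, then overwrites and deletes the file. The tunnel name wg2 and the path C:\keys\wg2.key.gpg are assumptions for illustration.

```powershell
# Added example, not from the original thread or from WireSock/WireGuard.
# Keeps the WireGuard private key out of the tunnel .conf by decrypting it at
# PostUp time. Unlike the Linux  wg set ... private-key <(gpg -d ...)  trick,
# wg.exe on Windows needs a file, so the plaintext key briefly touches disk;
# the script limits that exposure with a per-user ACL, a scrub and a delete.
# Assumed names: tunnel 'wg2', encrypted key 'C:\keys\wg2.key.gpg'.

param(
    [string]$Tunnel = 'wg2',
    [string]$EncryptedKey = 'C:\keys\wg2.key.gpg'
)

$ErrorActionPreference = 'Stop'

# Random file name in the user's temp directory.
$tmp = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType File -Path $tmp | Out-Null

# Drop inherited ACEs and grant access only to the current account.
$acl = Get-Acl -Path $tmp
$acl.SetAccessRuleProtection($true, $false)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $tmp -AclObject $acl

try {
    # gpg prompts for the passphrase through pinentry as usual; -o writes the
    # plaintext straight to the protected file, --yes allows overwriting it.
    & gpg --yes -o $tmp -d $EncryptedKey
    if ($LASTEXITCODE -ne 0) { throw "gpg failed to decrypt $EncryptedKey" }

    # wg.exe expects a path to a file containing the base64 private key.
    & wg.exe set $Tunnel private-key $tmp
    if ($LASTEXITCODE -ne 0) { throw "wg.exe set failed for tunnel $Tunnel" }
}
finally {
    # Best-effort scrub before deletion (no guarantee on SSDs or journaling
    # file systems, which is why this is weaker than never writing the key).
    if (Test-Path $tmp) {
        $len = (Get-Item $tmp).Length
        [System.IO.File]::WriteAllBytes($tmp, (New-Object byte[] $len))
        Remove-Item -Path $tmp -Force
    }
}

# Example PostUp line for the tunnel .conf (path to this script is assumed):
# PostUp = powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\keys\set-wg-key.ps1 -Tunnel wg2
```

Two caveats when using this. The official WireGuard Windows client ignores PostUp/PreUp/PostDown/PreDown lines unless the registry value HKLM\Software\WireGuard\DangerousScriptExecution is set to DWORD 1, and those scripts then run with the tunnel service's privileges, so the script file itself must be protected as carefully as the key. And as the reply below this post states, WireSock reads the private key only from its config file, so this approach applies to the official client, not to wiresock-client.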
January 24, 2024 at 11:28 am #13513
Presently, Wiresock doesn’t support passing the private key in any way other than directly through the config file. While the core library technically allows for such functionality, it hasn’t been implemented in the current version of the software. However, it’s worth noting that this feature might be considered for future versions of Wiresock.
In the meantime, you may want to explore the configuration encryption method introduced in the “Encrypting/Securing the WireSock Config File” thread. This method involves encrypting the configuration file using LocalSystem credentials and storing it in a secure folder, offering a viable solution to protect your WireGuard network’s configuration until more flexible key handling options become available.