WireGuard user authentication
I've read the WireGuard specification, and it looks like WireGuard doesn't natively support any kind of user authentication (e.g. LDAP or something like that). Any client which has the server's public key, and whose IP address is whitelisted in the server configuration, can connect.
Does anyone know about any WireGuard extension or implementation which provides user authentication?
Each side of the tunnel has its own generated key and derived public key (defined as "peer" on the other side of the connection). To act as you are writing, you would need to share the private key between the "clients", which is the worst you can do (technically you can, but I hope nobody would even think about that).
Let's think about "client vs. server" roles:
server
- owns secret key
- has list of all possible peers / users
- each client is represented by own peer definition on the server side with the relevant public key of the client
client
- owns secret key
- one peer definition with the public key of the server
We can say that the client is authenticated using one factor authentication and the authentication is realized using the public key of the client.
- Granting access to a new client means to add a peer definition to the server side (can be realized without restarting VPN / without breaking all current VPN sessions).
- Revoking access for the current client means removing the peer definition on the server side (again, it can be done also without restarting VPN - closing all current sessions).
If I correctly understood your question this "feature" is present in WireGuard out of the box without any needs of extensions.
As @Kamil says, WireGuard's concept is a bit different than other VPN solutions. I also started using it not a long time ago, and if you want to implement something that uses existing authentication, you can get it the way that I've seen in some projects:
- Authenticate your users with your preferred method, plus 2FA, whatever you want.
- After the user is authenticated, the client generates a temporary key pair.
- Through a secure connection, client sends the public key to the server, fetches their config (endpoint, server public key, etc...)
- The client connects to the VPN
- When the user logs out or the session expires, the server can remove the peer from the WireGuard endpoint.
All of this of course can be automated on the client and server side.