WireGuard user authentication

wireguard

I've read the WireGuard specification, and it looks like WireGuard doesn't natively support any kind of user authentication (e.g. LDAP or something like that). Any client which has the server's public key, and whose IP address is whitelisted in the server configuration, can connect.

Does anyone know about any WireGuard extension or implementation which provides user authentication?


Each side of the tunnel has its own generated key and derived public key (defined as "peer" on the other side of the connection). To act as you are writing, you would need to share the private key between the "clients", which is the worst you can do (technically you can, but I hope nobody would even think about that).

Let's think about "client vs. server" roles:

server

  • owns secret key
  • has list of all possible peers / users
  • each client is represented by own peer definition on the server side with the relevant public key of the client

client

  • owns secret key
  • one peer definition with the public key of the server

We can say that the client is authenticated using one factor authentication and the authentication is realized using the public key of the client.

  • Granting access to a new client means to add a peer definition to the server side (can be realized without restarting VPN / without breaking all current VPN sessions).
  • Revoking access for the current client means removing the peer definition on the server side (again, it can be done also without restarting VPN - closing all current sessions).

If I correctly understood your question this "feature" is present in WireGuard out of the box without any needs of extensions.


As @Kamil says, WireGuard's concept is a bit different than other VPN solutions. I also started using it not a long time ago, and if you want to implement something that uses existing authentication, you can get it the way that I've seen in some projects:

  • Authenticate your users with your preferred method, plus 2FA, whatever you want.
  • After the user is authenticated, the client generates a temporary key pair.
  • Through a secure connection, client sends the public key to the server, fetches their config (endpoint, server public key, etc...)
  • The client connects to the VPN
  • When the user logs out or the session expires, the server can remove the peer from the WireGuard endpoint.

All of this of course can be automated on the client and server side.

Related

Disabling the Azure AD cloud only account?
Any point in running containers as non-root on openshift
How to set value of ipa_hostname directive in sssd.conf using Augeas
nginx prevent cache for proxy/fast_cgi on response 5xx
How can I use IIS administration commandlets on Windows Server 2012 R2?
DDOS Attack to http server and iptables doesn't help (i have access_log) [duplicate]
How to implement a uptime-monitoring and forced shutdown after a defined uptime with notifications and countdown [closed]
How do you port forward a privileged sub-1024 port to a non-privileged 1024+ port with firewalld?
Ubuntu 20.04 routing for just one IP (in the same subnet) ends in "dev lo" instead "dev eth0", kubernetes worker node can't connect to master node
NFS: control file/folder access using groups on the server
Routing from mikrotik two IP addresses to same gateway
Postfix service enabled but won't start on reboot