I've read the WireGuard specification, and it looks like WireGuard doesn't natively support any kind of user authentication (e.g. LDAP or something like that). Any client which has the server's public key, and whose IP address is whitelisted in the server configuration, can connect.
Does anyone know about any WireGuard extension or implementation which provides user authentication?
Each side of the tunnel has its own generated key and derived public key (defined as "peer" on the other side of the connection). To act as you are writing, you would need to share the private key between the "clients", which is the worst you can do (technically you can, but I hope nobody would even think about that).
Let's think about "client vs. server" roles:
server
client
We can say that the client is authenticated using one factor authentication and the authentication is realized using the public key of the client.
If I correctly understood your question this "feature" is present in WireGuard out of the box without any needs of extensions.
As @Kamil says, WireGuard's concept is a bit different than other VPN solutions. I also started using it not a long time ago, and if you want to implement something that uses existing authentication, you can get it the way that I've seen in some projects:
All of this of course can be automated on the client and server side.
To expand upon @Securez's suggestion, what about combining something like SSH with Wireguard? The idea here would be that SSH provides the desired "authentication" service, while Wireguard provides the secure tunnel once a peer successfully authenticates.
For example (on a linux box),
configure SSH to enable multiple authentication methods, e.g.
AuthenticationMethods "publickey,keyboard-interactive"
next, implement a combination of public key + password + TOTP authentication for SSH using something like oathtool (this could also include LDAP based authentication or any combination of the several authentication methods supported by SSH, but for sure include key based authentication)
then configure
/etc/ssh/sshrc
to call a script that, based on the user logging into SSH, adds a peer to Wireguard (optionally also opens the WG port for the user's IP address on a firewall e.g. iptables)User then connects as follows (can be automated using a simple script):
A cron job can be scheduled to check the time elapsed since the latest handshake for each active peer, and if the time is greater than a specified interval, e.g. 180 seconds (meaning peer is no longer connected), kick the peer (and if applicable, close the firewall port).
If you don't need the connecting user to be able to SSH into the remote peer, you can set the user shell to
/sbin/nologin
. Also, in order for the script called in/etc/ssh/sshrc
to be able to add a peer to Wireguard, the script will need sudo access. That risk can be limited with something like the following in/etc/sudoers
:%wireguard-users ALL=NOPASSWD: /path/to/add-wg-peer
where
wireguard-users
is a group that you would add all the Wireguard users to. Ideally, theadd-wg-peer
script should not accept any parameters, to limit misuse.Benefits of such a setup:
Down side:
Thoughts, observations, criticisms? I'm really interested in hearing what potential pitfalls a setup like this could result in.