* Re: Multiple (client-)peers with same keys possible ?
From: reiner otto @ 2018-05-16  5:22 UTC (permalink / raw)
  To: wireguard

Then individual keys for the clients, sigh.

Which leads to the next question:
When adding a new client to the server's wg0.conf,
does it require a restart of wg, _OR_ is it safe to simply "edit" wg0.conf, adding the client's info?

Cheers,
Reiner

 


* Re: Multiple (client-)peers with same keys possible ?
From: ajs124 @ 2018-05-16 14:04 UTC (permalink / raw)
  To: wireguard

On Wed, 16 May 2018 05:22:05 +0000 (UTC)
reiner otto <augustus_meyer@yahoo.de> wrote:

> Then individual keys for the clients, sigh.
> 
> Which leads to the next question:
> When adding a new client to the server's wg0.conf,
> does it require a restart of wg, _OR_ is it safe to simply "edit" wg0.conf, adding the client's info?
> 
> Cheers,
> Reiner
> 
>  
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

You don't need to restart, just use "wg addconf" or "wg setconf". Or if you
don't (want to) use the ini config format, for some reason, using "wg
set peer <base64-public-key>" directly should also work.


* Re: Multiple (client-)peers with same keys possible ?
From: Ivan Labáth @ 2018-05-15 21:39 UTC (permalink / raw)
  To: wireguard

Hi,

as said, I don't conceive a reasonable way of using the same key.
WireGuard routes and needs to identify and know its clients.

That said, I don't see a reason why the clients couldn't have similar
private keys.

e.g.

Server:

Private = PrivateKey

[Peer1]
Pubkey = secret_to_public(notreallysecret..001)
AllowedIPs = 172.16.0.1/16

[Peer2]
Pubkey = secret_to_public(notreallysecret..002)
AllowedIPs = 172.16.0.2/16


I would carefully consider security consequences and possible
alternatives before deploying such a scheme.

Cheers,
ivan


On Wed, May 16, 2018 at 08:50:35AM +1200, Eric Light wrote:
> Hi Reiner!
> 
> I can't figure out how that would work, considering WG is based around crypto-key routing.  How would it know where to route a given packet?
> 
> Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.
> 
> I just don't see how that could function, tbh.  :)
> 
> E
> 
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
> 
> On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> > Is it possible somehow, to define multiple (client-)peers to share the 
> > same keys ?
> > (Trading some loss of security for simpler distribution)
> > 
> > I.e. on server:
> > [Interface]
> > ListenPort = 5000
> > PrivateKey = ABCD ...XYZ
> > Address=172.16.0.1
> > 
> > [Peer]
> > PublicKey = 1234...7890
> > AllowedIPs = 172.16.0.0/16
> > 
> > 
> > client1:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.2
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> > 
> > client2:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.3
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> > ....
> > ....
> > ....

* Re: Multiple (client-)peers with same keys possible ?
From: Eric Light @ 2018-05-15 20:50 UTC (permalink / raw)
  To: wireguard

Hi Reiner!

I can't figure out how that would work, considering WG is based around crypto-key routing.  How would it know where to route a given packet?

Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.

I just don't see how that could function, tbh.  :)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> Is it possible somehow, to define multiple (client-)peers to share the 
> same keys ?
> (Trading some loss of security for simpler distribution)
> 
> I.e. on server:
> [Interface]
> ListenPort = 5000
> PrivateKey = ABCD ...XYZ
> Address=172.16.0.1
> 
> [Peer]
> PublicKey = 1234...7890
> AllowedIPs = 172.16.0.0/16
> 
> 
> client1:
> [Interface]
> PrivateKey = top...secret
> ListenPort = 5000
> Address = 172.16.0.2
> [Peer]
> PublicKey = everybodyknows
> AllowedIPs = 0.0.0.0/0
> Endpoint = 1.2.3.4
> 
> client2:
> [Interface]
> PrivateKey = top...secret
> ListenPort = 5000
> Address = 172.16.0.3
> [Peer]
> PublicKey = everybodyknows
> AllowedIPs = 0.0.0.0/0
> Endpoint = 1.2.3.4
> ....
> ....
> ....
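
The crypto-key routing point raised in this message and in Ivan Labáth's reply, as an added example that is not part of the original posts and is not WireGuard code: a toy Python model of one interface's peer table, in which a public key names exactly one peer and each allowed prefix has exactly one owner. The class, the key names (SHARED, KEY1, KEY2) and the endpoint addresses are constructed for illustration; the /32 per-client prefixes are an assumption of this example.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of one WireGuard interface's peer set (constructed, not WireGuard code)."""

    def __init__(self):
        self.endpoint = {}  # public key -> last authenticated source endpoint
        self.allowed = {}   # masked prefix -> public key (one owner per prefix)

    def add_peer(self, pubkey, allowed_ips):
        # A public key names exactly one peer; repeating it updates that peer.
        self.endpoint.setdefault(pubkey, None)
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)  # host bits masked off
            self.allowed[net] = pubkey  # an existing prefix moves to the newest peer

    def route_out(self, dst):
        """Outbound: longest matching prefix picks the peer key to encrypt to."""
        ip = ipaddress.ip_address(dst)
        hits = [n for n in self.allowed if ip in n]
        return self.allowed[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def receive(self, pubkey, src_endpoint, inner_src):
        """Inbound: packet authenticated as pubkey; inner source must route back to it."""
        if pubkey not in self.endpoint or self.route_out(inner_src) != pubkey:
            return False
        self.endpoint[pubkey] = src_endpoint  # roaming: endpoint follows last valid packet
        return True

def shared_key():
    t = CryptokeyTable()
    t.add_peer("SHARED", ["172.16.0.0/16"])
    t.receive("SHARED", "198.51.100.7:5000", "172.16.0.2")  # client1
    t.receive("SHARED", "203.0.113.9:5000", "172.16.0.3")   # client2
    # One peer, one endpoint: traffic for client1's address now leaves for client2.
    return len(t.endpoint), t.route_out("172.16.0.2"), t.endpoint["SHARED"]

def per_client_keys():
    t = CryptokeyTable()
    t.add_peer("KEY1", ["172.16.0.2/32"])
    t.add_peer("KEY2", ["172.16.0.3/32"])
    spoofed = t.receive("KEY2", "203.0.113.9:5000", "172.16.0.2")  # wrong inner source
    return t.route_out("172.16.0.2"), t.route_out("172.16.0.3"), spoofed

def same_prefix_twice():
    t = CryptokeyTable()
    t.add_peer("KEY1", ["172.16.0.1/16"])
    t.add_peer("KEY2", ["172.16.0.2/16"])  # both mask to 172.16.0.0/16
    return len(t.allowed), t.route_out("172.16.0.1")
```

With a shared key the server holds a single peer whose endpoint flips between the clients; with one key and one /32 per client, each address maps to its own key and a packet carrying another client's inner source address is dropped.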

* Multiple (client-)peers with same keys possible ?
From: reiner otto @ 2018-05-15 18:36 UTC (permalink / raw)
  To: wireguard

Is it possible somehow, to define multiple (client-)peers to share the same keys ?
(Trading some loss of security for simpler distribution)

I.e. on server:
[Interface]
ListenPort = 5000
PrivateKey = ABCD ...XYZ
Address=172.16.0.1

[Peer]
PublicKey = 1234...7890
AllowedIPs = 172.16.0.0/16


client1:
[Interface]
PrivateKey = top...secret
ListenPort = 5000
Address = 172.16.0.2
[Peer]
PublicKey = everybodyknows
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4

client2:
[Interface]
PrivateKey = top...secret
ListenPort = 5000
Address = 172.16.0.3
[Peer]
PublicKey = everybodyknows
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4
....
....
....
