From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Matthias Urlichs <matthias@urlichs.de>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Sending just ssh traffic via wg
Date: Fri, 5 Oct 2018 17:01:48 -0400 [thread overview]
Message-ID: <20181005210148.GA24357@chatter> (raw)
In-Reply-To: <81a33d58-8810-7f56-6193-ed6543a62915@urlichs.de>
[-- Attachment #1.1: Type: text/plain, Size: 2593 bytes --]
On Fri, Oct 05, 2018 at 06:32:44PM +0200, Matthias Urlichs wrote:
>On 05.10.18 17:53, Konstantin Ryabitsev wrote:
>> But should the admin need to bring up the OpenVPN link
>
>This may be a stupid question, but why do you need OpenVPN any more, if
>you have Wireguard?
Because it's already there? :)
Furthermore, some members of our IT team use macs (gasp!) and for them
it would be much easier to continue to use OpenVPN than to set up
wireguard-go.
>I'd set up a simple server-side login page that allows people to use
>their user+pass+TOTP to enable non-SSH traffic on "their" link for the
>next N minutes, with an easily-clickable Refresh button (and a
>browser-based notification that the timeout is imminent), plus a small
>(= easily-verified-to-be-correct) backend that enables/disables your
>link's iptables rules. Problem solved.
Well, not quite. OpenVPN requires 2-factor validation each time there is
a renegotiation -- so even if an attacker steals the private key and
username/password of the administrator, they won't be able to establish
a new session without having the TOTP secret as well. In the situation
you describe, we create a window during which an attacker *would* be
able to establish a VPN connection if they have the wireguard private
key. We can make this window very short, but this would probably greatly
annoy sysadmins, who will not enjoy needing to have a browser window
open so they can re-validate. If we make this window sufficiently long
not to annoy sysadmins, then this weakens our setup.
Furthermore, doing what you suggest would require writing a webapp and
having some kind of queueing system for the backend process to read and
adjust firewalls based on the data in the queue. It's a pretty
complicated setup that seems orthogonal to the simplicity offered by
WireGuard.
I've actually considered something like this -- to elevate their access
privileges, an admin would need to simply ssh into the wireguard vpn
server using their wireguard connection. A backend process could react
to the ssh session being established and would apply additional firewall
rules to give more access to that peer address. When that ssh session
terminates, the same process would then drop these firewall rules back
to their "ssh only" level. However, this still seems hacky and I would
rather wait for Jason to come up with a More Proper way to do 2-factor,
especially since the OpenVPN tunnel is already set up and functioning,
so I don't have to invent anything to get what we need.
-K
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2018-10-05 21:01 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-04 15:53 Sending just ssh traffic via wg Konstantin Ryabitsev
2018-10-04 18:56 ` Jason A. Donenfeld
2018-10-05 10:03 ` Toke Høiland-Jørgensen
2018-10-05 15:41 ` Jason A. Donenfeld
2018-10-05 15:53 ` Konstantin Ryabitsev
2018-10-05 16:32 ` Matthias Urlichs
2018-10-05 21:01 ` Konstantin Ryabitsev [this message]
2018-10-05 17:34 ` Jason A. Donenfeld
[not found] <mailman.1.1538820001.22807.wireguard@lists.zx2c4.com>
2018-10-06 10:21 ` Brian Candler
2018-10-06 10:27 ` Roman Mamedov
2018-10-06 10:28 ` Brian Candler
2018-10-06 13:41 ` Konstantin Ryabitsev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181005210148.GA24357@chatter \
--to=konstantin@linuxfoundation.org \
--cc=matthias@urlichs.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).