On 10.08.2018 15:35, Brian Candler wrote:
> Whilst I appreciate that wireguard is symmetrical, a common use case
> is to have remote "clients" with a central "office".  I'm thinking
> about a hook whereby the "office" side could request extra
> authentication when required - e.g. if it sees a connection from a
> wireguard public key which has been idle for more than a configurable
> amount of time, then it sends a challenge which requires (e.g.) a
> Yubikey to complete.  I appreciate that it's not going to be
> straightforward, requiring the kernel module to talk to userland
> components at both ends.

It's reasonably easy to add that as a service on top of Wireguard, once
you have an authenticated connection.

The office can easily talk to an app on the mobile device when it notices
a re-awakened stale connection (triggered by a firewall logging rule, for
instance), exchange whatever crypto it requires, and only then allow
packets other than those required for authenticating to flow through the
interface (another simple firewall rule change).

Adding a feature like this to the WG kernel itself would not be any more
secure (and indeed add a significant amount of complexity which may
exhibit exploitable bugs). It would also unnecessarily enshrine a
particular 2FA scheme into wireguard.

-- 
Matthias Urlichs
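The "service on top of WireGuard" sketched in the reply above, as an added example that is not part of the original thread or of WireGuard itself: an office-side gate that is woken by a firewall log entry, quarantines a peer whose tunnel traffic has been idle longer than a threshold by pulling its tunnel address out of an nftables set, issues a single-use random challenge, and re-admits the peer only after the correct HMAC response comes back. The nftables table name `wg_gate`, the set name `authed`, the auth-service port 4433, the use of HMAC-SHA256 in place of a hardware token, and the sample peer address and secret are all assumptions of this example; the `nft` commands are recorded rather than executed so the code runs offline.

```python
"""Step-up (2FA) gate for re-awakened WireGuard peers, kept outside the kernel.

Assumed nftables layout on the office side (hypothetical, not applied here):

    table inet wg_gate {
        set authed { type ipv4_addr; }
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname "wg0" ip saddr @authed accept        # admitted peers
            iifname "wg0" tcp dport 4433 accept          # auth service always reachable
            iifname "wg0" log prefix "wg-gate: "         # the logging rule that wakes us
        }
    }
"""
import hashlib
import hmac
import os
import time

AUTH_PORT = 4433  # hypothetical port of the step-up authentication service


class RecordingFirewall:
    """Stand-in for shelling out to nft: records the commands it would run."""

    def __init__(self):
        self.commands = []

    def run(self, command):
        self.commands.append(command)


def token_response(secret, challenge):
    """Client side: what the app on the phone (or a token in HMAC
    challenge-response mode) answers.  HMAC-SHA256 stands in for the token."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class StepUpGate:
    def __init__(self, firewall, peer_secrets, idle_threshold, challenge_ttl=60):
        self.fw = firewall
        self.secrets = peer_secrets      # peer tunnel IP -> shared secret of its token
        self.idle_threshold = idle_threshold
        self.challenge_ttl = challenge_ttl
        self.last_seen = {}              # peer IP -> timestamp of the last logged packet
        self.admitted = set()            # peers currently in the nft "authed" set
        self.pending = {}                # peer IP -> (challenge, issued_at)

    def observe_packet(self, peer_ip, ts):
        """Feed one logged packet.  Returns "allowed" while the peer stays admitted,
        otherwise the challenge bytes the auth service must send to the peer."""
        last = self.last_seen.get(peer_ip)
        self.last_seen[peer_ip] = ts
        if peer_ip in self.admitted and last is not None and ts - last <= self.idle_threshold:
            return "allowed"
        self._quarantine(peer_ip)
        return self._challenge(peer_ip, ts)

    def verify(self, peer_ip, response, ts):
        """Auth service calls this with the peer's answer.  A challenge is
        single-use and expires after challenge_ttl seconds; only success opens
        the firewall for the peer."""
        entry = self.pending.pop(peer_ip, None)
        if entry is None or peer_ip not in self.secrets:
            return False
        challenge, issued_at = entry
        if ts - issued_at > self.challenge_ttl:
            return False
        expected = token_response(self.secrets[peer_ip], challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self.admitted.add(peer_ip)
        self.fw.run(f"nft add element inet wg_gate authed {{ {peer_ip} }}")
        return True

    def _quarantine(self, peer_ip):
        # Drop the peer back to "auth port only" by removing it from the set.
        if peer_ip in self.admitted:
            self.admitted.discard(peer_ip)
            self.fw.run(f"nft delete element inet wg_gate authed {{ {peer_ip} }}")

    def _challenge(self, peer_ip, ts):
        # Re-use an unexpired pending challenge so repeated log hits from the
        # same stale peer do not mint a fresh one per packet.
        entry = self.pending.get(peer_ip)
        if entry is not None and ts - entry[1] <= self.challenge_ttl:
            return entry[0]
        challenge = os.urandom(16)
        self.pending[peer_ip] = (challenge, ts)
        return challenge


if __name__ == "__main__":
    fw = RecordingFirewall()
    gate = StepUpGate(fw, {"10.0.0.2": b"k" * 32}, idle_threshold=300)  # constructed peer
    c = gate.observe_packet("10.0.0.2", time.time())
    print("challenge issued:", c.hex())
    print("admitted:", gate.verify("10.0.0.2", token_response(b"k" * 32, c), time.time()))
    print(fw.commands)
```

The gate only acts when a packet from a stale peer hits the logging rule, so an idle peer that never comes back costs nothing, and a peer that fails or lets its challenge lapse is left where the default-drop policy put it.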