
Set client private key

Open bitog opened this issue 3 years ago • 9 comments

For enhanced security I should set for each server client a corresponding private key, no? Or did I misunderstand something? In your setup anyone can pretty much use the client, which puts me at an extra risk. How could I add my PC's WireGuard key so only my PC is able to use the client's connection?

Thank you!

bitog avatar Oct 19 '20 10:10 bitog

If you open your client config you can see you have a private key already and a corresponding public key in your wg0.conf to let the server know of that client.

If you think you can be more secure by limiting the connection of your PC only from a trusted IP, then you can edit AllowedIPs in your wg0.conf.

randshell avatar Oct 19 '20 12:10 randshell

I might be missing something. But the keys are not corresponding with my WireGuard Client Public Key. Shouldn't that one be respected as well, so that only my client is able to connect? See image.

bitog avatar Oct 19 '20 13:10 bitog

In your client file the private key of the client is inside [Interface], the server public key is inside [Peer].

In your server file the private key of the server is inside [Interface], the client public key is inside [Peer].

I'm not familiar with the program you are using, but my guess is to check your client public key AxL3UQ... (as you see, it is calculated by the program, not saved in the file) and check it against the public key of the peer inside your server file wg0.conf. They should match.

randshell avatar Oct 19 '20 13:10 randshell

I am using the WireGuard win client. Let me make it more clear here:

Server file (wg0-client-test.conf)

[Interface]
PrivateKey = IJyD1tBRylkmyvrqvJzLPShIxBOXEPbuCsLMVk4PWkc=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = XXXXXXXX

[Peer]
PublicKey = OgegSTKO6+PUdHMadli39s99yquxHhueGz0rztfApyo=
PresharedKey = lK/001pmpqrOfSCA9vrb7ZYJKsYpYHCXD3EWfHceXgw=
Endpoint = XXXXX:51239
AllowedIPs = 0.0.0.0/0,::/0

Client file: [image]

As you mentioned AxL3UQ8uBAqaJjdy0+JEeYJCzFpbri8zmPHa5gL04h8= is my client public key.

Currently the default setup returned in the server file > peer > PublicKey which is for me right now (OgegSTKO6+PUdHMadli39s99yquxHhueGz0rztfApyo=).

I am just confused, why am I even able to connect to the server if they are not matching? And do I have to flip OgegSTKO6+PUdHMadli39s99yquxHhueGz0rztfApyo= with AxL3UQ8uBAqaJjdy0+JEeYJCzFpbri8zmPHa5gL04h8=?

bitog avatar Oct 19 '20 14:10 bitog

Oh! I was looking at the wrong file I guess. Now looking at /etc/wireguard/wg0.conf I do see my Client Public Key in Peers. Does that mean only that one client is able to connect to that wireguard profile?

Also, is that profile just being created / added to wg0 at initial / first start?

bitog avatar Oct 19 '20 14:10 bitog

Does that mean only that one client is able to connect to that wireguard profile?

Yes, every device will have its own profile and they will have to be "allowed" server side by writing a [Peer] block (done by the script).

Also, is that profile just being created / added to wg0 at initial / first start?

Each client profile will have its own private key and the server's public key, while the server will have its own private key plus every client generated, each shown as a [Peer] block with its respective public key. The client information is added to wg0.conf at user creation.

randshell avatar Oct 19 '20 18:10 randshell
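The check randshell suggests (derive the client's public key from the PrivateKey in its [Interface] block and look for it among the [Peer] blocks of the server's wg0.conf) and the layout described in the reply above, as an added example that is not part of the wireguard-install project or of this thread. It reimplements what `wg pubkey` does (Curve25519 base-point multiplication per RFC 7748) so it runs without the wg tool, and the two config texts are constructed: the key pairs are the RFC 7748 section 6.1 test vectors, not the keys posted in the issue.

```python
"""Verify that a WireGuard client's public key is allowed by the server config.

Added example, not project code. Derives the public key from the client's
[Interface] PrivateKey and looks for it in the server's [Peer] blocks.
"""
import base64
import re

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Curve25519 ladder constant


def _cswap(swap: int, a: int, b: int) -> tuple[int, int]:
    # Not constant time; fine for an offline config check, not for a live handshake.
    return (b, a) if swap else (a, b)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u on Curve25519."""
    k = bytearray(scalar)
    k[0] &= 248  # clamp exactly as decodeScalar25519 does
    k[31] &= 127
    k[31] |= 64
    k_int = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_from_private(private_b64: str) -> str:
    """Same result as `wg pubkey`: base64 of X25519(private, basepoint 9)."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()


def parse_conf(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(section_name, {key: value}), ...] in file order (wg-quick INI style)."""
    sections: list[tuple[str, dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        key, _, value = line.partition("=")  # first '=' separates key from value
        sections[-1][1][key.strip()] = value.strip()
    return sections


def client_is_allowed(client_conf: str, server_conf: str) -> bool:
    """True if some [Peer] in the server config carries the client's public key."""
    iface = next(body for name, body in parse_conf(client_conf) if name == "Interface")
    expected = public_key_from_private(iface["PrivateKey"])
    peer_keys = {body.get("PublicKey") for name, body in parse_conf(server_conf) if name == "Peer"}
    return expected in peer_keys


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample keys: RFC 7748 section 6.1 vectors (Alice = client, Bob = server).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")

# Constructed client profile: own private key in [Interface], server public key in [Peer].
CLIENT_CONF = f"""[Interface]
PrivateKey = {_b64(ALICE_PRIV)}
Address = 10.66.66.2/32

[Peer]
PublicKey = {_b64(BOB_PUB)}
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0,::/0
"""

# Constructed server wg0.conf: own private key in [Interface], one [Peer] per client.
SERVER_CONF = f"""[Interface]
PrivateKey = {_b64(BOB_PRIV)}
Address = 10.66.66.1/24
ListenPort = 51820

[Peer]
PublicKey = {_b64(ALICE_PUB)}
AllowedIPs = 10.66.66.2/32
"""

if __name__ == "__main__":
    print("client public key:", public_key_from_private(_b64(ALICE_PRIV)))
    print("allowed on server:", client_is_allowed(CLIENT_CONF, SERVER_CONF))
```

Point the two constants at a real client profile and the server's /etc/wireguard/wg0.conf (read with the same permissions the files already require) and the result is the yes/no answer to the question in this thread: if the derived key is absent from every [Peer] block, that client cannot complete a handshake, whatever keys it shows in its GUI.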

Got it, thanks a lot for all your clarifications.

I'd have two more questions:

  1. Does WireGuard keep any logs? If yes - am I able to turn them off / write it to devnull?
  2. I've seen DNS IPs are being added. Are those IPs set by the script? Because they look not familiar to me. In case they are, am I able to change those?

Thanks again for your help!

bitog avatar Oct 19 '20 19:10 bitog

Does WireGuard keep any logs? If yes - am I able to turn them off / write it to devnull?

From what I know the logs are from the systemd service and don't include any client or other sensitive information. There isn't a file for logs like with OpenVPN that keeps track of users and connections.

I've seen DNS IPs are being added. Are those IPs set by the script? Because they look not familiar to me. In case they are, am I able to change those?

You might be using an older version of the script that defaulted to AdGuard DNS, the current one allows you to customize the DNS to use with the clients. If you want to change that now just edit your client file.

randshell avatar Oct 19 '20 19:10 randshell

Awesome, thank you. So I'd assume now that I don't have to take any further steps to clear / remove logs from the VPS.

Yes, that must be it. I am currently using the following IPs as my DNS (default): 176.103.130.130,176.103.130.131 - and they do look like AdGuard's DNSs.

On dnsleaktest I am getting:

[image]

I remember them hosting their servers on Vultr, so I guess that must be it. Just quite a lot I am getting there.

bitog avatar Oct 19 '20 20:10 bitog