wireguard-install
Set client private key
For enhanced security I should set for each server client a corresponding private key, no? Or did I misunderstand something? In your setup anyone can pretty much use the client, which puts me at an extra risk. How could I add my PC's WireGuard key so only my PC is able to use the client's connection?
Thank you!
If you open your client config you can see you have a private key already and a corresponding public key in your wg0.conf to let the server know of that client.
If you think you can be more secure by limiting the connection of your PC only from a trusted IP, then you can edit AllowedIPs in your wg0.conf.
I might be missing something. But the keys are not corresponding with my WireGuard Client Public Key. Shouldn't that one be respected as well, so that only my client is able to connect? See
In your client file the private key of the client is inside [Interface], the server public key is inside [Peer].
In your server file the private key of the server is inside [Interface], the client public key is inside [Peer].
I'm not familiar with the program you are using, but my guess is to check your client public key AxL3UQ... (as you see, it is calculated by the program, not saved in the file) and check it against the public key of the peer inside your server file wg0.conf. They should match.
I am using the WireGuard win client. Let me make it more clear here:
Server file (wg0-client-test.conf)
[Interface]
PrivateKey = IJyD1tBRylkmyvrqvJzLPShIxBOXEPbuCsLMVk4PWkc=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = XXXXXXXX
[Peer]
PublicKey = OgegSTKO6+PUdHMadli39s99yquxHhueGz0rztfApyo=
PresharedKey = lK/001pmpqrOfSCA9vrb7ZYJKsYpYHCXD3EWfHceXgw=
Endpoint = XXXXX:51239
AllowedIPs = 0.0.0.0/0,::/0
Client file:
As you mentioned AxL3UQ8uBAqaJjdy0+JEeYJCzFpbri8zmPHa5gL04h8= is my client public key.
Currently the default setup returned in the server file > peer > PublicKey which is for me right now (OgegSTKO6+PUdHMadli39s99yquxHhueGz0rztfApyo=).
I am just confused, why am I even able to connect to the server if they are not matching? And do I have to flip OgegSTKO6+PUdHMadli39s99yquxHhueGz0rztfApyo= with AxL3UQ8uBAqaJjdy0+JEeYJCzFpbri8zmPHa5gL04h8=?
Oh! I was looking at the wrong file I guess. Now looking at /etc/wireguard/wg0.conf I do see my Client Public Key in Peers. Does that mean only that one client is able to connect to that WireGuard profile?
Also, is that profile just being created / added to wg0 at initial / first start?
Does that mean only that one client is able to connect to that WireGuard profile?
Yes, every device will have its own profile and they will have to be "allowed" server side by writing a [Peer] block (done by the script).
Also, is that profile just being created / added to wg0 at initial / first start?
Each client profile will have its own private key and the server's public key, while the server will have its own private key plus every client generated that will be shown as a [Peer] block with their respective public keys. The client information is added to wg0.conf at user creation.
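The check the maintainer describes (the public key derived from the client file's PrivateKey must equal a [Peer] PublicKey in the server's wg0.conf) can be done without the wg tool; the following is an added example, not code from wireguard-install. It reimplements X25519 from RFC 7748 in pure Python and parses both files; the sample configs are constructed, the client key pair is the RFC 7748 test vector, and the server's own key values are placeholders.

```python
import base64

P, A24 = 2**255 - 19, 121665   # Curve25519 field prime and Montgomery ladder constant

def x25519(k: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """RFC 7748 X25519; with the default u=9 it maps a private key to its public key."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp the scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                                # Montgomery ladder
        kt = (k >> t) & 1; swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_pubkey(private_key_b64: str) -> str:
    """Same output as `wg pubkey` for a base64-encoded private key."""
    return base64.b64encode(x25519(base64.b64decode(private_key_b64))).decode()

def parse_wg_conf(text: str) -> list:
    """Ordered [(section, {key: value})]; configparser rejects repeated [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # split once: base64 values end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def client_is_allowed(client_conf: str, server_conf: str) -> bool:
    """True when the client's [Interface] PrivateKey derives to a PublicKey listed in a server [Peer]."""
    priv = next(kv["PrivateKey"] for s, kv in parse_wg_conf(client_conf) if s == "Interface")
    peers = {kv.get("PublicKey") for s, kv in parse_wg_conf(server_conf) if s == "Peer"}
    return wg_pubkey(priv) in peers

# Constructed sample files: client key pair = RFC 7748 test vector, server keys = placeholders.
CLIENT_CONF = ("[Interface]\nPrivateKey = dwdtCnMYpX08FsFyUbJmRd9ML4frwJkqsXf7pR25LCo=\n"
               "[Peer]\nPublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER\n")
SERVER_CONF = ("[Interface]\nPrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER\n"
               "[Peer]\nPublicKey = hSDwCYkwp1R0i33ctD73Wg2/Og0mOBr066SpjqqbTmo=\n")
```

A handshake can only succeed when this returns True; a mismatch means the client file and the server [Peer] block were generated from different key pairs.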
Got it, thanks a lot for all your clarifications.
I'd have two more questions:
- Does WireGuard keep any logs? If yes, am I able to turn them off / write them to /dev/null?
- I've seen DNS IPs are being added. Are those IPs set by the script? Because they don't look familiar to me. In case they are, am I able to change those?
Thanks again for your help!
Does WireGuard keep any logs? If yes, am I able to turn them off / write them to /dev/null?
From what I know the logs are from the systemd service and don't include any client or other sensitive information. There isn't a file for logs like with OpenVPN that keeps track of users and connections.
I've seen DNS IPs are being added. Are those IPs set by the script? Because they don't look familiar to me. In case they are, am I able to change those?
You might be using an older version of the script that defaulted to AdGuard DNS, the current one allows you to customize the DNS to use with the clients. If you want to change that now just edit your client file.
Awesome, thank you. So I'd assume now that I don't have to take any further steps to clear / remove logs from the VPS.
Yes, that must be it. I am currently having the following IPs as my DNS (default): 176.103.130.130,176.103.130.131 - and they do look like AdGuard's DNSs.
On dnsleaktest I am getting:
I remember them hosting their servers on Vultr so I guess that must be it. Just quite a lot I am getting there.