Re: Reflections on WireGuard Design Goals

2018-08-11 Thread Aaron Jones
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/08/18 00:46, Jason A. Donenfeld wrote: > This is in fact true, but I'm not sure we're planning on following > suit with that kind of thing in kernel space for WireGuard... Indeed. :) -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with

Re: Reflections on WireGuard Design Goals

2018-08-11 Thread Jason A. Donenfeld
On Sat, Aug 11, 2018, 17:15 Aaron Jones wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 11/08/18 22:52, Luiz Angelo Daros de Luca wrote: > > I see these wireguard extra features just like dhcp is. Nobody > > thinks about implementing dhcp inside kernel or even iproute > >

Re: Reflections on WireGuard Design Goals

2018-08-11 Thread Aaron Jones
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 11/08/18 22:52, Luiz Angelo Daros de Luca wrote: > I see these wireguard extra features just like dhcp is. Nobody > thinks about implementing dhcp inside kernel or even iproute > tools. The Linux kernel has a (minimal, non-configurable) DHCP

Re: Reflections on WireGuard Design Goals

2018-08-11 Thread Luiz Angelo Daros de Luca
> I think that given the WireGuard building block, it's certainly > possible to build a 2FA framework around it. > I see these wireguard extra features just like dhcp is. Nobody thinks about implementing dhcp inside kernel or even iproute tools. +1 for 2FA and +1 for a service that shares peer

Re: Reflections on WireGuard Design Goals

2018-08-11 Thread Jason A. Donenfeld
On Fri, Aug 10, 2018 at 6:35 AM Brian Candler wrote: > But I'd feel a lot happier if a second level of authentication were > required to establish a wireguard connection I think that given the WireGuard building block, it's certainly possible to build a 2FA framework around it. And I do

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Reuben Martin
On Fri, Aug 10, 2018, 3:16 PM em12345 wrote: > Hi, > > > From my point of view, the only thing which makes me uncomfortable about > > wireguard is the lack of any second authentication factor. Your private > > key is embedded in a plaintext file in your device (e.g. laptop), not > > even

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Eisfunke
Hello together, > In the absence of that, it would be nice if the private key which is > stored on the laptop were encrypted with a passphrase. Simplest option > may be to extend wg-quick so that the entire config file can be > pgp-encrypted. one can already do that via the wg-quick PostUp

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread em12345
Hi, > From my point of view, the only thing which makes me uncomfortable about > wireguard is the lack of any second authentication factor. Your private > key is embedded in a plaintext file in your device (e.g. laptop), not > even protected with a passphrase. Most VPN authentications are just

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread jungle Boogie
> > On 10/08/18 16:40, jungle Boogie wrote: >> If someone already has my ssh key, I'd revoke it - regardless if >> they had the password or not. Same with the WG key - shutdown the >> tunnel, remove the affected peer and start it back up. > > No need to interrupt the tunnel. > > # wg set peer

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Aaron Jones
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/08/18 16:40, jungle Boogie wrote: > If someone already has my ssh key, I'd revoke it - regardless if > they had the password or not. Same with the WG key - shutdown the > tunnel, remove the affected peer and start it back up. No need to

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread jungle Boogie
On 10 August 2018 at 09:03, Brian Candler wrote: > On 10/08/2018 16:03, Roman Mamedov wrote: > > But I'd feel a lot happier if a second level of authentication were > required to establish a wireguard connection, if no packets had been > flowing for more than a configurable amount of time - say,

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Kalin KOZHUHAROV
On Fri, 10 Aug 2018, 19:04 Brian Candler, wrote: > On 10/08/2018 16:03, Roman Mamedov wrote: > > But I'd feel a lot happier if a second level of authentication were > required to establish a wireguard connection, if no packets had been > flowing for more than a configurable amount of time - say,

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Brian Candler
On 10/08/2018 16:03, Roman Mamedov wrote: But I'd feel a lot happier if a second level of authentication were required to establish a wireguard connection, if no packets had been flowing for more than a configurable amount of time - say, an hour. It would give some comfort around lost/stolen

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread nicolas prochazka
Hello, just to say to you, as a simple end user: we have been using WireGuard for one year for our product, we have 10K tunnels deployed, WireGuard is perfect for us, very simple, we can develop our specific code on top of it (key management, ...), so +1 for Jason's vision. Thanks for this piece of code.

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Roman Mamedov
On Fri, 10 Aug 2018 14:35:14 +0100 Brian Candler wrote: > From my point of view, the only thing which makes me uncomfortable > about wireguard is the lack of any second authentication factor. Your > private key is embedded in a plaintext file in your device (e.g. > laptop), not even

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Konstantin Ryabitsev
On Fri, Aug 10, 2018 at 02:35:14PM +0100, Brian Candler wrote: From my point of view, the only thing which makes me uncomfortable about wireguard is the lack of any second authentication factor. Your private key is embedded in a plaintext file in your device (e.g. laptop), not even protected

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Matthias Urlichs
On 10.08.2018 15:35, Brian Candler wrote: > Whilst I appreciate that wireguard is symmetrical, a common use case > is to have remote "clients" with a central "office". I'm thinking > about a hook whereby the "office" side could request extra > authentication when required - e.g. if it sees a

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Kalin KOZHUHAROV
Please excuse my brevity, phone typing here... On Fri, 10 Aug 2018, 16:36 Brian Candler, wrote: > Thanks for explaining the project background, and your very sensible > goals of simplicity and robustness. And thanks for releasing this > excellent piece of software. > > From my point of view,

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Brian Candler
For whatever reason, in the last several weeks, WireGuard has been receiving a considerable amount of attention, and with that comes various parties interested in the project moving in this direction or in that direction. And more generally, over the last year or so, we've seen a decent amount of