On 10.08.2018 15:35, Brian Candler wrote:
> Whilst I appreciate that wireguard is symmetrical, a common use case
> is to have remote "clients" with a central "office".  I'm thinking
> about a hook whereby the "office" side could request extra
> authentication when required - e.g. if it sees a connection from a
> wireguard public key which has been idle for more than a configurable
> amount of time, then it sends a challenge which requires (e.g.) a
> Yubikey to complete.  I appreciate that it's not going to be
> straightforward, requiring the kernel module to talk to userland
> components at both ends. 

It's reasonably easy to add that as a service on top of Wireguard, once
you have an authenticated connection. The office can easily talk to an
app on the mobile device when it notices a re-awakened stale connection
(triggered by a firewall logging rule, for instance), exchange whatever
crypto it requires, and only then allow packets other than those
required for authenticating to flow through the interface (another
simple firewall rule change).

Adding a feature like this to the WG kernel itself would not be any more
secure (and indeed add a significant amount of complexity which may
exhibit exploitable bugs). It would also unnecessarily enshrine a
particular 2FA scheme into wireguard.

-- 
-- Matthias Urlichs
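The out-of-band gate Matthias sketches (spot a re-awakened stale peer, hold it to the authentication service, open the firewall only after 2FA succeeds) as an added example; this is not code from the thread or from the WireGuard project. It parses the real `wg show <iface> dump` format from a constructed sample and assumes a hypothetical nftables table `inet wg_gate` with a set `pending_peers` whose members may reach only the auth service.

```python
from dataclasses import dataclass, field

# Constructed sample of `wg show wg0 dump`: one interface line, then one
# tab-separated line per peer (public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake, rx, tx, keepalive). Keys are placeholders.
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "OFFICE_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.10:41641",
               "10.7.0.2/32", "1533900000", "1024", "2048", "25"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER=", "(none)", "198.51.100.7:51820",
               "10.7.0.3/32", "1533900000", "512", "512", "off"]),
])

@dataclass
class Peer:
    pubkey: str
    tunnel_ip: str          # first allowed-ip, the address we gate on
    latest_handshake: int   # unix time of the last handshake, 0 if none

def parse_wg_dump(dump: str) -> list:
    peers = []
    for line in dump.splitlines()[1:]:   # skip the interface line
        f = line.split("\t")
        peers.append(Peer(f[0], f[3].split("/")[0], int(f[4])))
    return peers

@dataclass
class Gatekeeper:
    idle_limit: int                                  # seconds; configurable
    last_seen: dict = field(default_factory=dict)    # pubkey -> handshake time
    pending: set = field(default_factory=set)        # pubkeys awaiting 2FA

    def observe(self, peers) -> list:
        """Poll once; return nft commands for peers that must re-authenticate.
        A fresh handshake after a gap longer than idle_limit (or a never-seen
        key, fail-closed) puts the peer's tunnel address into pending_peers."""
        cmds = []
        for p in peers:
            prev = self.last_seen.get(p.pubkey)
            if p.latest_handshake and p.latest_handshake != prev:
                if prev is None or p.latest_handshake - prev > self.idle_limit:
                    self.pending.add(p.pubkey)
                    cmds.append(f"nft add element inet wg_gate pending_peers {{ {p.tunnel_ip} }}")
                self.last_seen[p.pubkey] = p.latest_handshake
        return cmds

    def complete_auth(self, peer: Peer, ok: bool):
        """Called by the auth service; only a success reopens the firewall."""
        if not ok or peer.pubkey not in self.pending:
            return None
        self.pending.discard(peer.pubkey)
        return f"nft delete element inet wg_gate pending_peers {{ {peer.tunnel_ip} }}"
```

Active tunnels rekey every couple of minutes, so their handshake gaps stay far below any sensible idle limit and never trigger the gate.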



_______________________________________________
WireGuard mailing list
https://lists.zx2c4.com/mailman/listinfo/wireguard
