From: "Ivan Labáth" <labawi-wg@matrix-dream.net>
To: wireguard@lists.zx2c4.com
Subject: Re: Multiple (client-)peers with same keys possible ?
Date: Tue, 15 May 2018 22:39:55 +0100 [thread overview]
Message-ID: <20180515213955.GA19046@matrix-dream.net> (raw)
In-Reply-To: <1526417435.709029.1373298160.471617A2@webmail.messagingengine.com>
Hi,
as said, I don't concieve a reasonable way of using the same key.
Wireguard routes and needs to identify and know its clients.
That said, I don't see a reason why the clients couldn't have similar
private keys.
e.g.
Server:
Private = PrivateKey
[Peer1]
Pubkey = secret_to_public(notreallysecret..001)
AllowedIPs = 172.16.0.1/16
[Peer2]
Pubkey = secret_to_public(notreallysecret..002)
AllowedIPs = 172.16.0.2/16
I would carefully consider security consequences and possible
alternatives before deploying such a scheme.
Cheers,
ivan
On Wed, May 16, 2018 at 08:50:35AM +1200, Eric Light wrote:
> Hi Reiner!
>
> I can't figure out how that would work, considering WG is based around crypto-key routing. How would it know where to route a given packet?
>
> Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.
>
> I just don't see how that could function, tbh. :)
>
> E
>
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
>
> On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> > Is it possible somehow, to define multiple (client-)peers to share the
> > same keys ?
> > (Trading some loss of security for simpler distribution)
> >
> > I.e. on server:
> > [Interface]
> > ListenPort = 5000
> > PrivateKey = ABCD ...XYZ
> > Address=172.16.0.1
> >
> > [Peer]
> > PublicKey = 1234...7890
> > AllowedIPs = 172.16.0.0/16
> >
> >
> > client1:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.2
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> >
> > client2:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.3
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> > ....
> > ....
> > ....
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard@lists.zx2c4.com
> > https://lists.zx2c4.com/mailman/listinfo/wireguard
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2018-05-15 21:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <267632710.2840000.1526409369057.ref@mail.yahoo.com>
2018-05-15 18:36 ` reiner otto
2018-05-15 20:50 ` Eric Light
2018-05-15 21:39 ` Ivan Labáth [this message]
[not found] <896575027.3009605.1526448125867.ref@mail.yahoo.com>
2018-05-16 5:22 ` reiner otto
2018-05-16 14:04 ` ajs124
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180515213955.GA19046@matrix-dream.net \
--to=labawi-wg@matrix-dream.net \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).