* Multiple (client-)peers with same keys possible ?
From: reiner otto @ 2018-05-15 18:36 UTC
To: wireguard

Is it possible somehow, to define multiple (client-)peers to share the
same keys ?
(Trading some loss of security for simpler distribution)

I.e. on server:
[Interface]
ListenPort = 5000
PrivateKey = ABCD ...XYZ
Address=172.16.0.1

[Peer]
PublicKey = 1234...7890
AllowedIPs = 172.16.0.0/16


client1:
[Interface]
PrivateKey = top...secret
ListenPort = 5000
Address = 172.16.0.2
[Peer]
PublicKey = everybodyknows
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4

client2:
[Interface]
PrivateKey = top...secret
ListenPort = 5000
Address = 172.16.0.3
[Peer]
PublicKey = everybodyknows
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4
....
....
....

* Re: Multiple (client-)peers with same keys possible ?
From: Eric Light @ 2018-05-15 20:50 UTC
To: wireguard

Hi Reiner!

I can't figure out how that would work, considering WG is based around crypto-key routing. How would it know where to route a given packet?

Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.

I just don't see how that could function, tbh. :)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> Is it possible somehow, to define multiple (client-)peers to share the
> same keys ?
> (Trading some loss of security for simpler distribution)
>
> I.e. on server:
> [Interface]
> ListenPort = 5000
> PrivateKey = ABCD ...XYZ
> Address=172.16.0.1
>
> [Peer]
> PublicKey = 1234...7890
> AllowedIPs = 172.16.0.0/16
>
>
> client1:
> [Interface]
> PrivateKey = top...secret
> ListenPort = 5000
> Address = 172.16.0.2
> [Peer]
> PublicKey = everybodyknows
> AllowedIPs = 0.0.0.0/0
> Endpoint = 1.2.3.4
>
> client2:
> [Interface]
> PrivateKey = top...secret
> ListenPort = 5000
> Address = 172.16.0.3
> [Peer]
> PublicKey = everybodyknows
> AllowedIPs = 0.0.0.0/0
> Endpoint = 1.2.3.4
> ....
> ....
> ....
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

* Re: Multiple (client-)peers with same keys possible ?
From: Ivan Labáth @ 2018-05-15 21:39 UTC
To: wireguard

Hi,

as said, I don't conceive a reasonable way of using the same key.
Wireguard routes and needs to identify and know its clients.

That said, I don't see a reason why the clients couldn't have
similar private keys.

e.g.
Server:
Private = PrivateKey
[Peer1]
Pubkey = secret_to_public(notreallysecret..001)
AllowedIPs = 172.16.0.1/16
[Peer2]
Pubkey = secret_to_public(notreallysecret..002)
AllowedIPs = 172.16.0.2/16

I would carefully consider security consequences and possible
alternatives before deploying such a scheme.

Cheers,
ivan

On Wed, May 16, 2018 at 08:50:35AM +1200, Eric Light wrote:
> Hi Reiner!
>
> I can't figure out how that would work, considering WG is based around crypto-key routing. How would it know where to route a given packet?
>
> Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.
>
> I just don't see how that could function, tbh. :)
>
> E
>
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
>
> On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> > Is it possible somehow, to define multiple (client-)peers to share the
> > same keys ?
> > (Trading some loss of security for simpler distribution)
> >
> > I.e. on server:
> > [Interface]
> > ListenPort = 5000
> > PrivateKey = ABCD ...XYZ
> > Address=172.16.0.1
> >
> > [Peer]
> > PublicKey = 1234...7890
> > AllowedIPs = 172.16.0.0/16
> >
> >
> > client1:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.2
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> >
> > client2:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.3
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> > ....
> > ....
> > ....

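Added example, not part of any message in this thread and not WireGuard's own code: a toy Python model of the cryptokey routing the replies above refer to, showing why one shared key collapses into a single peer with a single roaming endpoint, while per-client keys with /32 AllowedIPs keep clients apart. The class and function names, key labels and endpoint addresses are constructed for illustration.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of one WireGuard interface's peer table (assumed names)."""
    def __init__(self):
        self.peers = {}   # public key -> last authenticated (ip, port)
        self.routes = {}  # AllowedIPs network -> public key (single owner)

    def set_peer(self, pubkey, allowed_ips):
        # Peers are keyed by public key: the same key twice is still one peer.
        self.peers.setdefault(pubkey, None)
        self.routes = {n: k for n, k in self.routes.items() if k != pubkey}
        for cidr in allowed_ips:
            self.routes[ipaddress.ip_network(cidr, strict=False)] = pubkey

    def lookup(self, addr):
        # Longest-prefix match over AllowedIPs picks the peer key.
        ip = ipaddress.ip_address(addr)
        hits = [n for n in self.routes if ip in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def receive(self, pubkey, outer_src, inner_src):
        # Accept only if the inner source routes back to the authenticating key.
        if pubkey not in self.peers or self.lookup(inner_src) != pubkey:
            return False
        self.peers[pubkey] = outer_src  # endpoint roams to the latest sender
        return True

    def endpoint_for(self, dst):
        key = self.lookup(dst)
        return self.peers[key] if key is not None else None

# Constructed endpoints (documentation address ranges) and key labels.
C1, C2 = ("198.51.100.10", 5000), ("203.0.113.20", 5000)

def shared_key_demo():
    t = CryptokeyTable()
    t.set_peer("SHARED", ["172.16.0.0/16"])
    t.receive("SHARED", C1, "172.16.0.2")   # client1 sends
    t.receive("SHARED", C2, "172.16.0.3")   # client2 sends, endpoint roams
    return len(t.peers), t.endpoint_for("172.16.0.2")

def per_client_demo():
    t = CryptokeyTable()
    t.set_peer("KEY1", ["172.16.0.2/32"])
    t.set_peer("KEY2", ["172.16.0.3/32"])
    t.receive("KEY1", C1, "172.16.0.2")
    t.receive("KEY2", C2, "172.16.0.3")
    spoofed = t.receive("KEY2", C2, "172.16.0.2")  # client2 claims client1's IP
    return t.endpoint_for("172.16.0.2"), t.endpoint_for("172.16.0.3"), spoofed
```

In the shared-key case, traffic for 172.16.0.2 is sent to whichever client authenticated last; with per-client keys each address keeps its own endpoint and a packet carrying another client's inner source address is dropped.
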
* Re: Multiple (client-)peers with same keys possible ?
From: reiner otto @ 2018-05-16 5:22 UTC
To: wireguard

Then individual keys for the clients, sigh.

Which leads to next question:
When adding a new client to the server's wg0.conf,
does it require a restart of wg, _OR_ is it safe to simply "edit" wg0.conf, adding the client's info ?

Cheers,
Reiner

* Re: Multiple (client-)peers with same keys possible ?
From: ajs124 @ 2018-05-16 14:04 UTC
To: wireguard

On Wed, 16 May 2018 05:22:05 +0000 (UTC)
reiner otto <augustus_meyer@yahoo.de> wrote:

> Then individual keys for the clients, sigh.
>
> Which leads to next question:
> When adding a new client to the server's wg0.conf,
> does it require a restart of wg, _OR_ is it safe to simply "edit" wg0.conf, adding the client's info ?
>
> Cheers,
> Reiner

You don't need to restart, just use "wg addconf" or "wg setconf".

Or if you don't (want to) use the ini config format, for some reason, using "wg set peer <base64-public-key>" directly should also work.