Multiple (client-)peers with same keys possible ?

Development discussion of WireGuard
 help / color / mirror / Atom feed
* Multiple (client-)peers with same keys possible ?
       [not found] <267632710.2840000.1526409369057.ref@mail.yahoo.com>
@ 2018-05-15 18:36 ` reiner otto
  2018-05-15 20:50   ` Eric Light
  0 siblings, 1 reply; 5+ messages in thread
From: reiner otto @ 2018-05-15 18:36 UTC (permalink / raw)
  To: wireguard

Is it possible somehow, to define multiple (client-)peers to share the same keys ?
(Trading some loss of security for simpler distribution)

I.e. on server:
[Interface]
ListenPort = 5000
PrivateKey = ABCD ...XYZ
Address=172.16.0.1

[Peer]
PublicKey = 1234...7890
AllowedIPs = 172.16.0.0/16

client1:
[Interface]
PrivateKey = top...secret
ListenPort = 5000
Address = 172.16.0.2
[Peer]
PublicKey = everybodyknows
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4

client2:
[Interface]
PrivateKey = top...secret
ListenPort = 5000
Address = 172.16.0.3
[Peer]
PublicKey = everybodyknows
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4
....
....
....

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: Multiple (client-)peers with same keys possible ?
  2018-05-15 18:36 ` Multiple (client-)peers with same keys possible ? reiner otto
@ 2018-05-15 20:50   ` Eric Light
  2018-05-15 21:39     ` Ivan Labáth
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Light @ 2018-05-15 20:50 UTC (permalink / raw)
  To: wireguard

Hi Reiner!

I can't figure out how that would work, considering WG is based around crypto-key routing.  How would it know where to route a given packet?

Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.

I just don't see how that could function, tbh.  :)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> Is it possible somehow, to define multiple (client-)peers to share the 
> same keys ?
> (Trading some loss of security for simpler distribution)
> 
> I.e. on server:
> [Interface]
> ListenPort = 5000
> PrivateKey = ABCD ...XYZ
> Address=172.16.0.1
> 
> [Peer]
> PublicKey = 1234...7890
> AllowedIPs = 172.16.0.0/16
> 
> 
> client1:
> [Interface]
> PrivateKey = top...secret
> ListenPort = 5000
> Address = 172.16.0.2
> [Peer]
> PublicKey = everybodyknows
> AllowedIPs = 0.0.0.0/0
> Endpoint = 1.2.3.4
> 
> client2:
> [Interface]
> PrivateKey = top...secret
> ListenPort = 5000
> Address = 172.16.0.3
> [Peer]
> PublicKey = everybodyknows
> AllowedIPs = 0.0.0.0/0
> Endpoint = 1.2.3.4
> ....
> ....
> ....
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: Multiple (client-)peers with same keys possible ?
  2018-05-15 20:50   ` Eric Light
@ 2018-05-15 21:39     ` Ivan Labáth
  0 siblings, 0 replies; 5+ messages in thread
From: Ivan Labáth @ 2018-05-15 21:39 UTC (permalink / raw)
  To: wireguard

Hi,

as said, I don't concieve a reasonable way of using the same key.
Wireguard routes and needs to identify and know its clients.

That said, I don't see a reason why the clients couldn't have similar
private keys.

e.g.

Server:

Private = PrivateKey

[Peer1]
Pubkey = secret_to_public(notreallysecret..001)
AllowedIPs = 172.16.0.1/16

[Peer2]
Pubkey = secret_to_public(notreallysecret..002)
AllowedIPs = 172.16.0.2/16

I would carefully consider security consequences and possible
alternatives before deploying such a scheme.

Cheers,
ivan

On Wed, May 16, 2018 at 08:50:35AM +1200, Eric Light wrote:
> Hi Reiner!
> 
> I can't figure out how that would work, considering WG is based around crypto-key routing.  How would it know where to route a given packet?
> 
> Additionally, two sets of AllowedIPs=0.0.0.0/0 would imply two different default routes.
> 
> I just don't see how that could function, tbh.  :)
> 
> E
> 
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
> 
> On Wed, 16 May 2018, at 06:36, reiner otto wrote:
> > Is it possible somehow, to define multiple (client-)peers to share the 
> > same keys ?
> > (Trading some loss of security for simpler distribution)
> > 
> > I.e. on server:
> > [Interface]
> > ListenPort = 5000
> > PrivateKey = ABCD ...XYZ
> > Address=172.16.0.1
> > 
> > [Peer]
> > PublicKey = 1234...7890
> > AllowedIPs = 172.16.0.0/16
> > 
> > 
> > client1:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.2
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> > 
> > client2:
> > [Interface]
> > PrivateKey = top...secret
> > ListenPort = 5000
> > Address = 172.16.0.3
> > [Peer]
> > PublicKey = everybodyknows
> > AllowedIPs = 0.0.0.0/0
> > Endpoint = 1.2.3.4
> > ....
> > ....
> > ....
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard@lists.zx2c4.com
> > https://lists.zx2c4.com/mailman/listinfo/wireguard
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 5+ messages in thread
[parent not found: <896575027.3009605.1526448125867.ref@mail.yahoo.com>]
* Re: Multiple (client-)peers with same keys possible ?
       [not found] <896575027.3009605.1526448125867.ref@mail.yahoo.com>
@ 2018-05-16  5:22 ` reiner otto
  2018-05-16 14:04   ` ajs124
  0 siblings, 1 reply; 5+ messages in thread
From: reiner otto @ 2018-05-16  5:22 UTC (permalink / raw)
  To: wireguard

Then individual keys for the clients, sigh.

Which leads to next question:
When adding a new client to the servers wg0.conf,
does it require a restart of wg, _OR_ is it safe to simply "edit" wg0.conf, adding the clients info ?

Cheers,
Reiner

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: Multiple (client-)peers with same keys possible ?
  2018-05-16  5:22 ` reiner otto
@ 2018-05-16 14:04   ` ajs124
  0 siblings, 0 replies; 5+ messages in thread
From: ajs124 @ 2018-05-16 14:04 UTC (permalink / raw)
  To: wireguard

On Wed, 16 May 2018 05:22:05 +0000 (UTC)
reiner otto <augustus_meyer@yahoo.de> wrote:

> Then individual keys for the clients, sigh.
> 
> Which leads to next question:
> When adding a new client to the servers wg0.conf,
> does it require a restart of wg, _OR_ is it safe to simply "edit" wg0.conf, adding the clients info ?
> 
> Cheers,
> Reiner
> 
>  
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

You don't need to restart, just use "wg addconf" or "wg setconf". Or if you
don't (want to) use the ini config format, for some reason, using "wg
set peer <base64-public-key>" directly should also work.

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-05-16 14:03 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <267632710.2840000.1526409369057.ref@mail.yahoo.com>
2018-05-15 18:36 ` Multiple (client-)peers with same keys possible ? reiner otto
2018-05-15 20:50   ` Eric Light
2018-05-15 21:39     ` Ivan Labáth
     [not found] <896575027.3009605.1526448125867.ref@mail.yahoo.com>
2018-05-16  5:22 ` reiner otto
2018-05-16 14:04   ` ajs124

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).