Add pre-shared key option to genconfig #35
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change does not add the pre-shared keys to the database but from
a security perspective this should not be done anyway.
If private keys exist the configuration is not overwritten so re-running
`genconfig` does not overwrite existing configuration.
TODO: add an option to generate new configuration (keys should be regularly
rotated)
---
* pre-shared keys are recommended to help towards quantum resistance
- https://www.wireguard.com/known-limitations/#post-quantum-secrecy
* this commit is based on:
- k4yt3x#10
(with the missing json import added)
add pre-shared key generation
* updates version number
* adds --psk / -p options to `wg-meshconf genconfig` to make the new functionality optional & disabled by default to not breaks existing user configuration. * the new pre-shared key functionality does not store the generated keys as storing them in a spreadsheet alongside the private keys defeats the purpose. When using the new --psk option the keys are re-generated (as keys should be rotated periodically)
make new pre-shared key functionality optional
* fixes from the python 'black' formatting module
run black formatting module against the codebase
* as per the contributing guidelines
alphabetical imports
* upstream changes from: - master...k4yt3x:wg-meshconf:master
merge upstream
|
It seems a problem if configs already deployed to remote peers with old PresharedKeys. |
Revert "merge upstream"
Hi @ww7 , more recently I've started using & contributing documentation to netbird There is an option for post-quantum cryptography with pre-shared keys rotated every 2 minutes with rosenpass.eu Also useful is mutual TLS to remove the need for a VPN. I use mTLS with Knot DNS (it works perfectly) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is based on an old previous PR & adds a
--pskoption togenconfigfor pre-shared keys:fixes missing
jsonimportincludes python
blackcode formattingbumps the
wg-meshconfversion to2.5.2lower cased some help message to be uniform with the default
--helpoption fromargparseupdates
READMEwith:wg-meshconfas an isolated app withpipx--pskfunctionality (disabled by default to not interfere with existing user configuration)The pre-shared keys are not stored in the
databaseas they should be being rotated periodically ( they are re-generated every timegenconfigis run with--psk).From a security perspective storing the pre-shared keys along side the private keys defeats their purpose.