<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body><div style="font-family:Helvetica,Arial;font-size:13px"><div style="margin:0px">Hi everybody! We are using WireeGuard on Mac and Linux which works great but for </div><div style="margin:0px">compliance purpose, we would like to be able to add an OTP challenge on connection.</div><div style="margin:0px"><br></div><div style="margin:0px">I've been looking at the archive of the mailing list and at the various projects</div><div style="margin:0px">built around WireGuard and started writing an implementation based on the idea</div><div style="margin:0px">from <a href="https://lists.zx2c4.com/pipermail/wireguard/2017-September/001741.html">https://lists.zx2c4.com/pipermail/wireguard/2017-September/001741.html</a>:</div><div style="margin:0px"><br></div><div style="margin:0px">> Alternatively, you could do OTP in-band, in order to authorize that</div><div style="margin:0px">> public key for a certain window of time before inactivity. In this</div><div style="margin:0px">> scheme, you'd disallow access to the network segment based on firewall</div><div style="margin:0px">> rules until a certain in-band challenge is made -- perhaps by</div><div style="margin:0px">> contacting a certain sandboxed server and answering an OTP challenge</div><div style="margin:0px">> there</div><div style="margin:0px"><br></div><div style="margin:0px">My current implementation (I plan to publish it under MIT license once it's </div><div style="margin:0px">ready) has a Python server on the WireGuard server bound to the wg interface</div><div style="margin:0px">that add an IPTable rule to allow the traffic for a given amount of time when</div><div style="margin:0px">a TOTP is received over TCP. Here are some details</div><div style="margin:0px"><br></div><div style="margin:0px"> - The TOTP is bound to the internal tunnel IP address so the IP address that</div><div style="margin:0px"> opens the TCP connection is used to identify the user, as thee packet must </div><div style="margin:0px"> have been decrypted, it seems to me that there is no way to spoof this.</div><div style="margin:0px"><br></div><div style="margin:0px"> - A small text protocol let the user log-in, log-out and read the status of the </div><div style="margin:0px"> connection.</div><div style="margin:0px"><br></div><div style="margin:0px">The client needs to send the TOTP just after connecting to the server, for which</div><div style="margin:0px">I had hoped to use the "PostUp" field of wg-quick.</div><div style="margin:0px"><br></div><div style="margin:0px">{Post,Pre}-{Up,Down} seems to be only available on wg-quick for now but we are</div><div style="margin:0px">using the wireguard-apple client so I have a few questions:</div><div style="margin:0px"><br></div><div style="margin:0px"> 1. Is the absence of support {Post,Pre}-{Up,Down} in wireguard-apple on</div><div style="margin:0px"> purpose or would a patch to add this welcomed?</div><div style="margin:0px"><br></div><div style="margin:0px"> 2. Is this way to do the OTP authentication sound?</div><div style="margin:0px"><br></div><div style="margin:0px"> 3. I've seen that TunSafe has added an extension to the WireGuard protocol so</div><div style="margin:0px"> the TOTP auth would not be shared by an attacker that succeded to connect when</div><div style="margin:0px"> the user is already connected. This seems like a good idea to do, what are your </div><div style="margin:0px"> thougts about this? Would you recommend against my "easier" implementation?</div><div style="margin:0px"><br></div><div style="margin:0px"> 4. I know that TunSafe was strongly advised against when it was closed-source.</div><div style="margin:0px"> Now that it is AGPL code, is it still the case?</div><div style="margin:0px"><br></div><div style="margin:0px">One more thing, to simplify the deployment of WireGuard, I would like to propose</div><div style="margin:0px">a change in the way the MacOS client import WireGuard configurations from a file.</div><div style="margin:0px"><br></div><div style="margin:0px">Our current flow is "Please open the WireGuard app, click on create Tunnel, give </div><div style="margin:0px">it a name, paste this configuration underneath what's already written, hit save</div><div style="margin:0px">and send us your public key". It gives a lot of oportunity to the user to</div><div style="margin:0px">mistype something and make changing the configuration cumbersome ("Edit the </div><div style="margin:0px">tunnel, don't touch the `[Interface]` part but replace what's underneath by </div><div style="margin:0px">this") so I would like to be able to send to the user a configuration file with</div><div style="margin:0px">the PrivateKey missing and have the WireGuard client generate one on the fly but</div><div style="margin:0px">this currently gives an error "Interface’s private key is required". Would</div><div style="margin:0px">sending a patch for this be welcomed too?</div><div style="margin:0px"><br></div><div style="margin:0px"><br></div><div style="margin:0px">Thanks for taking the time to help me, I look forward to contribute to WireGuard :)</div><div style="margin:0px"><br></div><div style="margin:0px">Rémi</div><div><br></div></div></body></html>