Sending just ssh traffic via wg

[Konstantin Ryabitsev]

On Fri, Oct 05, 2018 at 06:32:44PM +0200, Matthias Urlichs wrote:
>On 05.10.18 17:53, Konstantin Ryabitsev wrote:
>> But should the admin need to bring up the OpenVPN link
>
>This may be a stupid question, but why do you need OpenVPN any more, if
>you have Wireguard?

Because it's already there? :)

Furthermore, some members of our IT team use macs (gasp!) and for them 
it would be much easier to continue to use OpenVPN than to set up 
wireguard-go.

>I'd set up a simple server-side login page that allows people to use
>their user+pass+TOTP to enable non-SSH traffic on "their" link for the
>next N minutes, with an easily-clickable Refresh button (and a
>browser-based notification that the timeout is imminent), plus a small
>(= easily-verified-to-be-correct) backend that enables/disables your
>link's iptables rules. Problem solved.

Well, not quite. OpenVPN requires 2-factor validation each time there is 
a renegotiation -- so even if an attacker steals the private key and 
username/password of the administrator, they won't be able to establish 
a new session without having the TOTP secret as well. In the situation 
you describe, we create a window during which an attacker *would* be 
able to establish a VPN connection if they have the wireguard private 
key. We can make this window very short, but this would probably greatly 
annoy sysadmins, who will not enjoy needing to have a browser window 
open so they can re-validate. If we make this window sufficiently long 
not to annoy sysadmins, then this weakens our setup.

Furthermore, doing what you suggest would require writing a webapp and 
having some kind of queueing system for the backend process to read and 
adjust firewalls based on the data in the queue. It's a pretty 
complicated setup that seems orthogonal to the simplicity offered by 
WireGuard.

I've actually considered something like this -- to elevate their access 
privileges, an admin would need to simply ssh into the wireguard vpn 
server using their wireguard connection. A backend process could react 
to the ssh session being established and would apply additional firewall 
rules to give more access to that peer address. When that ssh session 
terminates, the same process would then drop these firewall rules back 
to their "ssh only" level. However, this still seems hacky and I would 
rather wait for Jason to come up with a More Proper way to do 2-factor, 
especially since the OpenVPN tunnel is already set up and functioning, 
so I don't have to invent anything to get what we need.

-K
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20181005/39c47598/attachment.asc>