Certain private keys being mangled by wg on FreeBSD
ben edmunds
tigger2014g at gmail.com
Mon Jun 7 19:17:58 UTC 2021
The issue here for pfSense is that the private key will be viewable just
like it is within native wireguard clients in the peer config options
and needs to be viewable here for admin and debug purposes.
With regards to clamping and hiding this from users it's tricky as it
leads to red herring issues as people debug the tunnels via showcase for
example and will see a different key to which they entered in the UI. So
the only logical option is to:
1) inform the admin that the key has been clamped
2) show the admin the clamped key which they can see whilst debugging.
By not showing this to the user to avoid confusion we actually would
create confusion in this scenario as the kernel module is performing the
clamping but the user would have no knowledge of this and leads to
issues being opened that are a non issue. The aim is not to show the
users anything about clamping unless the key needs to be clamped as it
was not clamped already.
I believe it is key to remember that pfSense is not an end user
application/tool and is designed to be used by admins & network engineers,
so they should be considered power users who are capable of being exposed to
more information.
Regards
Tigger2014
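The clamping the post refers to is the standard Curve25519 private-key clamping (clear the low three bits of the first byte, clear the top bit and set the second-highest bit of the last byte). The following is an added example, not code from the thread or from pfSense or WireGuard, of how an admin UI could detect that a supplied key would be clamped by the kernel, display the clamped form, and only raise a notice when the key actually changes; the key values it uses are constructed for the test.

```python
import base64

KEY_LEN = 32  # Curve25519 private keys are 32 bytes, base64-encoded in WireGuard configs


def clamp_scalar(key: bytes) -> bytes:
    """Return the Curve25519-clamped form of a raw 32-byte private key."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN}-byte key, got {len(key)}")
    k = bytearray(key)
    k[0] &= 248      # clear the low 3 bits (multiple of the cofactor 8)
    k[31] &= 127     # clear bit 255
    k[31] |= 64      # set bit 254 (fixed top bit)
    return bytes(k)


def encode_key(raw: bytes) -> str:
    """Base64-encode a raw key the way WireGuard config files carry it."""
    return base64.b64encode(raw).decode("ascii")


def clamp_private_key(b64_key: str) -> tuple[str, bool]:
    """Clamp a base64 WireGuard private key.

    Returns (clamped_key_base64, changed). `changed` is True only when the
    kernel would have altered the key the admin entered, which is the case
    where the UI should tell the admin what key is really in use.
    """
    raw = base64.b64decode(b64_key, validate=True)
    clamped = clamp_scalar(raw)
    return encode_key(clamped), clamped != raw


def is_clamped(b64_key: str) -> bool:
    """True if the key is already in clamped form (kernel will not alter it)."""
    return not clamp_private_key(b64_key)[1]


def admin_notice(b64_key: str) -> str:
    """Message an admin UI (hypothetical helper) could show next to the key field."""
    clamped, changed = clamp_private_key(b64_key)
    if not changed:
        return "Private key is already clamped; it will be used as entered."
    return (
        "The private key you entered is not clamped. The kernel will use the "
        f"clamped key instead: {clamped}"
    )


if __name__ == "__main__":
    # Constructed sample: an all-0xFF scalar is not clamped and will be altered.
    print(admin_notice(encode_key(bytes([0xFF]) * KEY_LEN)))
```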