[PATCH] wg: Allow config to read private key from file
Michael Tokarev
mjt at tls.msk.ru
Mon Nov 21 06:31:41 UTC 2022
21.11.2022 01:46, Daniel Gröber wrote:
> This adds a new config key PrivateKeyFile= that simply hooks up the
> existing code for the `wg set ... private-key /file` codepath.
>
> Using this new option the interface configs can be much easier to deploy in
> an automated fashion as they don't contain secrets anymore. The private key
> can easily be provisioned out of band or using a one-time provisioning step
> instead.
This is definitely a very welcome option in my PoV.
Add my
Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>
for this.
> Before this patch we were using a neat hack: it's possible to simply omit
> PrivateKey= and set it using PostUp= wg set %i private-key /some/file.
Well, this isn't really neat, it is a hackish workaround for the missing
functionality ;)
On a side note, almost a year ago I sent a patch for the wg utility to recognize
and discard some keywords which are processed by the wg-quick script, like
Address=. This way, there's no need to pre-process the config file anymore,
and in order to recognize more peers, one doesn't have to restart the
tunnel interface; instead, a regular wg syncconf wgif.conf is sufficient,
and many things can be simplified too (removing the preprocessing).
I never got any reply to these patches.
/mjt
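An audit check for the deployment pattern discussed above, added here as an example that is not part of the patch or of wg-quick: it flags configs that still embed PrivateKey= inline in [Interface] and, for the proposed PrivateKeyFile= key, verifies the referenced file exists and is owner-only readable. It assumes GNU stat (as on Linux); the sample configs it builds are constructed placeholders.

```shell
#!/bin/sh
# Audit a wg-quick style config (added example, not part of the patch):
# flag an inline PrivateKey= in [Interface]; when the proposed PrivateKeyFile=
# is used, require the key file to exist and be owner-only readable (0600).
# Assumes GNU stat (-c %a) as found on Linux.
set -eu

# Returns 0 if the config keeps its key out of band correctly, 1 otherwise.
audit_wg_conf() {
    conf="$1"; status=0; section=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                 # drop comments
        line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -z "$line" ] && continue
        case "$line" in
            \[*\]) section="$(printf '%s' "$line" | tr 'A-Z' 'a-z')"; continue ;;
        esac
        [ "$section" = "[interface]" ] || continue         # only the local side holds the key
        key="$(printf '%s' "${line%%=*}" | tr -d '[:space:]' | tr 'A-Z' 'a-z')"
        val="$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')"
        case "$key" in
            privatekey)
                echo "WARN: $conf embeds PrivateKey= inline; move it out of band" >&2
                status=1 ;;
            privatekeyfile)
                if [ ! -f "$val" ]; then
                    echo "WARN: $conf: PrivateKeyFile=$val does not exist" >&2; status=1
                elif [ "$(stat -c %a "$val")" != "600" ]; then
                    echo "WARN: key file $val has mode $(stat -c %a "$val"), want 600" >&2; status=1
                fi ;;
        esac
    done < "$conf"
    return $status
}

# Constructed demo: one config with the key inline, one pointing at a 0600 key file.
demo() {
    d="$(mktemp -d)"
    printf 'PLACEHOLDER-NOT-A-REAL-KEY=\n' > "$d/wg0.key"; chmod 600 "$d/wg0.key"
    printf '[Interface]\nAddress = 10.0.0.2/24\nPrivateKey = PLACEHOLDER=\n' > "$d/inline.conf"
    printf '[Interface]\nAddress = 10.0.0.2/24\nPrivateKeyFile = %s\n' "$d/wg0.key" > "$d/file.conf"
    audit_wg_conf "$d/inline.conf" && echo "inline.conf: ok" || echo "inline.conf: flagged"
    audit_wg_conf "$d/file.conf"   && echo "file.conf: ok"   || echo "file.conf: flagged"
    rm -rf "$d"
}
demo
```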