I've been building this project as both a side project and my job for a little while now. The rationale behind it is that while WireGuard is a fantastic protocol cryptographically, it leaves a lot to be desired when it comes to enrollment and end-user device security.
Obviously, instead of using an off-the-shelf solution like Tailscale, I decided to reinvent the wheel, which has honestly been quite fun, learning about eBPF and, recently, clustering and HA with etcd!
The most recent version (in the Docker container) contains about 6 months of very new work bringing it all from sqlite3 to etcd. So please be forgiving if it does some weird things!
Hope you all enjoy!
P.S. I'm not a web developer, and any tips on that front to make it less teeth-pullingly awful are welcome!
> curl http://public.server.address:8080/register_device?key=e83253...
> The service will return a fully templated response
It looks like the "registration" involves the server generating a private key and then sending it to the client, rather than the client generating a private key and sending the public key to the server.
Not only that, but your example is HTTP! Probably worth replacing that part at least, in case people think HTTP is a reasonable option.
> To authenticate, the user should browse to the server's VPN address, in the example case 192.168.1.1:8080, where they will be prompted for their 2FA code.
So when the session times out, is there any way for the client to realise this? Or does their SSH session (or whatever) just stop working?
I've on and off looked for a WireGuard client which can do something like the captive portal detection on Wi-Fi. Ideally it would be an extra line in the config file (like persistentkeepalive) which does a URL pull. It could be checked periodically (like the keepalive). If it returns "OK", then fine; if it doesn't return, then there's a network problem; but if it returns a "Location" header, the client would pop up a browser at that location, allowing for session reauthentication or whatever.
I haven't found one.
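The probe the comment above describes (pull a check URL on a timer; 200 means the session is fine, no reply means a network problem, a redirect means "open this in a browser and reauthenticate") is easy to sketch. The block below is an added example written for this page, not wag's code and not any existing WireGuard client's; the check URL, the `DemoPortal` stand-in server and its `/login` redirect are all assumptions made for the demo. It classifies a 200 as OK regardless of body, and the client is deliberately configured not to follow redirects so the Location header reaches the caller.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// ProbeResult classifies one pull of the check URL.
type ProbeResult int

const (
	ProbeOK      ProbeResult = iota // HTTP 200: still authorised, nothing to do
	ProbeReauth                     // 3xx with Location: open it in a browser
	ProbeNetwork                    // no usable HTTP reply: tunnel or network problem
)

// NewProbeClient returns a client that never follows redirects, so the
// Location header of a login redirect is visible to the caller.
func NewProbeClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// ProbeSession pulls checkURL once and classifies the answer. The returned
// string is the Location to open when the result is ProbeReauth.
func ProbeSession(client *http.Client, checkURL string) (ProbeResult, string, error) {
	resp, err := client.Get(checkURL)
	if err != nil {
		return ProbeNetwork, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
		if loc := resp.Header.Get("Location"); loc != "" {
			return ProbeReauth, loc, nil
		}
	}
	if resp.StatusCode == http.StatusOK {
		return ProbeOK, "", nil
	}
	return ProbeNetwork, "", fmt.Errorf("unexpected status %d from check URL", resp.StatusCode)
}

// Watch polls checkURL every interval (the keepalive-style timer from the
// comment) until ctx is done, handing each reauth Location to open, which
// would launch the browser in a real client.
func Watch(ctx context.Context, client *http.Client, checkURL string, interval time.Duration, open func(loc string)) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			if res, loc, _ := ProbeSession(client, checkURL); res == ProbeReauth {
				open(loc)
			}
		}
	}
}

// DemoPortal is a constructed stand-in for the server side: 200 "OK" while
// the peer is authorised, otherwise a redirect to a hypothetical /login page.
type DemoPortal struct {
	mu         sync.Mutex
	authorised bool
}

func (p *DemoPortal) SetAuthorised(v bool) { p.mu.Lock(); p.authorised = v; p.mu.Unlock() }

func (p *DemoPortal) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.mu.Lock()
	ok := p.authorised
	p.mu.Unlock()
	if ok {
		fmt.Fprint(w, "OK")
		return
	}
	w.Header().Set("Location", "http://"+r.Host+"/login")
	w.WriteHeader(http.StatusFound)
}

// NewDemoPortal starts the stand-in on a loopback port, initially authorised.
func NewDemoPortal() (*httptest.Server, *DemoPortal) {
	p := &DemoPortal{authorised: true}
	return httptest.NewServer(p), p
}

func main() {
	srv, portal := NewDemoPortal()
	defer srv.Close()
	client := NewProbeClient(2 * time.Second)
	res, loc, err := ProbeSession(client, srv.URL+"/check")
	fmt.Println("authorised:", res, loc, err)
	portal.SetAuthorised(false)
	res, loc, err = ProbeSession(client, srv.URL+"/check")
	fmt.Println("session expired:", res, loc, err)
}
```

Note the check URL has to be reachable through the tunnel for the "no reply" branch to mean anything, which is exactly the coffee-shop problem raised later in the thread: if the client also routes the OS's own captive-portal probe through the VPN, the public Wi-Fi login page can never be reached.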
To answer your last question, eBPF XDP, which is what I use, can only do PASS, DROP or REDIRECT. So I stick with the easiest possible outcome and do PASS/DROP, which means your connections will just stop working.
However, you can always set up the detection yourself by adding the captive portal detection pages to your wag MFA list; then the browser should do everything else for you.
Unfortunately, doing interception or acting like a proxy isn't something I'm looking to do with wag (which makes authorisation timeout/logout a bit easier to deal with).
Hope that answers things!
That requires integration with a client, which is a massive pain to integrate
That would be really cool. I hope the author of this will consider it.
My only problem is that if you capture that route and then redirect it, or whatnot, your peers won't be able to log in to Wi-Fi in public areas like coffee shops/libraries/etc. because the route will be trying to go via a VPN which won't be returning any real data.
Such as where you should be going to log in haha
I have written one in Go for the Mac, which uses the command-line wg from Brew and handles key gen, but it is clunky and requires sudo.
A proper native app which uses the network entitlements would be great, but it is beyond my ken
I would expect software that implements the WireGuard transport layer to also implement session management in order to be called a working VPN server solution. This means a second channel to the server for periodically rotating session keys, terminating sessions, changing IP addresses, configuring new routes and repeating authentication if necessary.
While the WireGuard key effectively gives you the ability to talk to the wag server, the session is effectively maintained by a map in eBPF, as to whether you've authorised or not.
So even if someone steals your private key material, they won't be able to access MFA-restricted routes.
Both solutions are custom for that VPN, so I’d just have one WG tunnel that’s controlled through a secured (web)service. The bonus is that you wouldn’t need a hard coded initial key. (You’d still need some authentication mechanism, but it could be more than fixed public/private key pairs).
So IPsec's IKE protocol? Why not just... use IPsec?
The scenario I'm imagining is: someone opens the TOTP entry UI in their browser, opens devtools, and starts to loop through all possible TOTP codes.
Specifically to force people to have a bit of a think as to why their device is trying to force auth to begin with, as it indicates an endpoint compromise.
https://github.com/NHAS/wag/blob/cdbdbec3393fa86bf6c823117c8...
If you have username and password and are able to force the TOTP in the 60s window, the TOTP would be useless imho.
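The attack sketched above (loop through all one million six-digit codes from the browser devtools) only works if the server keeps answering. The block below is an added example written for this page, not wag's code; the page does not say how wag handles repeated TOTP failures, so the per-user failure counter here is one generic mitigation, labelled as such. The `TOTP` function is a straight RFC 6238 implementation (HMAC-SHA1, 30-second step, six digits) checked against the RFC's published test secret, and `BruteForce` plays the attacker against a verifier with and without a lockout.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep   = 30 * time.Second
	totpDigits = 1000000 // six-digit codes
)

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) for t.
func TOTP(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/int64(totpStep/time.Second)))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%totpDigits)
}

// Verifier checks codes and, when maxFails > 0, locks a user after that many
// consecutive failures. maxFails <= 0 disables the lockout, which is the
// situation the comment describes: the whole code space can be walked.
type Verifier struct {
	mu       sync.Mutex
	secrets  map[string][]byte
	failures map[string]int
	maxFails int
}

func NewVerifier(maxFails int) *Verifier {
	return &Verifier{secrets: map[string][]byte{}, failures: map[string]int{}, maxFails: maxFails}
}

func (v *Verifier) Enroll(user string, secret []byte) {
	v.mu.Lock()
	v.secrets[user] = secret
	v.mu.Unlock()
}

// Locked reports whether user has hit the failure limit.
func (v *Verifier) Locked(user string) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	return v.maxFails > 0 && v.failures[user] >= v.maxFails
}

// Verify accepts the code for the current step or one step either side
// (the usual clock-skew allowance) and counts every miss against the user.
func (v *Verifier) Verify(user, code string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	if v.maxFails > 0 && v.failures[user] >= v.maxFails {
		return false // locked out: even the right code is refused
	}
	for _, skew := range []time.Duration{0, -totpStep, totpStep} {
		if hmac.Equal([]byte(code), []byte(TOTP(secret, now.Add(skew)))) {
			v.failures[user] = 0
			return true
		}
	}
	v.failures[user]++
	return false
}

// BruteForce is the attacker from the comment: submit every six-digit code in
// order. It returns the number of submissions until one is accepted, or -1 if
// the whole space is exhausted without success.
func BruteForce(v *Verifier, user string, now time.Time) int {
	for i := 0; i < totpDigits; i++ {
		if v.Verify(user, fmt.Sprintf("%06d", i), now) {
			return i + 1
		}
	}
	return -1
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	at := time.Unix(59, 0)                    // RFC 6238 test time, code 287082
	open := NewVerifier(0)
	open.Enroll("alice", secret)
	fmt.Println("no lockout, attempts until success:", BruteForce(open, "alice", at))
	locked := NewVerifier(5)
	locked.Enroll("alice", secret)
	fmt.Println("lockout after 5, attempts until success:", BruteForce(locked, "alice", at))
}
```

With the lockout disabled the attacker succeeds after a few hundred thousand requests, well inside the validity window if nothing slows the requests down; with it enabled the attack dies after five submissions. The trade-off is visible in the test: once a user is locked, the legitimate user is refused too, so a real deployment would pair this with per-source rate limiting and a timed unlock rather than a permanent counter.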
But I'll try and give a basic run down on the differences/similarities.
Wag is good for a hub-and-spoke design where you want to have a hard boundary, rather than a Tailscale-esque mesh where everything touches everything and then the rules define the overlay.
Both wag and Tailscale add SSO integrations and effectively 2FA for securing your users.
And both of us have a way to enroll and a web UI to manage things, although I'm sure Tailscale is much more polished considering I'm one guy who doesn't like web development.
As for things I'm definitely not going to implement: probably interception or a TLS proxy to redirect users once their session logs out, primarily just because doing that in eBPF is a little bit beyond me right at this second, and I don't feel like writing the DNAT/SNAT components I'd probably have to in order to get it working.
You'd think that sites choosing wireguard would have a more modern setup and might make heavy use of (self service) ULAs.
Is there something specific you were thinking about when you mention ULAs?