by dminor 3028 days ago
I've seen WireGuard recommended here pretty strongly, so I started looking into it, but I couldn't see exactly how it could replace OpenVPN for us.

We have an OpenVPN bastion for access into our VPC, and each engineer has their own key. When someone leaves, we can revoke their key.

But WireGuard seems to use a single key per network interface. Would we just create an interface for every engineer (I have no idea what the limits are on these - maybe they're cheap)? Or is this just not a good use case for WireGuard?

4 comments

> But WireGuard seems to use a single key per network interface.

Every interface is associated with a public/private key pair, but each interface need not peer with a single client. That would be inefficient. Instead, each peer (including clients and the server) generates a personal key pair when they configure their local WireGuard (e.g. wg0) interface. Afterwards they set up a local configuration file consisting of peers and respective public keys.

Then in the context of a company VPN, one peer is a designated server, and every other (client) peer lists the server’s remote IP as the only peer interface in their local configuration. The server has the public key of every client as respective entries in its local config file, which is used to restrict access to whitelisted clients. Any client with the corresponding private key locally can connect to the server’s interface using their local interface.

To remove a client from the whitelist, you simply remove their peer entry from the local config file on the server, much like how you remove an SSH public key from authorized_keys. In fact, a decent mental model for WireGuard is tunneling over SSH, but faster, leaner and with no option for a shell or password login.
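The server-side model described above, as an added example that is not part of this thread and is not WireGuard's own tooling: a small Python script that treats the server's wg0.conf the way you would treat authorized_keys. It lists the per-engineer [Peer] entries, lint-checks them before they are loaded, and revokes an engineer by dropping their block. The engineer names, the keys and the config text are constructed placeholders; the only real interfaces it relies on are the wg-quick config format and the base64 shape of a WireGuard key.

```python
"""Per-engineer peer management for a WireGuard server config (wg0.conf).
Added example for this thread (not WireGuard's code nor any poster's); names,
keys and config text are constructed placeholders. Model: one [Interface] for
the server, one [Peer] per engineer; revoking = dropping that [Peer] block."""
import base64
import re

HEADER_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
# Fake keys with the right shape (43 base64 chars + "=", i.e. 32 bytes); real
# ones come from `wg genkey | wg pubkey` on each engineer's laptop.
ALICE_KEY = "Alice" * 8 + "AlA="
BOB_KEY = "Bob" * 14 + "A="
SAMPLE_CONF = f"""\
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

# alice
[Peer]
PublicKey = {ALICE_KEY}
AllowedIPs = 10.100.0.10/32

# bob
[Peer]
PublicKey = {BOB_KEY}
AllowedIPs = 10.100.0.11/32
"""

def split_blocks(text):
    """Split into blocks; each keeps the comment/blank lines above its header
    ("preamble") so the `# alice` label is removed together with alice's [Peer].
    Returns (blocks, trailing_lines)."""
    blocks, pending, current = [], [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"header": m.group(1), "preamble": pending, "body": []}
            blocks.append(current)
            pending = []
        elif current is None or not line.strip() or line.lstrip().startswith("#"):
            pending.append(line)
        else:
            current["body"].append(line)
    return blocks, pending

def fields(block):
    """Key = Value lines of one block as a dict."""
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in block["body"])}

def render(blocks, tail):
    body = [line for b in blocks for line in b["preamble"] + [f"[{b['header']}]"] + b["body"]]
    return "\n".join(body + tail) + "\n"

def valid_key(key):
    """A WireGuard public key is base64 of exactly 32 bytes (Curve25519)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def list_peers(text):
    """Each [Peer] as {name, PublicKey, AllowedIPs}; name is the label comment."""
    peers = []
    for b in split_blocks(text)[0]:
        if b["header"] == "Peer":
            labels = [l.strip("# ") for l in b["preamble"] if l.strip().startswith("#")]
            f = fields(b)
            peers.append({"name": labels[0] if labels else None,
                          "PublicKey": f.get("PublicKey"), "AllowedIPs": f.get("AllowedIPs")})
    return peers

def check(text):
    """Problems to catch before `wg syncconf`: a malformed key, a peer with no
    AllowedIPs (handshakes but routes nothing), and an AllowedIP given to two
    peers: cryptokey routing maps each AllowedIP to exactly one peer, so a
    duplicate silently moves it to whichever peer was loaded last."""
    problems, seen_ips = [], {}
    for p in list_peers(text):
        if not valid_key(p["PublicKey"] or ""):
            problems.append(f"{p['name']}: malformed PublicKey")
        if not p["AllowedIPs"]:
            problems.append(f"{p['name']}: no AllowedIPs")
            continue
        for ip in (x.strip() for x in p["AllowedIPs"].split(",")):
            if ip in seen_ips:
                problems.append(f"{p['name']}: {ip} already assigned to {seen_ips[ip]}")
            seen_ips.setdefault(ip, p["name"])
    return problems

def revoke_peer(text, public_key):
    """Config with the [Peer] for public_key removed; KeyError if it is absent,
    so a typo in an offboarding ticket cannot silently revoke nobody."""
    blocks, tail = split_blocks(text)
    kept = [b for b in blocks
            if not (b["header"] == "Peer" and fields(b).get("PublicKey") == public_key)]
    if len(kept) == len(blocks):
        raise KeyError(f"no peer with PublicKey {public_key}")
    return render(kept, tail)
```

Two practitioner notes on using this. Editing the file does nothing until it is loaded: after writing it back on the server, apply it without dropping everyone else's session with `wg syncconf wg0 <(wg-quick strip wg0)`, or cut one engineer off immediately with `wg set wg0 peer <pubkey> remove` and fix the file afterwards. And the per-peer /32 in AllowedIPs is what makes the engineer's tunnel address stable and unique, so firewall rules and logs inside the VPC can be tied to a person, which is why the duplicate-AllowedIPs check matters more than it looks.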

With WireGuard you have one public/private key pair for that interface, and a list of public keys for trusted peers. Access management would still be about the same -- each engineer would have a key pair, and you'd have the public key on the trusted list of the host side.

Each network interface has a key pair associated with it, but it can pair with any number of other interfaces (having a pubkey for each). This is similar to how OpenVPN presumably works for you: each OpenVPN network device on your developers' laptops comes with a certificate they use to authenticate to you.

So yes: there's one interface per engineer laptop, but that's already the case. There's only one remote interface though. (Or several, if you want to have several VPNs -- Wireguard makes that pretty easy too!)

IIRC, the wireguard server's config file has defined peers (clients) so you could just remove the peer pubkey from the config file and they would no longer be able to connect.