|
|
|
|
|
|
by dsacco
3028 days ago
|
|
|
> But WireGuard seems to use a single key per network interface. Every interface is associated with a public/private key pair, but each interface need not peer with a single client. That would be inefficient. Instead, each peer (including clients and the server) generates a personal key pair when they configure their local WireGuard (e.g. wg0) interface. Afterwards they set up a local configuration file consisting of peers and respective public keys. Then in the context of a company VPN, one peer is a designated server, and every other (client) peer lists the server’s remote IP as the only peer interface in their local configuration. The server has the public key of every client as respective entries in its local config file, which is used to restrict access to whitelisted clients. Any client with the corresponding private key locally can connect to the server’s interface using their local interface. To remove a client from the white list, you simply remove their peer entry from the local config file on the server, much like how you remove an SSH public key from authorized_keys. In fact, a decent mental model for WireGuard is tuennling over SSH, but faster, leaner and with no option for a shell or password login. |
|
|