I am not familiar with pritunl, but it should not be necessary to keep the private key in a file. It is possible to configure wireguard directly with code [1] without calling the wg binary manually as pritunl seems to be doing [2].
I think I’m more worried about the lifecycle of that key. Pritunl issues new keys all the time. What does Tailscale etc. do?
Because these keys aren’t the short-lived, in-memory session keys [1], but auth keys. Knowing this single key effectively bypasses any MFA you may have.
Seems like Tailscale has 180 days by default [2], which feels a bit too long for a person who expects MFA to be more proactive than this. Sure, you can change the default to 1 day, but how many users know it’s possible or would even think to change that?
Compare that with OpenVPN where you can force every single auth attempt to use a password plus TOTP code for instance.
1. https://www.wireguard.com/protocol/
2. https://tailscale.com/kb/1028/key-expiry/
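The comment above is about node auth keys outliving the MFA they were minted behind. The defender's counterpart is an audit that flags devices whose key lifetime exceeds your policy or whose expiry has been switched off. The script below is an added example, not code from the thread or from Tailscale; the device record shape (`name`, `created`, `expires`, `keyExpiryDisabled`) is modelled on a coordination-server device listing but the field names and the sample data are constructed here, so map them onto whatever your own control plane returns.

```python
"""Audit node-key lifetimes against a tightened expiry policy (added example, not from the thread)."""
import json
from datetime import datetime, timedelta, timezone

# Policy: the thread's suggested 1-day lifetime instead of the 180-day default.
POLICY_MAX_KEY_AGE = timedelta(days=1)

# Constructed sample shaped like a device listing; field names are an assumption, not a verified API.
SAMPLE_DEVICES_JSON = """
[
  {"name": "laptop-a", "created": "2024-01-01T00:00:00Z",
   "expires": "2024-06-29T00:00:00Z", "keyExpiryDisabled": false},
  {"name": "laptop-b", "created": "2024-03-01T00:00:00Z",
   "expires": "2024-03-02T00:00:00Z", "keyExpiryDisabled": false},
  {"name": "server-c", "created": "2023-11-10T00:00:00Z",
   "expires": "2024-05-08T00:00:00Z", "keyExpiryDisabled": true}
]
"""


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_devices(devices: list[dict], now: datetime, max_age: timedelta) -> list[tuple[str, str]]:
    """Return (device name, finding) pairs for keys that violate the expiry policy.

    Three conditions are reported:
      * expiry disabled: the key never rotates, so MFA is never re-challenged;
      * lifetime longer than policy: the key was issued under a looser default;
      * already expired: the node should have re-authenticated but is still listed.
    """
    findings: list[tuple[str, str]] = []
    for dev in devices:
        name = dev["name"]
        if dev.get("keyExpiryDisabled"):
            findings.append((name, "key expiry disabled"))
            continue
        created = parse_ts(dev["created"])
        expires = parse_ts(dev["expires"])
        lifetime = expires - created
        if lifetime > max_age:
            findings.append((name, f"key lifetime {lifetime.days}d exceeds policy {max_age.days}d"))
        if expires <= now:
            findings.append((name, "key expired"))
    return findings


def run_sample_audit() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample with a fixed 'now' so results are reproducible."""
    devices = json.loads(SAMPLE_DEVICES_JSON)
    now = datetime(2024, 3, 15, tzinfo=timezone.utc)
    return audit_devices(devices, now, POLICY_MAX_KEY_AGE)


if __name__ == "__main__":
    for name, finding in run_sample_audit():
        print(f"{name}: {finding}")
```

Running it against the sample reports laptop-a for carrying a 180-day key, laptop-b for a key that has already expired, and server-c for having expiry disabled. In practice you would feed it the live device listing on a schedule and page on any new finding, because a disabled or long-lived key is exactly the single secret the comment warns bypasses MFA.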