
At our company we use WireGuard VPN to access our cluster. On our server, we install WireGuard, which adds a network interface that acts as a tunnel interface. Access through this tunnel is encrypted via a private/public key association between the server and the client.

Below is a sample config:

Server:

[Interface]
PrivateKey = serverPrivateKey
ListenPort = serverPort

[Peer]
PublicKey = clientPublicKey
AllowedIPs = clientIpRanges

Client:

[Interface]
PrivateKey = clientPrivateKey
ListenPort = clientPort

[Peer]
PublicKey = serverPublicKey
Endpoint = serverIP:serverPort
AllowedIPs = 0.0.0.0/0

The client config above is now saved locally on the machines that need access to the server.

The issue is that WireGuard doesn't support 2FA, so as an extra security measure we are trying to remove the keys from the machine itself and have a more secure way to access the server.

For that we have a YubiKey to which we intend to add the config, which would serve as 2FA validation to access the server.

What we are trying to achieve:

We need to remove the keys from the local PC and use the YubiKey to access the server.

Stuff I've already gone through

I have already set up a pass store using gpg, where I created a multiline password containing the cluster config.

Still, the connection between wg and the YubiKey is missing, given that we have multiple servers with different configs. The key is moved to the card:

$ gpg --edit-key keyID

gpg> keytocard

Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

Your input is much appreciated.

1 Answer


Don't put the entire WireGuard config in your password store -- just the WireGuard private key.

If you have multiple WireGuard configs, store the private key for each in a different password entry, like say this:

wg genkey | pass insert -e WireGuard/private-keys/wg0
wg genkey | pass insert -e WireGuard/private-keys/wg1

(You can then calculate the public key for a private key like this: pass WireGuard/private-keys/wg0 | wg pubkey.)

Keep the WireGuard config for each interface in your /etc/wireguard directory -- but replace the interface's PrivateKey entry with a PostUp command that extracts the private key from your user account's password store when the interface starts up; like this example WireGuard config file (where your user account is named me):

# /etc/wireguard/wg0.conf
[Interface]
Address = 10.200.100.8/24
DNS = 10.200.100.1
PostUp = wg set %i private-key <(sudo -u me pass WireGuard/private-keys/%i)

[Peer]
PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU=
AllowedIPs = 10.200.100.0/24
Endpoint = 198.51.100.123:51820

Or this example WireGuard config file:

# /etc/wireguard/wg1.conf
[Interface]
Address = 10.192.122.1/24
Address = 10.10.0.1/16
PostUp = wg set %i private-key <(sudo -u me pass WireGuard/private-keys/%i)
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

You can start up the above wg0 interface with the following command:

sudo wg-quick up wg0

And the wg1 interface like this:

sudo wg-quick up wg1

If your gpg-agent doesn't have the PGP key for your password store in its cache, when you start one of those interfaces, you'll be prompted for the PGP key's passphrase -- or if you've moved the PGP key to a YubiKey, you'll be prompted to touch your YubiKey.

Justin Ludwig
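As an added example (not part of the answer above, and not the WireGuard or pass project's own code), here is a small shell audit that checks a wg-quick config follows the pattern the answer describes: no uncommented PrivateKey line left on disk, and a PostUp hook that loads the key from pass. It also resolves which pass entry a config will read, mirroring how wg-quick derives %i from the file name. The sample configs and keys it writes are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added audit helper: verifies a wg-quick config keeps no inline PrivateKey and
# instead loads it at PostUp from `pass`, as in the answer above.

# wg_conf_audit FILE
#   Prints "ok", "inline-key" or "no-postup-key"; exit status 0 only for "ok".
wg_conf_audit() {
  local f="$1"
  # An uncommented "PrivateKey = ..." line means the key still lives on disk.
  if grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$f"; then
    echo "inline-key"; return 1
  fi
  # Expect the PostUp hook from the answer: wg set %i private-key <(... pass ...)
  if ! grep -Eq '^[[:space:]]*PostUp[[:space:]]*=.*wg set %i private-key.*pass[[:space:]]' "$f"; then
    echo "no-postup-key"; return 2
  fi
  echo "ok"
}

# wg_conf_pass_entry FILE
#   Prints the pass entry the PostUp line reads, with %i resolved from the file
#   name (wg-quick takes the interface name from the basename without ".conf").
wg_conf_pass_entry() {
  local f="$1" iface
  iface=$(basename "$f" .conf)
  sed -nE 's/^[[:space:]]*PostUp[[:space:]]*=.*pass[[:space:]]+([^) ]+)\).*/\1/p' "$f" |
    sed "s/%i/$iface/g" | head -n1
}

# Constructed sample configs for demonstration (keys are placeholders, not real).
WG_DEMO_DIR=$(mktemp -d)
cat > "$WG_DEMO_DIR/wg0.conf" <<'EOF'
[Interface]
Address = 10.200.100.8/24
PostUp = wg set %i private-key <(sudo -u me pass WireGuard/private-keys/%i)

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY=
AllowedIPs = 10.200.100.0/24
EOF
cat > "$WG_DEMO_DIR/wg1.conf" <<'EOF'
[Interface]
Address = 10.192.122.1/24
# PrivateKey = PLACEHOLDER_OLD_INLINE_KEY=
PrivateKey = PLACEHOLDER_INLINE_KEY=
EOF

for c in "$WG_DEMO_DIR"/*.conf; do
  printf '%s: %s (pass entry: %s)\n' "$(basename "$c")" "$(wg_conf_audit "$c")" "$(wg_conf_pass_entry "$c")"
done
```

Run it against /etc/wireguard/*.conf (as root) to confirm that no interface still carries a PrivateKey line after migrating to the PostUp approach.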