At our company we use WireGuard VPN to access our cluster. On our server, we install WireGuard, which adds a network interface that acts as a tunnel interface. Access through this tunnel is encrypted via a private/public key association between the server and the client.
Below is a sample config.

Server:

[Interface]
PrivateKey = serverPrivateKey
ListenPort = serverPort

[Peer]
PublicKey = clientPublicKey
AllowedIPs = clientIpRanges

Client:

[Interface]
PrivateKey = clientPrivateKey
ListenPort = clientPort

[Peer]
PublicKey = serverPublicKey
Endpoint = serverIP:serverPort
AllowedIPs = 0.0.0.0/0
The client config above is currently saved locally on the machines that need access to the server.
The issue is that WireGuard doesn't support 2FA, so as an extra security measure we are trying to remove the keys from the machine itself and have a more secure way to access the server.
For that we have a YubiKey to which we intend to add the config, which would serve as 2FA validation for accessing the server.
What we are trying to achieve:
We need to remove the keys from the local PC and use the yubikey to access the server.
Stuff already done:
I have already set up a pass store using gpg, where I created a multiline password containing the cluster config.
Still, the connection between wg and the YubiKey is missing, given that we have multiple servers with different configs. The key is moved to the card:
$ gpg --edit-key keyID
gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
https://lists.zx2c4.com/pipermail/wireguard/2017-November/001951.html
https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
Your input is much appreciated.
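As an added example (not from the question, nor from the WireGuard or pass projects) of the missing link between wg and the YubiKey-backed pass store: a wrapper that keeps the on-disk WireGuard config free of PrivateKey and injects the key from pass only at up-time, so the gpg decryption on the YubiKey (PIN/touch) becomes the second factor, one pass entry per server. The pass entry path vpn/<server>/privkey (key on its first line) and the config path /etc/wireguard/<server>.conf are assumed names.

```shell
#!/bin/sh
# Added example, not from the original question. The config file on disk
# omits PrivateKey; the key is read from the gpg-backed pass store when the
# tunnel comes up, so the YubiKey holding the gpg key must be present.
# Assumed names: pass entry vpn/<server>/privkey, config /etc/wireguard/<server>.conf.
set -eu

# Return 1 if the on-disk config still carries a PrivateKey line.
check_keyless_config() {
    conf="$1"
    if grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf"; then
        return 1
    fi
    return 0
}

# A WireGuard key is 32 bytes, i.e. 44 base64 characters ending in one '='.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Bring up <server>: wg-quick configures interface, peers and routes from the
# keyless config, then the key from pass is handed to wg over a pipe.
up_tunnel() {
    name="$1"
    conf="/etc/wireguard/${name}.conf"
    check_keyless_config "$conf" || {
        echo "refusing to start: $conf still contains PrivateKey" >&2; return 1; }
    # pass prompts for the YubiKey PIN here; the key only ever lives in memory.
    key="$(pass show "vpn/${name}/privkey" | head -n 1)"
    valid_wg_key "$key" || {
        echo "pass entry vpn/${name}/privkey is not a WireGuard key" >&2; return 1; }
    wg-quick up "$conf"
    printf '%s\n' "$key" | wg set "$name" private-key /dev/stdin
    unset key
}

down_tunnel() {
    wg-quick down "/etc/wireguard/$1.conf"
}

case "${1:-}" in
    up)   up_tunnel "$2" ;;
    down) down_tunnel "$2" ;;
esac
```

Usage: `./wg-yk.sh up clusterA`; the client config for each server is kept in /etc/wireguard without its PrivateKey line, and the script refuses to start if a key is still found there.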