Wireguard -- how to provide my own private key?

Hi,

Going through the process, it appears that AirVPN both generates a WireGuard public key, and then holds onto it.

This entirely defeats the purpose of having a private key.

Is there a way I can set up a WireGuard device by providing a public key for a private key I have generated and own? This is pretty much a deal-breaker for me.

Thank you.

OpenSourcerer

Be advised that this key is solely used to authenticate you against the AirVPN server. Providing your own does not increase your privacy in any way. The actual encryption keys, which are rotated hourly at the latest to provide Perfect Forward Secrecy, are negotiated and used with the CHACHA-POLY1305 cipher; this process is entirely out of the hands of the user, though.

Envy1851

I also would like to see this option.

For an example use case -- I have a wireguard tunnel set up between my home network and offsite devices. I already have generated keys, and can provide the public key (which should be all that is needed on AirVPN side). If I had this option, I could use the same wireguard key on my offsite devices with 2 peers (home network and AirVPN, only allowing local traffic to home network).

Currently, the only option would be to use the private+public key pair combo generated by AirVPN, and allow that on my tunnel at home which would not be acceptable security wise. In that case then AirVPN or anyone who obtained the key would be able to VPN into my local network. It would be better to never have the private key stored anywhere else.

OpenSourcerer

I think I wrote it above – the key's sole purpose is to authenticate you against the AirVPN server. What purpose would it serve to provide your own?

Because AirVPN should never have the private key in the first place. That's the whole point of public-key cryptography, is that the owner of the keypair should be the only one to ever have access to the private key.

Look at e.g. Mullvad. You provide your own public key, or they generate one in-browser on the client that they never see.

It's a privacy and confidentiality thing, not a functionality thing.

Envy1851

In my case, that would not be the sole purpose of the key. The key would also be used to authenticate myself against my own wireguard server, which is the reason I want to remain in control of this key. If I were to do this setup currently, I would have to put complete trust in AirVPN to keep this key safe. Anyone with the key could authenticate against my own wireguard server, which is where the risk comes from. Keeping my private key stored locally and only providing the public key would definitely be preferred.

OpenSourcerer

On 1/6/2024 at 6:08 PM, e3b0 said:

It's a privacy and confidentiality thing, not a functionality thing.

No, it is just that – a functionality thing. As written above, and I write it again, this key is not used for encryption, only for authentication against a server, so providing your own key is a completely unnecessary feature. One of the reasons is Mr. Envy1851's situation:

On 1/15/2024 at 3:44 PM, Envy1851 said:

The key would also be used to authenticate myself against my own wireguard server, which is the reason I want to remain in control of this key. If I were to do this setup currently, I would have to put complete trust in AirVPN to keep this key safe. Anyone with the key could authenticate against my own wireguard server, which is where the risk comes from

You should know that you're not supposed to use the same password in multiple places, so how is using the same key in multiple places any better? Your reasoning is really off and not something to be encouraged by offering such a feature.

Envy1851

21 hours ago, OpenSourcerer said:

You should know that you're not supposed to use the same password in multiple places, so how is using the same key in multiple places any better? Your reasoning is really off and not something to be encouraged by offering such a feature.

In what way would this be equivalent to using the same password in multiple places? You are not sharing your private key with the wireguard server like you would be with a password, you only share a public key. It's literally a feature of Wireguard to have multiple peers on the same tunnel. For this to happen you would be using the same wireguard tunnel (therefore the same key) to connect to both peers (in my case AirVPN and my home network). But I cannot use this feature because I do not trust the safety/security of my AirVPN-generated key pair.

So yeah, currently I am doing what you are advising (two different tunnels therefore two different keys) but the experience is much worse than it could be, since you cannot have both tunnels active at the same time on Android. I need to choose whether I want to be able to access my home network or have my traffic tunneled through VPN.

benfitita

@Envy1851 is right. You should fully control your private key for this kind of setup – 1 WireGuard interface with multiple peers. Otherwise in case of a private key leak from AirVPN, somebody could connect to their home network.

As far as I understand this WireGuard private/public key stuff, there're 2 key pairs.
1. AirVPN needs to generate a public key from their secret server private key, and that goes into your [Peer] config section.
2. You need to pass your public key to AirVPN, so they put it into their [Peer] section (server-side) for your "device".

You should be able to keep your private key secret and `wg pubkey` to create a public key which you store with AirVPN. There's no need to share your private key with AirVPN. I suppose that public key could be stored in the "Devices". There could be an additional button "Put my own public key" which erases the old keypair and just retains the public key. When such device is selected, "Config generator" puts a placeholder value in `[Interface]` -> `PrivateKey`. Maybe there's a value that would make wg complain about an invalid config? Sophisticated users would have to know they have to edit this file. Perhaps "Config generator" could additionally display a warning when such a device is selected. @Staff would you consider adding such an advanced feature?

However, I can see how, for the ease of use, some users might prefer to let AirVPN generate your private key and keep it stored for them.

aatrox22312

I too want to have simultaneous connections to my home network for the private IP range, while still sending all public facing traffic through airvpn by having two peers in my config. In it's current state this is not possible with airvpn.
The solution @benfitita proposed would solve this issue for advanced users while still being accessible for new users.
I would appreciate if the staff would look into this

flat4

As I am reading this post, from a super high level view (non technical) what some of you are aiming to do is use airvpn servers as personal vlans so you can access you internal networks when connecting to airvpn via whatever? So providing your own key will prevent airvpn or anyone else from reaching your network while connected to a airvpn server?

is that a good synopsis?

aatrox22312

On 5/24/2024 at 3:20 PM, flat4 said:

As I am reading this post, from a super high level view (non technical) what some of you are aiming to do is use airvpn servers as personal vlans so you can access you internal networks when connecting to airvpn via whatever? So providing your own key will prevent airvpn or anyone else from reaching your network while connected to a airvpn server?

is that a good synopsis?

I think you misunderstood, wireguard allows having multiple Peers.
For each peer you can define allowed Addresses which is the selector to which peer traffic is routed.
Allowed IPs for the Peer in your home network is set to 10.0.0.0/8 (10.0.0.0 - 10.255.255.255) and AirVPN would have all public IP ranges as allowedFor example google.com would be routed through AirVPN while 10.0.0.2 is routed into your home network. So it's only either of them, traffic directed to your home network is not routed through AirVPN. Also theres no direct connection between AirVPN and my own VPN Server. So others connected to the same AirVPN server can not reach the private network.

At least that's my understanding of it.

So for example the config would look like this

[Interface]
PrivateKey = wDMfXXXXXXXXXXXXXXXXXXXXXXXXnQE8=
Address = 10.42.42.42/32
.....
[Peer]
PublicKey = 2MQ5XXXXXXXXXXXXXXXXXXXXXXXXX64eWm1I=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8
......
[Peer]
PublicKey = PyLXXXXXXXXXXXXXXXXXXXXXXXuig+hk=
Endpoint = europe3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 192.0.0.0/9, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4,::/0,10.141.36.99/32

Thats why we need to provide our own private key, because the respective public key has to be provided to both, airvpn and your own vpn server

Wireguard -- how to provide my own private key?

Recommended Posts

Guest

Share this post

Link to post

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

Share this post

Link to post

Share this post

Link to post

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

Share this post

Link to post

Guest

Share this post

Link to post

Share this post

Link to post

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Join the conversation