this post was submitted on 15 Apr 2024
0 points (50.0% liked)


I am running wg-easy and there is a way to password protect the GUI used for creating Wireguard connections. Is there a way to prohibit a connection from being made if a password is not entered? I don’t want someone to be able to access my VPN if, for example, my phone were stolen unlocked. I don’t mind if it is client side only.

top 8 comments
[–] [email protected] 5 points 7 months ago

Password protect your phone?

When a private key gets compromised just delete the public one from the allow list?

[–] [email protected] 2 points 7 months ago (1 children)

If it's something you're really worried about, maybe something like https://github.com/NHAS/wag will help along with your secure totp app.

[–] [email protected] 1 points 7 months ago

Thanks, will look into it

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

Simply put: No.

You need to make sure no one accesses your phone even when stolen (for a myriad of other reasons as well), so password protect it.

This has nothing to do with WG-easy or any wireguard implementation itself - it's simply part of Wireguard. What you could do to at least discourage an attack is to save parts of the secrets (Preshared key, public key of your network) in a password manager like bitwarden and copy and paste it into the client every time you connect - and remove it from there after you're done. But be aware that this will only discourage a technically inept attacker - the WG client and the OS, etc. will keep enough data of these transactions around to easily find out this information, and for a good attacker you actually make it easier this way. So I would clearly not recommend it. Password protect your phone.

WAG and other solutions put another layer between your network and WG. Basically they add a captive portal and only "unlock" it once you authorised yourself there. It is not a pretty solution and you need to be aware that it easily locks you out of your own network.

Another solution could be that you build two WG connections - one that is limited to your firewall and can exclusively connect to that device, and one that has broader access. Use the first one to enable access, the latter one for actual access. Then the first one to disable access again.

The WG easy container should always be run behind an authentication layer, even in LAN, as it enables an attacker (who might be already in the LAN) to establish full outside connections. This can easily be achieved with a reverse proxy like Caddy/nginx proxy manager. The container then needs to be behind the proxy in its own network with only the WG port exposed. Requires a bit of work but is easily doable... And Portainer is your friend in that regard.
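
The layout described in the last paragraph of the comment above, sketched as a Compose file. This is an added example, not part of the comment or of the wg-easy project; the hostnames, the `wg_admin` network name, the password and the hash are placeholders, and Caddy's `basic_auth` stands in for whichever authentication layer you use.

```yaml
# Added example (constructed): wg-easy GUI reachable only through an authenticating proxy.
# Placeholders: vpn.example.com, wg.home.example, YOUR_ADMIN_PASSWORD, the password hash.
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    environment:
      - WG_HOST=vpn.example.com        # placeholder public hostname of the VPN endpoint
      - PASSWORD=YOUR_ADMIN_PASSWORD   # option quoted in this thread; check your version's README
    volumes:
      - ./wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"              # only the WireGuard tunnel port is published
      # 51821/tcp (web GUI) is deliberately NOT published on the host
    cap_add: [NET_ADMIN, SYS_MODULE]
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks: [wg_admin]
    restart: unless-stopped

  caddy:
    image: caddy:2
    ports:
      - "443:443"                      # the GUI is reachable only through the proxy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
    networks: [wg_admin]
    restart: unless-stopped

networks:
  wg_admin: {}                         # dedicated network shared only by the proxy and wg-easy

volumes:
  caddy_data: {}

# ./Caddyfile (separate file, shown here as a comment):
#   wg.home.example {
#       tls internal
#       basic_auth {
#           admin REPLACE_WITH_OUTPUT_OF_caddy_hash-password
#       }
#       reverse_proxy wg-easy:51821
#   }
```

This gates the admin GUI only; it does not add a password to the WireGuard tunnel itself.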

[–] [email protected] 1 points 7 months ago (1 children)

wg-easy has this option when you run the docker:

-e PASSWORD=YOUR_ADMIN_PASSWORD

which sets an admin password when deploying the container.

If you didn't put a password I guess you can add one in the admin settings

from https://github.com/wg-easy/wg-easy?tab=readme-ov-file#2-run-wireguard-easy

[–] [email protected] 1 points 7 months ago

That's for logging into the web GUI IIRC, not for authorizing a connection from wg client to wg server.

[–] [email protected] 1 points 7 months ago (1 children)

Yo - absolutely!

WG easy posts the GUI on a separate port than the primary Wireguard port you'd need to open in the firewall. I think it's 51821 - but this can easily be changed depending on if you're using docker-compose files or a gui like portainer to manage this.

In my case - I am using Nginx Proxy Manager - and it even has its own basic password requirement "Access List" availability. With NPM I'm routing that gui over vpn (local dns) but you could put it behind a password with limited security via Access List, or the step beyond look into "middleware" like Keycloak.

[–] [email protected] 1 points 7 months ago

Hi, I’m not talking about the GUI. It is already behind a password and it is fine. I’m also using nginx for setting up the certs when connecting to nextcloud. What you are saying with Access List sounds very interesting but how does it work? How do you enter the password when you access nginx? Thanks for your reply.