Re: SFTP-based VPN bootstrapping with automatic collision-free IPs assignment/peers' public data sharing

[ST <smntov@gmail.com>]

Hi Jason,

thank you very much! It is indeed what I'm looking for. I'll try to
learn how your script exactly works, just please tell me why and to what
extent is it insecurely and what needs to be done to make it secure?

Thank you!


On Mon, 2018-04-16 at 00:37 +0200, Jason A. Donenfeld wrote:
> Hi ST,
> 
> It's a cool idea using the file system like that (the sticky bit would
> make the permissions part work correctly, perhaps), though I wonder if
> it's a bit complicated. If the model you're after is simply "server
> allocates IPs for peers already known through some channel but with
> unknown wireguard public keys", then maybe a better SSH-based
> interface is a special user that is only allowed to run one program,
> and that program does one thing: accepts as input a public key, and
> outputs [without races] an allocated IP, endpoint, and the server's
> public key. Under the hood that information could be stored in a
> variety of ways. Alternatively, this could be its own protocol over
> the wire or over TLS or over whatever the pre-established trust
> mechanism is that the idea is based on. One of the earliest dirty bash
> scripts for WireGuard did this (insecurely) over TCP --
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/ncat-client-server/server.sh
> -- this is what's running on demo.wireguard.com.
> 
> Jason