Wireguard (VPN): Storing private key in vault-vm

Continuing the discussion from Wireguard VPN setup:

I am contemplating storing the wg private key in vault-vm and using PreUp to load the key via qrexec. I want to know if the below will work.

PreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)

In vault-vm I am planning to have a script like below

qubes.GetWGPvtKey

#!/bin/sh
# Read the private key into ${WG_PVT_KEY} based on the argument; qrexec passes the "+parameter" part as $1
WG_PVT_KEY=$(pass "WireGuard/private-keys/$1")
printf '%s\n' "${WG_PVT_KEY}"

In dom0 have policy in place to allow sys-vpn to run the above script in vault-vm.
qubes.GetWGPvtKey +parameter sys-vpn @default allow target=vault-vm

In sys-vpn update the PreUp in wireguard.conf as below

PreUp = wg set %i private-key < $(qrexec-client-vm @default qubes.GetWGPvtKey+parameter)

1 Like

The idea is good; I don’t know how to use the parameter in the RPC system. However, it may be better, if suitable, to make an RPC for each kind of password you want to query, otherwise you could just crawl the entire vault through RPC mechanisms due to the parameter. There would be a user confirmation of course, but I don’t know if that GUI shows you which password is requested.

1 Like
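As an added example (not code from either poster), here is one way to write the vault-side qubes.GetWGPvtKey service so that the qrexec argument selects only from a fixed allowlist of key names, which addresses the concern above that a free-form parameter lets the caller crawl the vault. The key directory, the allowlist, the file naming scheme and the sample key value are all constructed for this example; the script reads plain key files rather than `pass` so it runs offline. The sys-vpn side is shown only as a comment because it needs qrexec-client-vm, and it uses bash process substitution `<(...)` as the first post's `pass` variant does, since `wg set ... private-key` expects a file path.

```shell
#!/bin/sh
# Added example: vault-side qrexec service serving one WireGuard private key.
# Everything below (paths, allowlist, sample key) is an assumption for the example.

# Constructed sample data so the script runs stand-alone: a temporary key
# directory holding one key file. On a real vault-vm this would be a fixed
# directory such as /home/user/wg-keys (assumed), never a temp dir.
KEY_DIR="$(mktemp -d)"
printf '%s\n' 'CONSTRUCTED_SAMPLE_KEY_NOT_REAL=' > "$KEY_DIR/sys-vpn.key"

# Allowlist of key names the caller may request (assumed). Because the
# argument must match one of these tokens exactly, values containing '/',
# '..' or whitespace can never reach the filesystem.
ALLOWED_KEYS="sys-vpn wg-home"

# Return 0 if $1 is exactly one allowlisted name, 1 otherwise.
is_allowed_key() {
    name="$1"
    for k in $ALLOWED_KEYS; do
        [ "$name" = "$k" ] && return 0
    done
    return 1
}

# Print the key for allowlisted name $1; on any problem print nothing and
# return 1 so the caller's wg set fails visibly instead of using junk.
get_wg_key() {
    is_allowed_key "$1" || return 1
    [ -f "$KEY_DIR/$1.key" ] || return 1
    cat "$KEY_DIR/$1.key"
}

# Service entry point: when installed as /etc/qubes-rpc/qubes.GetWGPvtKey,
# qrexec passes the "+parameter" part of the service name as $1.
if [ -n "${1:-}" ]; then
    get_wg_key "$1" || exit 1
fi

# sys-vpn side (comment only; requires qrexec-client-vm and bash via wg-quick):
#   PreUp = wg set %i private-key <(qrexec-client-vm @default qubes.GetWGPvtKey+%i)
# Process substitution gives wg a /dev/fd path to read, whereas
# "< $(...)" would try to redirect stdin from a file named by the key itself.
```

With the matching dom0 policy line `qubes.GetWGPvtKey +sys-vpn sys-vpn @default allow target=vault-vm`, only the listed argument is allowed at the policy layer as well, so the allowlist in the script and the policy reinforce each other.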

I like the idea, especially if you have “sys-vpn” as a disposable… but after pondering it, what happens is: once you run “wg set CONN_NAME private-key” the private key will be present and readable on sys-vpn. So the security impact is minimal during run-time.
I may be missing something though :thinking:

EDIT: minimal sys-vpn template, no password-less root → IT WORKS.