Hi, are wg preshared keys supported on GL-AR300M16-Ext?
In principle this is possible to configure manually (command-line over ssh) since wg supports that, but it doesn’t seem to be possible from the gl-inet web interface.
It also doesn’t seem to be implemented in /etc/init.d/wireguard_server, which reads /etc/config/wireguard_server to create the actual wg config file that is used to configure and bring up the wg interface (at least not in firmware v3.211).
Also not sure if LuCI supports it (haven’t tried installing it).
Any ideas? Is this a planned feature?
Yes the above is indeed available, but this is only for configuring the device as a wireguard client, and not for adding peers when the device is configured as a wireguard server.
What I want to do is use the device as a wg server, and create users (peers) with pre-shared keys. This is not possible from the interface. From VPN → Wireguard Server, the “Management” tab only has an “Add a New User” button; when clicked, the “Add a New WireGuard® Client” box only asks for a user Name and it creates the configuration automatically, without any way to override it (you can only view the QR or the configuration text, but not edit it).
Of course I can generate and add the preshared keys manually over ssh, but I would also then need to modify /etc/init.d/wireguard_server to check for those and create them in the final config, which is not nice…
gl-wg already provides this for when the device is configured as a wg client:
root@GL-AR300M:~# grep shared /etc/init.d/wireguard
config_get preshared_key $1 "preshared_key"
[ -n "$preshared_key" ] && echo -e "PresharedKey = $preshared_key" >>"$WFILE"
but the same is not available in gl-wg-server. I assume you don’t provide the source for those (I couldn’t find it on GitHub), so it is not possible to contribute enhancements.
Yes you are right.
No preshared key for wg server. I will give feedback to the developers.
But you should be able to configure it manually, I think.
Thanks for raising this issue to the developers.
Yes manually is possible, although with a workaround.
I have tried extending /etc/config/wireguard_server and /etc/init.d/wireguard_server with a preshared_key (similar to how wireguard client from the gl-wg package does it), but it doesn’t seem to parse it - it appears that it is not supported by libwgserverapi.so, and this isn’t open source.
So the workaround would be to either set up everything manually (not through the gl-inet web interface or config files), or append the preshared key to the existing configuration, e.g. create a preshared key, create an extra config file that defines just the peer publickey and preshared key, and wg addconf that file.
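
The workaround in the last post (a fragment file holding only the peer's public key and a preshared key, loaded with wg addconf), written out as an added example; it is not code from the thread or from GL.iNet. The interface name wg0 in the usage comment, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: attach a preshared key (PSK) to an existing peer of a running
# WireGuard server by loading a small extra config fragment with `wg addconf`.
# Assumptions: interface name wg0; all function names are hypothetical.

# A WireGuard key is 32 bytes, base64-encoded: 43 characters plus one '='.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# write_psk_fragment PEER_PUBLIC_KEY PRESHARED_KEY OUTFILE
# Writes a [Peer] section containing only the public key and the PSK.
write_psk_fragment() {
    is_wg_key "$1" || { echo "bad peer public key" >&2; return 1; }
    is_wg_key "$2" || { echo "bad preshared key" >&2; return 1; }
    (
        umask 077    # the PSK is a secret: create the file owner-only
        printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\n' "$1" "$2" > "$3"
    )
}

# add_peer_psk IFACE PEER_PUBLIC_KEY
# Generates a new PSK, loads it into the running interface and prints it,
# so it can be added as "PresharedKey = ..." to that client's own config.
add_peer_psk() {
    iface=$1 pub=$2
    # Refuse unknown keys so a typo does not create a new, empty peer.
    wg show "$iface" peers | grep -qxF "$pub" || {
        echo "peer not configured on $iface" >&2; return 1; }
    psk=$(wg genpsk) || return 1
    frag=$(mktemp) || return 1
    write_psk_fragment "$pub" "$psk" "$frag" &&
        wg addconf "$iface" "$frag"
    rc=$?
    rm -f "$frag"    # do not leave the secret lying around in /tmp
    [ "$rc" -eq 0 ] && printf '%s\n' "$psk"
    return "$rc"
}

# Runs on the router only when called with arguments, e.g.:
#   sh add-psk.sh wg0 '<peer public key>'
if [ "$#" -ge 2 ]; then
    add_peer_psk "$1" "$2"
fi
```

wg addconf changes only the running interface, so the key has to be re-applied whenever /etc/init.d/wireguard_server rebuilds it, and the handshake with that peer fails until the client's config carries the same PresharedKey.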