axu
1
Hi, are wg preshared keys supported on GL-AR300M16-Ext?
In principle this is possible to configure manually (command-line over ssh) since wg supports that, but it doesn’t seem to be possible from the gl-inet web interface.
It also doesn’t seem to be implemented in /etc/init.d/wireguard_server, which reads /etc/config/wireguard_server to create the actual wg config file that is used to configure and bring up the wg interface (at least not in firmware v3.211).
Also not sure if LuCI supports it (haven’t tried installing it).
Any ideas? Is this a planned feature?
axu
3
Yes the above is indeed available, but this is only for configuring the device as a wireguard client, and not for adding peers when the device is configured as a wireguard server.
What I want to do is use the device as a wg server, and create users (peers) with pre-shared keys. This is not possible from the interface. From VPN → Wireguard Server, the “Management” tab only has an “Add a New User” button; when clicked, the “Add a New WireGuard® Client” box only asks for a user Name and it creates the configuration automatically, without any way to override it (you can only view the QR or the configuration text, but not edit it).
Of course I can generate and add the preshared keys manually over ssh, but I would also then need to modify /etc/init.d/wireguard_server to check for those and create them in the final config, which is not nice…
axu
4
gl-wg already provides this for when the device is configured as a wg client:
root@GL-AR300M:~# grep shared /etc/init.d/wireguard
local preshared_key
config_get preshared_key $1 "preshared_key"
[ -n "$preshared_key" ] && echo -e "PresharedKey = $preshared_key" >>"$WFILE"
but the same is not available in gl-wg-server. I assume you don’t provide the source for those (I couldn’t find it on GitHub), so it is not possible to contribute enhancements.
alzhao
5
Yes you are right.
No preshared key for wg server. I will feed this back to the developers.
But you should be able to configure it manually, I think.
axu
6
Thanks for raising this issue to the developers.
Yes manually is possible, although with a workaround.
I have tried extending /etc/config/wireguard_server and /etc/init.d/wireguard_server with a preshared_key (similar to how wireguard client from the gl-wg package does it), but it doesn’t seem to parse it - it appears that it is not supported by libwgserverapi.so, and this isn’t open source.
So the workaround would be either to set up everything manually (not through the gl-inet web interface or config files), or to append the preshared key to the existing configuration, e.g. create a preshared key, create an extra config file that defines just the peer publickey and preshared key, and wg addconf that file.
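
The workaround described in the last post (generate a preshared key, write a fragment for just that peer, `wg addconf` it), as an added example that is not part of the thread or of GL.iNet's code. The function names, the interface name and the file path are assumptions; AllowedIPs is repeated in the fragment, beyond what the post lists, so that the fragment fully describes the peer.

```shell
#!/bin/sh
# Added example: per-peer preshared key fragment for a running WireGuard server.
# gen_psk, make_psk_fragment and apply_psk_fragment are hypothetical helper names.

# Emit a preshared key: 32 random bytes, base64-encoded (the format wg genpsk prints).
gen_psk() {
    if command -v wg >/dev/null 2>&1; then
        wg genpsk
    else
        head -c 32 /dev/urandom | base64
    fi
}

# make_psk_fragment PUBKEY ALLOWED_IPS OUTFILE
# Writes a [Peer] fragment readable only by its owner, since it holds a secret.
make_psk_fragment() {
    pub=$1; ips=$2; out=$3
    # A WireGuard key is 32 bytes, i.e. exactly 44 base64 characters.
    case $pub in
        *[!A-Za-z0-9+/=]*) echo "public key is not base64" >&2; return 1 ;;
    esac
    [ "${#pub}" -eq 44 ] || { echo "public key has wrong length" >&2; return 1; }
    psk=$(gen_psk) || return 1
    rm -f "$out"
    ( umask 077
      printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s\n' \
          "$pub" "$psk" "$ips" > "$out" )
}

# apply_psk_fragment IFACE FILE
# Merges the fragment into the running interface without touching other peers.
apply_psk_fragment() {
    wg addconf "$1" "$2"
}

# Typical use on the router (interface name and path are assumptions):
#   make_psk_fragment "<peer public key>" "10.0.0.2/32" /etc/wireguard/peer1.psk.conf
#   apply_psk_fragment wg0 /etc/wireguard/peer1.psk.conf
```

The same PresharedKey value has to be added to that peer's client configuration, and the `wg addconf` step has to be repeated whenever the init script recreates the interface.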