Encrypting/Securing the WireSock Config File


  • #13374
    Scope0530
    Participant

      I’m currently testing a deployment of WireSock in service mode on a Windows 10 machine. I’m satisfied with the functionality and performance of the client so far; however, I’m wondering- what is the recommended way to secure the configuration file? When WireGuardNT creates a tunnel, the configuration file is copied into the restricted-access configuration folder (%ProgramFiles%\WireGuard\Data\Configurations) and encrypted (filename.conf.dpapi). How can we achieve a similar level of security with WireSock?

      #13375
      Scope0530
      Participant

        Whoops- I meant Wireguard for Windows (https://www.wireguard.com/install/), not WireguardNT.

        #13376
        Vadim Smirnov
        Keymaster

          I haven’t verified this personally, but I believe that the standard WireGuard client employs the credentials of the current user to encrypt its configuration file. Integrating a comparable feature into Wiresock wouldn’t be particularly challenging, but the specifics of its implementation would vary based on how you intend to use it. Are you interested in having this encryption feature in the command-line interface (CLI) client? Additionally, how do you foresee utilizing the CLI client—would you run it manually as an application, or would you prefer it to operate as a background service? Alternatively, would the WireSockUI be your preferred interface for this functionality?

          #13377
          Scope0530
          Participant

            1. Are you interested in having this encryption feature in the command-line interface (CLI) client?
            – Yes, we need it in the CLI.
            2. Additionally, how do you foresee utilizing the CLI client—would you run it manually as an application, or would you prefer it to operate as a background service?
            – We need it to run as a background service.
            3. Alternatively, would the WireSockUI be your preferred interface for this functionality?
            – We don’t currently have a preferred UI. Currently, we want our user devices to full tunnel all traffic all the time, with no intervention from the user (and no UI for them to mess with). Our users do not have administrative accounts on the devices, and thus cannot modify the service anyways.

            As for how we intend to use it:
            We would like to deploy full-tunnel WireSock configurations to all of our user laptops. IT admins will create a deployment script which generates client configurations and then deploy the WireSock client with that configuration. Once deployed, the WireSock service will automatically start (running under the Local System account) and run all the time. The tunneling will be invisible to the user, and they will not be able to disable the tunnel.

            #13378
            Vadim Smirnov
            Keymaster

              Thank you for the clarification. To achieve the behavior you’re looking for, you could place the configuration file within the ‘bin’ subdirectory of Wiresock. This way, users lacking Administrator privileges will have read-only access and won’t be able to modify the file. To install the service in this setup, you can use the command:

              wiresock-client.exe install --start-type 2 --config config_file_name.conf --log-level none.

              If your preference is to prevent users from even viewing the configuration settings, I believe I can incorporate an option to encrypt the configuration file. Would this solution meet your requirements?

              #13379
              Scope0530
              Participant

                Encryption of the configuration file would meet our requirements. To be clear, we would like encryption because we are concerned about the plaintext configuration file getting stolen/copied/etc., since anyone with the plaintext configuration file could connect to our WireGuard network.

                #13380
                Vadim Smirnov
                Keymaster

                  I’ve implemented the feature you requested. The command-line client now includes an additional ‘import’ command. This command securely encrypts the specified configuration using LocalSystem credentials and stores it in a specially secured folder. Once encrypted, the configuration can be conveniently utilized through a shortened path reference, e.g.

                  C:\test>wiresock-client.exe import C:\test\test.conf

                  Imported WireGuard configuration: C:\Program Files\WireSock VPN Client\conf\test.conf.dpapi

                  C:\test>wiresock-client.exe install -start-type 2 -config test.conf.dpapi -log-level none

                  Please find attached the updated MSI packages, version 1.2.31, for your review. I invite you to test it out and share your feedback to ensure it meets your expectations.

                  https://www.wiresock.net/downloads/wiresock-vpn-client-x64-1.2.31.1.msi

                  https://www.wiresock.net/downloads/wiresock-vpn-client-x86-1.2.31.1.msi

                  https://www.wiresock.net/downloads/wiresock-vpn-client-ARM64-1.2.31.1.msi

                  #13381
                  Vadim Smirnov
                  Keymaster

                    I’ve updated the functionality to include support for encrypted configurations within setups where the WireSock VPN Client service operates under a user account that differs from the LocalSystem account:

                    https://www.wiresock.net/downloads/wiresock-vpn-client-x64-1.2.32.1.msi

                    https://www.wiresock.net/downloads/wiresock-vpn-client-x86-1.2.32.1.msi

                    https://www.wiresock.net/downloads/wiresock-vpn-client-ARM64-1.2.32.1.msi
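To show what the ‘import’ command in #13380 and the service-account variant in #13381 amount to on the DPAPI side, here is an added PowerShell example that is not WireSock’s own code: the folder, file names and config contents are constructed, and the ACL tightening and plaintext removal are choices made by this example.

```powershell
# Added example, not WireSock's own code: DPAPI-protect a WireGuard config as the
# 'import' command above describes, restrict the file, and verify the round-trip.
Add-Type -AssemblyName System.Security
# Demo location (assumed); the thread shows WireSock using "%ProgramFiles%\WireSock VPN Client\conf".
$ConfDir = Join-Path $env:TEMP 'wiresock-dpapi-demo'
New-Item -ItemType Directory -Path $ConfDir -Force | Out-Null
# Constructed sample config; the keys are placeholders, not real key material.
$Plain = @"
[Interface]
PrivateKey = PLACEHOLDER_NOT_A_REAL_KEY_00000000000000000000=
[Peer]
PublicKey = PLACEHOLDER_PEER_KEY_000000000000000000000000000=
AllowedIPs = 0.0.0.0/0
"@
$PlainPath = Join-Path $ConfDir 'test.conf'
Set-Content -Path $PlainPath -Value $Plain -NoNewline

function Protect-WgConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        # CurrentUser binds the blob to the account running this code (SYSTEM when run as
        # the service); LocalMachine lets any local account decrypt, leaving only the ACL.
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]$Scope)
    $out = "$Path.dpapi"
    [System.IO.File]::WriteAllBytes($out, $blob)
    # Drop inherited ACEs and allow only SYSTEM and Administrators.
    $acl = Get-Acl -Path $out
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $out -AclObject $acl
    Remove-Item -Path $Path -Force   # demo choice: no plaintext left beside the blob
    return $out
}

function Unprotect-WgConfig {
    param([Parameter(Mandatory)][string]$BlobPath, [string]$Scope = 'CurrentUser')
    $blob = [System.IO.File]::ReadAllBytes($BlobPath)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]$Scope)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

$BlobPath = Protect-WgConfig -Path $PlainPath
if ((Unprotect-WgConfig -BlobPath $BlobPath) -eq $Plain) { "round-trip OK: $BlobPath" }
```

With CurrentUser scope the blob is bound to whichever account runs the protect step, so for a service running as LocalSystem it must be created in that context, and for the different-user setup from #13381 it must be created as that service account. Any other account on the machine then gets nothing useful from a copied .dpapi file.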

                    #13384
                    Scope0530
                    Participant

                      Thank you for the prompt responses regarding this feature. The encryption is working as expected in our initial testing. We will update if there are any issues as we continue testing.
