November 3, 2023 at 2:40 pm #13374
I’m currently testing a deployment of WireSock in service mode on a Windows 10 machine. I’m satisfied with the functionality and performance of the client so far; however, I’m wondering: what is the recommended way to secure the configuration file? When WireGuardNT creates a tunnel, the configuration file is copied into the restricted-access configuration folder (%ProgramFiles%\WireGuard\Data\Configurations) and encrypted (filename.conf.dpapi). How can we achieve a similar level of security with WireSock?

November 3, 2023 at 2:42 pm #13375
Whoops, I meant WireGuard for Windows (https://www.wireguard.com/install/), not WireGuardNT.

November 3, 2023 at 3:12 pm #13376
I haven’t verified this personally, but I believe that the standard WireGuard client employs the credentials of the current user to encrypt its configuration file. Integrating a comparable feature into Wiresock wouldn’t be particularly challenging, but the specifics of its implementation would vary based on how you intend to use it. Are you interested in having this encryption feature in the command-line interface (CLI) client? Additionally, how do you foresee utilizing the CLI client—would you run it manually as an application, or would you prefer it to operate as a background service? Alternatively, would the WireSockUI be your preferred interface for this functionality?

November 3, 2023 at 3:59 pm #13377
1. Are you interested in having this encryption feature in the command-line interface (CLI) client?
– Yes, we need it in the CLI.
2. Additionally, how do you foresee utilizing the CLI client—would you run it manually as an application, or would you prefer it to operate as a background service?
– We need it to run as a background service.
3. Alternatively, would the WireSockUI be your preferred interface for this functionality?
– We don’t currently have a preferred UI. Currently, we want our user devices to full tunnel all traffic all the time, with no intervention from the user (and no UI for them to mess with). Our users do not have administrative accounts on the devices, and thus cannot modify the service anyways.
As for how we intend to use it:
We would like to deploy full-tunnel WireSock configurations to all of our user laptops. IT admins will create a deployment script which generates client configurations and then deploy the WireSock client with that configuration. Once deployed, the WireSock service will automatically start (running under the Local System account) and run all the time. The tunneling will be invisible to the user, and they will not be able to disable the tunnel.

November 3, 2023 at 4:55 pm #13378
Thank you for the clarification. To achieve the behavior you’re looking for, you could place the configuration file within the ‘bin’ subdirectory of Wiresock. This way, users lacking Administrator privileges will have read-only access and won’t be able to modify the file. To install the service in this setup, you can use the command:
wiresock-client.exe install --start-type 2 --config config_file_name.conf --log-level none
If your preference is to prevent users from even viewing the configuration settings, I believe I can incorporate an option to encrypt the configuration file. Would this solution meet your requirements?

November 3, 2023 at 8:56 pm #13379
Encryption of the configuration file would meet our requirements. To be clear, we would like encryption because we are concerned about the plaintext configuration file getting stolen/copied/etc., since anyone with the plaintext configuration file could connect to our WireGuard network.

November 4, 2023 at 4:10 pm #13380
I’ve implemented the feature you requested. The command-line client now includes an additional ‘import’ command. This command securely encrypts the specified configuration using LocalSystem credentials and stores it in a specially secured folder. Once encrypted, the configuration can be conveniently utilized through a shortened path reference, e.g.
C:\test>wiresock-client.exe import C:\test\test.conf
Imported WireGuard configuration: C:\Program Files\WireSock VPN Client\conf\test.conf.dpapi
C:\test>wiresock-client.exe install -start-type 2 -config test.conf.dpapi -log-level none
Please find attached the updated MSI packages, version 1.2.31, for your review. I invite you to test it out and share your feedback to ensure it meets your expectations.

November 5, 2023 at 4:28 pm #13381
I’ve updated the functionality to include support for encrypted configurations within setups where the WireSock VPN Client service operates under a user account that differs from the LocalSystem account:

November 6, 2023 at 9:28 pm #13384
Thank you for the prompt responses regarding this feature. The encryption is working as expected in our initial testing. We will update if there are any issues as we continue testing.
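The pattern the thread converges on (a DPAPI-protected copy of the .conf in a folder only SYSTEM and Administrators can read, and the account-mismatch problem addressed in the follow-up) can be reproduced with Windows' own DPAPI API. The script below is an added illustration, not WireSock's `import` implementation and not byte-compatible with WireGuard's .conf.dpapi files; the function names, the output folder and the sample paths are placeholders.

```powershell
# Added example: DPAPI-protect a WireGuard .conf and restrict the result's ACL.
# Not WireSock's own code; function names and paths are placeholders.
Add-Type -AssemblyName System.Security

function Protect-WgConfig {
    param(
        [Parameter(Mandatory)] [string] $ConfPath,
        [Parameter(Mandatory)] [string] $OutDir,
        # CurrentUser binds the blob to the account running this function (SYSTEM
        # when run from a LocalSystem service); LocalMachine lets any account on
        # this host decrypt it, so the ACL below is what keeps it private.
        [System.Security.Cryptography.DataProtectionScope] $Scope = 'CurrentUser'
    )
    $plain = [IO.File]::ReadAllBytes($ConfPath)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    $out   = Join-Path $OutDir ((Split-Path $ConfPath -Leaf) + '.dpapi')
    [IO.File]::WriteAllBytes($out, $blob)

    # Drop inherited ACEs and allow only SYSTEM and Administrators, so a
    # non-admin user cannot even read the ciphertext.
    $acl = Get-Acl $out
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl $out $acl
    return $out
}

function Test-WgConfigReadable {
    # $true if the calling identity can decrypt the blob. $false is the symptom
    # when the blob was protected with CurrentUser scope by one account and the
    # service later runs under a different one (the case the follow-up fixed).
    param([Parameter(Mandatory)] [string] $DpapiPath)
    try {
        $blob = [IO.File]::ReadAllBytes($DpapiPath)
        [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

# Usage with placeholder paths (run from the account the service will use):
# $enc = Protect-WgConfig -ConfPath 'C:\test\test.conf' -OutDir 'C:\ProgramData\ExampleVpn\conf'
# Test-WgConfigReadable $enc
```

Run the check from the service's own identity (for example via a scheduled task running as SYSTEM) before relying on the encrypted file, since a blob readable by the admin who created it may still be undecryptable by the service account.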