Hi Guys,
Just following the conversation here. I agree that users should *NEVER* divulge their private keys, in any normal use scenario!! This is the whole security premise that Diffie-Hellman key pairs are built on.
This is indeed a fundamental security flaw! Absolutely no doubt about that! However, this being said, I realize this is a "no security" ham VPN application for 44net and it is up to the provider to dictate their usage specifications.
Hams should always remember that to be taken seriously, we need to follow best-practice approaches whenever practical, where security professionals won't roll their eyes at us and ultimately say "you're not plugging that device into our network!"
As for "any other commercial vendor using wireguard" providing the private/public keypair for me to use: really?? I've always just exchanged public keys. If a commercial vendor demanded that I only use the keys they provided, they wouldn't even get my consideration and I would send my data (and money!) elsewhere.
73, David K4FXC
On Thu, 23 Feb 2023, Mark Phillips via 44net wrote:
"fundemental security flaw"
I disagree. You want to use my system? You use the keys I provide. You will find that any other vendor using wireguard (e.g. private VPN companies) will supply you a file in this same manner. It's not like I'm then advertising the keys out to the world.
Plus, this has to be as idiot proof as possible. In our experience, the majority of our VPN clients (we are approaching 50) could not find their arse with both hands and so asking them for a key is rocket science. It's a whole world of pain that frankly I just don't want.
You can all throw your objections out into the list but the difference is that we are doing it while you are bitching about it.
On Thu, Feb 23, 2023 at 8:06 AM Nicholas Justin njustin444@gmail.com wrote:
That guide has a fundamental security flaw. The *private* key should only be known by the end-user. This is randomly generated locally. The end-user then tells the "sysop" what their *public* key is.
This is nothing specific to Wireguard, hamnet, etc. It's basic public-private key cryptography.
Quote from guide: *"Delete the contents of the “Private Key” field and paste the private key from the config file supplied by your local sysop". (WRONG!)*
On Wed, Feb 22, 2023, 6:42 PM KUN LIN via 44net 44net@mailman.ampr.org wrote:
How did you get the Wireguard VPN account assigned to you? Kun
*From:* Mark Phillips via 44net 44net@mailman.ampr.org
*Sent:* Monday, February 13, 2023 13:18
*To:* Joshua McDonald josh@2cold.net
*Cc:* Kris Kirby kris@catonic.us; ken boyle ken@kc2idb.net; David Harris KE6GAE@hotmail.com; 44net@mailman.AMPR.org <44net@mailman.ampr.org>
*Subject:* [44net] Re: IPIP Tunnel
I was just going to add Wireguard VPN as a solution for the Cellphone hotspot.
Available at 10 Hamgates and many other nodes. Mikrotik V7 OS works well. Go here for a howto http://hamgatepa.ampr.org/docs/Programming%20the%20MikroTik%20hAP%20lite%20f...
On Mon, Feb 13, 2023 at 12:44 PM Joshua McDonald via 44net <44net@mailman.ampr.org> wrote:
On the client side, using Mikrotik can be done with Wireguard if on RouterOS v7. Use an AP as a client to the Cellular Hotspot and build Wireguard tunnel back to “VPN Concentrator” somewhere.
Of course would require someone on remote end to have public IP to terminate tunnel and route the 44net subnet allocation.
I have done this, but both ends of tunnel and subnet allocation are all in my control. If interested, I can go more in depth.
On Feb 13, 2023, at 12:21 PM, Kris Kirby via 44net <44net@mailman.ampr.org> wrote:
I don't think this is possible with a hotspot from a cellular connection.
You are behind a NAT on cellular, which shares one public IP with many and doesn't allow routable ports/protocols.
The only solution would be to get a public IP address from a home connection or a VPS, and set up a VPN to access it from remote.
I could be wrong, but that is my understanding at this point.
Not only that, but some VPSs do not allow loading the IPIP module, which means that a full KVM virtualized private server is the only solution short of setting up a VPS to announce a /24 via BGP.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
44net mailing list -- 44net@mailman.ampr.org To unsubscribe send an email to 44net-leave@mailman.ampr.org
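The key-handling point argued over in this thread (the WireGuard private key is generated on the end-user's own machine and only the public key is given to the sysop), as an added example that is not part of any message above: a pure-Python X25519 keypair generator in WireGuard's base64 format, plus the one [Peer] fragment the end-user actually needs to send. The function names are my own, the curve arithmetic follows RFC 7748, and the AllowedIPs value is a constructed placeholder.

```python
import base64
import os

# RFC 7748 X25519 written out in pure Python so the example runs offline;
# a WireGuard key is exactly this: a 32-byte scalar and X25519(scalar, 9).
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    """Clamp the 32-byte private scalar as `wg genkey` / RFC 7748 require."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):  # Montgomery ladder over the scalar bits
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(priv_b64: str) -> str:
    """Derive the base64 public key from a base64 private key (what `wg pubkey` does)."""
    return base64.b64encode(x25519(base64.b64decode(priv_b64), BASEPOINT)).decode()

def generate_keypair():
    """Generate the pair on the end-user's own machine; the private half stays there."""
    priv_b64 = base64.b64encode(os.urandom(32)).decode()
    return priv_b64, public_key(priv_b64)

def sysop_peer_entry(pub_b64: str, allowed_ip: str) -> str:
    """The only thing the end-user sends to the sysop: a [Peer] block with the public key.
    (Hypothetical helper; allowed_ip is whatever 44net address the sysop assigned.)"""
    return f"[Peer]\nPublicKey = {pub_b64}\nAllowedIPs = {allowed_ip}\n"
```

The sysop adds that [Peer] block to the concentrator and hands back only their own public key and endpoint; no private key ever crosses the link in either direction.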