Good morning
I am setting up a wireguard tunnel. the tunnel is working as expected but I would like to add an extra layer of security by using a preshared key.
This preshared key has to be a 256-bit symmetric encryption key following the wireguard document. How can I generate such key in routerOS without using 3rd party tools?
When I installing a wireguard server on Debian (or any other linux distro's) it comes with the command "wg genpsk" to generate such keys. However I do not find the equivalent on RouterOS.
Thank you on advance for your help
Re: Wireguard generate Preshared key
RouterOS doesn't seem to have any generator for that. You could probably just create temporary WG interface and take its generated key to use as pre-shared key elsewhere. It's the same size and format. It won't have the ideal cryptographic randomness, but I can't tell how big problem it could be.
-
-
kevinlukas
just joined
- Posts: 2
- Joined:
Re: Wireguard generate Preshared key
I see the WG Peer allow to create Preshared key, but when I enter the key and press apply, it gives the error "Couldn't add New Wireguard Peer - invalid preshared key (6)"
How can I make this preshared key, without having to use Private Key & Public Key automatically generated by WG ?
Please help ! Thanks !
How can I make this preshared key, without having to use Private Key & Public Key automatically generated by WG ?
Please help ! Thanks !
Re: Wireguard generate Preshared key
You can't use any random string. It's supposed to be exactly 256-bit key (32 bytes) encoded using base64 algorithm. It looks the same as Public Key in your screenshot. If you don't have anything better, Google found this: https://www.wireguardconfig.com/ It says that any info doesn't leave your browser, but I didn't verify that.
-
-
kevinlukas
just joined
- Posts: 2
- Joined:
Re: Wireguard generate Preshared key
Thank you very much !You can't use any random string. It's supposed to be exactly 256-bit key (32 bytes) encoded using base64 algorithm. It looks the same as Public Key in your screenshot. If you don't have anything better, Google found this: https://www.wireguardconfig.com/ It says that any info doesn't leave your browser, but I didn't verify that.
Re: Wireguard generate Preshared key
I used a linux machine (or Windows Debian, or MAC CLI...).
For Presahed key, the RouterOS seems to have "Preshared Key = auto", where ROS (now tested RouterOS 7.14.1) generates you one.
For less unixy titityyyy-people, you can create the private key first. Then you can feed the private key to extract its partnering public key:
Code: Select all
# Create Preshared Key
> wg genpsk
KH8nrvx0cuczwE3R56qH5/vyLyHAEBv0QwogCA50ZjU=
# Create keys, first is private key, then public key
> wg genkey | tee /dev/tty | wg pubkey
+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=
7+C0DcBwtIozJXrZ7tjIbDRbtfgwRVnC/MPBmwe3Rms=
For less unixy titityyyy-people, you can create the private key first. Then you can feed the private key to extract its partnering public key:
Code: Select all
# Create private key
> wg genkey
+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=
# Create public key
echo "+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=" | wg pubkey
7+C0DcBwtIozJXrZ7tjIbDRbtfgwRVnC/MPBmwe3Rms=
-
-
mantouboji
Frequent Visitor
- Posts: 58
- Joined:
- Location: Shanghai
Re: Wireguard generate Preshared key
no need any other linux box, just do it all in RouterOS command line:
Code: Select all
/interface/wireguard/peers/add interface=YOUR_WG_IF private-key="auto" preshared-key="auto" allowed-address=YOUR_CLIENT_IP/32
-
-
Daniel678675555
just joined
- Posts: 1
- Joined:
Re: Wireguard generate Preshared key
I spent some time in the last few days reading many forum posts and trying to have a basic understanding of the capabilities of the RouterOS, after - while looking for a possible better solution to my current failover setup (none or manual/caveman) - I learned from posts and links by Sob on this thread: