Wireguard generate Preshared key
Posted: Sat Mar 26, 2022 12:30 pm
by mikey
Good morning
I am setting up a WireGuard tunnel. The tunnel is working as expected, but I would like to add an extra layer of security by using a preshared key.
This preshared key has to be a 256-bit symmetric encryption key, following the WireGuard document. How can I generate such a key in RouterOS without using 3rd-party tools?
When I install a WireGuard server on Debian (or any other Linux distro), it comes with the command "wg genpsk" to generate such keys. However, I cannot find the equivalent on RouterOS.
Thank you in advance for your help.
Re: Wireguard generate Preshared key
Posted: Sat Mar 26, 2022 8:32 pm
by Sob
RouterOS doesn't seem to have any generator for that. You could probably just create a temporary WG interface and take its generated key to use as a pre-shared key elsewhere. It's the same size and format. It won't have the ideal cryptographic randomness, but I can't tell how big a problem it could be.
Re: Wireguard generate Preshared key
Posted: Sat Mar 26, 2022 9:43 pm
by kevinlukas
I see that the WG peer allows creating a preshared key, but when I enter the key and press Apply, it gives the error "Couldn't add New Wireguard Peer - invalid preshared key (6)"
How can I make this preshared key without having to use the private key and public key automatically generated by WG?
Please help! Thanks!
Re: Wireguard generate Preshared key
Posted: Tue Mar 29, 2022 10:12 pm
by Sob
You can't use any random string. It's supposed to be exactly a 256-bit key (32 bytes) encoded using the base64 algorithm. It looks the same as the Public Key in your screenshot. If you don't have anything better, Google found this:
https://www.wireguardconfig.com/ It says that no info leaves your browser, but I didn't verify that.
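The format described above (32 random bytes, base64-encoded), as an added example that is not part of the original thread: a Python sketch that generates a key of that shape from the OS CSPRNG and checks a candidate string before it is pasted into RouterOS. The function names are hypothetical, the sample inputs are constructed, and rejecting an all-zero key is this example's own choice.

```python
import base64
import binascii
import secrets

KEY_BYTES = 32  # 256 bits, the key size stated in the thread


def generate_psk() -> str:
    """Return 32 bytes from the OS CSPRNG, base64-encoded (44 characters)."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def check_psk(candidate: str) -> tuple[bool, str]:
    """Report whether a string has the shape of a WireGuard key, and if not, why."""
    text = candidate.strip()
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != KEY_BYTES:
        return False, f"decodes to {len(raw)} bytes, need {KEY_BYTES}"
    if raw == bytes(KEY_BYTES):
        # The WireGuard protocol uses an all-zero PSK when none is configured,
        # so such a key adds nothing (rejecting it here is this example's choice).
        return False, "all-zero key"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a passphrase, a hex-encoded 256-bit value,
    # a 128-bit key, and a freshly generated key.
    samples = [
        "MySecretPassword",
        "ab" * 32,
        base64.b64encode(secrets.token_bytes(16)).decode("ascii"),
        generate_psk(),
    ]
    for sample in samples:
        ok, reason = check_psk(sample)
        print(f"{sample!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

A passphrase or a hex string can pass the base64 alphabet check and still fail on decoded length, which is why the length test comes after decoding rather than being a check on the number of characters typed.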
Re: Wireguard generate Preshared key
Posted: Thu Mar 31, 2022 1:05 am
by kevinlukas
Thank you very much!
Re: Wireguard generate Preshared key
Posted: Wed Mar 13, 2024 10:14 pm
by alaine
I used a Linux machine (or Windows Debian, or Mac CLI...).
# Create Preshared Key
> wg genpsk
KH8nrvx0cuczwE3R56qH5/vyLyHAEBv0QwogCA50ZjU=
# Create keys, first is private key, then public key
> wg genkey | tee /dev/tty | wg pubkey
+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=
7+C0DcBwtIozJXrZ7tjIbDRbtfgwRVnC/MPBmwe3Rms=
For the preshared key, RouterOS seems to have "Preshared Key = auto", where ROS (now tested on RouterOS 7.14.1) generates one for you.
For less unixy titityyyy-people, you can create the private key first. Then you can feed the private key to extract its partnering public key:
# Create private key
> wg genkey
+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=
# Create public key
> echo "+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=" | wg pubkey
7+C0DcBwtIozJXrZ7tjIbDRbtfgwRVnC/MPBmwe3Rms=
Re: Wireguard generate Preshared key
Posted: Thu Mar 14, 2024 5:27 am
by mantouboji
No need for any other Linux box, just do it all in the RouterOS command line:
/interface/wireguard/peers/add interface=YOUR_WG_IF private-key="auto" preshared-key="auto" allowed-address=YOUR_CLIENT_IP/32
Re: Wireguard generate Preshared key
Posted: Tue Mar 19, 2024 1:31 pm
by Daniel678675555
I spent some time in the last few days reading many forum posts and trying to have a basic understanding of the capabilities of the RouterOS, after - while looking for a possible better solution to my current failover setup (none or manual/caveman) - I learned from posts and links by Sob on this thread: