jwhited/wgsd

Security question: can peer information be queried without the public key?

ijustlovemath opened this issue · 2 comments

I just found this project, and it looks like it solves an important problem for me (fully open-source Tailscale alternative). However, I didn't understand from the post how peer information is secured. Could an adversary theoretically connect to the registry and then directly to a peer just by issuing the registry a DNS query from the open internet?

If so, you'd basically be able to scan the entire IPv4 space for registries, and connect to internal mesh networks that the owners thought were secure.

The registry distributes public keys over DNS, and the DNS server can be secured however you want (obvious and easiest being to restrict it to only be accessible over the registry's WireGuard interface via CoreDNS config or firewall).

If you find a random DNS server returning public keys, that does not enable you to establish a WireGuard tunnel to any of the peers contained; those peers would also need to be configured with your public key.

I am a Tailscale employee and wgsd existed before my knowledge of Tailscale, but if you feel like sharing any Tailscale-specific feedback please do.
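One way to apply the CoreDNS-side restriction described above, as an added Corefile example that is not from the wgsd project or this thread: the zone `example.com.`, the interface name `wg0` and the address `10.0.0.1` are assumptions, and the `wgsd ZONE INTERFACE` directive form is assumed from the project's README.

```caddyfile
# Weak: with no bind directive CoreDNS listens on every interface, so the
# public-key and endpoint records are answerable from the open internet.
# .:53 {
#   wgsd example.com. wg0
# }

# Corrected: bind the listener to the registry's own WireGuard address
# (assumed to be 10.0.0.1 on wg0), so only peers that already have an
# established tunnel to the registry can reach the wgsd zone at all.
# 'bind' is a standard CoreDNS directive; 'log' records who asked what.
.:53 {
  bind 10.0.0.1
  wgsd example.com. wg0
  log
}
```

The firewall route mentioned above is the defence-in-depth counterpart: additionally drop DNS traffic (UDP/53 and TCP/53) that arrives on any interface other than wg0, so a misconfigured bind cannot silently re-expose the records.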

Amazing, but the first time I read your blog and realized you need to install a wgsd-client on at least one peer, I thought, "why not just use the already configured WireGuard tunnel to the registry for transmitting the other peers' endpoint info?"

I think it could be possible if it's an HTTP server which only serves the requested peer's endpoint as HTML? This way it's even easier, and it makes it possible to manually configure mobile peers to connect (it's harder to do DNS queries on them).

For example, a dynamic webpage hosted only through the registry's WireGuard interface that serves the output of sudo wg? Maybe in JSON form, too.