Rename option to --preshared-key and add to README

2025-09-09 06:18:31 -04:00 · 2023-10-02 17:21:32 -04:00 · 2023-10-02 17:21:32 -04:00 · 1333ea8a7c
commit 1333ea8a7c
parent 6f143280d1
3 changed files with 14 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -188,6 +188,13 @@ You can bind to a static address instead using `--endpoint-bind-addr`:
 onetun --endpoint-bind-addr 0.0.0.0:51820 --endpoint-addr 140.30.3.182:51820 [...]
 ```

+The security of the WireGuard connection can be further enhanced with a **pre-shared key** (PSK). You can generate such a key with the `wg genpsk` command, and provide it using `--preshared-key`.
+The peer must also have this key configured using the `PresharedKey` option.
+
+```shell
+onetun --preshared-key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' [...]
+```
+
 ## Architecture

 **In short:** onetun uses [smoltcp's](https://github.com/smoltcp-rs/smoltcp) TCP/IP and UDP stack to generate IP packets
--- a/src/config.rs
+++ b/src/config.rs
@ -17,7 +17,7 @@ pub struct Config {
    pub remote_port_forwards: Vec<PortForwardConfig>,
    pub private_key: Arc<X25519SecretKey>,
    pub endpoint_public_key: Arc<X25519PublicKey>,
-    pub endpoint_preshared_key: Option<[u8; 32]>,
+    pub preshared_key: Option<[u8; 32]>,
    pub endpoint_addr: SocketAddr,
    pub endpoint_bind_addr: SocketAddr,
    pub source_peer_ip: IpAddr,
@ -74,12 +74,12 @@ impl Config {
                    .long("endpoint-public-key")
                    .env("ONETUN_ENDPOINT_PUBLIC_KEY")
                    .help("The public key of the WireGuard endpoint (remote)."),
-                Arg::with_name("endpoint-preshared-key")
+                Arg::with_name("preshared-key")
                    .required(false)
                    .takes_value(true)
-                    .long("endpoint-preshared-key")
-                    .env("ONETUN_ENDPOINT_PRESHARED_KEY")
-                    .help("The pre-shared key of the WireGuard endpoint (remote)."),
+                    .long("preshared-key")
+                    .env("ONETUN_PRESHARED_KEY")
+                    .help("The pre-shared key (PSK) as configured with the peer."),
                Arg::with_name("endpoint-addr")
                    .required(true)
                    .takes_value(true)
@ -271,9 +271,7 @@ impl Config {
                parse_public_key(matches.value_of("endpoint-public-key"))
                    .with_context(|| "Invalid endpoint public key")?,
            ),
-            endpoint_preshared_key: parse_preshared_key(
-                matches.value_of("endpoint-preshared-key"),
-            )?,
+            preshared_key: parse_preshared_key(matches.value_of("preshared-key"))?,
            endpoint_addr,
            endpoint_bind_addr,
            source_peer_ip,
--- a/src/wg.rs
+++ b/src/wg.rs
@ -221,7 +221,7 @@ impl WireGuardTunnel {
        Tunn::new(
            config.private_key.clone(),
            config.endpoint_public_key.clone(),
-            config.endpoint_preshared_key,
+            config.preshared_key,
            config.keepalive_seconds,
            0,
            None,