Merge pull request #51 from george-hopkins/psk

Cargo.lock

@@ -445,6 +445,7 @@ dependencies = [
  "anyhow",
  "async-recursion",
  "async-trait",
+ "base64",
  "boringtun",
  "bytes",
  "clap",

Cargo.toml

@@ -22,6 +22,7 @@ async-trait = "0.1"
 priority-queue = "1.3.0"
 smoltcp = { version = "0.8.2", default-features = false, features = ["std", "log", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-udp", "socket-tcp"] }
 bytes = "1"
+base64 = "0.13"
 
 # forward boringtuns tracing events to log
 tracing = { version = "0.1", default-features = false, features = ["log"] }

README.md

@@ -188,6 +188,13 @@ You can bind to a static address instead using `--endpoint-bind-addr`:
 onetun --endpoint-bind-addr 0.0.0.0:51820 --endpoint-addr 140.30.3.182:51820 [...]
 ```
 
+The security of the WireGuard connection can be further enhanced with a **pre-shared key** (PSK). You can generate such a key with the `wg genpsk` command, and provide it using `--preshared-key`.
+The peer must also have this key configured using the `PresharedKey` option.
+
+```shell
+onetun --preshared-key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' [...]
+```
+
 ## Architecture
 
 **In short:** onetun uses [smoltcp's](https://github.com/smoltcp-rs/smoltcp) TCP/IP and UDP stack to generate IP packets

src/config.rs

@@ -17,6 +17,7 @@ pub struct Config {
     pub remote_port_forwards: Vec<PortForwardConfig>,
     pub private_key: Arc<X25519SecretKey>,
     pub endpoint_public_key: Arc<X25519PublicKey>,
+    pub preshared_key: Option<[u8; 32]>,
     pub endpoint_addr: SocketAddr,
     pub endpoint_bind_addr: SocketAddr,
     pub source_peer_ip: IpAddr,
@@ -73,6 +74,12 @@ impl Config {
                     .long("endpoint-public-key")
                     .env("ONETUN_ENDPOINT_PUBLIC_KEY")
                     .help("The public key of the WireGuard endpoint (remote)."),
+                Arg::with_name("preshared-key")
+                    .required(false)
+                    .takes_value(true)
+                    .long("preshared-key")
+                    .env("ONETUN_PRESHARED_KEY")
+                    .help("The pre-shared key (PSK) as configured with the peer."),
                 Arg::with_name("endpoint-addr")
                     .required(true)
                     .takes_value(true)
@@ -264,6 +271,7 @@ impl Config {
                 parse_public_key(matches.value_of("endpoint-public-key"))
                     .with_context(|| "Invalid endpoint public key")?,
             ),
+            preshared_key: parse_preshared_key(matches.value_of("preshared-key"))?,
             endpoint_addr,
             endpoint_bind_addr,
             source_peer_ip,
@@ -304,6 +312,17 @@ fn parse_public_key(s: Option<&str>) -> anyhow::Result<X25519PublicKey> {
         .with_context(|| "Invalid public key")
 }
 
+fn parse_preshared_key(s: Option<&str>) -> anyhow::Result<Option<[u8; 32]>> {
+    if let Some(s) = s {
+        let psk = base64::decode(s).with_context(|| "Invalid pre-shared key")?;
+        Ok(Some(psk.try_into().map_err(|_| {
+            anyhow::anyhow!("Unsupported pre-shared key")
+        })?))
+    } else {
+        Ok(None)
+    }
+}
+
 fn parse_keep_alive(s: Option<&str>) -> anyhow::Result<Option<u16>> {
     if let Some(s) = s {
         let parsed: u16 = s.parse().with_context(|| {

src/wg.rs

@@ -221,7 +221,7 @@ impl WireGuardTunnel {
         Tunn::new(
             config.private_key.clone(),
             config.endpoint_public_key.clone(),
-            None,
+            config.preshared_key,
             config.keepalive_seconds,
             0,
             None,