Out of the box, WireGuard is a simple tool that solves a simple issue: securely connect this system to that system. But what if that’s not quite enough? A WireGuard config carries the peer’s private key, so if a malicious actor obtains your config they can connect exactly as you do.
In reality, the remote network or system should still restrict what a connected peer can reach: require its own authentication, place new connections into a mediation zone, or otherwise ensure that holding a valid WireGuard key is not your only trust mechanism.
This is where NHAS/Wag comes in.
WAG adds a One Time Password (a second factor for Multi-factor Authentication) on top of WireGuard, enforced with an eBPF firewall on the Linux gateway. This means I still need my public/private key pair to authenticate with WireGuard, but the tunnel alone gets me nothing: I must then provide a time-based one time password from an authenticator phone app such as FreeOTP or Google Authenticator before the firewall actually allows my peer to reach anything inside the network.
WAG manages the user registration process and generates the WireGuard config for each user. You send them a link from which they obtain their configuration file, and when they first try to authenticate it even shows them the QR code to scan into their authenticator app.
The process is very simple.
- Register the user with WAG
- Send the user the registration link
- The user installs the WireGuard config they received
- The user connects with WireGuard
- The user visits the OTP page, e.g. http://otp, and enters the code from their phone
- If successful, WAG opens the firewall rules to allow the user access