NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

WebAuthn is not supported on sites with TLS certificate errors. #74

Closed uplight-dev closed 8 months ago

uplight-dev commented 8 months ago

I'm trying to do MFA registration by using the internal wireguard network and without exposing 443 to the internet.

  1. If I use a self-signed cert, I get the error in the title. To use Let's Encrypt, the domain needs to be exposed to the Internet with port 443 open, so it defeats the purpose of using it in my internal network.

In the WAG README.md:

  2. I didn't see anything related to setting up SSL for the MFA page on port 443.
  3. There is no CertPath/KeyPath in the Tunnel section. Without those, the MFA page doesn't show up in the browser.

     "Webserver": {
         "Public": {
             "ListenAddress": "192.168.121.61:8080",
             "CertPath": "/etc/example/cert/path",
             "KeyPath": "/etc/ssl/private/somecert.key"
         },
         "Tunnel": {
             "Port": "8080"
         }
     },

  4. Isn't it better to use Tunnel.Port=443 instead of 8080, so there are no TLS validation issues in browsers?
  5. In the example JSON config, the WireGuard server 192.168.1.1 doesn't appear in any of the Allowed sections. Not an issue, as the MFA page still appears, but for me it'd make it clearer that I can connect to the MFA page having it there:

     "*": {
         "Mfa": [
             "10.0.0.2/32 8080/any"
         ],
         "Allow": [
             "192.168.1.1 443/tcp",   <-- HERE
             "10.7.7.7/32",
             "google.com"
         ]
     },

Thank you!

NHAS commented 8 months ago

Sorry, this issue appears to be multiple statements baked into one.

First off, you can do DNS-based ACME with Caddy or the reverse proxy of your choice to get a valid TLS certificate without exposing your internal services to the Internet.

Secondly, there isn't anything I can do to alter how web browsers implement the WebAuthn protocol, and thus they will require a valid certificate; it's part of the spec (unless you're using it on localhost).
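
One way to set up what the reply above describes, as an added example that is not part of this thread and not wag's own documentation: a Caddyfile that obtains a Let's Encrypt certificate through the DNS-01 challenge and reverse-proxies to wag's plain-HTTP tunnel webserver, so that the browser inside the WireGuard network sees a publicly trusted certificate and WebAuthn is allowed to run. The hostname wag.internal.example.com, the Cloudflare DNS provider, the contact address, and 192.168.1.1 as the address the wag host has on the WireGuard side are all assumptions; Caddy must be built with the DNS provider module (for Cloudflare, `xcaddy build --with github.com/caddy-dns/cloudflare`) and started with the provider's API token in its environment.

```caddyfile
# Added example (not from the thread or from wag): Caddy terminates TLS on the
# WireGuard-side address and proxies to wag's tunnel webserver, which stays
# plain HTTP on port 8080 as in wag's example config.
# Assumed: hostname wag.internal.example.com, Cloudflare as DNS provider,
# 192.168.1.1 as the tunnel-side address of the wag host.
{
    # Contact address for the ACME account (assumed).
    email admin@example.com
}

wag.internal.example.com {
    # Listen only on the WireGuard-side interface; nothing is exposed to the
    # Internet. Caddy serves HTTPS on 443 here.
    bind 192.168.1.1

    tls {
        # DNS-01 challenge: Let's Encrypt validates an _acme-challenge TXT
        # record, so neither port 80 nor 443 needs to be reachable from
        # outside. Needs a Caddy build that includes the cloudflare module and
        # CLOUDFLARE_API_TOKEN set in Caddy's environment.
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Upstream is wag's tunnel webserver (Tunnel.Port 8080). The upstream
    # address is assumed to be the same tunnel-side address of the wag host.
    reverse_proxy 192.168.1.1:8080
}
```

Two things to check before relying on this: clients inside the tunnel must resolve wag.internal.example.com to 192.168.1.1 (an internal resolver, or a public A record pointing at the private address, both work, because DNS-01 validation never connects to the host), and the name must match the certificate exactly, since WebAuthn's relying-party ID is derived from the hostname the browser visits, not from the port. Because the rule wag adds automatically covers its own MFA endpoint, the Caddy port needs its own Allow entry on the tunnel, such as the "192.168.1.1 443/tcp" line proposed in the issue.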

NHAS commented 8 months ago

2 & 3: The documentation lists that the tunnel option also takes the cert and key path arguments. This is the example config; I expected that having it just in the public option would be enough. The MFA page will still be available regardless of whether it uses TLS or not. Not sure what you mean by this; in the example it just isn't on 443.

4: A TLS certificate isn't tied to the port it's used on, it's tied to the host address, so using an alternate port makes no difference. You're more than welcome to use 443, as you can change the port in your own config.

5: You can put this in your configuration if you like. However, it doesn't make a lot of sense to remove the automatic addition of the rule to allow access to the MFA endpoint, and you can see this in your rules via the web interface or CLI when wag is running. Considering also that this would require everyone who uses wag to add effectively the same entry to their config, it reduces work. Plus, I'm definitely not changing it now, as it would break lots of wag deployments.