How to get wireguard client public key from private key in LuCI

In the latest snapshot (see screenshot attached), when setting up a wireguard interface using LuCI, there seems to be no way of entering only the "client" private key generated/provided from the VPN host/server.

It appears that the user is required to generate the public key from the private key elsewhere before they can enter the details in LuCI, or generate new key pair and send the generated public key to the VPN host/server. After many many hours of googling, I couldn't find anywhere where this change is documented.

Looking at previous LuCI versions and guides on the internet, only the private key was required and the rest was sorted out in the background. This seems to be a much better approach for noobs like me. The pros can do everything they need from the terminal :wink:

Can I suggest a better approach would be to have the option of importing the .conf file generated from the VPN provider / server and parsing it for the relevant details, just like how it's done for OpenVPN.

Can anyone explain the reason for the change?

The foundation of security in this system is that no one else must ever know your private key. A private key should never be sent over a network, especially the Internet. Always generate private keys locally and transmit only your public key to the server. Using an out-of-band authentication method they would validate that it is the genuine user submitting the key, and then register that public key into their system.

A VPN provider that does not adhere to this basic security principle should not be used.


Fair point. I think the change/improvement and the justification should be documented somewhere, hence why I posted my findings.

I don't see a change. It's just an option to generate a local key for the interface by pressing a button in the web GUI... from what I can see. Maybe I missed something?

I have never seen an option to enter a peer's private key. There is a per-peer Pre-Shared Key option, though.
