Key is not valid 44-character (32-bytes) base64 #138

Open
drose12 opened this issue Nov 27, 2022 · 9 comments
Labels
enhancement New feature or request

Comments

@drose12

drose12 commented Nov 27, 2022

Package version

1.0.20210914

Firmware version

v2.0.9-hotfix.4

Device

EdgeRouter X (SFP, 10 X, EP-R6) - e50

Issue description

Following: https://blog.usman.network/posts/wireguard-vpn-on-a-ubiquiti-edgerouter/

Using pkg e50-v2-v1.0.20210606-v1.0.20210914.deb

Steps to reproduce:

ubnt@erx:~/my_phone$ pwd
/home/ubnt/my_phone
ubnt@erx:~/my_phone$ wg genkey | tee privatekey | wg pubkey > publickey
ubnt@erx:~/my_phone$ cat publickey
7S3hnt/A96Vg9UUM5QBu9eSc2YhyLqzsx1sVVSMy5mc=
ubnt@erx:~/my_phone$ configure
[edit]
ubnt@erx# set interfaces wireguard wg0 peer /home/ubnt/my_phone/publickey
Key is not valid 44-character (32-bytes) base64

Value validation failed
Set failed
[edit]
ubnt@erx#

Code Location ?

Testing the key using the included script ?

ubnt@erx:~/my_phone$ bash -x /opt/wireguard/is_valid_key.sh /home/ubnt/my_phone/publickey
+ set -eEu -o pipefail
+ KEY=/home/ubnt/my_phone/publickey
+ '[' -e /home/ubnt/my_phone/publickey ']'
++ cat /home/ubnt/my_phone/publickey
+ KEY=7S3hnt/A96Vg9UUM5QBu9eSc2YhyLqzsx1sVVSMy5mc=
+ [[ 7S3hnt/A96Vg9UUM5QBu9eSc2YhyLqzsx1sVVSMy5mc= =~ ^[0-9a-zA-Z/+]{43}=$ ]]
+ exit 0

Configuration and log output

No response

@drose12 drose12 added the bug/possible A possible bug that has not yet been confirmed label Nov 27, 2022
@dc361

dc361 commented Dec 4, 2022

As far as I know the "set interfaces wireguard wg0 peer" command requires that a Base64 key be entered as text:

dc-er4# set interfaces wireguard wg0 peer
Possible completions:
  <text>        Base64 encoded public key

This is different than the syntax for the private key:

dc-er4# set interfaces wireguard wg1 private-key
Possible completions:
  <text>        44-character (32-bytes) base64 key
  <text>        File in /config/auth

So the key that you generated is valid but the text of the path to the publickey file is not a valid key.

@cmdrogogov

The package seems to be unable to take input of any keyfiles as a file.

If I set the keys directly in config everything works as intended, but the moment I set them as a file path things stop working. Of course, we don't want keys stored in the config file if we can help it..

@FossoresLP
Collaborator

@cmdrogogov As dc361 pointed out, it should be possible to use key files for private keys. If that's not the case, that is a bug and I would appreciate if you could point out where that's the case.
When it comes to public keys however, there is very little security benefit in storing them in separate files so it has not really been considered.

@KlavsKlavsen

This fails for me too.. Tried this:

cd /home/klavs/klavs_phone_wg/
wg genkey | tee privatekey | wg pubkey > publickey
# and then
klavs@ubnt# set interfaces wireguard wg0 peer /home/klavs/klavs_phone_wg/privatekey
Key is not valid 44-character (32-bytes) base64

Value validation failed
Set failed
[edit]
klavs@ubnt# set interfaces wireguard wg0 peer $(cat /home/klavs/klavs_phone_wg/privatekey)
Key is not valid 44-character (32-bytes) base64

@KlavsKlavsen

It accepts it only if I put contents of privatekey file directly on command

@FossoresLP
Collaborator

@KlavsKlavsen Please make sure you understand when to use public vs private keys.
Private keys only need to be set once per interface (set interfaces wireguard wg0 private-key <file>). When creating peers, you need their public keys which must be specified directly instead of using files.
This is not a security issue for the most part, since public keys are meant to be just that, public.

@adamsmith34

adamsmith34 commented Feb 8, 2023

Same guide as reported. Same issue. ER-X v2.0.9-hotfix.4. Going to try hotfix.6 as soon as I am able. Installed e50-v2-v1.0.20210606-v1.0.20210914.deb as per guide.

I'm doing it backwards though: the ER-X is my remote peer. The "server" peer is a Debian Linux box and I'm using Angristan's WireGuard script to add clients/peers. I pasted the server public key from the remote peer's .conf file created with that script into a file I created on the ER-X using sudo vi. When I tried to add the server peer's public key to the remote peer's interface (set interfaces wireguard wg0 peer /path/to/server/public/key) I get the exact same error.

After that failed, I installed the latest version, e50-v2-v1.0.20220627-v1.0.20210914.deb, over top the recommended package. Same results.

[Edit] I also tried this through the config tree and it errors out.
[Edit] Upgrading to hotfix.6 and using guide-recommended and latest .deb did not change results.

@FossoresLP FossoresLP added enhancement New feature or request and removed bug/possible A possible bug that has not yet been confirmed labels Feb 26, 2023
@FossoresLP
Collaborator

Public keys MUST be specified directly on the command line.
It is NOT supported to use files for public keys.
Due to the way the configuration is implemented, this is not that easy to change and since there is no security benefit, I see no reason to change this.
Private keys can and should be stored in files.
I'll update the documentation to make this very clear.
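
The distinction the thread settles on, as an added example (not part of the issue and not the package's own code): the `peer` node takes the key text itself, so a public key kept in a file has to be read out and inlined into the command. The function names are hypothetical; the pattern is the one visible in the `bash -x` trace above, and the 32-byte decode check is an addition made here.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the package.

# True only if $1 is itself a key: 44 characters, the pattern shown in the
# issue's `bash -x` trace, and (an extra check added here) 32 decoded bytes.
# A file path such as /home/ubnt/my_phone/publickey fails this test.
is_literal_key() {
    k=$1
    [ "${#k}" -eq 44 ] || return 1
    printf '%s\n' "$k" | grep -Eq '^[0-9a-zA-Z/+]{43}=$' || return 1
    nbytes=$(printf '%s' "$k" | base64 -d 2>/dev/null | wc -c)
    [ "$nbytes" -eq 32 ]
}

# Follows the steps visible in the trace: if the argument names a file, the
# file's content is the key; otherwise the argument is the key. The trace
# tests with -e; -f is used here so that a directory is never read.
resolve_key() {
    val=$1
    if [ -f "$val" ]; then
        val=$(cat "$val")
    fi
    is_literal_key "$val" && printf '%s\n' "$val"
}

# Prints the configure-mode command with the public key inlined as text,
# which is the only form the thread says the peer node accepts.
peer_set_command() {
    iface=$1
    pubfile=$2
    pub=$(resolve_key "$pubfile") || {
        echo "no valid 44-character base64 key in: $pubfile" >&2
        return 1
    }
    printf 'set interfaces wireguard %s peer %s\n' "$iface" "$pub"
}
```

Run `peer_set_command wg0 <publickey file>` in the ordinary shell and enter the printed line in configure mode; it relies on `grep`, `base64` and `wc` being present.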
