WireGuard Session Token

Kape uses a unique post-quantum implementation to authenticate WireGuard connections as described in the whitepaper.

Fetching a WireGuard Token

//Example Configuration
let endpointConfiguration = EndpointConfiguration.wireGuard(
    ip: IpAddress.v4(ipV4: "194.62.107.176"), 
    port: 123, 
    authIp: IpAddress.v4(ipV4: "194.62.107.176"), 
    authPort: 443, 
    certDn: "Server-11882-5a", 
    obfuscation: WireguardObfuscation.none)
    
let search_options = TokenSearchOptions(
    subscriptionId: "1", 
    ipAddress: nil,
    endpointConfiguration: endpointConfiguration,  
    forceRefresh: false);
    
let result = kapeSdkManger.tokens().fetchTokenByType(
    tokenType: TokenNames.wireGuardToken, 
    advancedSearchOptions: search_options)

//use the below values to establish the WireGuard VPN Connection     
let psk = result.token_meta_data?.wireguard_auth?.psk ?? ""
let server_public_key = result.token_meta_data?.wireguard_auth?.server_public_key ?? ""
let internal_ip = result.token_meta_data?.wireguard_auth?.internal_ip ?? "" 
let client_private_key = result.token_meta_data?.wireguard_auth?.client_private_key ?? ""

val endpointConfiguration = EndpointConfiguration.wireGuard(
    ip = IpAddress.V4("194.62.107.176"),
    port = 123,
    authIp = IpAddress.V4("194.62.107.176"),
    authPort = 443,
    certDn = "Server-11882-5a",
    obfuscation = WireguardObfuscation.none
)
    
val searchOptions = AdvancedSearchOptions(
    subscriptionId = "1",
    ipAddress = null,
    endpointConfiguration = endpointConfiguration,
    forceRefresh = false
)

val result = kapeSdkManager.tokens().fetchTokenByType(
    tokenType = TokenNames.wireguardToken,
    advancedSearchOptions = searchOptions
)

//use the below value to establish the WireGuard VPN Connection
val psk = result.tokenMetaData?.wireguardAuth?.psk ?: ""
val serverPublicKey = result.tokenMetaData?.wireguardAuth?.serverPublicKey ?: ""
val internalIp = result.tokenMetaData?.wireguardAuth?.internalIp ?: ""
let clientPrivateKey = result.tokenMetaData?.wireguardAuth?.clientPrivatekey?: ""

In the example, a WireGuard Token is retrieved for a specific endpoint. You must not create this endpoint configuration manually like in the example but instead forward the configuration received from the get_instances call for the specified instance.

To establish a VPN connection, the SDK generates an anonymous Connection Authorization Token if it's not already in cache. It then creates a new public/private key pair and a pre-shared secret. The public key is securely sent to the WireGuard Authentication Endpoint, determined by authIp and authPort, with the TLS certificate verified against certDn. The app uses the internal IP, server's public key, client's private key, and pre-shared secret to connect to the specified endpoint.

The information is not cached and is regenerated each time a WireGuard Token is requested. These details are valid only for the specific endpoint instance that the app is connecting to and, for anonymity reasons, cannot be reused for any other endpoint. Additionally, these authentication details will be invalidated by the endpoint instance if there is no traffic for a few hours. Therefore, apps should request new details for every new connection; however, they can reuse the existing details to reconnect after a brief disconnection.

PreviousConnection Authorization Token NextOpenID Tokens

Last updated 4 months ago

hashtagFetching a WireGuard Token

Fetching a WireGuard Token