Description
We are happy to answer your questions about the code or discuss technical ideas.
Please complete the following checklist (by adding [x]):
- I have searched open and closed issues for duplicates
- This isn't a feature request
- This is not a report about my app not working as expected
Hello!
I have a question regarding WireGuard authentication.
I know that the WireGuard config needs PublicKey for com.wireguard.config.Peer and PrivateKey for com.wireguard.config.Interface to be set.
As I understand it, PublicKey is received from com.protonvpn.android.servers.api.ConnectingDomain during the VPN servers fetch.
And PrivateKey is generated locally by creating a KeyPair (com.proton.gopenpgp.ed25519.KeyPair#toX25519Base64).
But how do you know that the user with certificateRepository.getX25519Key(sessionId) is allowed to connect to the server with connectingDomain?.publicKeyX25519?
Do you somehow implement a "handshake" and send the locally generated key to the endpoint?
Maybe this action is done by @POST("vpn/v1/certificate"), because this is the only place where the locally generated key (com.protonvpn.android.vpn.CertInfo.publicKeyPem) is sent to the endpoint?