WireGuard config not shown in export (7.1 and 7.2rc1)

When you export the WireGuard config on 7.1 and 7.2rc2, the export does not show the public and private keys.
As far as I have seen, the only way to get the keys is in WinBox.

Peer configuration shows the remote key:

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.2.0/24 endpoint-address=10.82.10.74 endpoint-port=13231 interface=wireguard1 \
    public-key="rMfud1xwXI/PUWSXAcQ6rFW8SIZQBcHrQQtznXwsIl8="

export should show all keys
export hide-sensitive should not show it.

Support case sent.

Yeah, that is strange. The straight export should show both keys and the hide-sensitive neither.
Also regardless of settings all the zerotier config is displayed.

You have to export with show-sensitive.

Did not know about that command, but still does not give the public key?

/interface/wireguard> export  show-sensitive
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="xxxxxxxxxxxxxx/b6WPzqcBXUeMClAQiBjZZ7YSKVfnQ="

Public key is not a configurable field, there is no need to export it. Public key is generated from the private key, so as long as the private key is the same, public key will also not change.

Ok

So after importing the private key, it will then generate the public key.
And a print on the interface shows both keys.

Still learning something every day :)

/interface/wireguard> print
Flags: X - disabled; R - running
 0  R name="wireguard1" mtu=1420 listen-port=13231 private-key="xxxxxxxx/b6WPzqcBXUeMClAQiBjZZ7YSKVfnQ="
      public-key="xxxxxxxxV/dMOD0Ovl4UhB45IFuQKjit5K3pVY="

But what exactly is the difference between

export
export  hide-sensitive
export  show-sensitive

Manual does not show any information
https://wiki.mikrotik.com/wiki/Manual:Configuration_Management

/export

… exists since the beginning (I guess).

/export hide-sensitive

… was added to hide sensitive information. This should prevent posting sensitive data to forum, etc.

But a lot of people do not know about it, or just forget to use it. Thus the logic was reversed for RouterOS v7:

/export show-sensitive

Now hiding is the default (I think the old parameter hide-sensitive still works for compatibility); you have to give an extra parameter to show sensitive data.

BTW, with the upstream utility you can generate private keys…

eworm@linux ~ % wg genkey
MDN53/55iX0JK+VHKUEbhAprXUkFaSv1wYdB934yu3g=

… and calculate the matching public key…

eworm@linux ~ % echo MDN53/55iX0JK+VHKUEbhAprXUkFaSv1wYdB934yu3g= | wg pubkey
FXfZepw6fiWoUHKAK/h6XzSNRNXK0WMCB7bd5lPeVxQ=

And as a bonus: Give private and public key pair in one command…

eworm@linux ~ % wg genkey | tee /dev/stderr | wg pubkey
MDN53/55iX0JK+VHKUEbhAprXUkFaSv1wYdB934yu3g=
FXfZepw6fiWoUHKAK/h6XzSNRNXK0WMCB7bd5lPeVxQ=