boringtun icon indicating copy to clipboard operation
boringtun copied to clipboard
verified publisher icon cloudflare

Log handshake keys into a keylog file to allow WireGuard traffic decryption with Wireshark

Open ntqbit opened this issue 1 year ago • 0 comments

This pull request implements logging of handshake wireguard keys into a file compatible with WireShark's key log file for WireGuard protocol, allowing to decrypt WireGuard traffic in Wireshark.

WireShark allows to decrypt WireGuard traffic given a keylog file in the following format:

      LOCAL_STATIC_PRIVATE_KEY = QChaGDXeH3eQsbFAhueUNWFdq9KfpF3yl+eITjZbXEk=
      REMOTE_STATIC_PUBLIC_KEY = HzgTY6aWXtuSyW/PUquZtg8LB/DyMwEXGkPiEmdSsUU=
      LOCAL_EPHEMERAL_PRIVATE_KEY = UNGdRHuKDeqbFvmiV5FD4wP7a8PqI6v3Xnnz6Jc6NXQ=
      PRESHARED_KEY = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

More about WireGuard decryption in Wireshark: https://wiki.wireshark.org/WireGuard

Checklist

  • A new option for boringtun-cli was added: keylog, can be set with WGKEYLOGFILE environment variable. Specifies the path to the key lof file.
  • A public set_handshake_keys_listener method was added to Tunn, that allows to set HandshakeKeysListener, that is called once handshake is completed, with the handshake keys passed to it as argument. The public method allows users of boringtun crate to extract handshake keys.

I made sure that there were no breaking changes.

ntqbit avatar Jan 08 '25 15:01 ntqbit