Skip to main content

Search

How to set up the WireGuard VPN Canarytoken

  • Updated

 

Description: This token creates fake WireGuard VPN configurations to install on your phone or on servers that will alert when used. The value of this Canarytoken as a signal of compromise, is that the attacker —once they land on your device— will want to check what further privileged access the VPN gets them to spread their compromise further and grab more data. For more on the thinking behind this WireGuard Canarytoken see this blog post.

Step 1:

Log in to your Console.

Login.png

Step 2:

Select the Canarytokens tile. 

Token

Step 3:

Select the WireGuard VPN Canarytoken from the list.

Select

Step 4:

Note: Over time, you will deploy thousands of tokens all over the place. Make sure that your Reminder is as descriptive as possible, and will remind you in the future of where the token was dropped. It may create confusion if a token generated an alert that reads “test" - and not remembering where you placed it.

Give a friendly name to remind you where this WireGuard VPN is configured and click on Create token.

WG

Step 5:

The Canarytoken will then give you two options to deploy the WireGuard VPN Canarytoken.

WG-Config.png

 

Deploy using the QR code.

Step 1:

On your phone, open the WireGuard app and click Add a tunnel and then click Create from QR code.

Add

Step 2:

Scan the QR code under the WireGuard VPN Canarytoken

WG-Config-QR.png

Step 3:

Give the tunnel a name and click Save.

Note: we named our tunnel Head Office VPN


Name

Step 4:

Your WireGuard VPN Canarytoken is now active and waiting for someone to trip on it!

QR-Done.png

 

That's it, you're done :-)

 

How does this Canarytoken alert?     

When the connection is activated, you'll be alerted!

WG-Config-Enable.png

Sample Alert:

Alert.png

Deploy using the config file. 

Alternatively, if the device you want to add the Canarytoken to doesn't support scanning of QR codes, you can simply download the Canarytoken configuration as a file, and import it into WireGuard:

Step 1:

Download the WireGuard VPN Config File.

WG-Config

Step 2:

On the device you want to install the Token on, open the WireGuard application and click Import tunnel(s) from file.

import

Step 3:

Select the Token file, and click Allow when prompted.

Allow.png

Step 4:

Your WireGuard VPN Canarytoken is now active and waiting for someone to trip on it!

File-Done.png

How does this Canarytoken alert?

When the connection is activated, you'll be alerted!

Activate.png

Sample Alert:

Alert.png

 

That's it, you're done :-)

Was this article helpful?
6 out of 6 found this helpful
Return to top