The NowSecure Network Broker runs in a NowSecure customer's network and establishes a WireGuard tunnel back to a NowSecure hub. It proxies HTTP/HTTPS traffic for configured domains through the tunnel, allowing NowSecure platform assessments to reach internal applications without exposing them to the public internet.
Note: The NowSecure Network Broker is currently available via an early access program. Please contact your NowSecure support team if you are interested in taking part in the early access program.
The broker uses WireGuard to establish a secure tunnel back to NowSecure. Before
you can configure it, you will need to generate a cryptographic key pair — a
private key that stays on your system and a public key to be shared with
NowSecure. The wg command-line tool (part of the WireGuard tooling) is used
to do this.
Install the WireGuard tools for your platform from
https://www.wireguard.com/install/. You
do not need to configure a WireGuard VPN interface on your machine — you only
need the wg CLI tool to generate the keys.
Run the following commands to generate your private and public keys:
wg genkey > private.key
wg pubkey < private.key > public.key

private.key — this is your broker's private key. It should be kept secret. Never share it, check it into source control, or transmit it to anyone, including NowSecure. If it is compromised, anyone holding it could impersonate your broker.
public.key — this key should be shared with NowSecure.
Send the contents of public.key to your NowSecure contact. NowSecure uses
this to register and authorize your specific broker on the Hub. Without this
step, your broker will not be permitted to connect.
You will need to collect the domains that will be proxied via the Network
Broker. These will be added to the config.yaml file. Work with your internal
team to create this list. The list of domains will be provided to NowSecure
when the Network Broker connects to the NowSecure Hub.
Once NowSecure has registered your public key, they will provide you with the following values, which you will need when configuring the broker:
hubURL — the HTTPS endpoint of the NowSecure Hub your broker will connect to (used in config.yaml)
hubPublicKey — the WireGuard public key of the NowSecure Hub (used in secret.yaml)
These values are covered in the Configuration section below.
The broker uses YAML config files loaded via the -c flag. Multiple
files can be specified and are merged in order, with later files
overriding earlier ones. This allows separating secrets from general
configuration.
hubURL: "https://hub.example.com"
proxy:
  dns:
    domains:
      - "internal.example.com"

See config.example.yaml for a fully annotated reference of config.yaml.
Keep sensitive values in a separate file with restricted permissions.
The second file overrides only the fields it specifies, so
wireguard.privateKey is merged into the base config.
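As an added example (not code from the broker project), the following Python models the merge semantics described above for the config.yaml and secret.yaml fields used in this section, and adds the checks an operator would want before starting the broker: that both WireGuard keys decode to 32 bytes, that the required fields survived the merge, and that the private key did not end up in the general config. The dict inputs stand in for the parsed YAML files; treating lists as replaced rather than appended is an assumption.

```python
import base64

# Constructed inputs: the parsed form of the config.yaml and secret.yaml
# shown in this section (yaml.safe_load on each file would yield these dicts).
BASE_CONFIG = {"hubURL": "https://hub.example.com",
               "proxy": {"dns": {"domains": ["internal.example.com"]}}}
SECRET_CONFIG = {"wireguard": {
    "privateKey": "oGo7PB3JCu/oBjrFGCVWS0hIijBaFUrh9LW1qdOqCW4=",
    "hubPublicKey": "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="}}


def merge_configs(*configs):
    """Merge -c files in order: nested maps merge key by key, so a later file
    overrides only the fields it sets. Scalars and lists are replaced outright
    (an assumption; the page does not say how the broker treats lists)."""
    merged = {}
    for cfg in configs:
        for key, value in cfg.items():
            if isinstance(value, dict) and isinstance(merged.get(key), dict):
                merged[key] = merge_configs(merged[key], value)
            else:
                merged[key] = value
    return merged


def is_wireguard_key(value):
    """WireGuard keys are 32 bytes of Curve25519 material, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def misplaced_secrets(general_config):
    """The private key belongs in the restricted secrets file, not config.yaml."""
    wg = general_config.get("wireguard", {})
    return ["wireguard.privateKey"] if "privateKey" in wg else []


def validate(merged):
    """Return the problems that would stop the merged config from working."""
    problems = []
    if not str(merged.get("hubURL", "")).startswith("https://"):
        problems.append("hubURL must be an https:// endpoint")
    if not merged.get("proxy", {}).get("dns", {}).get("domains"):
        problems.append("proxy.dns.domains must list at least one domain")
    wg = merged.get("wireguard", {})
    for field in ("privateKey", "hubPublicKey"):
        if not is_wireguard_key(wg.get(field)):
            problems.append(f"wireguard.{field} is not a valid WireGuard key")
    return problems
```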
See Getting Started above for how to generate your key pair and obtain the values below from NowSecure.
wireguard:
  # Your broker's private key — generated by you, never shared.
  privateKey: "oGo7PB3JCu/oBjrFGCVWS0hIijBaFUrh9LW1qdOqCW4="
  # The NowSecure hub's public key — provided by NowSecure.
  hubPublicKey: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="

Download the latest binary from GitHub releases:
curl -L https://github.com/nowsecure/nowsecure-network-broker/releases/download/v0.1.0/nowsecure-network-broker-linux-arm64 \
-o ./broker
chmod +x ./broker
./broker start -c config.yaml -c secret.yaml

docker run --rm \
-v ./path/to/config.yaml:/etc/broker/config.yaml:ro \
-v ./path/to/secret.yaml:/etc/broker/secret.yaml:ro \
nowsecure/nowsecure-network-broker:stable \
start -c /etc/broker/config.yaml -c /etc/broker/secret.yaml