Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed Wireguard on an LXC container and configured it to listen to the IPv6 address.
I was wondering if I need to do something else to protect my Wireguard installation? I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation or the attack vector is already minimal and doesn’t require further hardening? What’s your opinion?
As far as I understand, wireguard is designed so that it can’t be portscanned. Replies are never sent to packets unless they pass full auth.
This is both a blessing and a curse. It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party, no error messages or the likes, it’s as if the other party doesn’t exist.
EDIT: Yep, as per https://www.wireguard.com/protocol/
In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible.
It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party
After ipsec troubleshooting phase 1 & 2, WG is still a blessing.
You could also secure what peers inside the tunnel can access, particularly if you plan to give other people access. I.e. only allow only port 443 on a given server using a reverse proxy. It’s not a major threat either way but it would reduce the amount of access if someone gets into your phone/laptop etc.
Wireguard has very little attack surface
You are pretty much as safe as it gets as long as you update that container. Ip/Port scanning basically isnt a thing in ipv6 land as youd have to scan the entire /64 which amounts to 18,446,744,073,709,551,616 addresses.
Not entirely true! There are ways to scan IPv6 space efficiently without brute force that are in RFCs
I did basically the same a few months ago, works really well in combination with DDNS.
Just make sure to keep WireGuard up to date from time to time to get rid of any potential vulnerabilities :)
