Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed Wireguard on an LXC container and configured it to listen to the IPv6 address.

I was wondering if I need to do something else to protect my Wireguard installation? I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation or the attack vector is already minimal and doesn’t require further hardening? What’s your opinion?

  • WaterWaiver@aussie.zoneEnglish
    35·
    2 days ago

    As far as I understand, wireguard is designed so that it can’t be portscanned. Replies are never sent to packets unless they pass full auth.

    This is both a blessing and a curse. It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party, no error messages or the likes, it’s as if the other party doesn’t exist.

    EDIT: Yep, as per https://www.wireguard.com/protocol/

    In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible.

    • non_burglar@lemmy.worldEnglish
      9·
      2 days ago

      It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party

      After ipsec troubleshooting phase 1 & 2, WG is still a blessing.