Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed Wireguard on an LXC container and configured it to listen to the IPv6 address.
I was wondering if I need to do something else to protect my Wireguard installation? I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation or the attack vector is already minimal and doesn’t require further hardening? What’s your opinion?
As far as I understand, wireguard is designed so that it can’t be portscanned. Replies are never sent to packets unless they pass full auth.
This is both a blessing and a curse. It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party, no error messages or the likes, it’s as if the other party doesn’t exist.
EDIT: Yep, as per https://www.wireguard.com/protocol/
In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible.
It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party
After ipsec troubleshooting phase 1 & 2, WG is still a blessing.
Wireguard has very little attack surface
You could also secure what peers inside the tunnel can access, particularly if you plan to give other people access. I.e. only allow only port 443 on a given server using a reverse proxy. It’s not a major threat either way but it would reduce the amount of access if someone gets into your phone/laptop etc.
