Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed Wireguard on an LXC container and configured it to listen to the IPv6 address.
I was wondering if I need to do something else to protect my Wireguard installation? I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation or the attack vector is already minimal and doesn’t require further hardening? What’s your opinion?
As far as I understand, wireguard is designed so that it can’t be portscanned. Replies are never sent to packets unless they pass full auth.
This is both a blessing and a curse. It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party, no error messages or the likes, it’s as if the other party doesn’t exist.
EDIT: Yep, as per https://www.wireguard.com/protocol/
In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible.
It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party
After ipsec troubleshooting phase 1 & 2, WG is still a blessing.