Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed Wireguard on an LXC container and configured it to listen to the IPv6 address.
I was wondering if I need to do something else to protect my Wireguard installation? I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation or the attack vector is already minimal and doesn’t require further hardening? What’s your opinion?
You are pretty much as safe as it gets as long as you update that container. Ip/Port scanning basically isnt a thing in ipv6 land as youd have to scan the entire /64 which amounts to 18,446,744,073,709,551,616 addresses.
Not entirely true! There are ways to scan IPv6 space efficiently without brute force that are in RFCs