wg showconf

Luis Ressel aranea at aixah.de
Sun Nov 5 00:01:22 CET 2017


On Sat, 4 Nov 2017 14:25:28 -0700
Markus Woschank <markus.woschank at gmail.com> wrote:

> While searching for arguments I realised that wireguard will allow a
> peer to connect with a different IP from the one set in the
> configuration.
> Not sure if this is the best behaviour (I understand that the peer
> needs to know the secret key, anyway not sure).

Yes, wg does this. It's a deliberate design decision which is important
to supporting roaming peers.

This is not a security problem. Since wg uses UDP as a transport
protocol, source IPs can be trivially forged by an attacker; therefore
checking source IPs wouldn't add any real value.

Cheers,
Luis Ressel
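
The behaviour discussed in this thread, modelled as an added example (not WireGuard code and not written by either poster): a receiver identifies a peer by a keyed authentication tag, never by source address, and moves the stored endpoint to wherever the last authenticated packet came from. HMAC-SHA256 and a strictly increasing counter are assumptions standing in for WireGuard's actual cryptography and replay window; all names, keys and addresses are constructed.

```python
import hashlib
import hmac

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Build a packet: 8-byte counter, payload, 32-byte HMAC-SHA256 tag."""
    body = counter.to_bytes(8, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Peer:
    def __init__(self, key: bytes, endpoint):
        self.key = key
        self.endpoint = endpoint   # configured endpoint: only an initial hint
        self.last_counter = -1     # simplified replay protection (assumption)

class Receiver:
    def __init__(self, peers):
        self.peers = peers         # peer name -> Peer

    def receive(self, src, packet: bytes):
        """Return (peer name, payload) if the packet authenticates, else None."""
        if len(packet) < 40:       # 8-byte counter + 32-byte tag minimum
            return None
        body, tag = packet[:-32], packet[-32:]
        counter = int.from_bytes(body[:8], "big")
        for name, peer in self.peers.items():
            expected = hmac.new(peer.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                continue           # wrong key for this peer, try the next
            if counter <= peer.last_counter:
                return None        # replay: must not move the endpoint
            peer.last_counter = counter
            peer.endpoint = src    # roaming: follow the authenticated sender
            return name, body[8:]
        return None                # no key matched; src was never consulted

def demo():
    key = bytes(range(32))         # constructed sample key
    rx = Receiver({"laptop": Peer(key, ("192.0.2.10", 51820))})
    # Valid packet from a new address: accepted, endpoint moves.
    moved = rx.receive(("198.51.100.7", 40000), seal(key, 0, b"hello"))
    # Packet claiming the configured address but sealed with another key: dropped.
    forged = rx.receive(("192.0.2.10", 51820), seal(b"x" * 32, 1, b"hello"))
    # Replay of the first packet from a third address: dropped, endpoint kept.
    replay = rx.receive(("203.0.113.9", 1234), seal(key, 0, b"hello"))
    return [moved, forged, replay], rx.peers["laptop"].endpoint
```
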