WG interface to ipv4

ѽ҉ᶬḳ℠ vtol at gmx.net
Sun May 6 16:12:59 CEST 2018


> Jason already explained it but maybe it needs to be repeated several more
> times.

No need, it is understood.

> WG security model doesn't rely on which interface, port or subnet it's
> listening on. You can screw your network configuration in myriad ways and
> WG will still save you due to its design. Private keys are all that matters.
> Keep them secure and forget about the rest of things you know about
> unbound, dnsmasq, bind, ssh, openvpn and ipsec. Use route tables and
> netfilter rules to choose where the network traffic should go. That's all.
>
> Jordan

That seems a bit of a narrow focus, and sort of insinuating that WG, due to 
its design, is invincible, when WG is just one piece integrating into a 
broader (server) network landscape.

Also wondering how ssh is discarded when the WG online presence states:

"WireGuard aims to be as easy to configure and deploy as SSH. A VPN 
connection is made simply by exchanging very simple public keys – 
exactly like exchanging SSH keys"

For that matter it is pretty easy in ssh to limit its socket and 
iface/ip range exposure. Is it due to the inferior design of ssh that 
such security hardening features are made available/considered? If you 
keep the ssh keys safe that should be all that matters, should it not?

