WG interface to ipv4
vtol at gmx.net
Sun May 6 21:39:19 CEST 2018
> Several people described to you that there is no exposure as every invalid
> packet will be silently dropped and you still insist there is a flaw in WG
> which will hurt it's adoption.
Perhaps a bit of misunderstanding here. Nowhere I stated that WG in
particularly has a flaw but exposing potential attack surfaces
Having searched the net for wireguard vetting/(security) audit/scrutiny
I came up empty. Thus so far any statement on WG security seems to be
stemming from the horse's mouth (no pun intended just the old saying).
With a thread model considering every piece of software being flawed in
mind, and with whatever CVE unearthed being a point in case, it should
be of little surprise that the question of mitigating surface exposure
is raised. Once WG would gain traction beyond a niche app it is likely
to be subjected to malicious attacks with increased frequency.
I am having trouble seeing a server admin going happy with WG spawning
all over the network (0.0.0.0) and neither being able to constrain
ipv4/6 sockets. But again that is just my opinion whilst you may have
sampled some to the contrary from server/system admins.
Truly understanding and appreciating simplicity and ease of use but
without options to fine tune some (security) aspects of the app, and
which don't need to be exposed in the default setup, it may fall short
for certain deployment markets/adaption. Yet the latter should not be my
This thread started as question of how to and perhaps my end tuning it
more into a suggestion but I am far from asking for it. Like stated
earlier everyone is at liberty to deploy either this app or another,
whatever suits. It seems moot to ride this subject any further.
> For constructive discussion I propose this:
> present us PoC which will show that listening on 0.0.0.0 and ::1 can be
> exploited with WG and binding it exclusively to x.x.x.x will help to mitigate
It would not be within my capacity to produce such PoC. But then not
every potential WG user (system/server admin) will be able too. Will
that stop them from wanting to be in control of sockets/binds?
> At least try to describe such scenario. That would move this discussion
> forward and may even lead to WG code improvements.
Any sort of attack inside a corporate lan, probably brute force or
cypher cracking/padding attempts, with zero knowledge of the network
layout since WG is offering on the wildcard and ipv4/ipv6 sockets and no
limit to unsuccessful connection attempts (unless I missed that). All it
needs is a compromised machine in the lan with malicious code incl. a
suitable udp port scanner/probe.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4174 bytes
Desc: S/MIME Cryptographic Signature
More information about the WireGuard