WG interface to ipv4

ѽ҉ᶬḳ℠ vtol at gmx.net
Mon May 7 18:34:32 CEST 2018


> There is no need for a knob in wireguard to ensure that the wireguard 
> traffic goes through a specific interface or is bound to a specific ip 
> address.

All those statements are solely off the WG community and are certainly 
commendable. However, there is no (regular) external audit of WG, at 
least publicly available, neither confirming nor contradicting. Intel 
probably thought their CPU programming was safe and sound until it was 
not, or maybe they knew and just buggered along till found out.

If the consensus is that WG does not need a knob then that is fine by 
all accounts and no sweat off anybody's brow.

> You can use iptables if you want to drop packets that are not for the 
> intended interface / ip address.

Sure, that has been repeatedly mentioned but there are also folks who like 
to start at the source and not the tail end but that seems to be rather 
a matter of perspective/flavor.
Notwithstanding, I have seen a fair share of netfilter rules getting 
convoluted in a complex network landscape and creating havoc, but then 
those sysadmin folks might not have really known what they were doing.

> You can disable ipv6 if you don't want ipv6.

Yes, but that is not black/white (on/off), like mentioned previously.

> If you think that wireguard could be flawed, why would you trust this 
> as a wireguard option?

Because there are tools for checking/auditing sockets/binds.

> If you do not trust it, enforce it from the outside.

Why not start from the inside, I was about to ask, but reckon that has 
been explained lengthily in previous postings and hence no need to 
invite the same all over again ;)
