WG interface to ipv4
vtol at gmx.net
Mon May 7 18:34:32 CEST 2018
> There is no need for a knob in wireguard to ensure that the wireguard
> traffic goes through a specific interface or is bound to a specific ip
All those statements are solely of the WG community and are certainly
commendable. However, there is no (regular) external audit of WG, at
least publicly available, neither confirming nor contradicting. Intel
probably thought their CPU programming as safe and sound until it was
not, or maybe they knew and just buggered along till found out.
If the consensus is that WG does not need a knob then that is fine by
all accounts and no sweat off anybody's brow.
> You can use iptables if you want to drop packets that are not for the
> intended interface / ip address.
Sure, that has been repeatedly mentioned but there are also folks who like
to start at the source and not the tail end but that seems to be rather
a matter of perspective/flavor.
Notwithstanding seen a bit of a fair share of netfilter rules getting
convoluted in a complex network landscape and creating havoc, but then
those sysadmin folks might not have really known what they were doing.
> You can disable ipv6 if you don't want ipv6.
Yes, but that is no black/white (on/off), like mentioned previously.
> If you think that wireguard could be flawed, why would you trust this
> as a wireguard option?
Because there are tools for checking/auditing sockets/binds.
> If you do not trust it, enforce it from the outside.
Why not start from the inside, I was about to ask, but reckon that has
been explained lengthily in previous postings and hence no need to
invite the same all over again ;)