WireGuard deployment considerations for improved privacy

Matthias Urlichs matthias at urlichs.de
Mon Jan 14 13:53:13 CET 2019

> 3. The attacker uses the VPN server static private key to decrypt the
> recorded handshakes, revealing client static pubkeys.

Create a service that sets a new temporary pubkey. Call it *before*
connecting with WG.

Switching during a connection doesn't help much IMHO, because if you
have recorded WG traffic you probably can correlate by IP address.

> Make it possible for clients to request a dynamically assigned IP
> address from the VPN server.

Use the above service to also assign a new dynamic IP address.

Both can and probably should be done at some arbitrary time, thus
decoupling this step from using the WG connection.

I haven't seen a compelling argument for augmenting the WG protocol
(and/or its in-kernel implementation) with support for this. However,
there may be a case for creating a standardized userspace
protocol+library to implement this and possibly a few other higher-level
features, so that people don't need to reinvent their wheels.

-- Matthias Urlichs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20190114/2ae98ea2/attachment.asc>

More information about the WireGuard mailing list