WireGuard deployment considerations for improved privacy
Matthias Urlichs
matthias at urlichs.de
Mon Jan 14 13:53:13 CET 2019
Hi,
> 3. The attacker uses the VPN server static private key to decrypt the
> recorded handshakes, revealing client static pubkeys.
Create a service that sets a new temporary pubkey. Call it *before*
connecting with WG.
Switching during a connection doesn't help much IMHO, because if you
have recorded WG traffic you probably can correlate by IP address.
> Make it possible for clients to request a dynamically assigned IP
> address from the VPN server.
Use the above service to also assign a new dynamic IP address.
Both can and probably should be done at some arbitrary time, thus
decoupling this step from using the WG connection.
I haven't seen a compelling argument for augmenting the WG protocol
(and/or its in-kernel implementation) with support for this. However,
there may be a case for creating a standardized userspace
protocol+library to implement this and possibly a few other higher-level
features, so that people don't need to reinvent their wheels.
--
-- Matthias Urlichs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20190114/2ae98ea2/attachment.asc>
More information about the WireGuard
mailing list