WireGuard deployment considerations for improved privacy
stromberg at mullvad.net
Fri Jan 18 09:19:42 CET 2019
On Wed, Jan 16, 2019 at 5:34 PM Jose Marinez <jedi_papi at yahoo.com> wrote:
> I appreciate this proposition as well as your summary for the current state of Wireguard for this particular case. I agree with you wholeheartedly that before the mass adoption of Wireguard happens these use cases should be addressed properly. I'd love to hear what Jason has to say about this and what he proposes.
I agree. Let's see what Jason says.
> I too have been thinking about all the edge cases for Wireguard. My approach has been to look at it from a penetration test perspective. Reality is that Wireguard doesn't live in isolation. As a system - hardware, OS and all it's settings + Wireguard - connected to the Internet and a user(s) presents many hostile dynamics.
> Ultimately, whatever solution emerges needs to supplement the goals and features of Wireguard, otherwise it deafts the purpose.
> Would it make sense to create a small group to tackle this and other use cases - scaling, simplicity, etc? On my end, I'm not a cryptologist, but I can write software that would test the security of any system. I'm sure other members of this list have a ton of skills and experience to bring to this.
> Here's a list of things I'd like to see and would be willing to participate/create if they don't exist yet:
> 1. A honeypot server with public logs for a small team to gather and record real-time traffic as an authorized user of the server - root.
> 2. A test suite that goes through all the domain specific scenarios from the results of #1 and provides a verification at the end once completed.
> 3. Provide feedback from all this back to Jason for enhancements, etc. in upstream Wireguard.
Honestly I'm very focused on the two issues I brought up. Those are
the most important things we don't see a clear solution to yet.
Well, we'd also like userspace to be notified of new handshakes, and
be able to reply to the kernel module whether it's a known pubkey or
not. Or something. That's a different discussion though.
More information about the WireGuard