Secure network? : Wireguard as the only exposure to the internet?


Wireguard is the most secure VPN, and is designed for that use case. It also has very small config files, to reduce the chance of misconfiguration. If that’s not safe, nothing else on the internet is. Your bank’s nginx webpage is less secure in comparison.

I would consider it safe. I have almost the same setup in the cloud. The advantage of WireGuard is that it responds only to properly decryptable UDP packets. The rest is simply ignored, which from outside looks like a closed port. You don’t need any extra DPI or application layer firewall. :slightly_smiling_face:

My router at home also exposes WireGuard to the open wild. No issues at all! :+1:

It’s extremely safe, you can’t even port scan it. The very first packet needs to be encrypted by a trusted key to get a response. Also, buffer overflow is impossible; all the variables are fixed length and malloc is not used.
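The two comments above ("responds only to properly decryptable UDP packets" and "the very first packet needs to be encrypted by a trusted key") describe the gate a WireGuard responder applies before it does any Noise handshake work: the `mac1` field of a handshake initiation must equal `MAC(HASH("mac1----" || responder_public_key), first 116 bytes)`, where `HASH` is BLAKE2s-256 and `MAC` is keyed BLAKE2s-128. A packet that fails this check is dropped without a reply, which is why a scanner sees the port as closed. The script below is an added illustration of just that gate, not code from the thread or from the WireGuard project; it does not implement the rest of the handshake (`Noise_IKpsk2`), and the public key and message body it uses are constructed random bytes rather than real keys.

```python
# Added example (not from the thread or from WireGuard itself): the mac1 gate
# that makes a WireGuard port silent towards anyone who does not hold the
# responder's public key. Only this check is modelled; the Noise handshake
# that follows it (and the real peer authentication) is not implemented here.
import hashlib
import hmac
import os

LABEL_MAC1 = b"mac1----"   # label the WireGuard spec prepends to the responder key
MSG_INITIATION = 1         # message type byte of a handshake initiation
INIT_LEN = 148             # a handshake initiation is exactly 148 bytes on the wire
MAC1_COVERS = 116          # mac1 authenticates everything before itself (116 bytes)


def hash32(data: bytes) -> bytes:
    """HASH from the spec: unkeyed BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data).digest()


def mac16(key: bytes, data: bytes) -> bytes:
    """MAC from the spec: keyed BLAKE2s with a 16-byte digest."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def mac1_key(responder_pub: bytes) -> bytes:
    """The mac1 key depends only on the responder's static public key."""
    return hash32(LABEL_MAC1 + responder_pub)


def build_initiation(responder_pub: bytes, body=None) -> bytes:
    """Build an initiation with a valid mac1. mac2 is left zero, which is what a
    real initiator sends until the responder answers with a cookie under load."""
    if body is None:
        # Constructed stand-in for the fields a real initiator fills in
        # (sender index, ephemeral key, encrypted static, encrypted timestamp).
        body = os.urandom(MAC1_COVERS - 4)
    header = bytes([MSG_INITIATION, 0, 0, 0]) + body
    if len(header) != MAC1_COVERS:
        raise ValueError("initiation body has the wrong length")
    mac1 = mac16(mac1_key(responder_pub), header)
    return header + mac1 + bytes(16)


def responder_accepts(responder_pub: bytes, packet: bytes) -> bool:
    """What a responder checks before any cryptography: right length, right
    type, and a mac1 computed with our public key. Everything else is dropped
    silently, so a scanner never gets a byte back."""
    if len(packet) != INIT_LEN or packet[0] != MSG_INITIATION:
        return False
    expected = mac16(mac1_key(responder_pub), packet[:MAC1_COVERS])
    return hmac.compare_digest(expected, packet[MAC1_COVERS:MAC1_COVERS + 16])


def demo() -> dict:
    """Run four probes against one responder key and report which ones would get a reply."""
    server_pub = os.urandom(32)                   # constructed stand-in for the server's public key
    legitimate = build_initiation(server_pub)     # peer that knows the server's public key
    scanner_probe = b"\x00" * INIT_LEN            # a blind UDP probe of the right size
    wrong_key = build_initiation(os.urandom(32))  # someone who guessed the wrong server key
    tampered = bytearray(legitimate)
    tampered[20] ^= 1                             # flip one bit inside the authenticated region
    return {
        "legitimate": responder_accepts(server_pub, legitimate),
        "scanner": responder_accepts(server_pub, scanner_probe),
        "wrong_key": responder_accepts(server_pub, wrong_key),
        "tampered": responder_accepts(server_pub, bytes(tampered)),
    }


if __name__ == "__main__":
    for probe, answered in demo().items():
        print(f"{probe:10s} -> {'reply' if answered else 'silently dropped'}")
```

Note what this gate does and does not prove: `mac1` only shows the sender knows the server's public key, so it filters scanners and mis-addressed traffic rather than authenticating the peer. Whether the initiator holds a key the server has configured is decided afterwards, when the encrypted static field is decrypted and matched against the known peers; that part is outside this example.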

Your question is really two:

  1. How secure is your firewall with a default deny policy inbound? This is basic, normal firewall stuff.

  2. How secure is whichever implementation of Wireguard you’re running?

Have you considered Cloudflare?

Just make sure to isolate the network with wireguard and your home network.
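The comment above ("isolate the network with wireguard and your home network") and the earlier point about a default-deny inbound policy are the firewall side of this setup. The ruleset below is an added nftables example, not configuration from the thread: it assumes the WAN is `eth0`, the LAN is `192.168.1.0/24` on `eth1`, WireGuard listens on UDP `51820` as `wg0`, and the only thing tunnel clients are allowed to reach is a single host `192.168.1.10` on TCP `443`. Interface names, subnets and the port are assumptions to adapt.

```nft
# Added example (not from the thread). Assumed: eth0 = WAN, eth1 = LAN
# 192.168.1.0/24, wg0 = WireGuard (UDP 51820), 192.168.1.10:443 = the one
# service tunnel clients may use.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        iif eth0 udp dport 51820 accept                    # the only port open on the WAN
        iif eth1 accept                                    # LAN may reach the router itself
        # No rule for wg0 here: tunnel clients cannot talk to the router's own services.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;  # nothing is forwarded unless listed
        ct state established,related accept
        ct state invalid drop
        iif wg0 ip daddr 192.168.1.10 tcp dport 443 accept # tunnel -> one host, one port
        iif wg0 drop                                       # tunnel -> anything else on the LAN: denied
        iif eth1 oif eth0 accept                           # LAN -> internet
    }
}
```

Check the result from a connected WireGuard client with `nmap -Pn 192.168.1.0/24` (or just `nc -vz 192.168.1.1 22`); the intent is that only `192.168.1.10:443` answers, so a compromised client, which the later comments in this thread rightly worry about, gets one service rather than the whole LAN.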

Another option is to use a Tailscale tunnel and route traffic through the DNS entry. This way you’d set up a CNAME to the Tailscale DNS entry and in turn you wouldn’t expose your own IP afaik. Tailscale is based on WireGuard, also.

That’s a silly question. Any system is always as safe as its weakest link. Since you did not mention ANY links except WireGuard I’m forced to say: No. WireGuard is a VPN that encrypts your traffic between node A and B, that’s it. There is no security baked in or whatever. If the client device is compromised, all malicious traffic will flow via VPN directly into the heart of your network and so on.

So, no, there is also no “absolute security” only tradeoffs and risks.

Probably safe enough for what you want.

Wireguard doesn’t protect the keys well. Malware can steal them. Wireguard also doesn’t have any built-in 2FA.

If you mean your network’s closed except for a port to let you connect via Wireguard from outside, you’re just slightly less safe than having no ports open. Weakest link breaks the chain, so be sure to protect your Wireguard server and its clients.

Big business should be using Envoy imo

I learned something new about WireGuard’s design - it doesn’t use malloc. This is reassuring since it means remote code execution attacks through memory allocation vulnerabilities wouldn’t be possible.


Do you know how to do this on OPNsense? I’m learning about this stuff and I just set up a WireGuard VPN on OPNsense, but my WireGuard IP is just my WAN IP, so idk if that’s secure or not.


Yes it does protect against malware stealers. This is better than other vpns that are available and no other vpns do this

How do you protect it?

I’m not sure; if you’ve followed the OPNsense guide it should be correct. WireGuard should be setting up its own CIDR, though, so it doesn’t seem right that the WAN and WireGuard IPs match.

I would argue that all that software hosted on that Pi is probably not secure.

I think I’m misinformed on how it works. Where are the WG keys stored? How are they protected? I thought they were in a file on disk? Is it different depending on the OS?
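The key-storage questions above ("Where are the WG keys stored? How are they protected?") have a plain answer on Linux: with `wg-quick`, the `PrivateKey` and any `PresharedKey` sit in clear text in `/etc/wireguard/<iface>.conf`, and their protection is the file mode plus whatever else the host does. The script below is an added check, not something from the thread or from WireGuard: it audits a config file for a permissive mode and lists every line carrying key material, which is the first thing to look at before exposing the port. The config it reads is constructed inline with placeholder key values.

```python
# Added example (not from the thread or from WireGuard). Audits a wg-quick
# style config for the two things that decide how well the keys are protected
# on disk: the file mode and where the secrets actually live.
import os
import stat
import tempfile

SECRET_FIELDS = ("PrivateKey", "PresharedKey")

# Constructed config with placeholder key values (not real keys).
CONSTRUCTED_CONFIG = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
AllowedIPs = 10.0.0.2/32
"""


def audit_config(path: str) -> list:
    """Return a list of findings for one config file: a mode that lets group or
    others read it, and every line that stores a private or preshared key."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is readable by group/others; expected 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#") or line.startswith("["):
                continue
            field, sep, _value = line.partition("=")
            if sep and field.strip() in SECRET_FIELDS:
                findings.append(f"{path}:{lineno}: {field.strip()} stored in clear text in this file")
    return findings


def demo() -> dict:
    """Write the constructed config, audit it world-readable and then at 0600,
    and report how many findings each state produces."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "wg0.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(CONSTRUCTED_CONFIG)
    os.chmod(path, 0o644)           # the mode a careless `cp` or editor can leave behind
    loose = audit_config(path)
    os.chmod(path, 0o600)           # what wg-quick's own docs expect
    tight = audit_config(path)
    return {"loose": loose, "tight": tight}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(f"{state}:")
        for f in findings:
            print("  " + f)
```

Even at `0600` the two key lines still show up, deliberately: a root-readable file is exactly what the "malware can steal them" comment is about, and tightening the mode only narrows who can read it to root. Moving the private key out of the wg-quick config into a separate `0600` file loaded with `PostUp = wg set %i private-key /path/to/key` is a common arrangement, but it changes which file holds the secret, not whether root on a compromised host can read it.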