submitted 6 months ago* (last edited 6 months ago) by Dust0741 to c/selfhosted

I'd like to run a VPN locally, and am just double checking I understand the security correctly.

I want to run Wireguard Easy via CasaOS on Ubuntu server.

My router will port forward a high port number, check daily for updates, and I'll update the server weekly.

Is there anything I'm missing?

top 8 comments
[-] [email protected] 4 points 6 months ago

Wireguard runs over UDP; the port is indistinguishable from closed ports for most common port scanning bots. Changing the port will obfuscate the traffic a bit. Even if someone manages to guess the port, they'll still need to use the right key, otherwise the response is like from a wrong port - no response. Your ISP can still see that it's Wireguard traffic if they happen to be looking, but can't decipher the contents.

I would drop containers from the equation and just run Wireguard on the host. When issues arise, you'll have a hard time identifying the problem when container networking is in the mix.

[-] [email protected] 5 points 6 months ago

+1 on not using containers for network routing stuff. That way lies pain and misery.

[-] Dust0741 1 points 6 months ago

Fair enough. I've had success with it though. I should probably just use the official Wireguard, not wg-easy.

[-] [email protected] 3 points 6 months ago

VPN software usually is built strong to begin with, and any vulnerabilities discovered will be promptly fixed as well, so updating frequently should suffice. (Why not automate it with the unattended-upgrades package?)

Using a random high port number will probably hide it well enough for Internet-wide port scanners as well.

If you want to be extra paranoid, you can hide the VPN service behind a port knocker as well.

[-] [email protected] 6 points 6 months ago

Do you really know how Wireguard works?

Updating without a reboot only works for wireguard-go. The default implementation runs in the kernel. An update to it would require kernel live patching.

Wireguard doesn't answer to unsigned packets. Using obscure ports or even port knocking is rather pointless. It's indistinguishable from a closed port.

I'd rather take CasaOS out of the equation and target Ubuntu's Wireguard stack instead.
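The "doesn't answer to unsigned packets" point above (and the same point in the first comment) can be shown concretely. What follows is an added example written for this thread, not code from any commenter and not WireGuard's own implementation: it reproduces the mac1 gate from the WireGuard protocol, the first check a responder applies to a handshake initiation. The key bytes are constructed placeholders, not real keys.

```python
"""mac1 gate of a WireGuard handshake initiation (added illustration).

Per the WireGuard protocol, the 148-byte handshake initiation carries
mac1 = Keyed-BLAKE2s-16(key, msg[0:116]) with
key  = BLAKE2s-32("mac1----" || responder_static_public_key).
A responder that receives a packet with a wrong mac1 sends nothing back,
so to anyone who does not hold the server's public key the UDP port
behaves exactly like a closed port.
"""
import hashlib
import hmac

LABEL_MAC1 = b"mac1----"
# type(1) + reserved(3) + sender_index(4) + ephemeral(32) + static_enc(48) + timestamp_enc(28)
MAC1_OFFSET = 116
INITIATION_LEN = MAC1_OFFSET + 16 + 16   # + mac1(16) + mac2(16) = 148


def mac1_key(responder_pubkey: bytes) -> bytes:
    """HASH(LABEL_MAC1 || Spub_r): 32-byte BLAKE2s over label and public key."""
    return hashlib.blake2s(LABEL_MAC1 + responder_pubkey, digest_size=32).digest()


def compute_mac1(responder_pubkey: bytes, msg_prefix: bytes) -> bytes:
    """MAC(key, input): keyed BLAKE2s with a 16-byte output."""
    return hashlib.blake2s(msg_prefix, digest_size=16,
                           key=mac1_key(responder_pubkey)).digest()


def build_initiation(responder_pubkey: bytes, sender_index: int,
                     ephemeral: bytes, static_enc: bytes, ts_enc: bytes) -> bytes:
    """Assemble an initiation the way an initiator who knows Spub_r would.

    The ephemeral/static/timestamp fields are passed in as opaque bytes; the
    point here is only the mac1 layer, not the Noise handshake itself.
    """
    body = (bytes([1, 0, 0, 0])                       # message type 1, reserved zeros
            + sender_index.to_bytes(4, "little")
            + ephemeral + static_enc + ts_enc)
    if len(body) != MAC1_OFFSET:
        raise ValueError("field sizes do not match the initiation layout")
    mac1 = compute_mac1(responder_pubkey, body)
    mac2 = bytes(16)                                   # all zero when no cookie is in effect
    return body + mac1 + mac2


def responder_accepts(responder_pubkey: bytes, packet: bytes) -> bool:
    """The silent gate: True only for a well-formed packet with a valid mac1.

    Anything returning False is dropped by a real responder with no reply,
    which is what makes the port look closed to a scanner.
    """
    if len(packet) != INITIATION_LEN or packet[0] != 1:
        return False
    expected = compute_mac1(responder_pubkey, packet[:MAC1_OFFSET])
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC1_OFFSET + 16])


def demo() -> tuple:
    """Constructed scenario: legitimate peer vs. sender without the server key."""
    server_pub = bytes(range(32))                      # placeholder, not a real key
    ephemeral, static_enc, ts_enc = bytes(32), bytes(48), bytes(28)
    legit = build_initiation(server_pub, 0x1234, ephemeral, static_enc, ts_enc)
    # A sender who guessed the port but not the key can only MAC with some other key.
    stranger = build_initiation(bytes(32), 0x1234, ephemeral, static_enc, ts_enc)
    # A random probe of the right length is rejected too.
    probe = b"\x01" + bytes(INITIATION_LEN - 1)
    return (responder_accepts(server_pub, legit),
            responder_accepts(server_pub, stranger),
            responder_accepts(server_pub, probe))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The real responder applies further checks after this gate (the mac2 cookie mechanism under load, then the Noise handshake with the peer's static key), but the mac1 check alone is enough to explain why the thread treats a random high port as obfuscation rather than authentication: without the public key, no probe gets past the first 116 bytes.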

[-] [email protected] 3 points 6 months ago

Good point, kernel updates should be paired with reboots to get kernel patches applied quickly.

Yes, Wireguard would only accept connections from clients with known certificates, but this is a "belt and suspenders" approach. What happens if there's a bug in Wireguard's packet parsing or certificate processing? Using port knocking would protect against this —very remote— possibility.

[-] brygphilomena 3 points 6 months ago

Not to knock on the security, but what is the threat model you are protecting against?

I see people harp on about security and you can do X or you need to do Y as if they hold a million bucks in Bitcoin to protect.

We make concessions every day with security for convenience. Most people's threat model doesn't include Wireguard might respond to connection attempts without the proper key AND this will somehow allow an attacker to leverage a vulnerability in Wireguard to gain access. However, I admit that some people's paranoia makes them want to add every bit of security they possibly can even if it's the most frustrating day to day usage.

Self-hosting individuals aren't a lucrative target for ransomware. Nor is it for most targeted hacking attempts.

[-] [email protected] 1 points 6 months ago

I also think that it's overkill, especially for a minimalistic tool like Wireguard. That's why I mentioned "if you want to be extra paranoid". This forum is for learning, and this question is an open-ended learning question, hence an opportunity to learn about port knocking, even if the actual real-life benefit of that would be minuscule.

this post was submitted on 25 Oct 2023
12 points (92.9% liked)
