I wish (Linux) WireGuard had a simple way to restrict peer public IPs
https://utcc.utoronto.ca/~cks/space/blog/linux/WireGuardIPRestrictionWish

"any peer public IP can impersonate any other (if it has the required WireGuard peer key"
Right. So you want to put in IP filtering on top of that, having already had a compromised connection?
The biggest issue I have with WireGuard is the tendency for clients to actually show the private key. It shouldn't generally be visible; there's no need.
It makes a little sense. For instance, say you've got a public server on a fixed IP and an attacker manages to exfiltrate the key but nothing else. This'd keep them out of your network.
But I think it'd probably be better to alert the administrator rather than simply blocking them.
Swiss cheese theory, or defense in depth.
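One way to act on the "alert the administrator" idea above, as an added example that is not from the thread or from WireGuard itself: a Python check that reads `wg show <iface> dump` output and reports peers whose current endpoint IP is not one the administrator expects for that peer key. The peer keys, IPs and dump text are constructed placeholders, and the `EXPECTED_ENDPOINTS` policy is an assumed local convention.

```python
import ipaddress

# Assumed policy: peer public key -> public IPs that peer is expected to
# connect from.  Keys here are constructed placeholders, not real keys.
EXPECTED_ENDPOINTS = {
    "PEER_KEY_A_PLACEHOLDER=": {"203.0.113.10"},
    "PEER_KEY_B_PLACEHOLDER=": {"198.51.100.7", "198.51.100.8"},
}

# Constructed sample of `wg show wg0 dump`: one interface line, then one
# tab-separated line per peer (pubkey, psk, endpoint, allowed-ips, ...).
SAMPLE_DUMP = "\n".join([
    "IFACE_PRIVKEY_PLACEHOLDER=\tIFACE_PUBKEY_PLACEHOLDER=\t51820\toff",
    "PEER_KEY_A_PLACEHOLDER=\t(none)\t203.0.113.10:41234\t10.0.0.2/32\t1726000000\t1024\t2048\toff",
    "PEER_KEY_B_PLACEHOLDER=\t(none)\t192.0.2.55:51820\t10.0.0.3/32\t1726000100\t512\t256\toff",
    "PEER_KEY_C_PLACEHOLDER=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])


def parse_peer_endpoints(dump):
    """Map each peer public key to its last-seen endpoint IP (None if never seen)."""
    peers = {}
    for line in dump.strip().splitlines()[1:]:  # skip the interface line
        fields = line.split("\t")
        pubkey, endpoint = fields[0], fields[2]
        if endpoint == "(none)":
            peers[pubkey] = None
            continue
        # Endpoint is host:port; IPv6 hosts are bracketed, e.g. [2001:db8::1]:51820.
        host = endpoint.rsplit(":", 1)[0].strip("[]")
        peers[pubkey] = str(ipaddress.ip_address(host))
    return peers


def unexpected_peers(dump, policy):
    """Return (pubkey, ip) for peers whose endpoint IP is outside their allowed set.
    Peers with no endpoint yet are skipped; peers absent from the policy are
    reported too, since an unlisted key on the interface also deserves a look."""
    findings = []
    for pubkey, ip in parse_peer_endpoints(dump).items():
        if ip is None:
            continue
        if ip not in policy.get(pubkey, set()):
            findings.append((pubkey, ip))
    return findings


if __name__ == "__main__":
    for pubkey, ip in unexpected_peers(SAMPLE_DUMP, EXPECTED_ENDPOINTS):
        print(f"ALERT: peer {pubkey} seen from unexpected endpoint {ip}")
```

Run it from cron or a systemd timer with the real `wg show wg0 dump` output piped in, and route the ALERT lines to whatever paging or log channel the administrator already watches.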