"any peer public IP can impersonate any other (if it has the required WireGuard peer key)"

Right. So you want to put in IP filtering on top of that, having already had a compromised connection?

The biggest issue I have with WireGuard is the tendency for clients to actually show the private key. It shouldn't generally be visible, there's no need.

It makes a little sense; for instance, say you've got a public server on a fixed IP from which an attacker manages to exfiltrate the key but nothing else. This'd keep them out of your network.

But I think it'd probably be better to alert the administrator rather than simply blocking them.
