Wireguard over WAN hardening

Hello everyone!

I need to make my home network accessible through Wireguard externally. Unfortunately things like Tailscale or Cloudflare tunnel aren't an option for me, so let's keep discussion to this specific setup.

Googling gives me an idea that exposing Wireguard should be pretty safe because it shouldn't expose itself to port scans. And without knowing on which specific port it runs + having valid keys it shouldn't be possible to do any damage. Does it sound correct?

On the client side I can't restrict IPs from which connection will come as it's intended to be used from a mobile network, however I was thinking I can select a non-default port for the client and restrict connections to be made only from that port (to reduce attack surface even further). Does that make any sense?

Also within my network I am going to restrict access such that only WAN and a homeserver:443 will be available to external connections.

What other steps could I take to harden this? Maybe some considerations?

Nothing that'll practically add any real security. As you've already discovered, Wireguard doesn't respond unless the connection has the correct keys. Only open up the required port in the firewall and keep your keys safe. You'll be fine.


What he said. In addition you can consider a preshared key if you aren't already using one.

Not sure whether a client's port will be guaranteed to survive NAPT masquerading...
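As an added example that is not from the thread, a small checker for the server-side config points raised above: a fixed ListenPort so the firewall can allow exactly one UDP port, a PresharedKey on every peer, and per-peer AllowedIPs restricted to a single tunnel address (on the server, AllowedIPs is also the source filter for that peer). The sample config, its keys and the peer names are constructed for the demonstration; `_fake_key` only produces strings with the shape of `wg genkey` output.

```python
import base64
import ipaddress


def _fake_key(seed: int) -> str:
    # Constructed stand-in with the same shape as `wg genkey` output
    # (32 bytes, base64). Not a usable key.
    return base64.b64encode(bytes([seed]) * 32).decode()


# Constructed server-side config: peer 1 follows the thread's advice,
# peer 2 has no PresharedKey and claims the whole tunnel subnet.
SAMPLE_SERVER_CONF = f"""\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {_fake_key(1)}

[Peer]
# phone
PublicKey = {_fake_key(2)}
PresharedKey = {_fake_key(3)}
AllowedIPs = 10.8.0.2/32

[Peer]
# laptop
PublicKey = {_fake_key(4)}
AllowedIPs = 10.8.0.0/24
"""


def parse_wg_conf(text: str) -> list:
    """Return [(section_name, {key: value}), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)   # values may end in '=' padding
            sections[-1][1][key.strip()] = value.strip()
    return sections


def _is_wg_key(value: str) -> bool:
    # A WireGuard key is exactly 32 bytes, base64 encoded.
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def lint_server_conf(text: str) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    sections = parse_wg_conf(text)
    interfaces = [s for name, s in sections if name == "Interface"]
    peers = [s for name, s in sections if name == "Peer"]

    if len(interfaces) != 1:
        findings.append("Interface: expected exactly one [Interface] section")
    else:
        iface = interfaces[0]
        if not iface.get("ListenPort", "").isdigit():
            findings.append("Interface: set a fixed ListenPort so the firewall "
                            "can allow exactly one UDP port")
        if not _is_wg_key(iface.get("PrivateKey", "")):
            findings.append("Interface: PrivateKey missing or malformed")

    for n, peer in enumerate(peers, 1):
        if not _is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {n}: PublicKey missing or malformed")
        if not _is_wg_key(peer.get("PresharedKey", "")):
            findings.append(f"Peer {n}: no PresharedKey")
        cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
        if not cidrs:
            findings.append(f"Peer {n}: AllowedIPs missing")
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"Peer {n}: AllowedIPs {cidr!r} is not a valid CIDR")
                continue
            # On the server, AllowedIPs is both a route and a source filter:
            # anything wider than one host lets this peer inject packets
            # from (and receive traffic for) the whole range.
            if net.num_addresses != 1:
                findings.append(f"Peer {n}: AllowedIPs {cidr} is wider than a single host")
    return findings


if __name__ == "__main__":
    for finding in lint_server_conf(SAMPLE_SERVER_CONF):
        print(finding)
```

Run against the constructed config it reports only the two problems on the laptop peer. The checker does not cover the forwarding restriction (homeserver:443 and WAN only), which lives in the host firewall rather than in the WireGuard config.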

Thank you!

One question I am wondering about is how scanning this port will look from the outside. My firewall settings are the defaults, meaning they are set to REJECT. I am wondering if Wireguard will DROP on an open port and thus highlight the difference. If so, would it make sense to change the other settings to DROP as well?

Thanks for the suggestion, I'll use preshared keys.


Probably depends on the scanning software. But quickly testing at ShieldsUP! my wireguard ports report back as closed (so the probe was rejected rather than dropped).

Not that it really matters either way. Even if the WG port did respond differently there's not a lot an attacker could do with that knowledge.

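As an added example that is not from the thread, a UDP probe that shows the two outcomes discussed above. A WireGuard socket silently discards any datagram that is not a handshake message carrying a valid MAC1 for its public key, so a probe without that key gets no reply, which on the wire is indistinguishable from a firewall DROP (nmap reports it as open|filtered). A port with no listener, or one the firewall REJECTs, answers with ICMP port unreachable, which a connected UDP socket surfaces as a connection-refused error (nmap: closed). Note that a TCP probe against the UDP-only WireGuard port is answered by the host or firewall, not by WireGuard. The two localhost stand-ins are constructed for the demonstration; nothing here contacts a real WireGuard endpoint, and the error mapping assumes Linux-style ICMP error reporting on connected UDP sockets.

```python
import socket

PROBE_PAYLOAD = b"\x00" * 32  # junk: not a valid WireGuard handshake initiation


def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """Send one datagram and classify what comes back.

    Returns "closed" (ICMP port unreachable), "no-response" (timeout, which
    is what both a firewall DROP and a WireGuard socket look like) or
    "responded" (some service answered).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() so the kernel maps ICMP errors back onto this socket
        s.connect((host, port))
        s.send(PROBE_PAYLOAD)
        try:
            s.recv(2048)
            return "responded"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"
        except socket.timeout:
            return "no-response"


def demo_local_probes(timeout: float = 0.5) -> dict:
    """Probe two constructed localhost stand-ins and return the verdicts."""
    # Stand-in for the WireGuard port: a bound UDP socket that never answers.
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    silent_port = silent.getsockname()[1]

    # Stand-in for a REJECTed or unused port: grab a free port and release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        return {
            "wireguard_like": probe_udp("127.0.0.1", silent_port, timeout),
            "rejected_like": probe_udp("127.0.0.1", closed_port, timeout),
        }
    finally:
        silent.close()


if __name__ == "__main__":
    for name, verdict in demo_local_probes().items():
        print(f"{name}: {verdict}")
```

Against a real host, `probe_udp(server_ip, listen_port)` returning "no-response" is the expected result for a correctly firewalled WireGuard port; "closed" would mean the packet never reached the WireGuard socket (port not open in the firewall, or the wrong port). As the reply above notes, neither outcome hands an attacker anything usable without the keys.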
