Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed Wireguard on an LXC container and configured it to listen to the IPv6 address.
I was wondering if I need to do something else to protect my Wireguard installation? I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation or the attack vector is already minimal and doesn’t require further hardening? What’s your opinion?
@filister You should keep in mind that every “normal” HTTPS certificate is recorded publicly (certificate transparency, see e.g. crt.sh). If you do expose services, you most likely won’t get security by obscurity. You might be able to keep your services a bit more hidden when you expose them with IPv6 only, but not when you use a Let’s Encrypt certificate with a proper DNS entry.
True, maybe the best way then is to expose them only within your Wireguard network.