Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have Proxmox and I have installed WireGuard on an LXC container and configured it to listen on the IPv6 address.

I was wondering if I need to do something else to protect my WireGuard installation. I have exposed only the default UDP port to the outside and port scanners are not working on UDP ports as far as I know. Should I do something else to protect my installation, or is the attack vector already minimal and doesn’t require further hardening? What’s your opinion?

  • cmnybo@discuss.tchncs.de
    3 days ago

    Yes, that’s fine as long as whatever you’re hosting is designed to be safely used on the internet. Just keep it up to date and only expose the stuff you need to. I would suggest setting up fail2ban to block IPs that repeatedly fail to log in though. Depending on what you’re hosting, you may need bot protection, but if all they can see is a login page, they shouldn’t be too much of an issue.
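An added example, not part of the thread: one way to check the "only expose the stuff you need to" advice on the container is to audit `ss -H -tuln` output for listeners that accept traffic on a non-loopback, non-link-local IPv6 address. The sample output is constructed, the function names are hypothetical, and the script assumes the WireGuard default port 51820; it lists sockets only and does not evaluate firewall rules.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output from a hypothetical container.
SAMPLE_SS = """\
udp   UNCONN 0      0                  [::]:51820        [::]:*
udp   UNCONN 0      0               0.0.0.0:51820     0.0.0.0:*
tcp   LISTEN 0      128                [::]:22           [::]:*
tcp   LISTEN 0      4096          127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      4096              [::1]:25           [::]:*
tcp   LISTEN 0      511                   *:80              *:*
udp   UNCONN 0      0       [fe80::1]%eth0:546          [::]:*
tcp   LISTEN 0      128      [2001:db8::10]:8006        [::]:*
"""

# Assumption: WireGuard on its default port; change to match your ListenPort.
ALLOWED = {("udp", 51820)}

def reachable_over_ipv6(host):
    """True if a socket bound to `host` accepts traffic on a routable IPv6 address."""
    if host == "*":                          # dual-stack wildcard
        return True
    host = host.split("%")[0].strip("[]")    # drop zone id and brackets
    ip = ipaddress.ip_address(host)
    if ip.version != 6:
        return False                         # IPv4 sits behind CGNAT in this setup
    return not (ip.is_loopback or ip.is_link_local)

def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Return (proto, local_addr, port) for IPv6-reachable sockets not in `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        if reachable_over_ipv6(host) and (proto, int(port)) not in allowed:
            findings.append((proto, host, int(port)))
    return findings

if __name__ == "__main__":
    for proto, host, port in unexpected_listeners(SAMPLE_SS):
        print(f"reachable over IPv6: {proto} {host}:{port}")
```

To run it against the live container, pass the captured output of `ss -H -tuln` to `unexpected_listeners` in place of the sample.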