Wireguard over IPv6 (lemmy.world)

Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed WireGuard on an LXC container and configured it to listen on the IPv6 address.

I was wondering if I need to do something else to protect my WireGuard installation? I have exposed only the default UDP port to the outside, and port scanners do not work on UDP ports as far as I know. Shall I do something else to protect my installation, or is the attack vector already minimal and not in need of further hardening? What's your opinion?

[-] WaterWaiver@aussie.zone 38 points 6 months ago* (last edited 6 months ago)

As far as I understand, WireGuard is designed so that it can't be portscanned. Replies are never sent to packets unless they pass full auth.

This is both a blessing and a curse. It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party, with no error messages or the like; it's as if the other party doesn't exist.

EDIT: Yep, as per https://www.wireguard.com/protocol/

> In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible.

[-] non_burglar@lemmy.world 10 points 6 months ago

> It unfortunately means that if you misconfigure a key then your packets get silently ignored by the other party

After IPsec troubleshooting phase 1 & 2, WG is still a blessing.
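
Because of the silent-drop behaviour discussed in this thread, a key or endpoint mistake shows up only as a missing handshake in the local `wg show <interface> dump` counters. The following is an added example (not from the thread or from the WireGuard project) that classifies peers from that output; the sample dump, placeholder keys, status labels and the 180-second threshold are assumptions of this example.

```python
from typing import NamedTuple

STALE_AFTER = 180         # seconds without a handshake before a keepalive peer is flagged (assumed)
SAMPLE_NOW = 1765800100   # constructed "current" Unix time for the sample below

# Constructed `wg show wg0 dump` output (tab-separated); all keys are placeholders.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["PRIVKEY_PLACEHOLDER", "SERVER_PUBKEY_PLACEHOLDER", "51820", "off"],
    ["PEER_A_PUBKEY", "(none)", "[2001:db8::a]:51820", "10.0.0.2/32", "1765800000", "48213", "51900", "25"],
    ["PEER_B_PUBKEY", "(none)", "[2001:db8::b]:51820", "10.0.0.3/32", "0", "0", "1480", "25"],
    ["PEER_C_PUBKEY", "(none)", "(none)", "10.0.0.4/32", "0", "0", "0", "off"],
    ["PEER_D_PUBKEY", "(none)", "[2001:db8::d]:40000", "10.0.0.5/32", "1765799000", "9000", "9100", "25"],
])

class Peer(NamedTuple):
    public_key: str
    endpoint: str
    latest_handshake: int  # Unix time, 0 if no handshake has ever completed
    rx: int                # bytes received from this peer
    tx: int                # bytes sent to this peer
    keepalive: str         # seconds as text, or "off"

def parse_dump(text):
    """Parse `wg show <iface> dump`: line 1 is the interface, the rest are peers."""
    peers = []
    for line in text.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"expected 8 tab-separated peer fields, got {len(f)}")
        peers.append(Peer(f[0], f[2], int(f[4]), int(f[5]), int(f[6]), f[7]))
    return peers

def diagnose(peer, now):
    if peer.latest_handshake == 0:
        # We sent packets but no handshake ever completed: a wrong key on either
        # side, a wrong endpoint and a filtered UDP port all look the same here.
        # Nothing sent at all: on a server this is also consistent with a client
        # whose packets failed authentication and were dropped.
        return "no-reply" if peer.tx > 0 else "never-seen"
    if now - peer.latest_handshake > STALE_AFTER and peer.keepalive != "off":
        return "stale"     # keepalive is configured, yet handshakes have stopped
    return "ok"

def report(text, now):
    return {p.public_key: diagnose(p, now) for p in parse_dump(text)}

if __name__ == "__main__":
    for key, status in report(SAMPLE_DUMP, SAMPLE_NOW).items():
        print(f"{status:10} {key}")
```

On a live host, pass it the output of `wg show wg0 dump` (interface name assumed) and the current Unix time instead of the constructed sample.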

this post was submitted on 15 Dec 2025
49 points (100.0% liked)

Selfhosted
