We don't leave any ports open anymore. Everything is behind Wireguard. No key? Your packet goes into the blackhole.
Silent by default.
That is a good idea. My example is for people that expose ssh/sftp on purpose such as a public SFTP server for sharing who knows what.
Be sure to add iptables to drop packets if there's no back-and-forth exchange of data; then you're good2go, as fake/wrong keys don't use resources to determine if a key is legit or not. Not that big of a deal, and wg just doesn't reply anyways.
And good choice on the WireGuard-only setup; the only issue I had is devops/testing things and not being connected to the WireGuard, because I'd be connected to another WireGuard and couldn't ssh into the server.
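An added example (not from any poster in this thread) of the "WireGuard only" host firewall described above, written as an nftables ruleset: the only port reachable from the outside is the WireGuard UDP port, SSH/SFTP is accepted only on the tunnel interface, conntrack-invalid packets are dropped, and everything else is dropped silently rather than rejected. The interface name `wg0` and the ports 51820/22 are assumed defaults, not values from the thread.

```shell
#!/bin/sh
# Assumed defaults (override via environment): tunnel interface, WireGuard
# UDP port, and the SSH/SFTP port that should only be reachable over wg0.
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
SSH_PORT="${SSH_PORT:-22}"

# Print an nftables ruleset for a host that exposes nothing but WireGuard.
# Policy is "drop" (silent), never "reject", so unauthenticated probes get
# no answer at all, which matches WireGuard's own no-reply behaviour.
wg_only_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        udp dport ${WG_PORT} accept
        iifname "${WG_IF}" tcp dport ${SSH_PORT} accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Static sanity check that does not touch the kernel: the ruleset must
# contain no "reject", must default to drop, and must accept SSH only
# when the packet arrived on the WireGuard interface.
ruleset_is_silent() {
    rs="$(wg_only_ruleset)"
    case "$rs" in *reject*) return 1 ;; esac
    printf '%s\n' "$rs" | grep -q 'hook input priority 0; policy drop;' || return 1
    printf '%s\n' "$rs" | grep -q "iifname \"${WG_IF}\" tcp dport ${SSH_PORT} accept" || return 1
    # SSH must not be accepted unconditionally (without the iifname match).
    printf '%s\n' "$rs" | grep -q "^ *tcp dport ${SSH_PORT} accept" && return 1
    return 0
}

# Apply on the host with: wg_only_ruleset | sudo nft -f -
```

The check function only inspects the generated text; loading it with `nft -f -` is what actually enforces it.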
WireGuard _all_ of the things
> add iptables to drop packets if there's no back and forth exchange of data, then you're good2go as fake/wrong keys don't use resources to determine if a key is legit or not.
How does an initial connection work in that scheme?
Seems like a pretty big footgun for questionable benefit, since a main benefit of Wireguard is that it’s very lean in terms of resources.