> Several people described to you that there is no exposure as every invalid
> packet will be silently dropped and you still insist there is a flaw in WG
> which will hurt its adoption.

Perhaps a bit of misunderstanding here. Nowhere did I state that WG in particular has a flaw, but that it exposes potential attack surfaces unnecessarily. Having searched the net for wireguard vetting/(security) audit/scrutiny I came up empty. Thus so far any statement on WG security seems to be stemming from the horse's mouth (no pun intended, just the old saying). With a threat model that considers every piece of software to be flawed in mind, and with whatever CVE unearthed being a case in point, it should be of little surprise that the question of mitigating surface exposure is raised. Once WG gains traction beyond a niche app it is likely to be subjected to malicious attacks with increased frequency. I am having trouble seeing a server admin being happy with WG spawning all over the network (0.0.0.0) and not being able to constrain IPv4/6 sockets. But again, that is just my opinion, whilst you may have sampled some to the contrary from server/system admins.

Truly understanding and appreciating simplicity and ease of use, but without options to fine-tune some (security) aspects of the app, which don't need to be exposed in the default setup, it may fall short for certain deployment markets/adoption. Yet the latter should not be my concern. This thread started as a question of how to, and perhaps my end turned it more into a suggestion, but I am far from asking for it. Like stated earlier, everyone is at liberty to deploy either this app or another, whatever suits. It seems moot to ride this subject any further.

> For constructive discussion I propose this:
> present us PoC which will show that listening on 0.0.0.0 and ::1 can be
> exploited with WG and binding it exclusively to x.x.x.x will help to mitigate
> it.

It would not be within my capacity to produce such a PoC. But then not every potential WG user (system/server admin) will be able to either. Will that stop them from wanting to be in control of sockets/binds?

> At least try to describe such scenario. That would move this discussion
> forward and may even lead to WG code improvements.
>
> Jordan

Any sort of attack inside a corporate LAN, probably brute force or cipher cracking/padding attempts, with zero knowledge of the network layout, since WG is offering on the wildcard and IPv4/IPv6 sockets and there is no limit to unsuccessful connection attempts (unless I missed that). All it needs is a compromised machine in the LAN with malicious code incl. a suitable UDP port scanner/probe.