Intro
We care deeply about your privacy.
We go far.
Some say too far, but any step you can take toward not logging your users' IPs and connection details is one that should be taken!! >:|
All our endpoints run CentOS with encrypted storage, unnecessary services and ports removed or blocked, logs piped to /dev/null, and all non-endpoint and service IPs scrubbed from our site and databases... That's just the beginning!
But now WireGuard. Damn!
The story with WireGuard
When it comes to WireGuard, its default behaviour is to have endpoint and allowed IPs, along with keys, visible on the system/server interface.
Not only is that 109% against our privacy policy, it kinda sucks from a privacy perspective. However, WireGuard in its current state is really only meant for PRIVATE networks where knowledge of those details is generally not an issue at some level.
Our Solution
We searched high and low to land on our friend AzireVPN's solution: a rootkit-like kernel module that prevents any account on that endpoint from querying 'wg' for any IP or key aside from the endpoint's own public key.
Of course, there COULD be ways around this, but none that we know of, effectively making it impossible to 'compel' us into providing the information.
This module also removes the ability to run tcpdump and netstat, restricts access to /dev/kmem, /dev/mem, /dev/port and /proc/kcore, and disallows loading any further kernel modules.
AzireVPN has provided this source HERE.
Check out some actual examples!
root@wgsea1:~# tcpdump -ni eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)
root@wgsea1:~# rmmod disconnected_droid_mode
rmmod: ERROR: ../libkmod/libkmod-module.c:777 kmod_module_remove_module() could not remove 'disconnected_droid_mode': Operation not permitted
rmmod: ERROR: could not remove disconnected_droid_mode: Operation not permitted
(We call ours 'disconnected_droid_mode' as we have some awesome blind friends who can kick our asses again.)
root@wgsea1:~# wg
interface: wg0
  public key: a1uTMwo72+QFXfleuwEEg/wdNDvWJLfJ/MruQKw5BYo=
  private key: (hidden)
  listening port: 1443

peer: (hidden)
  allowed ips: (none)
  latest handshake: 11 seconds ago
  transfer: 165.54 MiB received, 1.07 GiB sent

peer: (hidden)
  allowed ips: (none)
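As an added example (not this page's or AzireVPN's code), here is a small Python audit that parses `wg show` output and flags any peer key, endpoint or allowed-ips value a privacy endpoint should never reveal; the sample outputs are constructed, and the placeholder peer key and 203.0.113.x addresses are assumptions.

```python
# Constructed sample: the redacted output quoted above (key copied from the page).
REDACTED = """\
interface: wg0
  public key: a1uTMwo72+QFXfleuwEEg/wdNDvWJLfJ/MruQKw5BYo=
  private key: (hidden)
  listening port: 1443

peer: (hidden)
  allowed ips: (none)
"""
# Constructed sample of an unmodified host; peer key and addresses are placeholders.
LEAKY = """\
interface: wg0
  public key: a1uTMwo72+QFXfleuwEEg/wdNDvWJLfJ/MruQKw5BYo=

peer: PEER_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 203.0.113.5:51820
  allowed ips: 10.0.0.2/32
"""

def parse_wg_show(text):
    """Split `wg show` output into interface and peer blocks of key/value pairs."""
    interfaces, peers, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(": ")
        if key == "interface":
            current = {"name": value}
            interfaces.append(current)
        elif key == "peer":
            current = {"public key": value}
            peers.append(current)
        elif current is not None:
            current[key] = value
    return {"interfaces": interfaces, "peers": peers}

def privacy_findings(text):
    """List the peer details the output exposes; an empty list means nothing leaks."""
    findings = []
    for i, peer in enumerate(parse_wg_show(text)["peers"]):
        if peer["public key"] != "(hidden)":
            findings.append(f"peer {i}: public key exposed")
        if "endpoint" in peer:
            findings.append(f"peer {i}: endpoint {peer['endpoint']} exposed")
        if peer.get("allowed ips", "(none)") != "(none)":
            findings.append(f"peer {i}: allowed ips {peer['allowed ips']} exposed")
    return findings
```

Run it against the live output of `wg show` on an endpoint to confirm the module is doing its job; any finding means the box is leaking peer details.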
API and the Site
We go one step further with our custom API. Only one locked-down account is allowed access to the API and WireGuard. To be honest, we don't even have root access once the endpoint is confirmed set up and running.
We only communicate via the API and, if the network goes down, via a restricted maintenance account.
Each connection and call is secured with a set of credentials unique to the endpoint and wrapped in a warm TLS blanket. These aren't seen by any admins, just our billing platform and the endpoint during setup.
The credentials are salted, hashed and encrypted in our database and only usable by the system in YOUR account session on our website and in limited admin actions.
These include:
Creation/Provision
Un/Suspension
& Termination for admin actions
For your Client Portal it includes:
Retrieving/Viewing your configuration info and QR codes
& Regenerating/Removing your configuration which you can do at any time
Our Ongoing Commitment
There is no security practice, protocol or service that is 100% locked-down and 'unhackable'.
The only way you can strive for this is to be PROACTIVE.
We're constantly seeking and contracting independent third parties to provide feedback and, if needed, fixes on our security practices, measures, software, network and threat models. We're serious about it! <3