Knowledgebase

How We Secure our WireGuard Endpoints

Intro

We care deeply about your privacy.

We go far.

Some say too far, but any step you can take at not logging your user's IPs and connection details is one that should be taken!! >:|

All our endpoints run CentOS with encrypted storage, unnecessary services and ports removed/blocked, logs piped to /dev/null, scrub all non-endpoint and service IPs from our site and databases... That's just the beginning!

But now WireGuard. Damn!

 

The story with WireGuard 

When it comes to WireGuard, it's default nature is to have endpoint and allowed IPs along with Keys visible on the system/server interface.

Not only is that 109% against our privacy-policy, it kinda sucks from a privacy perspective. However, WireGuard in it's current state is really only meant for PRIVATE networks where knowledge of those details is generally not an issue at some level.

 

Our Solution 

We searched high and low to land on our friend AzireVPN's solution: a root-kit-like module that would prevent any account on that endpoint from querying 'wg' for any IP or key aside from the endpoint's public.

Of course, there COULD be ways around this, but none that we know of effectively making it impossible to 'compell' us into providing the information.

This module also removes the ability to run tcpdump & netstat, restricts access to /dev/kmem, /dev/mem, /dev/port & /proc/kcore along with disallowing future modules to load.

AzireVPN has provided this source HERE.

 

Check out some actual examples!

root@wgsea1:~# tcpdump -ni eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)
root@wgsea1:~# rmmod disconnected_droid_mode
rmmod: ERROR: ../libkmod/libkmod-module.c:777 kmod_module_remove_module() could not remove 'disconnected_droid_mode': Operation not permitted
rmmod: ERROR: could not remove disconnected_droid_mode: Operation not permitted

(We call ours 'disconnected_droid_mode' as we have some awesome blind friends who can kick our asses again.)

root@wgsea1:~# wg
interface: wg0
  public key: a1uTMwo72+QFXfleuwEEg/wdNDvWJLfJ/MruQKw5BYo=
  private key: (hidden)
  listening port: 1443

peer: (hidden)
  allowed ips: (none)
  latest handshake: 11 seconds ago
  transfer: 165.54 MiB received, 1.07 GiB sent

peer: (hidden)
  allowed ips: (none)

 

API and the Site

We go one step further with our custom API. We only allow one locked-down account access to the API and WireGuard. To be honest, we don't even have root access once the endpoint is confirmed setup and running.

We only communicate via API and if net goes down, a restricted maintenance account.

Each connection and call is secured with a set of credentials unique to the endpoint and wrapped in a warm TLS blanket. These aren't seen by any admins, just our billing platform and the endpoint during setup.

The credentials are salted, hashed & encrypted in our database and only usable by the system in YOUR account session on our website and in limited admin actions.

These include:

Creation/Provision

Un/Suspension

& Termination for admin actions

 

For your Client Portal it includes:

Retrieving/Viewing your configuration info and QR codes

& Regenerating/Removing your configuration which you can do at any time

 

Our Ongoing Commitment

There is no security practice, protocol or service that is 100% locked-down and 'unhackable'.

The only way you can strive for this is to be PROACTIVE.

We're constantly seeking and contracting independent 3rd parties to provide feedback and if needed, fixes on our security practices, measures, software, network and threat models. We're serious about it! <3

  • 4 Users Found This Useful
Was this answer helpful?

Related Articles

Removing & Regenerating your WireGuard Profile

Removing & Regenerating your WireGuard Profile   We want you to have full control over your...

View WireGuard QR Code & Configuration

Viewing Your Wireguard Configuration   Step 1. Login to the Client Portal and select 'VPNs'...

Connecting to WireGuard with a CentOS/RHEL Client

Step 1. Sign in to the Metahuman VPN Client Portal (If you are already logged in and know how...

Connecting to WireGuard with an Android Client (Official App)

Step 1. Open Google Play and Install the 'WireGuard' App GOOGLE PLAY LINK   Step 2.  Open...

Connecting to WireGuard with an iOS Client (Official App)

Step 1. Open App Store and Install 'WireGuard' App APP STORE LINK   Step 2.  Open App from...

Powered by WHMCompleteSolution