A question about WireGuard security

TheLyppardMan

Very Senior Member
I've tried WireGuard and it seems to work OK, but I can't find any information about possible security risks when using it on a portable device (e.g., a mobile phone).

I primarily use it for watching video content on my mobile phone (stored on my Synology NAS) while waiting to pick up my daughter from our local university. But it has occurred to me that if my phone fell into the hands of someone else (e.g., if it were stolen), the only thing stopping someone gaining access to my home network would be the PIN on my device, even assuming that it had automatically locked, so I'm wondering why WireGuard doesn't ask for a log-in password, like OpenVPN does?
 
Why not just password protect the Wireguard app either using the phone's built in app lock feature or a third party app lock program?
 
I've tried WireGuard and it seems to work OK, but I can't find any information about possible security risks when using it on a portable device (e.g., a mobile phone).

I primarily use it for watching video content on my mobile phone (stored on my Synology NAS) while waiting to pick up my daughter from our local university. But it has occurred to me that if my phone fell into the hands of someone else (e.g., if it were stolen), the only thing stopping someone gaining access to my home network would be the PIN on my device, even assuming that it had automatically locked, so I'm wondering why WireGuard doesn't ask for a log-in password, like OpenVPN does?
Wireguard is just a means for the encrypted tunnel, a protocol if you wish. It would be up to any third-party developer to add extra security such as app locks, 2FA, etc.

But I may agree with you that app developers may at least give this as an option. Android WG even gives any user the ability to export all tunnels to a zip file. So anyone could snatch your phone, export the tunnels, send them to themselves and put your phone back without you knowing. At least if your phone is lost, you know and could kill the keys, and if you are fast enough there may be no harm done.

Running the app in a protected environment may be your best bet right now.
 
If your phone is lost or stolen, simply delete the Wireguard profile for the phone. Easy as each device uses a different profile. OpenVPN and Instantguard...not so.
For my $.02, wireguard is a better bet.
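The "just delete the WireGuard profile for the phone" step above is, on the server side, removing the lost device's [Peer] section from the interface config and reloading it. The script below is an added example and is not code from this thread, from Asuswrt-Merlin or from the WireGuard project; the config path, the key values and the peer layout are constructed placeholders (real public keys are 44-character base64 strings, which the matching handles the same way).

```shell
#!/bin/sh
# Added example, not code from the thread or from the WireGuard project.
# Revoking a lost phone on a WireGuard server means dropping that device's
# [Peer] block (identified by its PublicKey) and reloading the interface.
# All keys and the config path used here are constructed placeholders.

# Write a constructed server config with two peers (laptop, phone) to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
Address = 10.6.0.1/24

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.2/32

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.3/32
EOF
}

# has_peer CONFIG PUBKEY: exit 0 if CONFIG still lists PUBKEY.
has_peer() {
    grep -q "^PublicKey[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1"
}

# revoke_peer CONFIG PUBKEY: rewrite CONFIG without the [Peer] section whose
# PublicKey equals PUBKEY; print how many sections were removed (0 or 1).
revoke_peer() {
    conf=$1
    key=$2
    tmp="$conf.tmp"
    before=$(grep -c '^\[Peer\]' "$conf" || true)
    awk -v key="$key" '
        # emit the buffered section unless it was flagged for removal
        function flush() { if (!drop) printf "%s", buf; buf = ""; drop = 0 }
        /^\[/               { flush() }                  # new section header
                            { buf = buf $0 "\n" }        # buffer every line
        /^PublicKey[ \t]*=/ { v = $0
                              sub(/^PublicKey[ \t]*=[ \t]*/, "", v)
                              sub(/[ \t]+$/, "", v)
                              if (v == key) drop = 1 }   # flag the lost device
        END                 { flush() }
    ' "$conf" > "$tmp"
    after=$(grep -c '^\[Peer\]' "$tmp" || true)
    removed=$((before - after))
    if [ "$removed" -gt 0 ]; then
        mv "$tmp" "$conf"
        # On a live router you would now reload the interface, e.g. with
        # "wg syncconf wg0 <(wg-quick strip wg0)" (not run here).
    else
        rm -f "$tmp"
    fi
    echo "$removed"
}
```

Usage: `make_sample_conf /tmp/wg0.conf; revoke_peer /tmp/wg0.conf PHONE_PUBLIC_KEY_PLACEHOLDER` prints `1` and leaves only the laptop peer; running it a second time prints `0`, so a script calling it can tell whether anything actually changed. Because every device has its own key pair, the laptop keeps working while the phone's key is rejected at the handshake, which is the property the post above relies on.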
 
OpenVPN and Instantguard...not so.
OpenVPN can be as secure as you want it to be, and that's part of its strength. For instance, I have a client whose OpenVPN is behind 2FA. This was achieved by having OpenVPN use an LDAP backend for authentication, and Jumpcloud (the LDAP directory we use) supports 2FA. That means every time we connect through OpenVPN, 2FA is required.

You can also use user-issued certificates with OpenVPN, and simply revoke any leaked certificate. That's what I use for another client.

Or, you can use user/pass authentication by using a PAM authentication interface, and change a leaked password as needed.

The options are all there.
 
OpenVPN can be as secure as you want it to be, and that's part of its strength. For instance, I have a client whose OpenVPN is behind 2FA. This was achieved by having OpenVPN use an LDAP backend for authentication, and Jumpcloud (the LDAP directory we use) supports 2FA. That means every time we connect through OpenVPN, 2FA is required.

You can also use user-issued certificates with OpenVPN, and simply revoke any leaked certificate. That's what I use for another client.

Or, you can use user/pass authentication by using a PAM authentication interface, and change a leaked password as needed.

The options are all there.
Sure and I agree for cone heads. But for the average consumer, OpenVPN can be daunting.

Also, do not lose your phone!
 
But for the average consumer, OpenVPN can be daunting.
Just as easy as with Wireguard. Import config file into OpenVPN client. Boom - you're done.
 
The hard part is getting the config file to the mobile device LOL Maybe the USB-C port on the mobile can read a flash drive now? Haven't tried it.
 
The hard part is getting the config file to the mobile device
Hard? Ridiculously easy. Just scan the QR code from the Wireguard server page on the router. Or save the WireGuard config file from the router using the phone to access the router, or save the file to a PC and then either email it to yourself, use a file manager app on the phone to copy the file from a PC or NAS, or just connect a USB cable from the phone to the PC to copy the file. Those are just a few ways. Easy peezy.
 
primarily use it for watching video content on my mobile phone (stored on my Synology NAS) while waiting to pick up my daughter from our local university.
Why not Syno's reverse proxy with restricted user account login, access control and 2FA?
Lose your phone and the worst thing that happens is others can watch your movies (but no access to your network at large).
 
The hard part is getting the config file to the mobile device LOL Maybe the USB-C port on the mobile can read a flash drive now? Haven't tried it.
On Android phones the easiest is to use Google Drive, since every Android user has a free Google Drive. On Apple, same thing but using iCloud.
 
Why not Syno's reverse proxy with restricted user account login, access control and 2FA?
Lose your phone and the worst thing that happens is others can watch your movies (but no access to your network at large).
I store all my data on my Synology Diskstation, but normally I restrict access from my mobile phone to just the media share, which only has videos and my music library (read only). If I needed access to my more sensitive data (e.g., if I were on holiday and needed to view/edit a document), I'd have to make sure that I only did that where my phone couldn't be stolen if using the Wireguard VPN (e.g., while in a hotel bedroom).
 
If I needed access to my more sensitive data (e.g., if I were on holiday and needed to view/edit a document), I'd have to make sure that I only did that where my phone couldn't be stolen if using the Wireguard VPN (e.g., while in a hotel bedroom).
This is where our use-case differs. I too have access to non-critical Syno apps and files (e.g., DS-Cam and Photos) from my phone, always through a user account with restricted access and 2FA.

But for higher level admin and edits, I use my laptop and phone 2FA through Syno's Secure Signin.

If I lose my phone, I can fall back to email login with my laptop.

The Syno reverse proxy was easy to set up and I require all users to use 2FA. I had OpenVPN set up, which is more versatile for wider LAN access. But I decided in favor of Syno's reverse proxy because of the 2FA option not available with VPN unless I wanted to spend more $$$.

App Lock by Trusted Tools
+1
And/or put the VPN app in an Android password-protected secure folder.
Also, do not lose your phone!
👍👍
 
Why not Syno's reverse proxy with restricted user account login, access control and 2FA?
Lose your phone and the worst thing that happens is others can watch your movies (but no access to your network at large).
I have it set up so that the Synology user account I use for remote access only has read-only access to the share where all my videos are saved. All other shares are set to "no access." I also have a very strong password for the Synology admin account, using numbers, small and capital letters and symbols based on a phrase in a little-known ancient language that is well-saved in my mind. For recovery of said password if I were to die suddenly or suffer dementia, I have a copy of it saved at home in a place that no intruder would ever think to look. Do you think this is adequate security?
 
I have it set up so that the Synology user account I use for remote access only has read-only access to the share where all my videos are saved. All other shares are set to "no access." I also have a very strong password for the Synology admin account, using numbers, small and capital letters and symbols based on a phrase in a little-known ancient language that is well-saved in my mind. For recovery of said password if I were to die suddenly or suffer dementia, I have a copy of it saved at home in a place that no intruder would ever think to look. Do you think this is adequate security?

Well, I'd never trust a turn-key solution like Synology, QNAP, Asustor. Too many possible vulnerabilities due to inadequate, infrequent updates by the manufacturers. Apps and Linux kernels are pitifully maintained. And as I've experienced, the manufacturers don't care about your data or acquiring the keys for ransomware.

For you, though, adequate security is subjective. You can always shoot for zero trust, but sometimes you've got to take the tin foil hat off and just accept that the stuff that's most important to you should be backed up multiple times and offline.

I don't use DDNS even; I find I get way more hits to my firewall when I use one. Personally I just find my dynamic WAN IP and update the WireGuard config on my peer device when I want to connect to my NAS. There are different methods of figuring out your home's WAN IP remotely.
 
Do you think this is adequate security?
Yes and No. I know folks in this forum that would say VPN is not security. They would say it is for anonymity (and possibly for Man-in-the-middle attacks?). I don't hold this viewpoint.

And there are others that would say a Syno reverse proxy (like I have) is a security risk because of its reliance on Synology's systems.

For each of us, our respective practices are good enough till they aren't.

It would appear we both have thought through many "what-if" situations. There is always more that could be done... more $$$ and more time.

Understanding your practices has helped me think of some alternative approaches for my security needs. Thank you for sharing.
 
Well, I'm more on the side of a VPN is a type of security, but it's not immune to human error or vulnerabilities. A VPN service has its advantages for preventing MITM attacks and for tunnelling into your network, but that's all. Anything extra is just safe DNS filtering or ad blocking the VPN provider provides. But when you give your data to a VPN provider they can see the same data your router sees, so it's not real anonymity except to dump your VPN's IP when finished using it. Truth is, the VPN company has full access to your network when you use them, unless you use a segmented network that has limited systems they can access.

In terms of running your own VPN server that's fully in your control, that's real secure tunnelling so long as what you're using it for is equivalent to your browsing habits at home without a VPN. Because that's not meant to be used for anonymity.

The key differences are in use case. Unfortunately, VPN is just being used as a catch-all phrase with claims equivalent to snake oil by VPN companies who are simply using the same software we are for tunnelling.
 