Opinions of Wireguard security


TheLyppardMan

Very Senior Member
I've only ever used OpenVPN and Wireguard VPN servers on my routers, but when I was recently setting up my ISP-supplied AVM router as a backup device, I noted that they had added Wireguard support (the only other option they had with the previous firmware would not work with my Android phone), so I decided to give it a try. I subsequently set it up on my new RT-AX88U Pro and it was very easy to do. However, one thing that concerned me a bit was the lack of an option to set up a password or security PIN on the client device (in my case, my Galaxy A22 android phone). In my particular case, that's not really a problem because I have added the app to my list of locked apps on untrusted networks with Bitdefender mobile security (part of my Bitdefender suite of security apps). Also, I have created a read-only user on my Synology Diskstation, so that even if someone were to gain access to the Wireguard app on my phone, they wouldn't be able to delete any of my files. So I thought it might be interesting to start a discussion on comparing security issues with the various VPNs available to us on our ASUS routers. As I've only ever used OpenVPN and Wireguard as I said, security relating to those two VPNs would be of particular interest to me, but comments about other alternatives would also be useful I'm sure, especially for non-experts like me.
 
If someone gains physical access to your phone and bypasses the fingerprint/PIN to log into it, you are dead anyway...
 
Am on the first vacation in three years. Wireguard is working very well for me on Windows and Android devices. I have no security concerns.
 
If someone gains physical access to your phone and bypasses the fingerprint/PIN to log into it, you are dead anyway...
I'm considering increasing the security of some of the user (non-admin) accounts on my NAS and I think I may be able to require files access to ask for a password each time (on my phone). Also, if my phone did get lost or stolen, I would immediately turn off VPN access and/or delete my Wireguard user account, just to be on the safe side. I have a very strong password for admin access to my NAS and my files are automatically backed up each night to my IDrive account. I'll have to give all of this some more thought before I decide whether I need to make any changes.

Just one other little bit of information. I used Plex to watch media files stored on my Synology NAS, but I don't have remote access to the Plex server turned on. Instead, I connect via the Wireguard VPN and then use the Plex app on my phone. I presume doing it that way makes for a reasonably secure methodology, but am I correct in my assumption?
 
WireGuard is extremely secure. Unlike OpenVPN, it doesn't rely on an external SSL library (OpenVPN is most commonly built using OpenSSL) for its cryptography. WireGuard is, as its creator describes it, "cryptographically opinionated". All this means is that the encryption WireGuard uses is implicit in using WireGuard, whereas OpenVPN was built to be agile, and can use whatever encryption is made available by the library it was built with. It then negotiates with every client on a common algorithm they can both use. OpenVPN when configured correctly is very secure, but it relies on being configured correctly. The encryption WireGuard uses is modern and very secure, and if a weakness is found, WireGuard would be updated to use something different.

In terms of your specific question, when creating the WireGuard server, you created a private and public key pair for the WireGuard interface on your server. It then created another public key pair for your client device, i.e. your android phone, and saved the public key in its list of approved peers. On your client, you have its private key saved on the app, as well as your server's public key. On your server, you have its (the server's WireGuard interface) private key saved, as well as your phone's public key (as well as any other client devices you want to install your VPN config to).

The only way to do this is to have control of the server, so there shouldn't be any need to password protect the key pairs further. If someone has added a public key to your server's list of clients, then you're already in trouble security wise.

If you are worried about someone tampering with the app itself on your phone... Which app are you using on your Galaxy? I don't know about android exactly, but I know on iPhone if you use the official WireGuard app, you can secure against tampering with any VPN configs or viewing their key pairs with the phone's passcode and FaceID / TouchID. WireGuard is just cryptography using private and public key pairs, so there is nothing binding you to the app you are currently using if not the WireGuard one.
 
Also, if my phone did get lost or stolen, I would immediately turn off VPN access and/or delete my Wireguard user account, just to be on the safe side.

If your phone did get stolen, you could simply revoke that key pair from your server, and it would be impossible for that key pair to be used to authenticate to your WireGuard server again. And unlike OpenVPN, the stolen device wouldn't be able to DDOS your server with repeated negotiations, as WireGuard just drops any traffic to its interface that it can't decrypt. This is one of the biggest benefits to WireGuard, especially in large corporate settings with hundreds or thousands of clients. I think on a residential server with just a few client key pairs, it probably would be no hassle to just delete the old one and create a new server, but if you didn't want to go through the hassle of installing new pairs to every single client device you want to use to connect to the server, you can just delete the stolen key pair from the server and be done with it.

Just one other little bit of information. I used Plex to watch media files stored on my Synology NAS, but I don't have remote access to the Plex server turned on. Instead, I connect via the Wireguard VPN and then use the Plex app on my phone. I presume doing it that way makes for a reasonably secure methodology, but am I correct in my assumption?
Yes that's correct. Safer to do it that way than open ports on your router just for Plex. Access your private LAN via a VPN, such as WireGuard or OpenVPN, then access Plex through that interface. From Plex's point of view, you are a local device, but all your traffic is being encrypted by your VPN server and routed out to wherever you are remotely.
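The peer bookkeeping described in the two replies above (the server keeps one approved public key per client, and a stolen phone's key can be revoked without touching the other clients) as an added example that is not from this thread or from the WireGuard project. It assumes a wg-quick style config file and the standard wg(8) tool; the key strings are constructed placeholders, not real keys, and the config path and peer names are made up for the illustration.

```shell
#!/bin/sh
# Added example: build a WireGuard server peer list and revoke one client.
# Keys below are constructed placeholders (real ones come from `wg genkey`).
set -eu

SERVER_PRIV='SERVER_PRIVATE_KEY_PLACEHOLDER_CONSTRUCTED='
PHONE_PUB='PHONE_PUBLIC_KEY_PLACEHOLDER_CONSTRUCTED='
LAPTOP_PUB='LAPTOP_PUBLIC_KEY_PLACEHOLDER_CONSTRUCTED='

# Print "<private> <public>" for a fresh key pair when wg(8) is installed;
# otherwise fall back to the placeholders so the rest still runs offline.
gen_keypair() {
  if command -v wg >/dev/null 2>&1; then
    priv=$(wg genkey)
    printf '%s %s\n' "$priv" "$(printf '%s' "$priv" | wg pubkey)"
  else
    printf '%s %s\n' "$SERVER_PRIV" 'SERVER_PUBLIC_KEY_PLACEHOLDER_CONSTRUCTED='
  fi
}

# Write a server config: one [Interface] holding the server's private key,
# then one [Peer] block per approved client public key (hypothetical names).
write_server_conf() {
  conf=$1
  cat >"$conf" <<EOF
[Interface]
PrivateKey = $SERVER_PRIV
Address = 10.6.0.1/24
ListenPort = 51820

[Peer]
# phone
PublicKey = $PHONE_PUB
AllowedIPs = 10.6.0.2/32

[Peer]
# laptop
PublicKey = $LAPTOP_PUB
AllowedIPs = 10.6.0.3/32
EOF
}

# Revoke one client: drop only the [Peer] block whose PublicKey matches $2
# from config $1 (other peers keep working), and if wg0 is up, remove the
# peer from the running kernel state too so no reboot is needed.
revoke_peer() {
  conf=$1; pub=$2
  awk -v pub="$pub" '
    function emit() {
      if (index(block, "PublicKey = " pub) == 0) printf "%s", block
      block = ""
    }
    /^\[/ { if (block != "") emit(); block = $0 "\n"; next }
    { block = block $0 "\n" }
    END { if (block != "") emit() }
  ' "$conf" >"$conf.tmp" && mv "$conf.tmp" "$conf"
  if command -v wg >/dev/null 2>&1 && wg show wg0 >/dev/null 2>&1; then
    wg set wg0 peer "$pub" remove
  fi
}

# Helpers for checking the result.
count_peers()  { grep -c '^\[Peer\]' "$1" || true; }
peer_present() { grep -q "PublicKey = $2" "$1"; }

# Stand-alone demo on a temporary file: two peers, then the phone revoked.
demo() {
  f=$(mktemp)
  write_server_conf "$f"
  echo "peers before: $(count_peers "$f")"
  revoke_peer "$f" "$PHONE_PUB"
  echo "peers after:  $(count_peers "$f")"
  rm -f "$f"
}
demo
```

On a live router the same revocation is the single `wg set wg0 peer <pubkey> remove` call plus deleting that peer's block from the saved config; the remaining clients never notice, because each one is authenticated by its own key pair rather than a shared secret.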
 
Thanks for all the detailed information in your responses. It's much appreciated.
 
Casa Griswald uses OVPN/WG to access our Plex server located on our 918+ without issues (except stupidly low upload speed from comcrap).
 
Used Wireguard with my phone setup as an access point on our last holiday whenever we went out. Nothing is 100% secure, and you still have to use your brain!
 
I've made some changes to the Synology access from my phone to only allow access to folders containing the media I might want to watch and restricting access to read-only mode.
 
WG is fine - for now...

One of the challenges with WG is that the crypto is hard-linked inside the lib...

Not a bad or good thing, just that if there is a vuln found at some point, it's a major update on both ends of the link...
 