Hi all, I am behind CGNAT, but my ISP router is allocating real IPv6 addresses to my devices that can be exposed. I have a Proxmox and I have installed WireGuard on an LXC container and configured it to listen on the IPv6 address.

I was wondering if I need to do something else to protect my WireGuard installation. I have exposed only the default UDP port to the outside, and port scanners are not working on UDP ports as far as I know. Shall I do something else to protect my installation, or is the attack vector already minimal, with no need for further hardening? What’s your opinion?

  • vividspecter@aussie.zone
    3 days ago

    You could also secure what peers inside the tunnel can access, particularly if you plan to give other people access, i.e. only allow port 443 on a given server using a reverse proxy. It’s not a major threat either way, but it would reduce the amount of access if someone gets into your phone/laptop etc.
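
One way to implement the restriction suggested in the comment above, as an added example that is not part of the original thread: an nftables ruleset for the WireGuard container that lets tunnel peers reach only port 443 on one server. The interface name `wg0`, the tunnel subnet `10.8.0.0/24` and the reverse-proxy address `192.168.1.10` are assumed values, not taken from the post.

```nftables
# Added example with constructed values: wg0, 10.8.0.0/24 and 192.168.1.10
# are assumptions; substitute the real interface, tunnel subnet and proxy.
table inet wg_filter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Return traffic for connections that were permitted below
        ct state established,related accept

        # Tunnel peers may open HTTPS connections to the reverse proxy only.
        # WireGuard's per-peer AllowedIPs already pins each peer to its
        # tunnel source address, so the saddr match is a second check.
        iifname "wg0" ip saddr 10.8.0.0/24 ip daddr 192.168.1.10 tcp dport 443 accept

        # Log a sample of everything else coming out of the tunnel...
        iifname "wg0" limit rate 5/minute log prefix "wg0-drop: "
        # ...and drop all of it (IPv4 and IPv6). The drop is a separate rule
        # so that packets over the log rate limit are still dropped.
        iifname "wg0" drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Peers get replies to connections the container itself opened,
        # but cannot reach services on the WireGuard container directly.
        # The encrypted UDP listener arrives on the outer interface, not
        # wg0, so it is unaffected by these rules.
        iifname "wg0" ct state established,related accept
        iifname "wg0" drop
    }
}
```

The file can be loaded with `nft -f`, and the `wg0-drop:` log lines show what a peer device tried to reach beyond the allowed service.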