r/WireGuard

WG-easy Is it safe?

As the title suggests, I am using wg-easy from GitHub (https://github.com/wg-easy) on an Ubuntu Linux server with Docker. It's very easy to use and create peers. I only allow certain WAN IPs to access the firewall to reach my Wireguard server. However, monitoring the firewall shows connections to a range of IP addresses as shown in the image below. I am not sure if this is secure or if the public and private keys are being leaked by being sent backdoor to another server.


I am not sure if this is secure or if the public and private keys are being leaked by being sent backdoor to another server.

Do you have some kind of proof of this? (sending the keys)

If I understand it correctly, those IP addresses you were suspecting were incoming connections, and not the destination.

Well, in the firewall it shows those as incoming connections, but they are accepted by the firewall; however, the wg-easy edit history does not show any connections coming from those public IPs, and I do not share those peers with anyone else, because only certain WAN IPs are allowed access, and that IP is definitely not a WAN IP on my allowed list.


This IP range is given to ISPs for CGNAT.

CGNAT has its own reserved IP range between 100.64.0.0 and 100.127.255.255.

Great to know. Didn’t realize there was a net between my net and the ‘net.


Post the rule 21 config. I’m not convinced that’s set up correctly; otherwise, if you say you’re only allowing certain CIDRs, then this is not a WG issue but rather the config on the Fortigate.

100.64.0.0/10 is shared address space and not globally unique.

https://en.wikipedia.org/wiki/IPv4_shared_address_space
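A defender's check for the point made in this comment, added here as an example and not code from the thread or from wg-easy: it labels firewall source addresses as RFC 6598 shared space (100.64.0.0/10), the wg-easy default 10.8.0.x peer subnet, ordinary RFC 1918 private space, or global, and counts accepted connections to the WireGuard port by class. The log lines, their key=value format and UDP port 51820 are constructed assumptions, not the poster's Fortigate output.

```python
import ipaddress
import re
from collections import Counter

# 100.64.0.0/10 is RFC 6598 shared address space used for CGNAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# wg-easy reserves 10.8.0.x by default (assumption: modelled here as a /24).
WG_EASY_DEFAULT = ipaddress.ip_network("10.8.0.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Label a source address by the block it falls in, most specific first."""
    ip = ipaddress.ip_address(addr)
    if ip in WG_EASY_DEFAULT:
        return "wg-easy peer subnet"
    if ip in CGNAT_SHARED:
        return "CGNAT shared space (RFC 6598)"
    if any(ip in net for net in RFC1918):
        return "RFC 1918 private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "special-purpose"
    return "global"


# Constructed key=value lines; the real firewall format will differ.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+).*?dport=(?P<dport>\d+)")

SAMPLE_LOGS = [  # constructed sample data, not real traffic
    "action=accept src=100.70.12.5 dst=203.0.113.10 proto=udp dport=51820",
    "action=accept src=100.127.200.1 dst=203.0.113.10 proto=udp dport=51820",
    "action=accept src=198.51.100.23 dst=203.0.113.10 proto=udp dport=51820",
    "action=accept src=10.8.0.3 dst=10.8.0.1 proto=udp dport=51820",
    "action=accept src=192.168.1.20 dst=203.0.113.10 proto=tcp dport=443",
]


def summarize(log_lines, wg_port=51820):
    """Count source-address classes for lines hitting the WireGuard port."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m["dport"]) != wg_port:
            continue  # unparseable line or traffic to some other service
        counts[classify(m["src"])] += 1
    return counts


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  {label}")
```

A large share of "CGNAT shared space" sources means the peers are behind a carrier's NAT (typically mobile), which is what the thread is pointing at; it is not by itself evidence of anything leaving the server.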

if the public and private keys are being leaked by being sent backdoor to another server

You linked to the GitHub repo, didn't you?

Why not audit it yourself? Read the code. If you're so paranoid about deploying an open source app, why not take the time to read the code itself? It's open source, read it.

And I did the job you're supposed to do and searched through the source code myself. It doesn't create the IP you mentioned and the only IP it reserves is in the 10.8.0.x range by default which it reserves for itself and its peers. You would know that if you actually checked the code yourself.


wg-easy is open-source and audited by many.

Of course you can never be entirely sure, but I haven't noticed any incoming connections on my end.

First!

Sorry, I don’t have anything to add. I clicked on the post because I have used wg-easy in the past and then jumped at the chance to be the first comment. I hope you find the answers you’re looking for.

Actually, maybe I can add something. Looking at those IP addresses, they are CGNAT which you would typically get from a mobile carrier.

Do you have any clients connecting via 4G/5G?
