Hi, > 3. The attacker uses the VPN server static private key to decrypt the > recorded handshakes, revealing client static pubkeys.
Create a service that sets a new temporary pubkey. Call it *before* connecting with WG. Switching during a connection doesn't help much IMHO, because if you have recorded WG traffic you probably can correlate by IP address. > Make it possible for clients to request a dynamically assigned IP > address from the VPN server. Use the above service to also assign a new dynamic IP address. Both can and probably should be done at some arbitrary time, thus decoupling this step from using the WG connection. I haven't seen a compelling argument for augmenting the WG protocol (and/or its in-kernel implementation) with support for this. However, there may be a case for creating a standardized userspace protocol+library to implement this and possibly a few other higher-level features, so that people don't need to reinvent their wheels. -- -- Matthias Urlichs
signature.asc
Description: OpenPGP digital signature
_______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
