Hacker News
by antoniomika 1494 days ago
It's important to note that if you're not self hosting this, you're giving unlimited internal network access to this service (unless you properly firewall, of course). It's not specific to the single port/address that is used when downloading the config.

Disclaimer: I wrote a similar tool that is self-hosted and uses SSH as the tunneling service. Does HTTP(S) with TLS termination, TCP, TLS (via SNI), and internal tunneling (unexposed tunnels that are authenticated using SSH) [0].

[0] https://github.com/antoniomika/sish

2 comments

Author should include an iptables line to limit traffic from the WireGuard interface to only that port. Pre/Post commands in the configuration will work for this.
Not exactly true. It gives access to the computer you are running the tunnel on. Your computer still has to forward packets to others (if you can compromise another service on another computer without any two-way communication) and others still have to know how to route packets back to 10.101.0.1 that this service uses.
Sorry, meant internal network access related to the computer you set the tunnel up on. I usually refer to local network when speaking about the LAN :)

For reference though, all that is needed are some poorly written POSTROUTING rules and IP forwarding enabled on the client to allow access to the local network. More people have these set than you think!
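An added example, not from the thread or from the tool being discussed, of what the earlier comment about Pre/Post commands and this one about forwarding amount to in a wg-quick config on the host that exposes the service: inbound traffic on the tunnel interface is limited to the one published port, and nothing arriving over the tunnel is forwarded on to the LAN. The interface name comes from wg-quick's `%i` substitution; the exposed port 8080, the local tunnel address 10.101.0.2, and the key/endpoint placeholders are assumptions.

```ini
# /etc/wireguard/wg0.conf on the machine running the tunnel (example config, not the provider's).
# Without the PostUp/PreDown lines below, any packet the remote end sends to 10.101.0.2
# reaches every service listening on this host, not just the one being published.
[Interface]
Address = 10.101.0.2/24             ; assumed local tunnel address; 10.101.0.1 is the provider's end
PrivateKey = <PLACEHOLDER_PRIVATE_KEY>

; Inbound via the tunnel: allow replies to connections this host opened, allow the
; published port, drop everything else. Inserted at the top so they win over existing rules.
PostUp = iptables -I INPUT 1 -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -I INPUT 2 -i %i -p tcp --dport 8080 -j ACCEPT
PostUp = iptables -I INPUT 3 -i %i -j DROP

; Never forward tunnel traffic toward the LAN, even if net.ipv4.ip_forward=1 and a
; permissive MASQUERADE rule are already present for some other reason.
PostUp = iptables -I FORWARD 1 -i %i -j DROP

; Remove the same rules when the tunnel goes down.
PreDown = iptables -D INPUT -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PreDown = iptables -D INPUT -i %i -p tcp --dport 8080 -j ACCEPT
PreDown = iptables -D INPUT -i %i -j DROP
PreDown = iptables -D FORWARD -i %i -j DROP

[Peer]
PublicKey = <PLACEHOLDER_PROVIDER_PUBLIC_KEY>
Endpoint = <PLACEHOLDER_PROVIDER_HOST>:51820
; Route only the provider's tunnel address through the interface, not 0.0.0.0/0.
AllowedIPs = 10.101.0.1/32
PersistentKeepalive = 25
```

Check the result with `iptables -S INPUT` and `iptables -S FORWARD` after `wg-quick up wg0`; the three INPUT rules and the FORWARD drop should appear before any pre-existing rules for the interface.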