by frumplestlatz 237 days ago
Yes, and those two true things are:

- You should be using WireGuard.

- “Port knocking” is pointless theater.

CVE-2024-26950 is also true, and while I respect your opinion... a VPN has a lot of additional links in the chain trivially broken by competent hostiles or incompetent client installations.

IPSec is simply a luxury unavailable on some LANs =3

I don't understand what you think CVE-2024-26950 has to do with this thread. Do you understand what that vulnerability actually is, or did you just go search "WireGuard CVE" to find ammunition?

Firewall administrative network port traffic priority is important for systems under abnormal stress.

I don't know what this even means. Do you understand the vulnerability you cited? Can you explain it here?

The relatively benign legacy kernel level pointer-bug CVE chosen is hardly the worst thing from WireGuard or strongSwan over the years. However, it makes the point that a priority reliable network side-channel administrative login is more robust under some use cases.

Adding layers of complexity rarely improves security, and doesn't usually address the underlying issue of accountability. And I often ponder if a bastion host is even still meaningful in modern clouds. =3

The bug you cited is in Netlink. It's not exposed on the network. What's the "worse" thing you're referring to? I think you just searched "WireGuard CVE" and tried to play it off.