This is an automated archive.
The original was posted on /r/wireguard by /u/superhardtack on 2024-01-18 05:09:29+00:00.
Hi, I'm new to WireGuard, so please bear with me.
I'm using this guide:
I successfully used the guide to make a private server that's behind a CGNAT open to the public by creating a tunnel to a VPS with WG server.
I decided to go with the "Default Route" so that the private server still has IP information of the visitors and presumably can continue blocking bots with Fail2Ban.
Everything is working beautifully. The only change I had to make that wasn't on the guide was to add the following lines to the public server's wg0.conf:
PostUp = ufw route allow in on wg0 out on eth0
PostUp = ufw route allow in on eth0 out on wg0
My question is, from a security standpoint, if someone compromises the public VPS account, will they have complete access to all services running on the private server? Or will UFW on the private server continue blocking all ports except for the ones that are enabled?
Realistically, I only need traffic on port 443 piped back and forth in the WireGuard tunnel.
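The private server's own ufw policy on wg0 is what bounds what a compromised VPS can reach through the tunnel, so a quick check is to confirm that no ALLOW IN rule on wg0 covers anything beyond 443/tcp. The script below is an added example, not from the post or the linked guide: it audits the text that `ufw status verbose` prints, using constructed sample output whose column layout is assumed to match a typical ufw install.

```shell
#!/bin/sh
# Audit the private server's ufw rule list for rules that expose
# anything other than tcp/443 through the wg0 tunnel interface.

# Constructed sample of `ufw status verbose` on a tightened private
# server: only 443/tcp is reachable from wg0, SSH only from the LAN.
SAMPLE_OK='Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
443/tcp on wg0             ALLOW IN    Anywhere
22/tcp                     ALLOW IN    192.168.1.0/24'

# Constructed sample of a looser rule set: every port is open from wg0,
# so a compromised peer on the tunnel can reach all local services.
SAMPLE_BAD='Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
Anywhere on wg0            ALLOW IN    Anywhere
22/tcp                     ALLOW IN    192.168.1.0/24'

# audit_wg0 STATUS_TEXT
# Prints each "ALLOW IN ... on wg0" rule whose "To" column is not
# 443/tcp. Exits 0 when the tunnel only exposes 443/tcp, 1 otherwise.
audit_wg0() {
  printf '%s\n' "$1" | awk '
    /ALLOW IN/ && / on wg0 / {
      if ($1 != "443/tcp") { print "exposed via wg0: " $0; bad = 1 }
    }
    END { exit bad + 0 }'
}

# default_incoming_denied STATUS_TEXT
# Exits 0 only if the default incoming policy is deny, so that anything
# not explicitly allowed on wg0 is dropped.
default_incoming_denied() {
  printf '%s\n' "$1" | grep -q 'Default: deny (incoming)'
}
```

Run it against the live box with `audit_wg0 "$(sudo ufw status verbose)"` and treat any printed line as a rule to narrow.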