Wireguard doesn't respond at all if you do not send the correct key from the start, so I'm not sure how you would write a probe for it. You receive the exact same response as if you send a UDP packet to a port with nothing listening.

Most real world firewall configurations I have seen use DROP instead of REJECT, so anecdotally I'm not sure about your claim.

I don't think it's particularly worrisome if someone knows I'm running Wireguard, though.

If there's a wireguard zero day, they gain no more access to the rest of my servers than if I had port 22 open to the internet - and I don't think that's a significant risk with key based auth to begin with. If there's an openssh zero day, then yeah that could be trouble, but now someone needs to have zero days for both wireguard and openssh to get in to my prod servers?

If they've got two private zero days for that and they're willing to burn them on me, I'm an incredibly high value target and pretty much everything we're discussing here isn't going to be enough to save me, and I've got much bigger problems.

> Wireguard doesn't respond at all if you do not send the correct key from the start, so I'm not sure how you would write a probe for it.

Is that really so? I'm not all that familiar with Wireguard but that seems like a debugging nightmare if the client has no way to get any error pointer from the server. At least my experience from setting up some IPsec infrastructures is that client logs are essential for troubleshooting.

> Most real world firewall configurations I have seen use DROP instead of REJECT, so anecdotally I'm not sure about your claim.

I do advocate for DROP, but most configurations I see are default REJECT. DROP has a bunch of disadvantages that most people don't want to deal with. It messes with TCP because of the lack of ICMP responses, and overall it makes troubleshooting harder because you end up with programs hanging and time outing instead of instantaneous failure.

Actually the use of REJECT is so widespread that it makes my life easier. When multiple levels of firewalls are involved, I can be quite sure that if the program hangs, it's a rule on my side, while a RST tells me that it's somewhere else.

> I don't think it's particularly worrisome if someone knows I'm running Wireguard, though.

Agree, though the subject is just port scanning here, not what happens beyond that.

>Is that really so? I'm not all that familiar with Wireguard but that seems like a debugging nightmare if the client has no way to get any error pointer from the server. At least my experience from setting up some IPsec infrastructures is that client logs are essential for troubleshooting.

Yep! Which, you're right, can make wireguard troubleshooting a pain... but it also mostly 'just works' with significantly less configuration overhead and chance of messing things up than your general IPSec IKE setup. IKEv2 definitely makes things nicer, but it's still not as generally painless as wireguard.

DROPping a UDP packet costs much less that REJECTing it. I cannot imagine why one would use REJECT for those.

I don't know why to mention them in the firewall at all. The kernel knows which ports it is listening on, and drops the rest without prompting.

> DROPping a UDP packet costs much less that REJECTing it. I cannot imagine why one would use REJECT for those.

Because 99.99% of people out there use iptables, with a single default rule for unmatched packets, whether it be UDP or TCP.

> I don't know why to mention them in the firewall at all.

Because you surely don't want your hosts to expose something unexpected to the internet .

> The kernel knows which ports it is listening on, and drops the rest without prompting.

Nope, and that's precisely the subject of the discussion here. In case nothing is listening, you will receive a nice ICMP "port unavailable".

OK, that's news.

Is that the same (externally seen) effect as a REJECT?