[lug] Security - Wireguard

Bucky Carr bcarr at purgatoire.org
Sat Jun 29 13:21:24 MDT 2019



On 6/29/2019 1:06 PM, Zan Lynx wrote:
>
> With UDP there's no connection so NAT routers need to have a timeout 
> or they'd just fill up with UDP tracking entries. They have to time 
> out TCP also but they can use a longer timeout since most TCP 
> connections mark themselves closed one way or another.
>
> I went and read some stuff about Wireguard and searched around. As 
> best I can tell it defaults to 10 second heartbeat packets. So are 
> you *sure* it's idle in the background? Because you'd have needed to 
> set something for that.

By "idle" I meant that I left the ssh window open and didn't have any 
activity in it after logging in. Wireguard allows for keepalive 
packets if you need them, time selectable with 25 (seconds) 
recommended. I have that functionality turned off.

So I dunno. The VPN client software I'm using (TunSafe for Windows) 
has a window which shows the time since the last "handshake" and it 
refreshes about every 2 minutes, but I'm thinking that is the key 
re-negotiation time.

Admittedly, I don't know much about this.

I still need to use tcpdump to look at the traffic to be sure it is 
encrypted, though many others have done this and report that it is.
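As an added example (not code from this thread), here is a small Python classifier for the UDP payloads one would capture with tcpdump on the WireGuard port. It relies only on WireGuard's published framing: a type byte followed by three reserved zero bytes, fixed-length handshake messages (148, 92 and 64 bytes), and a 16-byte transport header followed by an encrypted body that is a multiple of 16 bytes, so any non-WireGuard packet on that port stands out, a 32-byte transport message is a keepalive, and the gap between handshake initiations is the rekey interval the client window shows. The timestamps and payload bytes are constructed, not captured.

```python
from collections import Counter

# WireGuard message types: first payload byte, followed by three reserved zero bytes.
MSG_TYPES = {1: "handshake-initiation", 2: "handshake-response",
             3: "cookie-reply", 4: "transport-data"}
FIXED_SIZES = {1: 148, 2: 92, 3: 64}   # handshake messages have fixed lengths
TRANSPORT_HEADER = 16                  # type(4) + receiver index(4) + counter(8)
AEAD_TAG = 16                          # Poly1305 tag on every transport message

def classify(payload: bytes) -> str:
    """Label one UDP payload; 'not-wireguard' when the framing does not match."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"
    msg_type = payload[0]
    if msg_type not in MSG_TYPES:
        return "not-wireguard"
    if msg_type in FIXED_SIZES:
        return MSG_TYPES[msg_type] if len(payload) == FIXED_SIZES[msg_type] else "not-wireguard"
    body = len(payload) - TRANSPORT_HEADER
    # Plaintext is padded to a multiple of 16 and the tag appended: body is a positive multiple of 16.
    if body < AEAD_TAG or body % 16:
        return "not-wireguard"
    # An empty plaintext (tag only, 32 bytes on the wire) is the keepalive discussed above.
    return "keepalive" if body == AEAD_TAG else "transport-data"

def summarize(packets):
    """packets: iterable of (seconds, payload) -> (label counts, seconds between initiations)."""
    counts, inits = Counter(), []
    for ts, payload in packets:
        label = classify(payload)
        counts[label] += 1
        if label == "handshake-initiation":
            inits.append(ts)
    return counts, [b - a for a, b in zip(inits, inits[1:])]

def transport(body_len: int) -> bytes:
    """Constructed transport message: dummy receiver index and counter, opaque filler body."""
    return b"\x04\x00\x00\x00" + b"\x11" * 4 + b"\x00" * 8 + b"\xaa" * body_len

# Constructed capture: handshake, one data packet, keepalives 25 s apart, a rekey after 120 s,
# and a stray plaintext HTTP request that must not be mistaken for WireGuard traffic.
SAMPLE = [
    (0.00, b"\x01\x00\x00\x00" + b"\xbb" * 144),   # initiation (148 bytes)
    (0.05, b"\x02\x00\x00\x00" + b"\xcc" * 88),    # response (92 bytes)
    (1.00, transport(64 + AEAD_TAG)),              # 64-byte padded plaintext + tag
    *[(t, transport(AEAD_TAG)) for t in (25.0, 50.0, 75.0, 100.0)],  # keepalives
    (120.0, b"\x01\x00\x00\x00" + b"\xdd" * 144),  # second initiation: rekey
    (121.0, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"),
]
```

Feed it real payloads by reading a pcap (for example with scapy's `rdpcap` and each packet's `UDP` layer payload) and the same two functions apply unchanged.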


