Title: Wireguard and forward secrecy for clients Date: 2020-03-08 13:30 [Wireguard](https://www.wireguard.com/) got [merged upstream](https://www.phoronix.com/scan.php?page=news_item&px=Net-Next-For-Linux-5.6): time to deploy it, throw OpenVPN in a fire, and to celebrate! Unfortunately, there is a major design issue with Wireguard if you're using it with a VPN provider: the lack of *forward secure identity hiding*. This means that an attacker recording your traffic and gaining access to the server's private key would be able to retroactively tie users (via their public keys) back to their connections. This property isn't really hidden away, but I haven't found significant discussions about it, and it took me a bit of reading of the spec to realize that. Wireguard is [using](https://www.wireguard.com/protocol/) [Noise_IK](https://noiseexplorer.com/patterns/IK/) for its crypto protocol, [meaning](https://noiseprotocol.org/noise.html#interactive-handshake-patterns-fundamental) that to initiate a connection, the initiator (client) will send its public key to the responder (server), but as the documentation says: > Message contents benefit from message secrecy and some forward secrecy: the > compromise of the responder's long-term private keys, even at a later date, > will lead to message contents being decrypted by the attacker. This is a deliberate design choice: it keeps the protocol simple, saves roundtrips, and it allows to simply drop unauthenticated packets. After this article was published, some people asked about other *tunneling* protocols: [Tor](https://www.torproject.org/) doesn't have this *property*, nor does [I2P](https://geti2p.net/en/) [OpenVPN](https://openvpn.net/) with modern ciphers, and [IPSEC](https://en.wikipedia.org/wiki/IPsec). So keeps this in mind before blindly using a commercial VPN provider with Wireguard. (Thanks to *joe* for spending some of his time discussing this with me, which resulted in this blogpost.) Edits: - [dkg](https://fifthhorseman.net/) reached out to me about [wg-dynamic](https://git.zx2c4.com/wg-dynamic/about/) as a potential solution. - ivpn wrote an [interesting blogpost]( https://www.ivpn.net/knowledgebase/254/Using-WireGuard-for-Privacy-Protection.html ) about this issue.