
In theory.

In the same theory, someone would need your EC SSH key to do anything with an exposed SSH port.

Practice is a separate question.





SSH is TCP though, and the outside world can initiate a handshake; the point being that WireGuard silently discards unauthenticated traffic - there's no way they can know the port is open for listening.

Uh, you know you can scan UDP ports just fine, right? Hosts reply with an ICMP destination unreachable / port unreachable (3/3 in IPv4, 1/4 in IPv6) if the port is closed. Discarding packets won't send that ICMP error.

It's slow to scan due to ICMP rate limiting, but you can parallelize.

(Sure, you can disable / firewall drop that ICMP error… but then you can do the same thing with TCP RSTs.)
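
What the comment above describes, as an added example that is not code from any of the commenters or from WireGuard: a minimal UDP probe that classifies a port by whether an ICMP port unreachable comes back, next to the TCP counterpart where a RST plays the same role. It assumes Linux, where a connect()ed UDP socket surfaces the ICMP error as ECONNREFUSED on the next recv(), and probes the loopback address 127.0.0.1, where Linux applies no ICMP rate limit; the bound-but-silent UDP socket is a stand-in for a WireGuard port facing an unauthenticated sender, and all ports and listeners are constructed locally by the script.

```python
import socket

HOST = "127.0.0.1"   # assumption: loopback target, so no ICMP rate limit applies


def probe_udp(host, port, timeout=0.5, payload=b"\x00"):
    """Send one UDP datagram and classify the port the way a UDP scanner does.

    The socket is connect()ed so the kernel reports an ICMP port unreachable
    (IPv4 type 3/code 3, IPv6 type 1/code 4) for this flow as ECONNREFUSED on
    the next recv().  Silence is ambiguous: a service that reads and ignores
    the datagram (WireGuard's behaviour for unauthenticated traffic) and a
    firewall that drops the probe or the ICMP error look the same to the
    scanner, hence "open|filtered".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(4096)
            return "open"            # something answered at the application layer
        except ConnectionRefusedError:
            return "closed"          # ICMP port unreachable surfaced as ECONNREFUSED
        except socket.timeout:
            return "open|filtered"   # no reply and no error: cannot tell


def probe_tcp(host, port, timeout=0.5):
    """Same three-way classification for TCP: a RST plays the role of the ICMP
    error, and a completed handshake proves the port is open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN/ACK received, handshake completed
        except ConnectionRefusedError:
            return "closed"          # RST received
        except socket.timeout:
            return "filtered"        # SYN dropped silently


def silent_udp_listener(host=HOST):
    """Bind a UDP socket that never replies: stands in for a WireGuard port as
    seen by an unauthenticated sender.  Returns the bound socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s


def tcp_listener(host=HOST):
    """Bind a TCP socket that accepts handshakes (like an exposed SSH port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def unused_port(host=HOST, kind=socket.SOCK_DGRAM):
    """Pick a port with nothing bound to it by binding, reading the number back
    and closing again (a small race, acceptable for a demonstration)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Run the four cases and return their classifications by name."""
    udp = silent_udp_listener()
    tcp = tcp_listener()
    try:
        return {
            "udp_silent_listener": probe_udp(HOST, udp.getsockname()[1]),
            "udp_nothing_bound": probe_udp(HOST, unused_port()),
            "tcp_listener": probe_tcp(HOST, tcp.getsockname()[1]),
            "tcp_nothing_bound": probe_tcp(HOST, unused_port(kind=socket.SOCK_STREAM)),
        }
    finally:
        udp.close()
        tcp.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {verdict}")
```

The UDP case with nothing bound comes back "closed" because the ICMP error arrives; the silent listener and a host that firewalls the ICMP error both come back "open|filtered", which is the information the scanner is really gaining: which ports are not provably closed. Off loopback, raise the timeout and expect the rate limiting mentioned above to slow the closed-port replies.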


That's why you discard ICMP errors.

If anything, that's why you discard ICMP port unreachable, which I assume you meant.

If you're blanket dropping all ICMP errors, you're breaking PMTUD. There's a special place reserved in hell for that.

(And if you're firewalling your ICMP, why aren't you firewalling TCP?)


Not even remotely comparable.

WireGuard is explicitly designed to not allow unauthenticated users to do anything, whereas SSH is explicitly designed to allow unauthenticated users to do a whole lot of things.


> SSH is explicitly designed to allow unauthenticated users to do a whole lot of things

I'm sorry, what?



