Blog

Follow us with monthly transparency reports and latest news about our service.

WireGuard privacy enhancements

Published on 2017-11-15 by William

At AzireVPN, we care about our no-logging policy, that's why all of our servers are running on diskless hardware and all log files are piped to /dev/null.

But when it comes to WireGuard the default behaviour is to have endpoint and allowed-ip visible in the server interface, which does not really work with our privacy policy. We shouldn't know about your source IP and cannot accept having it visible on our servers.

For this reason, we consulted the creator of WireGuard, Jason, whom has been been really helpful since day one on this matter, and we came to the conclusion that AzireVPN was going to hire Jason to write a rootkit-like module that removes the ability of an ordinary system administrator to query endpoint or allowed-ip information about WireGuard peers and disable the ability to run tcpdump. Of course there are ways around these protections, but none that we actually know about, which means we can't be compelled to carry out something we don't know how to do.

All of our servers are now running this module and the source code of the module can be found here.

The module is built in a way that doesn't allow it to be unloaded once it has been loaded. It also restricts access to /dev/kmem, /dev/mem, /dev/port, /proc/kcore, and disallows future modules to load.

root@es1-wg1:~# tcpdump -ni eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)
root@es1-wg1:~# rmmod blind_operator_mode
rmmod: ERROR: ../libkmod/libkmod-module.c:777 kmod_module_remove_module() could not remove 'blind_operator_mode': Operation not permitted
rmmod: ERROR: could not remove module blind_operator_mode: Operation not permitted
root@es1-wg1:~# wg | head -n 15
interface: wg0
  public key: ZcFmXAL9JWCQoS//5w9WRDKTzTcOlhXXNOX/8d/cSF8=
  private key: (hidden)
  listening port: 51820

peer: xxx
  allowed ips: (none)
  latest handshake: 1 minute, 20 seconds ago
  transfer: 5.14 GiB received, 1.64 GiB sent

peer: yyy
  allowed ips: (none)
Go back

Published on 2017-11-15 by William