WireGuard Privacy Enhancements

At AzireVPN, we care about our no-logging policy, that's why all of our servers are running on diskless hardware and all log files are piped to /dev/null.

But when it comes to WireGuard the default behaviour is to have endpoint and allowed-ip visible in the server interface, which does not really work with our privacy policy. We shouldn't know about your source IP and cannot accept having it visible on our servers.

For this reason, we consulted the creator of WireGuard, Jason, whom has been been really helpful since day one on this matter, and we came to the conclusion that AzireVPN was going to hire Jason to write a rootkit-like module that removes the ability of an ordinary system administrator to query endpoint or allowed-ip information about WireGuard peers and disable the ability to run tcpdump. Of course there are ways around these protections, but none that we actually know about, which means we can't be compelled to carry out something we don't know how to do.

All of our servers are now running this module and the source code of the module can be found here.

The module is built in a way that doesn't allow it to be unloaded once it has been loaded. It also restricts access to /dev/kmem, /dev/mem, /dev/port, /proc/kcore, and disallows future modules to load.

root@es1-wg1:~# tcpdump -ni eth0 tcpdump: eth0: You don't have permission to capture on that device (socket: Operation not permitted)
root@es1-wg1:~# rmmod blind_operator_mode rmmod: ERROR: ../libkmod/libkmod-module.c:777 kmod_module_remove_module() could not remove 'blind_operator_mode': Operation not permitted rmmod: ERROR: could not remove module blind_operator_mode: Operation not permitted
root@es1-wg1:~# wg | head -n 15 interface: wg0 public key: ZcFmXAL9JWCQoS//5w9WRDKTzTcOlhXXNOX/8d/cSF8= private key: (hidden) listening port: 51820 peer: xxx allowed ips: (none) latest handshake: 1 minute, 20 seconds ago transfer: 5.14 GiB received, 1.64 GiB sent peer: yyy allowed ips: (none)