With the recent news of OpenSSH getting haxed…again, I was wondering if it would be possible to marry Wireguard’s not-so-chatty traffic model with ssh.
Then it hit me…why not just only listen on (or allow traffic from) Wireguard interfaces? So I whipped up a test Ubuntu 24 instance and starting banging rocks together.
First, lets get Wireguard installed.
$ sudo apt install -y wireguard wireguard-tools
Second, lets make a new Wireguard conf for the server and ourselves.
#The server
[Interface]
Address = fd80:892b:9b39::1/64
PrivateKey = lolLmaoEVEN==
ListenPort = 51820
[Peer]
Publickey = EWdRFVVrfaE9PsRaKIX9a8h3BpS/EaUr/F0sxT09+UI=
AllowedIPs = fd80:892b:9b39::2/64
#The client
[Interface]
Address = fd80:892b:9b39::2/64
PrivateKey = lolLmaoEVEN==
ListenPort = 51820
[Peer]
Publickey = HagDqXuHxulbxKvGgPLtWy7LCv1IGwAJb1wLB40ligk=
AllowedIPs = fd80:892b:9b39::1/64
Endpoint = myserver.example.com:51820
Third, lets enable the service, add a firewall rule to allow SSH traffic on our new interface, bring up the interface, and test the port.
$ sudo systemctl enable wg-quick@wgsshd0.service
$ sudo ufw allow in on wgsshd0 to any port 22
$ sudo wg-quick up wgssh0
$ sudo screen -S testing bash -c "ufw delete allow 22/tcp; sleep 120; ufw allow 22/tcp"
Now let’s test it from another machine.
$ ssh abc@myserver.exmaple.com # should fail.
$ ssh abc@[fd80:892b:9b39::1] # should succeed.
Finally, if everything works delete any other SSH port rules you may have.
Final Thoughts
Probably the biggest issue I can see is that this requires another service to be running before remote management of the machine is possible. Though with most popular hosts have a feature that lets you access the console thru other means. So this might be a none issue for most. Might be prudent to still have some firewall rules letting thru traffic from a limited subset of addresses to the sshd on the server’s pubic IP address.
Second biggest would be that every admin would need a Wireguard interface setup on every machine they use. While we’d need to get their ssh keys configured, it’s another thing to keep track of.