
WANTED: DDoS protected VPS provider with wireguard filters + stateful filtering .

ilikebeans Member
edited September 2024 in Requests

Hi, today I’m looking for DDoS protected VPS provider that has very good wireguard filters, as well as having stateful filters.

As far as I’m aware, only path.net do this (on a large scale) but if you can recommend any that AREN'T path.net, please feel free to.

Any VPS provider must host servers in England/Netherlands for minimum ping. They also need to have good filters in general, but specifically a very good wireguard filter, as this is what I will be mainly using it for. It must also have a 1G port.

My knowledge of hosts is very slim, so for anything you comment, I thank you.

Comments

  • ilikebeans Member
    edited September 2024

    Thanks for the suggestion, however unfortunately they don’t have the best wireguard filter.

  • Dasabo 🚩 Patron Provider Tag Suspended

    Hello @ilikebeans ,
    I think our plans might work for you, the only “problem” is that our datacenter is in Germany so I don't know if it is close enough for your chosen location.
    We have the ability to configure our firewall to your liking.
    I would like to better understand what you mean by wireguard filter, do you by any chance want to host your own wireguard server and be protected in Layer 4?
    In any case you can find our plans here

  • SoftShellWeb Member, Patron Provider
    edited September 2024

    We use wanguard for our in-house scrub platform in the Netherlands.

    Network test: http://ams-test.softshellhosting.com/

    You can find our plans here

  • RoyaleHosting Member, Patron Provider

    @ilikebeans said:
    Hi, today I’m looking for DDoS protected VPS provider that has very good wireguard filters, as well as having stateful filters.

    As far as I’m aware, only path.net do this (on a large scale) but if you can recommend any that AREN'T path.net, please feel free to.

    Any VPS provider must host servers in England/Netherlands for minimum ping. They also need to have good filters in general, but specifically a very good wireguard filter, as this is what I will be mainly using it for. It must also have a 1G port.

    My knowledge of hosts is very slim, so for anything you comment, I thank you.

    Our offers should meet your needs exactly! :)

    You can see our VPS services here: https://royalehosting.net/store/vps

  • RoyaleHosting Member, Patron Provider

    Thank you for the mention!

  • RoyaleHosting Member, Patron Provider

    @ilikebeans said:
    Thanks for the suggestion, however unfortunately they don’t have the best wireguard filter.

    We can customize the filters to any application, so feel free to reach out through a ticket so that we can tune the protection for you! :)

  • bobsburgers

    Highly recommend royalehosting

  • RoyaleHosting Member, Patron Provider

    @bobsburgers said:
    Highly recommend royalehosting

    Thank you! :)

  • SplitIce Member, Host Rep

    Wireguard filters? Is there some application level vulnerability in Wireguard that you know about?

    AFAIK it's a pretty well designed protocol at the outer layer at least.

  • ilikebeans Member
    edited September 2024

    @SplitIce said:
    Wireguard filters? Is there some application level vulnerability in Wireguard that you know about?

    AFAIK it’s a pretty well designed protocol at the outer layer at least.

    No. If I run a wireguard VPN on a VPS with no wireguard filter, and that port got attacked, every bit of that DDoS attack is going to leak into my server, causing it to go down.

  • SplitIce Member, Host Rep

    So therefore for accepting wireguard traffic you should be fine with just a basic stateful UDP filter.

    It's a long lived connection after all with little / no turnover.

  • ilikebeans Member
    edited September 2024

    @SplitIce said:
    So therefore for accepting wireguard traffic you should be fine with just a basic stateful UDP filter.

    It's a long lived connection after all with little / no turnover.

    Not exactly, no lol. I have encountered leaks from VPS servers WITH wireguard protection. A simple UDP stateful filter would not be enough. An advanced eBPF XDP filter is expected. What you are saying is not true.

  • SplitIce Member, Host Rep

    Leaks, you mean because you are forwarding traffic and an authenticated / accepted user can just see the outgoing IP and DDoS that?

  • ilikebeans Member
    edited September 2024

    @SplitIce said:
    Leaks, you mean because you are forwarding traffic and an authenticated / accepted user can just see the outgoing IP and DDoS that?

    No.

    Leaks from the DDoS protected host.

    Nothing leaks through the VPN (as in on the client side of the VPN, nothing is leaked) it only leaks into the VPS server, leaving the server useless.

  • SplitIce Member, Host Rep

    Regardless of your desire something like wireguard is typically incredibly easy to protect generally in the unlikely event it's an attack target (as normally tunnels are between trusted parties). Just limit the accepted rate of new sessions. Considering the encryption at play that's the best implementation option (outside of blocking specific attacks).

    @ilikebeans said: An advanced eBPF XDP filter is expected. What you are saying is not true.

    Sorry if I am wrong, I only tried to help.

  • ilikebeans Member

    @SplitIce said:
    Regardless of your desire something like wireguard is typically incredibly easy to protect generally in the unlikely event it's an attack target (as normally tunnels are between trusted parties). Just limit the accepted rate of new sessions. Considering the encryption at play that's the best implementation option (outside of blocking specific attacks).

    @ilikebeans said: An advanced eBPF XDP filter is expected. What you are saying is not true.

    Sorry if I am wrong, I only tried to help.

    No need to apologise, any input given, I thank you for. However, I am not looking for something that limits the accepted rate of sessions (a rate limit) as that's really not how I roll haha. I try to stay away from it as much as possible.

    Theoretically, what you are saying can be done, but can most likely be bypassed easily.

  • SplitIce Member, Host Rep
    edited September 2024

    @ilikebeans said: but can most likely be bypassed easily.

    And yes wireguard traffic (excl. additional layers) can be recognised by BPF expression (... the GFW loves this). However, honestly I'm not really feeling like your problem is a real one. If it was, that's what you would be doing with any of the providers who provide BPF expressions and stateful filtering (including us).

    AFAIK you can recognise the initiation packet for wireguard pretty easily with BPF.
    If you do want (or need) to develop a solution with a provider like us

    • You can acceptance match that (no traffic unless seen) but that introduces reduced reliability in certain cases
    • You can BPF on any expression

      • You can hashlimit on top of that

    But ultimately that greatly depends on your ability and need to develop something like that. I'm still of the opinion that a session rate limit (paired with per client QoS) is simple, effective, and unlikely to have any collateral impact on existing sessions. It's unlikely that any additional complexity would add anything more than a small delay to someone willing to already jump through those hurdles (e.g. to impersonate wireguard packets). Generally most people prefer not to over-filter for the potential reliability issues it causes (particularly in edge cases e.g. PoP switches).
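The filter SplitIce outlines in the post above, as a worked example: recognise the handshake initiation by its shape (what a BPF expression can do), hashlimit initiations per source, and pass the rest of the WireGuard traffic only from sources already seen handshaking. This is added illustration code, not anything posted in this thread or shipped by any provider named in it. The message sizes, the mac1 construction and the tcpdump expression in the comment follow the WireGuard protocol description; the rate-limit numbers, IP addresses, server key and packet bodies are made-up test values. The mac1 check goes one step beyond what the thread describes and assumes the edge knows the protected server's public key.

```python
"""WireGuard-aware stateful UDP filter: shape check (what a BPF expression can
do), per-source rate limit on handshake initiations (hashlimit), and an
"accept only if a handshake was seen" table for everything else."""
import hashlib
import struct
import time
from collections import defaultdict, deque

# Message types and fixed sizes from the WireGuard protocol description.
WG_INIT, WG_RESP, WG_COOKIE, WG_DATA = 1, 2, 3, 4
FIXED_LEN = {WG_INIT: 148, WG_RESP: 92, WG_COOKIE: 64}
DATA_MIN_LEN = 32          # 16-byte header + 16-byte AEAD tag (a keepalive)
MAC1_OFFSET = 116          # initiation: everything before the mac1 field
LABEL_MAC1 = b"mac1----"

# The same initiation shape test as a tcpdump/BPF expression (assumed reading
# of the spec):  udp and udp[4:2] = 156 and udp[8:4] = 0x01000000
# i.e. UDP length 8 + 148, first payload byte type 1, three reserved zero bytes.


def wg_msg_type(payload):
    """Return the WireGuard message type if the payload has the right shape,
    else None. Exact lengths for the three handshake messages; transport data
    is a 16-byte header plus 16-byte-padded ciphertext plus a 16-byte tag."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype = payload[0]
    if mtype in FIXED_LEN:
        return mtype if len(payload) == FIXED_LEN[mtype] else None
    if mtype == WG_DATA and len(payload) >= DATA_MIN_LEN and len(payload) % 16 == 0:
        return mtype
    return None


def mac1(server_pubkey, msg_prefix):
    """mac1 = keyed BLAKE2s-128(key = BLAKE2s-256(LABEL_MAC1 || server_pubkey),
    message up to the mac1 field). Anyone who knows the server's public key
    can compute it, so this filters junk traffic, not a determined attacker."""
    key = hashlib.blake2s(LABEL_MAC1 + server_pubkey).digest()
    return hashlib.blake2s(msg_prefix, digest_size=16, key=key).digest()


def build_initiation(server_pubkey, sender_index, body):
    """Construct a 148-byte handshake initiation with a valid mac1. `body` is
    the 108 bytes of ephemeral||static||timestamp; constructed filler here,
    no handshake cryptography is performed."""
    if len(body) != 108:
        raise ValueError("body must be 108 bytes")
    prefix = struct.pack("<BBBBI", WG_INIT, 0, 0, 0, sender_index) + body
    return prefix + mac1(server_pubkey, prefix) + bytes(16)  # mac2 is zero without a cookie


class WgFilter:
    """Stateful edge filter in front of one WireGuard server (assumed values)."""

    def __init__(self, server_pubkey, init_per_window=5, window=1.0, session_ttl=180.0):
        self.server_pubkey = server_pubkey
        self.init_per_window = init_per_window  # hashlimit: initiations per source per window
        self.window = window
        self.session_ttl = session_ttl           # a live peer rehandshakes every 120 s, so 180 s covers it
        self.init_seen = defaultdict(deque)      # src_ip -> times of accepted initiations
        self.sessions = {}                       # (src_ip, src_port) -> last accepted packet time

    def decide(self, src_ip, src_port, payload, now=None):
        """Return 'accept' or 'drop:<reason>' for one inbound UDP datagram."""
        now = time.time() if now is None else now
        mtype = wg_msg_type(payload)
        if mtype is None:
            return "drop:not-wireguard"
        key = (src_ip, src_port)
        if mtype == WG_INIT:
            if mac1(self.server_pubkey, payload[:MAC1_OFFSET]) != payload[MAC1_OFFSET:MAC1_OFFSET + 16]:
                return "drop:bad-mac1"       # the server would reject it anyway; stop it at the edge
            recent = self.init_seen[src_ip]
            while recent and now - recent[0] > self.window:
                recent.popleft()             # slide the window
            if len(recent) >= self.init_per_window:
                return "drop:init-ratelimit"
            recent.append(now)
            self.sessions[key] = now         # this source may now send responses/cookies/data
            return "accept"
        last = self.sessions.get(key)
        if last is None or now - last > self.session_ttl:
            return "drop:no-session"         # acceptance match: nothing unless a handshake was seen
        self.sessions[key] = now
        return "accept"


if __name__ == "__main__":
    pub = bytes(range(32))                                   # constructed server public key
    flt = WgFilter(pub, init_per_window=3, window=1.0)
    init = build_initiation(pub, 7, bytes(range(108)))
    keepalive = bytes([WG_DATA, 0, 0, 0]) + bytes(28)
    for i, (src, pkt, t) in enumerate([("198.51.100.7", init, 10.0),
                                       ("198.51.100.7", keepalive, 10.5),
                                       ("203.0.113.9", keepalive, 10.5),
                                       ("198.51.100.7", init, 10.6),
                                       ("198.51.100.7", init, 10.7),
                                       ("198.51.100.7", init, 10.8)]):
        print(i, src, flt.decide(src, 51820, pkt, now=t))
```

The "reduced reliability in certain cases" SplitIce mentions shows up directly in the session table: a peer that roams to a new source IP or port, or a peer the server itself initiates to, is "no-session" until an initiation from that address has been seen, so its data is dropped until its next handshake. The mac1 check only proves the sender knows the server's public key, which every legitimate client does, so replayed or attacker-generated initiations still pass it and the per-source rate limit is what absorbs them; the shape test alone is what a plain BPF expression can express.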

  • ilikebeans Member
    edited September 2024

    @SplitIce said:

    @ilikebeans said: but can most likely be bypassed easily.

    And yes wireguard traffic (excl. additional layers) can be recognised by BPF expression (... the GFW loves this). However, honestly I'm not really feeling like your problem is a real one. If it was, that's what you would be doing with any of the providers who provide BPF expressions and stateful filtering (including us).

    AFAIK you can recognise the initiation packet for wireguard pretty easily with BPF.
    If you do want (or need) to develop a solution with a provider like us

    • You can acceptance match that (no traffic unless seen) but that introduces reduced reliability in certain cases
    • You can BPF on any expression

      • You can hashlimit on top of that

    But ultimately that greatly depends on your ability and need to develop something like that. I'm still of the opinion that a session rate limit (paired with per client QoS) is simple, effective, and unlikely to have any collateral impact on existing sessions. It's unlikely that any additional complexity would add anything more than a small delay to someone willing to already jump through those hurdles (e.g. to impersonate wireguard packets). Generally most people prefer not to over-filter for the potential reliability issues it causes (particularly in edge cases e.g. PoP switches).

    You're still better off getting it from a provider, since you are going to be limited by your port speed/packet rate from the NIC. they'd be doing filtering it before it hits your server, and that's the only way you'd survive (providing they have enough capacity, and nothing leaks through their DDoS protection)

  • ilikebeans Member
    edited September 2024

    @Dasabo said:
    Hello @ilikebeans ,
    I think our plans might work for you, the only “problem” is that our datacenter is in Germany so I don't know if it is close enough for your chosen location.
    We have the ability to configure our firewall to your liking.
    I would like to better understand what you mean by wireguard filter, do you by any chance want to host your own wireguard server and be protected in Layer 4?
    In any case you can find our plans here

    Hi, do you have custom wireguard filters and use stateful filtering?

  • @SoftShellWeb said:
    We use wanguard for our in-house scrub platform in the Netherlands.

    Network test: http://ams-test.softshellhosting.com/

    You can find our plans here

    You are stateless.

  • Dasabo 🚩 Patron Provider Tag Suspended
    edited September 2024

    @ilikebeans said:

    @Dasabo said:
    Hello @ilikebeans ,
    I think our plans might work for you, the only “problem” is that our datacenter is in Germany so I don't know if it is close enough for your chosen location.
    We have the ability to configure our firewall to your liking.
    I would like to better understand what you mean by wireguard filter, do you by any chance want to host your own wireguard server and be protected in Layer 4?
    In any case you can find our plans here

    Hi, do you have custom wireguard filters and use stateful filtering?

    Hello @ilikebeans ,
    Yes, I confirm that, we can also adopt an always-on on your IP.
