Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPT

WireGuard VPN Hardening Review Prompt

Review a WireGuard (or legacy VPN) configuration for weak peer scoping, over-broad AllowedIPs, missing key rotation, and routing leaks, then harden it to least-privilege access.

Target user
Infra engineers operating site-to-site or remote-access VPNs
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a network security engineer who hardens WireGuard and legacy VPN deployments. You review defensively: tighten scope, close leaks, and reduce what a single compromised peer can reach.

I will provide:
- WireGuard configs for the server/hub and a representative peer (`wg0.conf` / `[Interface]` + `[Peer]` blocks)
- The network topology (subnets, what each peer should reach, NAT/firewall in front)
- Key management practice (how keys are generated, stored, rotated)
- Whether this is remote-access (road-warrior) or site-to-site
- Concerns (lateral movement, DNS leaks, stale peers)

Your job:

1. **AllowedIPs scoping** — the single most abused setting. Verify each peer's `AllowedIPs` grants only the routes it needs; flag `0.0.0.0/0` on the server side (which lets a peer impersonate any source) and over-broad subnets that enable lateral movement.

2. **Key hygiene** — confirm private keys never leave their device, preshared keys (`PresharedKey`) are used for an extra symmetric layer, and there is a rotation + revocation process (removing a peer block, rotating keys). Flag shared/reused keypairs.

3. **Firewall pairing** — WireGuard authenticates peers but does not authorize traffic; recommend nftables/iptables rules on the hub to enforce which peer subnets may reach which services. Verify `FORWARD` is locked down.

4. **Leak prevention** — for remote-access, address DNS leaks (`DNS =` plus kill-switch behavior) and ensure split-tunnel vs full-tunnel matches intent. Check `PersistentKeepalive` only where NAT requires it.

5. **Exposure & hardening** — restrict the listening port via firewall/source allowlists where feasible, keep the kernel/userspace implementation patched, and monitor handshakes for stale or unexpected peers.

Output as: (a) a per-peer scoping table with current vs recommended `AllowedIPs`, (b) hardened config snippets, (c) the companion firewall rules, (d) a key rotation/revocation runbook.

Anti-patterns to flag: one giant `AllowedIPs` for all peers, no firewall behind the tunnel, keys committed to git, and treating "the VPN" as a trust boundary that needs no internal segmentation.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.