> Virtual IP Address of Tunnel Device Leaks to Network Adjacent Participant
> X41 recommends to mitigate the issue by setting the kernel parameter arp_ignore to 1 on Linux.
> It is also recommended to randomize the virtual IP address for each user on each connection if possible.
... doesn't randomizing the virtual IP address make the situation worse? Sounds like the best solution would be to just give every user the same boring static IP address, like 169.254.199.1/30.
For each session. Keys are rotated frequently, so a lot of noise could be produced. The one and only address is a good anti-fingerprinting strategy, though it is not easy to achieve for WG tunnels and pure L3 routing.
Personally, I don't really get their multi-hop, when you connect on a predefined port on an ingress server to get redirected to an egress in a different region. Easily guessable for a powerful observer.
Anyway, any VPN is only an encryption tool, not an anonymizer.
A key selling point of WireGuard is that it can roam between networks very well, without interruption to the connections within the tunnel. Rotating the IP address once you roam to another network (or just flaky wifi) ruins this.