Channel: MikroTik

Beginner Basics • Re: Got my HEX working and wanting a sanity check

Is it better to use Wireguard before SSH?

The only advantage I can see to double-encryption is that as unlikely as it is that any of the algorithms will be broken these many decades into the development of strong crypto, you get to square that for both algorithms being broken at the same time. My local SSH server does have WG's algo built into it, but it's last in priority, so it's unlikely that both ends will agree on it first, negating this advantage.

That having been said, I have the same basic setup, and I don't bother with double encryption when my destination is SSH to the internal host. I bring the WG tunnel up for everything else.

@anav suggested that they back each other up, and that's true. Between its port-forwarding and SOCKS features, SSH can function as a poor-man's VPN, and if the SSH server ever goes down, you've got the WG path to get in via another path, e.g. VNC.

I do have the server itself secured with public key authentication only.

Have you tested to find out if password auth is truly disabled?

Surprise: on macOS, setting PasswordAuthentication=no in sshd_config isn't sufficient to disable this. You also have to disable ChallengeResponseAuthentication.

Not until you get this right would I say SSH is as secure as WG.

Statistics: Posted by tangent — Sun Jan 21, 2024 5:43 am
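
One way to run the check the post asks about, as an added example that is not part of tangent's post: it reads the effective server settings in the format printed by `sshd -T` and lists every password-capable method still enabled. The function name and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the forum post). Reads effective sshd settings in
# `sshd -T` format ("keyword value" per line) on stdin and prints, sorted and
# space-separated, every password-capable setting that is still "yes".
open_password_paths() {
    awk '
        {
            key = tolower($1); val = tolower($2)
            # Plain "password" method.
            is_pw = (key == "passwordauthentication")
            # "keyboard-interactive" method; newer OpenSSH prints the keyword
            # kbdinteractiveauthentication, older releases print the other.
            is_kbd = (key ~ /^(kbdinteractive|challengeresponse)authentication$/)
            if ((is_pw || is_kbd) && val == "yes") print key
        }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: the case from the post, PasswordAuthentication is off
# but challenge-response is still on.
sample_half_disabled() {
    printf '%s\n' 'pubkeyauthentication yes' 'passwordauthentication no' \
        'challengeresponseauthentication yes' 'usepam yes'
}

# Constructed sample: both password-capable methods are off.
sample_hardened() {
    printf '%s\n' 'pubkeyauthentication yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'usepam yes'
}

# Report each sample; "none" means only non-password methods remain.
for s in sample_half_disabled sample_hardened; do
    open=$($s | open_password_paths)
    echo "$s: ${open:-none}"
done
```

On a live host, pipe the real configuration in with `sshd -T | open_password_paths` (run as root); an empty result means neither method is enabled in the global settings.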


