6. Risks
Features
| Feature | Description |
|---|---|
| Private service mesh | Services talk to each other only over the WireGuard (WG) network; no service port is meant to be reachable by any other path |
| Host-level isolation | Ingress from public and LAN interfaces to service ports is blocked at the host firewall (UFW) |
| Deterministic validation | Repeatable checks (bound addresses, firewall rule set, peer handshakes) confirm that a deployed host matches the policy |
Caveats
| Caveat | Impact |
|---|---|
| Service owners manage app-level configs | The WG-only design only holds if each owner binds their service to its WG address; the mesh cannot change a service's listen address for them |
| No service-level TLS requirement | If a service does not add TLS, the WG tunnel is its only encryption; a misbound port then serves it in cleartext outside the mesh |
Loopholes
| Loophole | Impact |
|---|---|
| Misbound service ports | A service bound to 0.0.0.0, [::] or a public/LAN address instead of its WG address is reachable from outside the mesh, regardless of the design |
| Firewall drift | Manual firewall changes made outside the standard policy override it silently; nothing fails loudly when a rule is added or removed |
Risks
| ID | Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|---|
| R1 | Public port exposure due to misbinding | Medium | High | Enforce WG-only binding in deploy reviews and verify the listening addresses on the host after deployment |
| R2 | WG peer downtime | Medium | Medium | Monitor handshake freshness per peer and alert when a handshake is missing or stale |
| R3 | Firewall misconfiguration | Medium | High | Define the UFW policy once and verify the active rule set on every deployment |
| R4 | Port inventory drift | Medium | Medium | Update the port inventory in the same change as any service port change |
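The R1 and R2 checks as an added example, not part of RFC-WG-0001: a script that parses the text output of `ss -Hltn` and `wg show <iface> latest-handshakes`, flags TCP listeners bound anywhere other than the WG address or loopback, and flags peers whose last handshake is absent or stale. The WG address `10.8.0.2`, the interface name `wg0`, the SSH allowlist and the sample command output are constructed assumptions; the staleness threshold assumes PersistentKeepalive is configured on the peers, since an idle peer without keepalive also stops handshaking.

```python
"""Runtime checks for R1 (misbound listeners) and R2 (stale WG peers).

Added example, not part of RFC-WG-0001. Both checks parse the plain-text
output of `ss -Hltn` and `wg show <iface> latest-handshakes`, so they run
on captured output (the constructed samples below) or on live output.
"""
import subprocess
import time

WG_ADDR = "10.8.0.2"        # assumed: this host's address on the WG interface
WG_IFACE = "wg0"            # assumed interface name
ALLOWED_PUBLIC = {22}       # assumed host policy: SSH may stay on the public side


def misbound_listeners(ss_output, wg_addr=WG_ADDR, allowed_public=frozenset()):
    """Return [(addr, port)] for TCP listeners not confined to wg_addr or loopback.

    `ss -Hltn` prints: State Recv-Q Send-Q Local:Port Peer:Port. Wildcard binds
    show up as 0.0.0.0, [::] or *; any of those, or a LAN/public address, means
    the service is reachable outside the mesh (R1).
    """
    flagged = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]")
        port = int(port)
        if port in allowed_public or addr in (wg_addr, "127.0.0.1", "::1"):
            continue
        flagged.append((addr, port))
    return flagged


def stale_peers(handshake_output, now, max_age_s=180):
    """Return peer public keys whose last handshake is absent or older than max_age_s.

    `wg show <iface> latest-handshakes` prints "<pubkey>\\t<unix-epoch>", 0 = never.
    WireGuard re-handshakes about every 2 minutes while packets flow, so with
    PersistentKeepalive configured on the peers (assumed here) a handshake older
    than 3 minutes means the tunnel is down, not merely idle (R2).
    """
    stale = []
    for line in handshake_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pubkey, ts = parts[0], int(parts[1])
        if ts == 0 or now - ts > max_age_s:
            stale.append(pubkey)
    return stale


# Constructed samples standing in for real command output.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 10.8.0.2:9090 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*
LISTEN 0 511 *:3000 *:*
"""
SAMPLE_HANDSHAKES = "peerA_pubkey=\t1700000100\npeerB_pubkey=\t1699999000\npeerC_pubkey=\t0\n"
SAMPLE_NOW = 1700000200


def check_live():
    """Run both checks against this host (wg needs root); returns (misbound, stale)."""
    ss_out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    hs_out = subprocess.run(["wg", "show", WG_IFACE, "latest-handshakes"],
                            capture_output=True, text=True, check=True).stdout
    return misbound_listeners(ss_out, WG_ADDR, ALLOWED_PUBLIC), stale_peers(hs_out, int(time.time()))


if __name__ == "__main__":
    print("R1 misbound:", misbound_listeners(SAMPLE_SS, WG_ADDR, ALLOWED_PUBLIC))
    print("R2 stale:", stale_peers(SAMPLE_HANDSHAKES, SAMPLE_NOW))
```

On the sample data the R1 check reports `0.0.0.0:8080` and `*:3000` (the `[::]:22` listener is covered by the allowlist) and the R2 check reports peerB (handshake 20 minutes old) and peerC (never handshaked). `check_live()` runs the same two functions against the host; wiring its non-empty results into an alert is the monitoring step the R2 mitigation calls for.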
Mitigations
| Risk ID | Mitigation |
|---|---|
| R1 | Deployment checklist requires every service to bind to its WG address (for compose, a host address on each `ports:` mapping rather than a bare port) |
| R2 | Alert when a peer's latest handshake is missing or stale, or when its transfer counters stop moving |
| R3 | Apply the standard UFW policy and verify the active rule set (`ufw status verbose`) after every deployment |
| R4 | Update the resources (port inventory) table in the same change as any compose `ports:` edit |
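A compose-side lint for R1 and R4, added here as an example and not the RFC's own tooling: it reads the short-syntax `ports:` entries of a compose file, reports any port published on an address other than the WG address, and diffs the published host ports against the port inventory. The compose snippet, the inventory dict and the WG address `10.8.0.2` are constructed; the scanner assumes IPv4 host addresses, services nested two spaces under `services:`, and the short `ports:` syntax, and it deliberately avoids a YAML dependency.

```python
"""Compose-side lint for R1 and R4. Added example, not RFC-WG-0001 tooling.

Reads the short-syntax `ports:` entries ("[host_ip:]host_port:container_port[/proto]")
of a compose file without a YAML library, then checks that every published
port is bound to the WG address (R1) and that the set of host ports matches the
port inventory (R4). Assumptions: IPv4 host addresses, services nested two
spaces under `services:`, one compose file per host.
"""
import re

ENTRY_RE = re.compile(r"""^\s*-\s*["']?([^"'\s#]+)""")


def published_ports(compose_text):
    """Yield (service, raw_entry, host_ip, host_port) for each ports: entry."""
    service, in_ports, ports_indent = None, False, 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if in_ports:
            if indent > ports_indent and stripped.startswith("-"):
                m = ENTRY_RE.match(line)
                if m:
                    raw = m.group(1)
                    yield (service, raw) + parse_entry(raw)
                continue
            in_ports = False                      # left the ports: block
        if indent == 2 and stripped.endswith(":"):
            service = stripped[:-1]               # assumed layout: services at indent 2
        elif stripped == "ports:":
            in_ports, ports_indent = True, indent


def parse_entry(raw):
    """Return (host_ip or None, host_port or None) from a short-syntax entry."""
    parts = raw.split("/")[0].split(":")
    if len(parts) == 3 and parts[1].isdigit():    # "10.8.0.2:8080:8080"
        return parts[0], int(parts[1])
    if len(parts) == 2 and parts[0].isdigit():    # "8080:8080" -> wildcard bind
        return None, int(parts[0])
    return None, None                             # "8080" alone or unparsed: Docker picks a public port


def lint_compose(compose_text, wg_addr, inventory):
    """Return findings. inventory maps host_port -> service from the resources table."""
    findings, seen = [], set()
    for service, raw, host_ip, host_port in published_ports(compose_text):
        if host_port is None:
            findings.append(f"R1 {service}: entry {raw!r} has no fixed host address/port")
            continue
        if host_ip not in (wg_addr, "127.0.0.1"):
            findings.append(f"R1 {service}: port {host_port} published on {host_ip or '0.0.0.0'}, not {wg_addr}")
        seen.add(host_port)
        if host_port not in inventory:
            findings.append(f"R4 {service}: port {host_port} missing from inventory")
    for port, service in sorted(inventory.items()):
        if port not in seen:
            findings.append(f"R4 {service}: inventory lists {port} but compose no longer publishes it")
    return findings


# Constructed compose file and inventory; not a real deployment.
SAMPLE_COMPOSE = """\
services:
  api:
    image: example/api
    ports:
      - "10.8.0.2:8080:8080"
  metrics:
    image: example/metrics
    ports:
      - "9090:9090"        # wildcard publish: reachable on every interface
  db:
    image: example/db
    ports:
      - "10.8.0.2:5433:5432"
"""
SAMPLE_INVENTORY = {8080: "api", 9090: "metrics", 6379: "cache"}

if __name__ == "__main__":
    for finding in lint_compose(SAMPLE_COMPOSE, "10.8.0.2", SAMPLE_INVENTORY):
        print(finding)
```

On the sample it reports three findings: `metrics` publishes 9090 on the wildcard address (R1), `db` publishes 5433 that the inventory does not list, and the inventory still lists 6379 for a `cache` service the compose file no longer publishes (both R4). Catching the wildcard publish at review time matters more than the R3 firewall check might suggest: on a default Docker install, published ports are handled by Docker's own iptables rules in the FORWARD path, which UFW's input policy does not cover, so a bare `9090:9090` mapping is reachable even on a host whose UFW rule set is correct.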
End of Risks — RFC-WG-0001