Forum / Wayk Now - Support

Can you whitelist the Den Server?


Hello,
We are starting to ask our customers to install Wayk unattended access.
They are asking us a lot of security questions and unfortunately there is not a lot of information about your product around a security 'whitepaper'.
I have been directed by your team to the online help.
You have mentioned that Wayk uses TLS and the WaykDen server.

What ports does the WaykDen server require?
Can we whitelist the WaykDen server?


4 mths


Hi,

Unfortunately, it is still quite difficult to whitelist all of the IP addresses and ports required to work with the current Wayk Den deployment. There are two portions to consider:

1) Connecting to the Wayk Den server itself
2) The Wayk Now peer-to-peer connection

For the Wayk Den server connection, here is a brief list of URLs required:

  • wss://den.wayk.net (Wayk Den WebSocket connection)
  • https://api.den.wayk.net (Wayk Den REST API)
  • https://wayk.link (unique id discovery)

For the Wayk Now peer-to-peer connection, there are two options:

1) The "regular" connection uses the STUN/TURN protocols to open a connection either through NAT traversal or using a relay server. This requires UDP to be allowed, and because of the way these protocols work, the UDP port changes every time, making it hard to allow in a firewall. The STUN/TURN servers making the NAT traversal or UDP relaying possible are provided by https://xirsys.com/.

2) The newer connection option is activated if you check "Prioritize relay servers for peer-to-peer connections" under the Connectivity options. In this case, you need to allow outgoing TCP traffic to jet.wayk.net:8080. However, because jet.wayk.net is a DNS load-balanced URL, you would need to allow all of the individual TCP relay servers.

The UDP-based peer-to-peer connection option is difficult to allow in a firewall, so our long-term goal is to deprecate this connection option in favour of TCP-based relays. However, we still have to add support for local network route discovery, and improve firewall traversal by making it possible to use WebSockets as a native Wayk Now transport in peer-to-peer connections.

As for security, peer-to-peer connections always use end-to-end TLS. We are not in a position to inspect peer-to-peer traffic, and there is no type of relay that could potentially let us do that. As for authentication, it is also performed between the Wayk Now client and the Wayk Now server; the Wayk Den does not authenticate on behalf of users.

Maybe the best option would be to deploy your own Wayk Den on your infrastructure. We haven't advertised it yet, but we have begun making the current Wayk Den available publicly here: https://github.com/devolutions/WaykDen-ps

We are still in the beta phase, trying to simplify deployment and configuration of the Wayk Den. We have yet to perform a first installation by an external customer. If you are interested, we will gladly walk you through it and take notes to help us improve it.

Best regards,


Marc-André Moreau


4 mths
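
The TCP relay case from the reply above, as an added example that is not part of the original post or the vendor's code: it turns the listed endpoints into per-IP egress rules and takes the union of several DNS lookups, because a single lookup of a load-balanced name can miss relay servers. Assumptions: repeated DNS lookups are used to enumerate the relays, `tcp://` is this example's own notation for `jet.wayk.net:8080`, the printed rule format is generic, and the addresses in `SAMPLE_DNS` are constructed from documentation ranges.

```python
import itertools
import socket
from urllib.parse import urlsplit

# Endpoints named in the reply; "tcp://" is this example's notation for the relay.
ENDPOINTS = ["wss://den.wayk.net", "https://api.den.wayk.net",
             "https://wayk.link", "tcp://jet.wayk.net:8080"]
DEFAULT_PORTS = {"wss": 443, "https": 443}

# Constructed DNS answers (documentation address ranges), one inner list per lookup,
# imitating a load-balanced name that rotates its answers.
SAMPLE_DNS = {
    "den.wayk.net": [["192.0.2.10"]],
    "api.den.wayk.net": [["192.0.2.11"]],
    "wayk.link": [["192.0.2.12"]],
    "jet.wayk.net": [["198.51.100.1"], ["198.51.100.2"],
                     ["198.51.100.1", "198.51.100.3"]],
}

def sample_resolver(table=SAMPLE_DNS):
    """Offline resolver that replays the constructed answers in order."""
    cycles = {host: itertools.cycle(answers) for host, answers in table.items()}
    return lambda host, port: set(next(cycles[host]))

def system_resolver(host, port):
    """Live lookup through the OS resolver (needs network access)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def parse_endpoint(url):
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def build_allowlist(endpoints, resolver, rounds=5):
    """Union several lookups per name; one lookup can miss relays behind DNS rotation."""
    rules = set()
    for host, port in map(parse_endpoint, endpoints):
        for _ in range(rounds):
            rules |= {(host, ip, port) for ip in resolver(host, port)}
    return rules

def drift(previous, current):
    """Rules to add and rules gone stale between two snapshots."""
    return sorted(current - previous), sorted(previous - current)

if __name__ == "__main__":
    # Swap in system_resolver to query real DNS instead of the constructed table.
    for host, ip, port in sorted(build_allowlist(ENDPOINTS, sample_resolver())):
        print(f"allow out tcp {ip}:{port}  # {host}")
```

Running `drift` against the previous snapshot on a schedule shows when the relay pool behind the name has changed and the firewall rules need updating.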