Package: wireguard-tools Version: 0.0.20180625-1 Severity: normal When installing wireguard-tools, the /etc/wireguard directory is created that can contain configuration files for the wg-quick service to use.
These configuration files will contain the private key of the local machine for the VPN configuration, and as such, the default mode (755) for the directory is unsuitable for production use, since it creates an opportunity for any user to be able to print out the contents of the configuration files (if they were not changed to mode 600 themselves), and potentially break the security model of the Wireguard VPN altogether. I propose changing the default mode of the /etc/wireguard directory to 600. I do this on my own machines and there is no functionality impact for the software, only that the private keys become completely inaccessible for anyone but root.

