WireGuard: simpler, faster VPN tunnel

WireGuard

OpenVPN is a very familiar name to those using a VPN on Linux. While it is old and well tested, there is no realistic way for an individual to audit its code base and confirm that it has no security loopholes. This is a major problem when you consider that newer and deadlier ways to breach security are being developed actively every day. In networking and security, simpler but more robust alternatives are always welcome. WireGuard is a secure, under-development VPN tunneling utility with a refined approach.

WireGuard is implemented as a kernel module, which is one of its major benefits: performance on a WireGuard tunnel is better than on userspace solutions.

Holistic features

  • Simplicity: a simple interface to exchange public keys and establish a connection. No connection, state or daemon management.
  • Built-in roaming: roam between IP addresses like Mosh. IP roaming is supported both at client and server ends.
  • Latest cryptography: noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.
  • Few lines of reviewable code.
  • Performance: high speed cryptography and in-kernel solution. Can work on routers or backbones.
  • Designed and developed after thorough technical research (whitepaper).

Basic working

Network interfaces are named wgN (where N is the interface number, e.g. wg0, wg1). Regular network utilities like ifconfig, ip-address, route and ip-route work with WireGuard interfaces. WireGuard-specific features are controlled by the userspace utility wg.

WireGuard encapsulates IP over UDP and uses dynamic peer lists in each client node.

WireGuard uses a concept called Cryptokey Routing where public keys are associated with a list of tunnel IP addresses allowed inside the tunnel. Each network interface has a private key and a list of peers. Each peer has a public key. Public keys are short and simple, and are used by peers to authenticate each other. They can be passed around for use in configuration files by any out-of-band method, similar to how one might send their SSH public key to a friend for access to a shell server.
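To make Cryptokey Routing concrete, here is a small Python model of the AllowedIPs table. This is an added example written for this page, not code from the WireGuard project; the peer key strings are placeholders and the addresses are constructed sample values. It implements the two lookups the article describes: an outbound packet's destination selects the peer it is encrypted for (longest-prefix match), and a decrypted inbound packet is only accepted if its source address routes back to the peer that sent it, which is what stops a peer from spoofing another peer's tunnel IP. It also shows one detail the article does not spell out: a prefix belongs to exactly one peer, so assigning it to a second peer removes it from the first.

```python
"""Toy model of WireGuard's Cryptokey Routing (AllowedIPs) table.

Added example, not WireGuard code. Keys below are placeholders and the
addresses are constructed sample values.
"""
import ipaddress


class CryptokeyRouter:
    """The single AllowedIPs table shared by all peers of one wgN interface."""

    def __init__(self):
        # ip_network -> public key of the one peer that owns that prefix
        self._routes = {}

    def add_peer(self, pubkey, allowed_ips):
        """Attach prefixes to a peer; a prefix already owned by another peer moves."""
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self._routes[net] = pubkey

    def peer_for_destination(self, dst):
        """Outbound: pick the peer whose AllowedIPs contain dst (longest prefix wins).

        Returns None when no peer claims the address; WireGuard drops such packets.
        """
        addr = ipaddress.ip_address(dst)
        matches = [(net, key) for net, key in self._routes.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def accept_inbound(self, pubkey, src):
        """Inbound: after decryption, src must route back to the very same peer."""
        return self.peer_for_destination(src) == pubkey


# Placeholder peer identities (real keys are 32-byte Curve25519 keys, base64).
SERVER = "SERVER_PUBKEY_PLACEHOLDER"
LAPTOP = "LAPTOP_PUBKEY_PLACEHOLDER"
GATEWAY = "GATEWAY_PUBKEY_PLACEHOLDER"


def build_demo_table():
    """Constructed sample topology: a LAN behind SERVER, a default route via GATEWAY."""
    table = CryptokeyRouter()
    table.add_peer(GATEWAY, ["0.0.0.0/0"])  # catch-all, least specific
    table.add_peer(SERVER, ["10.0.0.1/32", "192.168.50.0/24"])
    table.add_peer(LAPTOP, ["10.0.0.2/32"])
    return table


def demo():
    """Exercise both directions of the table on constructed addresses."""
    t = build_demo_table()
    return {
        # 192.168.50.0/24 is more specific than 0.0.0.0/0, so SERVER wins
        "lan_via_server": t.peer_for_destination("192.168.50.7"),
        # 203.0.113.0/24 is a documentation range; only the catch-all matches
        "internet_via_gateway": t.peer_for_destination("203.0.113.5"),
        # LAPTOP sending from its own tunnel IP is accepted
        "laptop_own_ip_ok": t.accept_inbound(LAPTOP, "10.0.0.2"),
        # LAPTOP claiming SERVER's tunnel IP is dropped
        "laptop_spoofing_server": t.accept_inbound(LAPTOP, "10.0.0.1"),
        # LAPTOP claiming an address that routes to GATEWAY is dropped too
        "laptop_spoofing_other": t.accept_inbound(LAPTOP, "172.16.0.9"),
    }


def reassign_demo():
    """Moving a prefix to another peer silently removes it from the old one."""
    t = build_demo_table()
    before = t.accept_inbound(LAPTOP, "10.0.0.2")
    t.add_peer(SERVER, ["10.0.0.2/32"])  # same prefix, new owner
    after = t.accept_inbound(LAPTOP, "10.0.0.2")
    return before, after


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("reassign (before, after):", reassign_demo())
```

The inbound check is the security-relevant half: because the decrypted packet's source address is looked up in the same table, a peer can only ever inject traffic from addresses an administrator explicitly granted it, and reassigning a prefix (as `reassign_demo` shows) takes effect immediately for both directions.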

Installation

WireGuard has to be compiled from source at the time of writing.

Dependencies

  • libmnl (for wg utility)
  • Linux kernel ≥ 4.1, with CONFIG_NET_UDP_TUNNEL, CONFIG_IPV6, and CONFIG_NETFILTER_XT_MATCH_HASHLIMIT

To compile on Ubuntu, run:

$ sudo apt-get install libmnl-dev linux-headers-$(uname -r) build-essential
$ git clone https://git.zx2c4.com/WireGuard
$ cd WireGuard/src
$ make
$ sudo make install

Usage

As the solution is under development, the instructions are subject to frequent changes. Head over to the quickstart section of the WireGuard website for the latest guidelines. They also have a demo server against which you can test your setup.

Webpage: WireGuard
