author: Paul Duncan <pabs@pablotron.org> 2021-11-06 04:36:32 -0400
committer: Paul Duncan <pabs@pablotron.org> 2021-11-06 04:36:32 -0400
commit: a35c6864ad64d0f2948c70b2a0ce69f43aa27dd0 (patch)
tree: 3d8c32f7c47678e56f32bf6a34d81186b7305627 /content/posts
parent: e71c8c7be84ddd5175817d2e48eed24e18ff26b9 (diff)
add posts/2021-11-06-wireguard-is-awesome.md
Diffstat (limited to 'content/posts')
-rw-r--r-- content/posts/2021-11-06-wireguard-is-awesome.md | 125
1 file changed, 125 insertions, 0 deletions
diff --git a/content/posts/2021-11-06-wireguard-is-awesome.md b/content/posts/2021-11-06-wireguard-is-awesome.md
new file mode 100644
index 0000000..51096a4
--- /dev/null
+++ b/content/posts/2021-11-06-wireguard-is-awesome.md
@@ -0,0 +1,125 @@
+---
+slug: wireguard-is-awesome
+title: "Wireguard is Awesome"
+date: "2021-11-06T01:29:02-04:00"
+---
+I've been using [WireGuard][] since late 2019. Several months ago I
+installed the [Android client][] on my phone and tablet, and the
+[Windows client][] in a [Windows 10][] [VM][].
+
+A few months ago I was able to disable external [SSH][] on my home
+network and public servers, and a few weeks ago I disabled external
+[IMAPS][] access too.
+
+What's so great about [WireGuard][]?
+
+* Extremely fast.
+* Scan-resistant and [DoS][]-resistant. Exposes a single [UDP][] port
+ which does not reply to unauthenticated messages.
+* [Noise][]-based protocol provides [perfect forward secrecy][pfs] and
+ immunity to downgrade attacks.
+* Appears as a regular networx interface which can be managed with
+ standard [Linux][] networking tools (`ip`, `nft`, etc).
+* Clients for all major operating systems ([Android][], [Linux][],
+ [Windows][windows 10], etc). Packages for [Debian][] and derivatives
+ ([Ubuntu][], [Raspberry Pi OS][]).
+* Static list of safe, modern crypto algorithms:
+ [ChaCha20][]-[Poly1305][] ([AEAD][]), [Curve25519][] ([ECDHE][]),
+ [Blake2][] ([cryptographic hash][]), etc. No ciphersuites,
+ symmetric cipher modes, or padding algorithms to misconfigure.
+* Did I mention that it's fast?
+* Peers are identified by short, [Base64][]-encoded [elliptic curve
+ public keys][ecc].
+* Easy to configure (see below).
+
+Here's a complete [WireGuard][] client configuration file from my laptop
+with the keys, hosts, and subnets changed:
+
+```ini
+[Interface]
+PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
+Address = 192.168.43.1/32
+
+[Peer]
+PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
+PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
+EndPoint = vpn.example.com:53141
+AllowedIPs = 192.168.42.0/24
+```
+&nbsp;
+
+That's it.
+
+If you've ever struggled with the mountain of configuration needed for
+[IPsec][] or a [TLS][] [VPN][vpn] like [OpenVPN][], then the example
+above should be a breathe of fresh air.
+
+By the way, if you're trying to route traffic from a client on a common
+reserved subnet (ex: `192.168.1.0/24`) to network behind a [VPN][] with
+the same subnet, take a look at the [DNATs and Maps section of my
+NFtables Examples article][dnats-and-maps].
+
+[wireguard]: https://wireguard.com/
+ "WireGuard VPN"
+[android client]: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_US&gl=US
+ "WireGuard client for Android."
+[android]: https://android.com/
+ "Android operating system."
+[windows client]: https://www.wireguard.com/install/#windows-7-81-10-11-2008r2-2012r2-2016-2019-2022
+ "WireGuard client for Windows."
+[windows 10]: https://en.wikipedia.org/wiki/Windows_10
+ "Windows 10 operationg system."
+[vm]: https://en.wikipedia.org/wiki/Virtual_machine
+ "Virtual Machine"
+[noise]: https://noiseprotocol.org/
+ "Noise protocol framework."
+[chacha20]: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant
+ "ChaCha20 symmetric cipher."
+[poly1305]: https://en.wikipedia.org/wiki/Poly1305
+ "Cryptographic MAC algorithm."
+[aead]: https://en.wikipedia.org/wiki/Authenticated_encryption#Authenticated_encryption_with_associated_data_(AEAD)
+ "Authentication encryption with associated data."
+[curve25519]: https://en.wikipedia.org/wiki/Curve25519
+ "Fast elliptic curve algorithm designed for Diffie-Hellman key exchange."
+[ecdhe]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman
+ "Ephemeral Ellyptic Curve Diffie-Hellman Key Exchange."
+[blake2]: https://www.blake2.net/
+ "Blake2 cryptographic hash algorithm."
+[cryptographic hash]: https://en.wikipedia.org/wiki/Cryptographic_hash_function
+ "Cryptographic hash function."
+[linux]: https://en.wikipedia.org/wiki/Linux
+ "Linux operating system."
+[udp]: https://en.wikipedia.org/wiki/User_Datagram_Protocol
+ "Unreliable Datagram Protocol"
+[ipsec]: https://en.wikipedia.org/wiki/IPsec
+ "Internet Protocol security."
+[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security
+ "Transport Layer Security"
+[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network
+ "Virtual Private Network"
+[openvpn]: https://en.wikipedia.org/wiki/OpenVPN
+ "OpenVPN"
+[ecc]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography
+ "Elliptic-curve cryptography."
+[base64]: https://en.wikipedia.org/wiki/Base64
+ "Base64 encoding scheme."
+[nft]: https://en.wikipedia.org/wiki/Nftables
+ "nft command-line tool and nftables Linux firewall subsystem"
+[nftables examples]: {{< ref "/articles/nftables-examples.md" >}}
+ "Nftables Examples"
+[dnats-and-maps]: {{< ref "/articles/nftables-examples.md" >}}#bonus-dnats-and-maps
+ "NFtables Examples: DNATs and Maps"
+[debian]: https://debian.org/
+ "Debian Linux distribution."
+[ubuntu]: https://ubuntu.com/
+ "Ubuntu Linux distribution."
+[raspberry pi os]: https://en.wikipedia.org/wiki/Raspberry_Pi_OS
+ "Raspberry Pi OS"
+[ssh]: https://en.wikipedia.org/wiki/Secure_Shell
+ "Secure Shell"
+[imaps]: https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
+ "Secure Internet Message Access Protocol"
+[pfs]: https://en.wikipedia.org/wiki/Forward_secrecy
+ "Perfect forward secrecy."
+[dos]: https://en.wikipedia.org/wiki/Denial-of-service_attack
+ "Denial-of-service attack."
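Review bot: In the `[Peer]` block of the example config, `EndPoint = vpn.example.com:53141` uses a non-standard spelling; wg(8) and wg-quick(8) document the key as `Endpoint`, so prefer that spelling so readers who copy the block don't depend on case-insensitive parsing in whichever client they use. Since the `PrivateKey` and `PresharedKey` values look like real keys, consider unmistakable placeholders (e.g. `<client-private-key>`) so nobody pastes them into a live peer, and mention that `PresharedKey` is optional, since the "That's it." framing otherwise suggests every line is required. Prose and link-title typos to fix in the same hunk: "regular networx interface" should be "regular network interface", "a breathe of fresh air" should be "a breath of fresh air", "Windows 10 operationg system" should be "operating", "Ephemeral Ellyptic Curve" should be "Elliptic", and the `[udp]` title "Unreliable Datagram Protocol" should read "User Datagram Protocol". Minor: the `[nftables examples]` and `[nft]` link definitions are never referenced in the body and can be dropped or wired in (e.g. link `nft` in the bullet about standard Linux networking tools).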