add posts/2021-11-06-wireguard-is-awesome.md

1 files changed, 125 insertions, 0 deletions

diff --git a/content/posts/2021-11-06-wireguard-is-awesome.md b/content/posts/2021-11-06-wireguard-is-awesome.md
new file mode 100644
index 0000000..51096a4
--- /dev/null
+++ b/content/posts/2021-11-06-wireguard-is-awesome.md
@@ -0,0 +1,125 @@
+---
+slug: wireguard-is-awesome
+title: "Wireguard is Awesome"
+date: "2021-11-06T01:29:02-04:00"
+---
+I've been using [WireGuard][] since late 2019.  Several months ago I
+installed the [Android client][] on my phone and tablet, and the
+[Windows client][] in a [Windows 10][] [VM][].
+
+A few months ago I was able to disable external [SSH][] on my home
+network and public servers, and a few weeks ago I disabled external
+[IMAPS][] access too.
+
+What's so great about [WireGuard][]?
+
+* Extremely fast.
+* Scan-resistant and [DoS][]-resistant.  Exposes a single [UDP][] port
+  which does not reply to unauthenticated messages.
+* [Noise][]-based protocol provides [perfect forward secrecy][pfs] and 
+  immunity to downgrade attacks.
+* Appears as a regular networx interface which can be managed with
+  standard [Linux][] networking tools (`ip`, `nft`, etc).
+* Clients for all major operating systems ([Android][], [Linux][],
+  [Windows][windows 10], etc).  Packages for [Debian][] and derivatives
+  ([Ubuntu][], [Raspberry Pi OS][]).
+* Static list of safe, modern crypto algorithms:
+  [ChaCha20][]-[Poly1305][] ([AEAD][]), [Curve25519][] ([ECDHE][]),
+  [Blake2][] ([cryptographic hash][]), etc.  No ciphersuites,
+  symmetric cipher modes, or padding algorithms to misconfigure.
+* Did I mention that it's fast?
+* Peers are identified by short, [Base64][]-encoded [elliptic curve
+  public keys][ecc].
+* Easy to configure (see below).
+
+Here's a complete [WireGuard][] client configuration file from my laptop
+with the keys, hosts, and subnets changed:
+
+```ini
+[Interface]
+PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
+Address = 192.168.43.1/32
+
+[Peer]
+PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
+PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
+EndPoint = vpn.example.com:53141
+AllowedIPs = 192.168.42.0/24
+```
+ 
+
+That's it.
+
+If you've ever struggled with the mountain of configuration needed for
+[IPsec][] or a [TLS][] [VPN][vpn] like [OpenVPN][], then the example
+above should be a breathe of fresh air.
+
+By the way, if you're trying to route traffic from a client on a common
+reserved subnet (ex: `192.168.1.0/24`) to network behind a [VPN][] with
+the same subnet, take a look at the [DNATs and Maps section of my
+NFtables Examples article][dnats-and-maps].
+
+[wireguard]: https://wireguard.com/
+  "WireGuard VPN"
+[android client]: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_US&gl=US
+  "WireGuard client for Android."
+[android]: https://android.com/
+  "Android operating system."
+[windows client]: https://www.wireguard.com/install/#windows-7-81-10-11-2008r2-2012r2-2016-2019-2022
+  "WireGuard client for Windows."
+[windows 10]: https://en.wikipedia.org/wiki/Windows_10
+  "Windows 10 operationg system."
+[vm]: https://en.wikipedia.org/wiki/Virtual_machine
+  "Virtual Machine"
+[noise]: https://noiseprotocol.org/
+  "Noise protocol framework."
+[chacha20]: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant
+  "ChaCha20 symmetric cipher."
+[poly1305]: https://en.wikipedia.org/wiki/Poly1305
+  "Cryptographic MAC algorithm."
+[aead]: https://en.wikipedia.org/wiki/Authenticated_encryption#Authenticated_encryption_with_associated_data_(AEAD)
+  "Authentication encryption with associated data."
+[curve25519]: https://en.wikipedia.org/wiki/Curve25519
+  "Fast elliptic curve algorithm designed for Diffie-Hellman key exchange."
+[ecdhe]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman
+  "Ephemeral Ellyptic Curve Diffie-Hellman Key Exchange."
+[blake2]: https://www.blake2.net/
+  "Blake2 cryptographic hash algorithm."
+[cryptographic hash]: https://en.wikipedia.org/wiki/Cryptographic_hash_function
+  "Cryptographic hash function."
+[linux]: https://en.wikipedia.org/wiki/Linux
+  "Linux operating system."
+[udp]: https://en.wikipedia.org/wiki/User_Datagram_Protocol
+  "Unreliable Datagram Protocol"
+[ipsec]: https://en.wikipedia.org/wiki/IPsec
+  "Internet Protocol security."
+[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security
+  "Transport Layer Security"
+[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network
+  "Virtual Private Network"
+[openvpn]: https://en.wikipedia.org/wiki/OpenVPN
+  "OpenVPN"
+[ecc]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography
+  "Elliptic-curve cryptography."
+[base64]: https://en.wikipedia.org/wiki/Base64
+  "Base64 encoding scheme."
+[nft]: https://en.wikipedia.org/wiki/Nftables
+  "nft command-line tool and nftables Linux firewall subsystem"
+[nftables examples]: {{< ref "/articles/nftables-examples.md" >}}
+  "Nftables Examples"
+[dnats-and-maps]: {{< ref "/articles/nftables-examples.md" >}}#bonus-dnats-and-maps
+  "NFtables Examples: DNATs and Maps"
+[debian]: https://debian.org/
+  "Debian Linux distribution."
+[ubuntu]: https://ubuntu.com/
+  "Ubuntu Linux distribution."
+[raspberry pi os]: https://en.wikipedia.org/wiki/Raspberry_Pi_OS
+  "Raspberry Pi OS"
+[ssh]: https://en.wikipedia.org/wiki/Secure_Shell
+  "Secure Shell"
+[imaps]: https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
+  "Secure Internet Message Access Protocol"
+[pfs]: https://en.wikipedia.org/wiki/Forward_secrecy
+  "Perfect forward secrecy."
+[dos]: https://en.wikipedia.org/wiki/Denial-of-service_attack
+  "Denial-of-service attack."