-rw-r--r--  TODO.md                                          |   2
-rw-r--r--  content/posts/2021-11-06-wireguard-is-awesome.md | 125
2 files changed, 126 insertions, 1 deletions
@@ -25,7 +25,6 @@ this stuff may not make any sense. * pi notes * k3 notes * compiler surprises: https://godbolt.org/z/ZQbZ2R -* wireguard notes * model 3 (3 months, notes, cost per mile comparison) * temperature sensors (see SA post, add bit about "meat"): https://forums.somethingawful.com/showthread.php?threadid=3468084&userid=0&perpage=40&pagenumber=176#post494884256 * weather charts @@ -80,3 +79,4 @@ this stuff may not make any sense. * removed `script-src unsafe-inline`, A+ score on securityheaders * fix RSS to show full feed * feedbloater +* wireguard notes diff --git a/content/posts/2021-11-06-wireguard-is-awesome.md b/content/posts/2021-11-06-wireguard-is-awesome.md new file mode 100644 index 0000000..51096a4 --- /dev/null +++ b/content/posts/2021-11-06-wireguard-is-awesome.md 
@@ -0,0 +1,125 @@ +--- +slug: wireguard-is-awesome +title: "Wireguard is Awesome" +date: "2021-11-06T01:29:02-04:00" +--- +I've been using [WireGuard][] since late 2019. Several months ago I +installed the [Android client][] on my phone and tablet, and the +[Windows client][] in a [Windows 10][] [VM][]. + +A few months ago I was able to disable external [SSH][] on my home +network and public servers, and a few weeks ago I disabled external +[IMAPS][] access too. + +What's so great about [WireGuard][]? + +* Extremely fast. +* Scan-resistant and [DoS][]-resistant. Exposes a single [UDP][] port + which does not reply to unauthenticated messages. +* [Noise][]-based protocol provides [perfect forward secrecy][pfs] and + immunity to downgrade attacks. +* Appears as a regular networx interface which can be managed with + standard [Linux][] networking tools (`ip`, `nft`, etc). +* Clients for all major operating systems ([Android][], [Linux][], + [Windows][windows 10], etc). Packages for [Debian][] and derivatives + ([Ubuntu][], [Raspberry Pi OS][]). +* Static list of safe, modern crypto algorithms: + [ChaCha20][]-[Poly1305][] ([AEAD][]), [Curve25519][] ([ECDHE][]), + [Blake2][] ([cryptographic hash][]), etc. No ciphersuites, + symmetric cipher modes, or padding algorithms to misconfigure. +* Did I mention that it's fast? +* Peers are identified by short, [Base64][]-encoded [elliptic curve + public keys][ecc]. +* Easy to configure (see below). + +Here's a complete [WireGuard][] client configuration file from my laptop +with the keys, hosts, and subnets changed: + +```ini +[Interface] +PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0= +Address = 192.168.43.1/32 + +[Peer] +PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE= +PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8= +EndPoint = vpn.example.com:53141 +AllowedIPs = 192.168.42.0/24 +``` + + +That's it. 
+ +If you've ever struggled with the mountain of configuration needed for +[IPsec][] or a [TLS][] [VPN][vpn] like [OpenVPN][], then the example +above should be a breathe of fresh air. + +By the way, if you're trying to route traffic from a client on a common +reserved subnet (ex: `192.168.1.0/24`) to network behind a [VPN][] with +the same subnet, take a look at the [DNATs and Maps section of my +NFtables Examples article][dnats-and-maps]. + +[wireguard]: https://wireguard.com/ + "WireGuard VPN" +[android client]: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_US&gl=US + "WireGuard client for Android." +[android]: https://android.com/ + "Android operating system." +[windows client]: https://www.wireguard.com/install/#windows-7-81-10-11-2008r2-2012r2-2016-2019-2022 + "WireGuard client for Windows." +[windows 10]: https://en.wikipedia.org/wiki/Windows_10 + "Windows 10 operationg system." +[vm]: https://en.wikipedia.org/wiki/Virtual_machine + "Virtual Machine" +[noise]: https://noiseprotocol.org/ + "Noise protocol framework." +[chacha20]: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant + "ChaCha20 symmetric cipher." +[poly1305]: https://en.wikipedia.org/wiki/Poly1305 + "Cryptographic MAC algorithm." +[aead]: https://en.wikipedia.org/wiki/Authenticated_encryption#Authenticated_encryption_with_associated_data_(AEAD) + "Authentication encryption with associated data." +[curve25519]: https://en.wikipedia.org/wiki/Curve25519 + "Fast elliptic curve algorithm designed for Diffie-Hellman key exchange." +[ecdhe]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman + "Ephemeral Ellyptic Curve Diffie-Hellman Key Exchange." +[blake2]: https://www.blake2.net/ + "Blake2 cryptographic hash algorithm." +[cryptographic hash]: https://en.wikipedia.org/wiki/Cryptographic_hash_function + "Cryptographic hash function." +[linux]: https://en.wikipedia.org/wiki/Linux + "Linux operating system." 
+[udp]: https://en.wikipedia.org/wiki/User_Datagram_Protocol + "Unreliable Datagram Protocol" +[ipsec]: https://en.wikipedia.org/wiki/IPsec + "Internet Protocol security." +[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security + "Transport Layer Security" +[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network + "Virtual Private Network" +[openvpn]: https://en.wikipedia.org/wiki/OpenVPN + "OpenVPN" +[ecc]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography + "Elliptic-curve cryptography." +[base64]: https://en.wikipedia.org/wiki/Base64 + "Base64 encoding scheme." +[nft]: https://en.wikipedia.org/wiki/Nftables + "nft command-line tool and nftables Linux firewall subsystem" +[nftables examples]: {{< ref "/articles/nftables-examples.md" >}} + "Nftables Examples" +[dnats-and-maps]: {{< ref "/articles/nftables-examples.md" >}}#bonus-dnats-and-maps + "NFtables Examples: DNATs and Maps" +[debian]: https://debian.org/ + "Debian Linux distribution." +[ubuntu]: https://ubuntu.com/ + "Ubuntu Linux distribution." +[raspberry pi os]: https://en.wikipedia.org/wiki/Raspberry_Pi_OS + "Raspberry Pi OS" +[ssh]: https://en.wikipedia.org/wiki/Secure_Shell + "Secure Shell" +[imaps]: https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol + "Secure Internet Message Access Protocol" +[pfs]: https://en.wikipedia.org/wiki/Forward_secrecy + "Perfect forward secrecy." +[dos]: https://en.wikipedia.org/wiki/Denial-of-service_attack + "Denial-of-service attack." |
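Review bot: in the `[Peer]` section of the sample configuration the endpoint key is spelled `EndPoint`; the key documented in wg(8) and wg-quick(8) is `Endpoint`, so write `Endpoint = vpn.example.com:53141` so that readers who copy the block get the canonical form regardless of how strictly a particular client's config parser matches key names. Since the prose states the keys were changed, consider replacing the `PrivateKey` and `PresharedKey` values with obviously fake placeholders instead of well-formed Base64 strings, which makes it unambiguous that no real key material ships in the post. Smaller points in the same hunk: `networx interface` should be `network interface`, `breathe of fresh air` should be `breath of fresh air`, and `to network behind a [VPN][]` needs an article. In the link definitions, the `[udp]` title reads `Unreliable Datagram Protocol` while the URL (and the protocol's name) is User Datagram Protocol, `operationg` and `Ellyptic` are misspelt, and the `[aead]` title should read `Authenticated encryption with associated data`. The `[nft]` and `[nftables examples]` definitions are not referenced from the body (only `[dnats-and-maps]` is) and can be dropped.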