---
slug: wireguard-is-awesome
title: "Wireguard is Awesome"
date: "2021-11-06T01:29:02-04:00"
---

I've been using [WireGuard][] since late 2019. Several months ago I installed the [Android client][] on my phone and tablet, and the [Windows client][] in a [Windows 10][] [VM][]. A few months ago I was able to disable external [SSH][] access to my home network and public servers, and a few weeks ago I disabled external [IMAPS][] access too.

What's so great about [WireGuard][]?

* Extremely fast.
* Scan-resistant and [DoS][]-resistant. Exposes a single [UDP][] port which does not reply to unauthenticated messages.
* [Noise][]-based protocol provides [perfect forward secrecy][pfs] and immunity to downgrade attacks.
* Appears as a regular network interface which can be managed with standard [Linux][] networking tools (`ip`, [`nft`][nft], etc).
* Clients for all major operating systems ([Android][], [Linux][], [Windows][windows 10], etc). Packages for [Debian][] and derivatives ([Ubuntu][], [Raspberry Pi OS][]).
* Static list of safe, modern crypto algorithms: [ChaCha20][]-[Poly1305][] ([AEAD][]), [Curve25519][] ([ECDHE][]), [Blake2][] ([cryptographic hash][]), etc. No ciphersuites, symmetric cipher modes, or padding algorithms to misconfigure.
* Did I mention that it's fast?
* Peers are identified by short, [Base64][]-encoded [elliptic curve public keys][ecc].
* Easy to configure (see below).

Here's a complete [WireGuard][] client configuration file from my laptop with the keys, hosts, and subnets changed:

```ini
[Interface]
# This laptop's private key and its address inside the tunnel.
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
Address = 192.168.43.1/32

[Peer]
# The server: its public key, an optional extra symmetric key, where to
# reach it, and the only subnet that is routed through the tunnel.
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
Endpoint = vpn.example.com:53141
AllowedIPs = 192.168.42.0/24
```

That's it.
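As an added example (not code from the original post), here is a small stdlib-only Python checker for the config format above: it parses `[Interface]`/`[Peer]` sections, verifies that every key is a 32-byte Base64 value, and flags AllowedIPs ranges that overlap between peers, since WireGuard's cryptokey routing maps each destination IP to a single peer and overlaps between peers are almost always a mistake. The sample input is the config above plus a second, deliberately broken peer that I constructed.

```python
import base64
import ipaddress
# Constructed sample: the post's config (keys/hosts already changed) plus a broken second peer.
SAMPLE = """\
[Interface]
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
Address = 192.168.43.1/32
[Peer]
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
AllowedIPs = 192.168.42.0/24
[Peer]
PublicKey = not-a-real-key
AllowedIPs = 192.168.42.10/32, 10.0.0.0/8
"""
def parse(text):  # -> [(section name, {key: [values]}), ...] in file order
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("["):
            sections.append((line.strip("[]").lower(), {}))
        elif "=" in line:  # comma-separated values (AllowedIPs) become list items
            key, _, val = line.partition("=")
            sections[-1][1].setdefault(key.strip().lower(), []).extend(
                v.strip() for v in val.split(","))
    return sections
def is_key(s):  # WireGuard keys are 32 bytes, Base64-encoded (44 characters)
    try:
        return len(base64.b64decode(s, validate=True)) == 32
    except ValueError:  # non-Base64 characters or bad padding
        return False

def validate(text):
    """Return a list of problems; an empty list means the config looks sane."""
    sections = parse(text)
    iface = dict(sections).get("interface", {})
    problems = [] if is_key(iface.get("privatekey", [""])[-1]) else ["interface: bad PrivateKey"]
    seen = []  # (peer number, network): cryptokey routing maps each IP to one peer
    for n, peer in enumerate([s for name, s in sections if name == "peer"], 1):
        if not is_key(peer.get("publickey", [""])[-1]):
            problems.append(f"peer {n}: bad PublicKey")
        for cidr in peer.get("allowedips", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"peer {n}: bad AllowedIPs {cidr}")
                continue
            problems += [f"peer {n}: {net} overlaps peer {m}'s {other}" for m, other in seen
                         if m != n and net.version == other.version and net.overlaps(other)]
            seen.append((n, net))
    return problems
```

Running `validate(SAMPLE)` reports the bogus PublicKey and the overlap between the two peers' AllowedIPs; the post's own single-peer config comes back clean.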
If you've ever struggled with the mountain of configuration needed for [IPsec][] or a [TLS][] [VPN][vpn] like [OpenVPN][], then the example above should be a breath of fresh air.

By the way, if you're trying to route traffic from a client on a common reserved subnet (e.g. `192.168.1.0/24`) to a network behind a [VPN][] with the same subnet, take a look at the [DNATs and Maps section of my NFtables Examples article][dnats-and-maps].

[wireguard]: https://wireguard.com/ "WireGuard VPN"
[android client]: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_US&gl=US "WireGuard client for Android."
[android]: https://android.com/ "Android operating system."
[windows client]: https://www.wireguard.com/install/#windows-7-81-10-11-2008r2-2012r2-2016-2019-2022 "WireGuard client for Windows."
[windows 10]: https://en.wikipedia.org/wiki/Windows_10 "Windows 10 operating system."
[vm]: https://en.wikipedia.org/wiki/Virtual_machine "Virtual Machine"
[noise]: https://noiseprotocol.org/ "Noise protocol framework."
[chacha20]: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant "ChaCha20 symmetric cipher."
[poly1305]: https://en.wikipedia.org/wiki/Poly1305 "Cryptographic MAC algorithm."
[aead]: https://en.wikipedia.org/wiki/Authenticated_encryption#Authenticated_encryption_with_associated_data_(AEAD) "Authenticated encryption with associated data."
[curve25519]: https://en.wikipedia.org/wiki/Curve25519 "Fast elliptic curve algorithm designed for Diffie-Hellman key exchange."
[ecdhe]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman "Ephemeral Elliptic Curve Diffie-Hellman Key Exchange."
[blake2]: https://www.blake2.net/ "Blake2 cryptographic hash algorithm."
[cryptographic hash]: https://en.wikipedia.org/wiki/Cryptographic_hash_function "Cryptographic hash function."
[linux]: https://en.wikipedia.org/wiki/Linux "Linux operating system."
[udp]: https://en.wikipedia.org/wiki/User_Datagram_Protocol "User Datagram Protocol"
[ipsec]: https://en.wikipedia.org/wiki/IPsec "Internet Protocol security."
[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security "Transport Layer Security"
[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network "Virtual Private Network"
[openvpn]: https://en.wikipedia.org/wiki/OpenVPN "OpenVPN"
[ecc]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography "Elliptic-curve cryptography."
[base64]: https://en.wikipedia.org/wiki/Base64 "Base64 encoding scheme."
[nft]: https://en.wikipedia.org/wiki/Nftables "nft command-line tool and nftables Linux firewall subsystem"
[nftables examples]: {{< ref "/articles/nftables-examples.md" >}} "Nftables Examples"
[dnats-and-maps]: {{< ref "/articles/nftables-examples.md" >}}#bonus-dnats-and-maps "NFtables Examples: DNATs and Maps"
[debian]: https://debian.org/ "Debian Linux distribution."
[ubuntu]: https://ubuntu.com/ "Ubuntu Linux distribution."
[raspberry pi os]: https://en.wikipedia.org/wiki/Raspberry_Pi_OS "Raspberry Pi OS"
[ssh]: https://en.wikipedia.org/wiki/Secure_Shell "Secure Shell"
[imaps]: https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol "Secure Internet Message Access Protocol"
[pfs]: https://en.wikipedia.org/wiki/Forward_secrecy "Perfect forward secrecy."
[dos]: https://en.wikipedia.org/wiki/Denial-of-service_attack "Denial-of-service attack."