---
slug: wireguard-is-awesome
title: "Wireguard is Awesome"
date: "2021-11-06T01:29:02-04:00"
---
I've been using [WireGuard][] since late 2019. Several months ago I
installed the [Android client][] on my phone and tablet, and the
[Windows client][] in a [Windows 10][] [VM][].
A few months ago I was able to disable external [SSH][] access to my
home network and public servers, and a few weeks ago disabled external
[IMAPS][] access too.
What's so great about [WireGuard][]?
* Extremely fast.
* Scan-resistant and [DoS][]-resistant. Exposes a single [UDP][] port
which stays silent unless a packet authenticates, so a port scan sees
nothing listening and an unauthenticated sender has nothing to talk to.
* [Noise][]-based handshake provides [perfect forward secrecy][pfs] and,
since nothing is negotiated, leaves no cipher or version to downgrade.
* Appears as a regular network interface which can be managed with
standard [Linux][] networking tools (`ip`, `nft`, etc).
* Clients for all major operating systems ([Android][], [Linux][],
[Windows][windows 10], etc). Packages for [Debian][] and derivatives
([Ubuntu][], [Raspberry Pi OS][]).
* Fixed set of safe, modern crypto algorithms:
[ChaCha20][]-[Poly1305][] ([AEAD][]), [Curve25519][] ([ECDHE][]),
[BLAKE2s][blake2] ([cryptographic hash][]), etc. No ciphersuites,
symmetric cipher modes, or padding schemes to misconfigure; if one of
them is ever broken, the fix is a new protocol version, not a config change.
* Did I mention that it's fast?
* Peers are identified by short [Base64][]-encoded [elliptic curve
public keys][ecc]: 32 bytes of [Curve25519][], 44 characters in a config file.
* Easy to configure (see below).
Here's a complete [WireGuard][] client configuration file from my laptop
with the keys, hosts, and subnets changed:
```ini
[Interface]
# This peer's static private key (output of `wg genkey`); never leaves the laptop.
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
# Tunnel address of the laptop itself.
Address = 192.168.43.1/32

[Peer]
# The server's static public key (`wg pubkey` of its private key).
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
# Optional symmetric key (`wg genpsk`) mixed into the handshake; the same
# value must be configured on both ends.
PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
# Where to send the handshake: the server's single UDP port.
Endpoint = vpn.example.com:53141
# Cryptokey routing: destinations sent through this peer, and the only
# source addresses accepted from it.
AllowedIPs = 192.168.42.0/24
```
That's it.
If you've ever struggled with the mountain of configuration needed for
[IPsec][] or a [TLS][] [VPN][vpn] like [OpenVPN][], then the example
above should be a breath of fresh air.
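Two of the points above, that a peer is nothing more than a 32-byte Curve25519 key and that `AllowedIPs` is the cryptokey routing table, are easiest to see by computing them. The following is an added example, not code from the WireGuard project or from this article: a pure-Python X25519 per RFC 7748 that reproduces what `wg genkey` and `wg pubkey` do, the static Diffie-Hellman between two peers, and a derivation of the `[Peer]` entry the server needs for a client config shaped like the one above. The client config embedded in it is constructed for the example using RFC 7748 test-vector keys; `vpn.example.com` and the subnets are the article's placeholders, and the parser's case-insensitive key matching is a choice made here so the `EndPoint` spelling above is accepted alongside the documented `Endpoint`.

```python
"""WireGuard keys and the matching server-side [Peer] entry, in pure Python. Added
example, not WireGuard project code; X25519 follows RFC 7748 but swaps with branches
instead of constant-time masks, so it is for illustration only."""
import base64
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, Montgomery ladder constant
BASE_U = 9        # u-coordinate of the generator

def _clamp(k: bytes) -> int:
    """Clamp a 32-byte scalar the way `wg genkey` and X25519 do."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def _x25519(scalar: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5."""
    x1 = u & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def decode_key(b64: str) -> bytes:
    """A WireGuard key is exactly 32 bytes: 44 Base64 characters ending in '='."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes, got %d" % len(raw))
    return raw

def encode_key(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def generate_private_key() -> str:
    """What `wg genkey` produces: 32 random bytes, clamped, Base64-encoded."""
    return encode_key(_clamp(os.urandom(32)).to_bytes(32, "little"))

def public_key(private_b64: str) -> str:
    """What `wg pubkey` computes: X25519(private, 9), Base64-encoded."""
    k = _clamp(decode_key(private_b64))
    return encode_key(_x25519(k, BASE_U).to_bytes(32, "little"))

def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """Static-static DH; the Noise IK handshake mixes this into its key schedule."""
    u = int.from_bytes(decode_key(peer_public_b64), "little")
    return _x25519(_clamp(decode_key(private_b64)), u).to_bytes(32, "little")

def parse_config(text: str) -> list:
    """INI-like wg format -> [(section, {key: value})]; keys lowercased (assumption here)."""
    sections = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif line:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def server_peer_section(client_config: str) -> dict:
    """[Peer] entry the server needs for a single-peer client config: the client's public
    key, the same PresharedKey, and its Address as AllowedIPs. AllowedIPs is the cryptokey
    routing table: the route to the peer and the only source addresses accepted from it."""
    sections = dict(parse_config(client_config))
    iface, peer = sections["interface"], sections["peer"]
    addr = iface["address"]
    entry = {"PublicKey": public_key(iface["privatekey"]),
             "AllowedIPs": addr if "/" in addr else addr + "/32"}
    if "presharedkey" in peer:
        entry["PresharedKey"] = peer["presharedkey"]
    return entry

# RFC 7748 section 6.1 test vectors reused as throwaway keys (Alice = laptop, Bob = server).
ALICE_PRIV = encode_key(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"))
BOB_PUB = encode_key(bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"))

# Constructed client config in the article's shape; host and subnets are placeholders,
# the PresharedKey is fresh random bytes as `wg genpsk` would give.
CLIENT_CONF = f"""[Interface]
PrivateKey = {ALICE_PRIV}
Address = 192.168.43.1/32
[Peer]
PublicKey = {BOB_PUB}
PresharedKey = {encode_key(os.urandom(32))}
EndPoint = vpn.example.com:53141
AllowedIPs = 192.168.42.0/24
"""
```

`server_peer_section(CLIENT_CONF)` returns the three lines the server's config must carry for this laptop: its `PublicKey`, the shared `PresharedKey`, and `AllowedIPs = 192.168.43.1/32`. The `/32` is the security-relevant detail: whatever range the server lists there is the set of source addresses it will accept from that peer's tunnel, so keep it as tight as the client's `Address`. `decode_key` is also the check to run on any key pasted into a config: anything that is not exactly 32 bytes after Base64 decoding is not a WireGuard key.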
By the way, if you're trying to route traffic from a client on a common
reserved subnet (e.g. `192.168.1.0/24`) to a network behind a [VPN][] that
uses the same subnet, take a look at the [DNATs and Maps section of my
NFtables Examples article][dnats-and-maps].
[wireguard]: https://wireguard.com/
"WireGuard VPN"
[android client]: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_US&gl=US
"WireGuard client for Android."
[android]: https://android.com/
"Android operating system."
[windows client]: https://www.wireguard.com/install/#windows-7-81-10-11-2008r2-2012r2-2016-2019-2022
"WireGuard client for Windows."
[windows 10]: https://en.wikipedia.org/wiki/Windows_10
"Windows 10 operating system."
[vm]: https://en.wikipedia.org/wiki/Virtual_machine
"Virtual Machine"
[noise]: https://noiseprotocol.org/
"Noise protocol framework."
[chacha20]: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant
"ChaCha20 symmetric cipher."
[poly1305]: https://en.wikipedia.org/wiki/Poly1305
"Cryptographic MAC algorithm."
[aead]: https://en.wikipedia.org/wiki/Authenticated_encryption#Authenticated_encryption_with_associated_data_(AEAD)
"Authenticated encryption with associated data."
[curve25519]: https://en.wikipedia.org/wiki/Curve25519
"Fast elliptic curve algorithm designed for Diffie-Hellman key exchange."
[ecdhe]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman
"Ephemeral Elliptic Curve Diffie-Hellman Key Exchange."
[blake2]: https://www.blake2.net/
"Blake2 cryptographic hash algorithm."
[cryptographic hash]: https://en.wikipedia.org/wiki/Cryptographic_hash_function
"Cryptographic hash function."
[linux]: https://en.wikipedia.org/wiki/Linux
"Linux operating system."
[udp]: https://en.wikipedia.org/wiki/User_Datagram_Protocol
"User Datagram Protocol"
[ipsec]: https://en.wikipedia.org/wiki/IPsec
"Internet Protocol security."
[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security
"Transport Layer Security"
[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network
"Virtual Private Network"
[openvpn]: https://en.wikipedia.org/wiki/OpenVPN
"OpenVPN"
[ecc]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography
"Elliptic-curve cryptography."
[base64]: https://en.wikipedia.org/wiki/Base64
"Base64 encoding scheme."
[nft]: https://en.wikipedia.org/wiki/Nftables
"nft command-line tool and nftables Linux firewall subsystem"
[nftables examples]: {{< ref "/articles/nftables-examples.md" >}}
"Nftables Examples"
[dnats-and-maps]: {{< ref "/articles/nftables-examples.md" >}}#bonus-dnats-and-maps
"NFtables Examples: DNATs and Maps"
[debian]: https://debian.org/
"Debian Linux distribution."
[ubuntu]: https://ubuntu.com/
"Ubuntu Linux distribution."
[raspberry pi os]: https://en.wikipedia.org/wiki/Raspberry_Pi_OS
"Raspberry Pi OS"
[ssh]: https://en.wikipedia.org/wiki/Secure_Shell
"Secure Shell"
[imaps]: https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
"Internet Message Access Protocol over TLS (IMAPS)"
[pfs]: https://en.wikipedia.org/wiki/Forward_secrecy
"Perfect forward secrecy."
[dos]: https://en.wikipedia.org/wiki/Denial-of-service_attack
"Denial-of-service attack."