WireGuard VPN (2024)

WireGuard is free software for setting up a virtual private network (VPN). A VPN opens a virtual tunnel between two machines on the internet; the network connection runs through the tunnel as if the computers were directly connected by a network cable. VPNs are widely used by large organisations such as research institutes, government departments, and companies, because they make it possible to regulate access to certain resources in the network and to seal off the users’ data stream from the outside world.

A range of mature VPN protocol stacks already exists: IPsec, OpenVPN, L2TP, and PPTP. Providers of VPN solutions build on these protocols to let their users route their own internet traffic through the VPN. More and more VPN providers are integrating WireGuard into their applications because of the protocol’s advantages.

Contents

  1. What is WireGuard?
    1. What are the features of WireGuard?
    2. What are the advantages of WireGuard?
  2. How does WireGuard work?
  3. First steps with WireGuard
    1. Installing WireGuard on your own system
    2. Generating WireGuard keys
    3. Configuring the network settings for WireGuard

What is WireGuard?

WireGuard is an application and a network protocol for setting up encrypted VPN tunnels. It is licensed as free software under the GPLv2 licence and is available across different platforms. WireGuard is written in the languages ‘C’ and ‘Go’ and runs on Windows, macOS, BSD, iOS, and Android.

WireGuard allows you to establish an encrypted tunnel. Data streams are directed through the tunnel and are thereby protected against unauthorised access. Besides the focus on strong encryption, WireGuard offers optimisations for mobile systems and Internet of Things (IoT) devices.

WireGuard has been directly integrated into the Linux kernel since the spring of 2020. Since Linux runs as the standard operating system on billions of networked devices worldwide, WireGuard can be used practically everywhere. Its wide adoption is also supported by the fact that the software is relatively lean and only poses modest requirements on the hardware.

What are the features of WireGuard?

The central feature of the WireGuard protocol is cryptokey routing. The IP address ranges permitted within a tunnel are assigned to the public key of a connection partner. The public key is used to decrypt the connection partner’s incoming packets. After decryption, an incoming packet is accepted only if its source IP address lies within the ranges assigned to that key; otherwise, the packet is discarded.

Unlike the established VPN protocol stacks IPsec and OpenVPN, WireGuard is not a cryptographically agile protocol. Rather than negotiating the individual cryptographic primitives during the handshake when the connection is established, WireGuard is limited to a fixed set. The cryptographic functions in use are versioned together as one bundle. Should one of these primitives be compromised in the future, a new, secure version of the WireGuard protocol will be released, and once both communication partners use the new version, the data stream is protected again.

At the time of writing, the following protocols and encryption technologies are used:

  • Noise protocol framework
  • Curve25519
  • ChaCha20
  • Poly1305
  • BLAKE2
  • SipHash24
  • HKDF

What are the advantages of WireGuard?

The compact code base is one of the major advantages of WireGuard. The entire kernel implementation amounts to only around 4,000 lines of code. In comparison, an implementation of OpenVPN or IPsec runs to around 100,000 to 600,000 lines. A smaller code base is inherently more secure, as the developers can find bugs more easily and the attack surface is minimised.

Even the Linux inventor Linus Torvalds, known for his snappy writing style and occasional outbursts, responded with strong praise after inspecting the WireGuard code base:

Quote

‘Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPsec, it’s a work of art.’ – Source: netdev - Re: [GIT] Networking

Besides the increased security, the lower complexity of the software also provides better performance. In benchmark comparisons, WireGuard delivers higher transmission speed and lower latency than competing protocols. Moreover, WireGuard is not a ‘chatty protocol’. WireGuard remains quiet for as long as the user sends no data through the tunnel. This also means less energy is consumed, which has a positive effect on battery life.

Energy efficiency is particularly important for mobile devices, and WireGuard is well positioned for such applications in several respects. For instance, the protocol supports roaming, i.e. the automatic switchover from WLAN to the mobile network and vice versa. And if the connection is lost, reconnecting is usually quicker with WireGuard than with rival protocols.

How does WireGuard work?

In principle, WireGuard is a decentralised, peer-to-peer VPN protocol. Rather than requiring a server, WireGuard can open a tunnel directly between two computers. A WireGuard ‘server’ is simply a machine that contains the connection configurations for multiple peers.

Establishing a connection with WireGuard works in much the same way as with Secure Shell (SSH): the users (‘peers’) generate key pairs with WireGuard and exchange the public keys with one another. Using these keys, the peers mutually authenticate each other and encrypt the data packets for their intended recipient.

In addition to generating the cryptographic keys, a number of network settings need to be configured on each peer; see our setup guide below. To exchange data, the permitted IP address ranges are linked to the cryptographic key on each peer, and packets that do not come from the permitted address ranges are discarded. WireGuard transmits its data via the User Datagram Protocol (UDP).
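As an added illustration (not code from the WireGuard project), the following Python model reads a `wg setconf`-style configuration and reproduces the two cryptokey routing decisions described above: for outbound traffic, the destination address selects the peer whose key is used, the longest matching AllowedIPs prefix winning; for inbound traffic, a packet that decrypted under a peer’s key is delivered only if its inner source address routes back to that same peer. The sample configuration, its addresses and the key strings are constructed placeholders for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the `wg setconf` file format: one "server" interface
# with two peers. The key strings are placeholders, not real Curve25519 keys.
# The office gateway peer also routes a whole LAN (10.20.0.0/16) behind it.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.2/32

[Peer]
PublicKey = OFFICE_GATEWAY_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.3/32, 10.20.0.0/16
"""


class CryptokeyRoutingTable:
    """Maps AllowedIPs networks to the public key of the peer that owns them."""

    def __init__(self) -> None:
        self.routes: List[Tuple[object, str]] = []   # (network, public key)

    @classmethod
    def from_config(cls, text: str) -> "CryptokeyRoutingTable":
        table = cls()
        section, key, allowed = None, None, []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()       # drop comments and blanks
            if not line:
                continue
            if line.startswith("["):
                table._add_peer(key, allowed)          # finish the previous [Peer]
                section, key, allowed = line.strip("[]").lower(), None, []
                continue
            name, _, value = (part.strip() for part in line.partition("="))
            if section != "peer":
                continue                               # [Interface] keys are not routes
            if name.lower() == "publickey":
                key = value
            elif name.lower() == "allowedips":
                allowed += [ipaddress.ip_network(v.strip(), strict=False)
                            for v in value.split(",")]
        table._add_peer(key, allowed)
        return table

    def _add_peer(self, key: Optional[str], allowed: list) -> None:
        if key is None:
            return
        self.routes += [(net, key) for net in allowed]
        # Longest prefix first, so the most specific AllowedIPs entry wins.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def peer_for_destination(self, address: str) -> Optional[str]:
        """Outbound: which peer's key encrypts a packet for this destination?
        None means there is no route and the packet is dropped."""
        addr = ipaddress.ip_address(address)
        for net, key in self.routes:
            if addr.version == net.version and addr in net:
                return key
        return None

    def accept_inbound(self, sender_key: str, source: str) -> bool:
        """Inbound: a packet that decrypted under sender_key is delivered only
        if its inner source address routes back to that same key. A peer that
        forges another peer's (or the LAN's) address is therefore dropped."""
        return self.peer_for_destination(source) == sender_key


if __name__ == "__main__":
    table = CryptokeyRoutingTable.from_config(SAMPLE_CONFIG)
    print("10.20.5.9 goes to:", table.peer_for_destination("10.20.5.9"))
    print("laptop claiming 10.20.5.9 accepted?",
          table.accept_inbound("LAPTOP_PUBLIC_KEY_PLACEHOLDER", "10.20.5.9"))
```

The same table serves both directions: WireGuard does not keep a separate access list for inbound traffic, it simply looks up the decrypted packet’s source address and compares the owning peer with the key that decrypted it.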

On a peer’s machine, configuration is done with the WireGuard command line tool (wg) together with the networking tools available on Linux as standard (such as ip). Although configuring the software is considered relatively easy, WireGuard itself only provides the foundation. An app built on top of the protocol can guide users through the individual steps of configuring and setting up a connection, so users of commercial VPN services can enjoy the modern VPN protocol without touching the command line.

First steps with WireGuard

Essentially, WireGuard can be installed and configured on a Linux system with little effort. For instance, you can set up your own VPN server with Raspberry Pi. However, the exact process varies depending on the application, operating system used, and the existing network environment. Below we have outlined a general approach which is suitable for testing.

Tip

Install WireGuard on the IONOS vServer and create your own VPN.

Installing WireGuard on your own system

Run the following commands in the command line to install WireGuard on your Linux system:

# for Ubuntu from version 19.10
sudo apt install wireguard

# for Ubuntu versions below 19.10
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

Note

The steps shown are specific to an installation on Ubuntu Linux. You may need to adjust the code on other systems.

Generating WireGuard keys

As with SSH and PGP, cryptographic keys form the basis for using the WireGuard VPN. The private key must be kept secret. A public key is derived from the private key and shared with peers; this allows peers to encrypt data and send it to you, and the private key is then used to decrypt it.

Run the following commands in the command line to generate a private and public WireGuard key:

# Set file rights first, so that the directory and the key files
# are created readable only by your own user
umask 077

# Create directory for keys
# WARNING: only for test purposes as it is not protected!
mkdir ~/.wireguard/ && cd ~/.wireguard/

# Generate private key
wg genkey > privatekey

# Generate public key using the private key
wg pubkey < privatekey > publickey

Configuring the network settings for WireGuard

The installation of WireGuard and generation of keys are general preparations that are more or less the same on any system. By contrast, the configuration of WireGuard depends on the existing local network settings. For this reason, a general approach is shown below. We recommend that you look at the quick start guide provided by the WireGuard project for more details.

The general steps for configuring a network connection with WireGuard are as follows:

# The following commands need root privileges (run them with sudo or as root)

# Add WireGuard network interface
ip link add dev wg0 type wireguard

# Configure IP addresses
ip address add dev wg0 192.168.2.1 peer 192.168.2.2

# Configure network interface using the configuration file
wg setconf wg0 myconfig.conf

# Activate network interface
ip link set up dev wg0
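The steps above refer to myconfig.conf without showing its contents. As an added example (not the WireGuard project’s own tooling), the following Python script renders the `wg setconf` file for each side of the two-peer setup above (192.168.2.1 and 192.168.2.2), runs a few consistency checks that catch the most common setup mistakes, and writes the file with mode 0600 because it contains the private key. The Side class, the key strings and the host name vpn.example.org are constructed for the example.

```python
import base64
import ipaddress
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Side:
    """What one peer needs to know about itself and about its counterpart."""
    name: str
    tunnel_ip: str                   # address assigned to wg0 with `ip address add`
    private_key: str                 # base64, as produced by `wg genkey`
    public_key: str                  # base64, as produced by `wg pubkey`
    listen_port: Optional[int] = None
    endpoint: Optional[str] = None   # host:port at which the OTHER side reaches this one


def render_config(me: Side, peer: Side, keepalive: Optional[int] = None) -> str:
    """Produce the file passed to `wg setconf wg0 myconfig.conf`.
    `Address` is a wg-quick key, not a wg setconf key: addresses are set with
    `ip address add` as in the steps above. The peer's tunnel address appears
    only in AllowedIPs, which is the cryptokey routing entry for that peer."""
    lines = ["[Interface]", f"PrivateKey = {me.private_key}"]
    if me.listen_port is not None:
        lines.append(f"ListenPort = {me.listen_port}")
    lines += ["", "[Peer]", f"PublicKey = {peer.public_key}",
              f"AllowedIPs = {peer.tunnel_ip}/32"]
    if peer.endpoint:
        lines.append(f"Endpoint = {peer.endpoint}")
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")   # keeps NAT mappings open
    return "\n".join(lines) + "\n"


def validate_pair(a: Side, b: Side) -> List[str]:
    """Checks worth running on both sides before `wg setconf`."""
    problems = []
    for s in (a, b):
        try:
            if len(base64.b64decode(s.public_key, validate=True)) != 32:
                raise ValueError
        except ValueError:
            problems.append(f"{s.name}: PublicKey is not a 32-byte base64 value")
        if s.endpoint and s.listen_port is None:
            problems.append(f"{s.name}: has an Endpoint but no ListenPort")
        try:
            ipaddress.ip_address(s.tunnel_ip)
        except ValueError:
            problems.append(f"{s.name}: tunnel_ip {s.tunnel_ip!r} is not an IP address")
    if a.tunnel_ip == b.tunnel_ip:
        problems.append("both sides use the same tunnel address")
    if not (a.endpoint or b.endpoint):
        problems.append("neither side has an Endpoint, so no handshake can be initiated")
    return problems


def write_config(path: str, text: str) -> int:
    """Write the file with mode 0600 (it holds the private key); return the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed dummy keys (all-zero / all-0x01 / all-0x02 bytes): valid in shape only.
DUMMY_PRIV = base64.b64encode(bytes([0x00] * 32)).decode()
DUMMY_PUB_SERVER = base64.b64encode(bytes([0x01] * 32)).decode()
DUMMY_PUB_LAPTOP = base64.b64encode(bytes([0x02] * 32)).decode()

# The server has a fixed, reachable address (hypothetical host name); the laptop roams.
SERVER = Side("server", "192.168.2.1", DUMMY_PRIV, DUMMY_PUB_SERVER,
              listen_port=51820, endpoint="vpn.example.org:51820")
LAPTOP = Side("laptop", "192.168.2.2", DUMMY_PRIV, DUMMY_PUB_LAPTOP)


def demo() -> int:
    """Validate the pair and write the laptop's file to a temporary directory."""
    assert validate_pair(SERVER, LAPTOP) == []
    path = os.path.join(tempfile.mkdtemp(), "myconfig.conf")
    return write_config(path, render_config(LAPTOP, SERVER, keepalive=25))


if __name__ == "__main__":
    print(render_config(SERVER, LAPTOP))
    print(render_config(LAPTOP, SERVER, keepalive=25))
    print("written with mode", oct(demo()))
```

Only the side that is reachable at a fixed address needs a ListenPort and is listed as the other side’s Endpoint; the roaming side learns its peer’s address from the first handshake, which is why a keepalive is set on the roaming side when it sits behind NAT.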

Summary

WireGuard is a modern, lean contender to the outdated VPN protocol stacks IPsec and OpenVPN and could largely replace them in the foreseeable future.



Author: Corie Satterfield
