+3 votes
200 views
in Tools by (242k points)
reopened
WireGuard VPN: the basics

1 Answer

+4 votes
by (1.6m points)
edited
 
Best answer


WireGuard VPN: the basics

WireGuard is free software that allows you to establish a virtual private network (VPN). With a VPN, a virtual tunnel is opened between two computers on the Internet, and the network connection passes through it as if a network cable ran between the devices. VPNs are often used by large organizations such as research institutes, public bodies and companies. Thanks to them, access to certain network resources can be regulated and users' data transfers can be protected from the outside.

There is already a whole range of established protocols, such as IPsec, OpenVPN, L2TP and PPTP. VPN solution providers rely on these protocols to give their users the ability to direct their own Internet traffic through the VPN. WireGuard offers several advantages and more and more VPN providers are integrating this protocol into their services.

Index
  1. What is WireGuard?
    1. What features does WireGuard have?
    2. What are the advantages of WireGuard?
  2. How does WireGuard VPN work?
  3. Get started with WireGuard
    1. Install WireGuard on your own system
    2. Generate WireGuard Keys
    3. Set network settings for WireGuard

What is WireGuard?

WireGuard is both an application and a network protocol for creating encrypted VPN tunnels. The program is licensed under the GPLv2 as free software and is cross-platform. WireGuard is written in C and Go and is compatible with Windows, macOS, BSD, iOS and Android.

With WireGuard, an encrypted tunnel is created through which data streams are transmitted, protecting them against unauthorized access. In addition to the strong encryption that characterizes it, WireGuard also offers optimizations for mobile systems and for Internet of Things (IoT) devices.

Since early 2020, WireGuard has been integrated directly into the Linux kernel. Since Linux is a standard operating system used by billions of devices worldwide, WireGuard can be used almost anywhere. This widespread use is also due to the fact that the software is relatively lightweight and does not require highly specialized hardware.

What features does WireGuard have?

The main feature of the WireGuard protocol is so-called cryptokey routing: a process that assigns the IP address ranges allowed in the tunnel to the public key of the peer at the other end of the connection. Incoming packets from the other connected device are decrypted using the public key. After decryption, an incoming packet is only delivered if it comes from an IP address that corresponds to the key. Otherwise it is discarded.

Unlike the popular VPN protocol stacks IPsec and OpenVPN, WireGuard is not a crypto-agile protocol: rather than negotiating the cryptographic primitives to be used during the handshake, WireGuard limits itself to a few options. The cryptographic functions used are versioned as a bundle. Should one of the cryptographic primitives be compromised in the future, a new, more secure version of the WireGuard protocol is released. If both communication partners implement this new version, the data stream remains protected.

As of this writing, the following cryptographic protocols and primitives are used:

  • Noise Protocol Framework
  • Curve25519
  • ChaCha20
  • Poly1305
  • BLAKE2
  • SipHash24
  • HKDF

What are the advantages of WireGuard?

One of the biggest advantages of WireGuard is its short codebase: the entire kernel code is no more than 4,000 lines long. By comparison, the code size of an OpenVPN or IPsec implementation is typically between 100,000 and 600,000 lines. By definition, a shorter codebase is also more secure, since bugs are more easily detected and the attack surface is reduced.

Even Linus Torvalds, creator of the Linux kernel and known for his scathing words and occasional outbursts of anger, could not help but praise WireGuard's codebase upon inspection:

Quote

"Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art." Source: netdev - Re: [GIT] Networking

In addition to the increased security it offers, the simplicity of the software also favors higher performance. In benchmarks, WireGuard achieves higher transmission speed and lower latency than its competitors. Also, WireGuard is not a chatty protocol: when the user is not sending data through the tunnel, WireGuard goes into standby. This saves energy and extends battery life.

Energy efficiency is especially important for mobile devices. In this regard, WireGuard offers several advantages. One of them is that it allows roaming, that is, the automatic change from a WLAN to a mobile network and vice versa. Should the connection be interrupted despite this, re-establishing it with WireGuard is usually faster than with its rival protocols.

How does WireGuard VPN work?

Structurally, WireGuard is a decentralized peer-to-peer VPN protocol. Instead of requiring a server, WireGuard can tunnel directly between two computers. What we could consider a WireGuard server is simply a device on which connection configurations have been made for various peers.

Establishing a connection with WireGuard works similarly to Secure Shell (SSH): users (peers) generate public keys with WireGuard and exchange them with each other. Thanks to them, they can identify each other and encrypt the data packets for their corresponding recipient.

In addition to the generation of cryptographic keys, different network elements must be configured on each peer's side (below, our guide to configuring WireGuard gives more details). In order to exchange data, the ranges of allowed IP addresses are linked to the public keys on the peers. Packets that do not come from the allowed address ranges are discarded. WireGuard sends data over the User Datagram Protocol (UDP).

Configuration is performed on a peer's computer using the WireGuard command-line tool and other applications available by default on Linux. Arguably, software setup is relatively easy, but WireGuard only works as a foundation: to go through the setup and connection establishment steps, the user can turn to an app based on the protocol. Thus, users of commercial VPN services can also enjoy the modern VPN protocol without needing a command-line interface.

Get started with WireGuard

In principle, WireGuard does not require much effort to install and configure on Linux systems. As a user you can, for example, create your own VPN server with a Raspberry Pi. However, the actual process varies depending on the purpose, the operating system used and the available network environment. Therefore, we can only indicate the approximate steps you will have to follow. Please use them only for testing.


Install WireGuard on your own system

Run the following commands from the command line interface to install WireGuard on your Linux system:

  # for Ubuntu from version 19.10 onward
  sudo apt install wireguard
  # for versions of Ubuntu before 19.10
  sudo add-apt-repository ppa:wireguard/wireguard
  sudo apt-get update
  sudo apt-get install wireguard
Note

Here we show the installation for Ubuntu Linux. Other systems may require modifications to these commands.

Generate WireGuard Keys

Similar to the role they play in SSH and PGP, cryptographic keys are the foundation of WireGuard's operation. As usual, there is a private key that must always be kept confidential and, on the other hand, a public key generated from the private one that is shared with peers. With it, the peers can encrypt and send data, while with the private key they can decrypt the encrypted data.

Run the following commands from the command line to generate a private and a public WireGuard key:

  # WARNING: for testing only, since no further security measures are applied!
  # Restrict file permissions first, so the key directory and the key files
  # are created readable by the owner only
  umask 077
  # Create key directory
  mkdir ~/.wireguard/ && cd ~/.wireguard/
  # Generate private key
  wg genkey > privatekey
  # Generate public key from the private key
  wg pubkey < privatekey > publickey

Set network settings for WireGuard

Both WireGuard installation and key generation are basic preparations that are performed more or less identically on all systems. The WireGuard configuration, on the other hand, depends on the existing local network configuration. Therefore, in this article we can only offer a general outline and recommend the WireGuard project's Quick Start guide for more advanced details.

The general process for establishing a network connection with WireGuard has the following structure:

  # Add WireGuard network interface
  ip link add dev wg0 type wireguard
  # Configure IP addresses
  ip address add dev wg0 192.168.2.1 peer 192.168.2.2
  # Configure the network interface using the configuration file
  wg setconf wg0 myconfig.conf
  # Bring up the network interface
  ip link set up dev wg0
In summary

WireGuard is a modern and sophisticated candidate for the position occupied by now outdated protocol stacks such as IPsec and OpenVPN, which it could replace in the not too distant future.


...