WireGuard – Explained

What is WireGuard?

WireGuard is a simple VPN protocol that tunnels network traffic, encrypted, over the internet to a remote endpoint where it is decrypted and forwarded on. It is said to be simpler, faster and, in some situations, even more reliable than existing VPN solutions.

But do these statements hold true?

Simplicity has its price

Setting up a WireGuard tunnel is simpler, but that only holds where both ends, server and client, are more or less under your control. In larger corporate networks this is not necessarily the case.

WireGuard identifies and authenticates each end with a plain Curve25519 public/private key pair, for any pairing (server to client, server to server). There is no integration with existing public key infrastructure: no certificates, no CA, no revocation lists. Each key pair has to be generated on its host and its public key transferred to the other side through a second channel (file transfer, removable drive, …). Revoking a client likewise means removing its [Peer] entry from every configuration that lists it.

Terms

Interface

An interface is a local virtual network interface (on Linux it shows up as an ordinary network interface, typically named wg0). It carries the local address and netmask that define the virtual network we create, together with the private key and the UDP port it listens on.

Peer

A peer is a remote interface, identified by its public key, that we exchange traffic with. Its AllowedIPs list serves two purposes at once: it is the set of destination addresses routed to that peer, and the set of source addresses accepted from it (WireGuard calls this cryptokey routing). In a road warrior scenario we do not know the client's IP address beforehand, so we simply define no endpoint; the server learns it from the first authenticated packet the client sends. When we are the client, or in a server to server scenario, we define the endpoint we connect to in order to establish the connection.
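The two decisions that a peer's AllowedIPs list drives, outbound peer selection and the inbound source check, as an added example that is not from the original post or the WireGuard project. It follows the published WireGuard design (longest-prefix match on AllowedIPs, source check after decryption, endpoint roaming); the peer labels stand in for real 32-byte keys and all addresses and packets are constructed.

```python
"""Cryptokey routing, reduced to the two decisions a peer's AllowedIPs controls.

Added example for this post, not WireGuard project code; it mirrors the published
WireGuard design (longest-prefix match on AllowedIPs, source check on inbound,
endpoint roaming). Peers, key labels, addresses and packets below are constructed.
"""
import ipaddress
from typing import Optional


class Peer:
    def __init__(self, public_key: str, allowed_ips, endpoint: Optional[tuple] = None):
        self.public_key = public_key          # label standing in for the real 32-byte key
        self.allowed_ips = [ipaddress.ip_network(n) for n in allowed_ips]
        self.endpoint = endpoint              # (ip, port); None for a road warrior until it connects


class WireGuardInterface:
    def __init__(self, peers):
        self.peers = list(peers)

    def peer_for_destination(self, dst: str) -> Optional[Peer]:
        """Outbound: the peer whose AllowedIPs contain dst with the longest prefix wins;
        the packet is then encrypted to that peer's key. None means the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def accept_inbound(self, peer: Peer, inner_src: str, from_endpoint: tuple) -> bool:
        """Inbound: `peer` is whoever's key authenticated the packet. Any authenticated
        packet updates the peer's endpoint (this is how roaming works), but the decrypted
        packet is only delivered if its inner source address is in the peer's AllowedIPs,
        so one client cannot inject packets claiming another client's tunnel address."""
        peer.endpoint = from_endpoint
        src = ipaddress.ip_address(inner_src)
        return any(src in net for net in peer.allowed_ips)


def demo():
    """Server with a road-warrior laptop, a phone and a whole remote site; client with a
    full-tunnel server peer. Returns the decisions so they can be checked."""
    laptop = Peer("LAPTOP-KEY", ["10.200.1.2/32"])
    phone = Peer("PHONE-KEY", ["10.200.1.3/32"])
    site_b = Peer("SITE-B-KEY", ["10.200.1.4/32", "192.168.50.0/24"], ("198.51.100.9", 51820))
    server = WireGuardInterface([laptop, phone, site_b])
    client = WireGuardInterface([Peer("SERVER-KEY", ["0.0.0.0/0"], ("203.0.113.1", 51820))])
    return {
        "server routes 192.168.50.10 to": server.peer_for_destination("192.168.50.10").public_key,
        "server routes 8.8.8.8 to": server.peer_for_destination("8.8.8.8"),
        "client routes 8.8.8.8 to": client.peer_for_destination("8.8.8.8").public_key,
        "laptop spoofing phone address accepted": server.accept_inbound(laptop, "10.200.1.3", ("203.0.113.7", 40000)),
        "laptop with own address accepted": server.accept_inbound(laptop, "10.200.1.2", ("203.0.113.7", 40000)),
        "laptop endpoint learned": laptop.endpoint,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note that on the server a packet for 8.8.8.8 matches no peer and is dropped, while on the client it matches the 0.0.0.0/0 peer: the same mechanism gives you the split-tunnel versus full-tunnel choice and the anti-spoofing check.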

Sample Configuration

Server

[Interface]
Address = 10.200.1.1/24 # Address and netmask for our virtual interface
ListenPort = 51820 # UDP port to listen on for incoming peer traffic (all interfaces)
PrivateKey = <Server Private Key>
MTU = 1350 # MTU for our virtual interface (the default is 1420; a lower value such as this avoids fragmentation on links with extra overhead)

[Peer]
PublicKey = <Client Public Key>
AllowedIPs = 10.200.1.2/32 # Addresses reachable through this peer, and the only source addresses accepted from it; must match the client's tunnel address below

Client

[Interface]
PrivateKey = <Client Private Key>
Address = 10.200.1.2/24 # Tunnel address; the server lists exactly this address in its AllowedIPs for us
DNS = 10.200.0.2 # Resolver wg-quick installs while the tunnel is up
MTU = 1350

[Peer]
PublicKey = <Server public Key>
AllowedIPs = 0.0.0.0/0 # Networks routed through this peer (0.0.0.0/0 for all traffic, 10.200.1.0/24 for VPN-only traffic)
Endpoint = <Server IP>:51820  # Server IP and port
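Tying the key handling described under "Simplicity has its price" to the configuration above, here is an added example (not code from the original post or the WireGuard project) that derives public keys the way `wg pubkey` does and renders a server/client pair whose AllowedIPs and addresses agree. The X25519 routine is a reference implementation from RFC 7748 written out so the key format is visible; it is not constant time, so real keys should come from `wg genkey` and `wg pubkey`. The endpoint name vpn.example.org, the uplink interface eth0 and the PostUp/PostDown forwarding and NAT lines (needed because the client routes 0.0.0.0/0 through the server) are assumptions.

```python
"""Generate a WireGuard key pair and render a matching server/client config pair.
Added example for this post, not WireGuard project code. The X25519 ladder (RFC 7748)
is plain Python so the key format is visible; it is not constant time, so make real
keys with `wg genkey` / `wg pubkey`. Addresses, endpoint and uplink eth0 are assumptions."""
import base64
import os

P = 2**255 - 19                               # Curve25519 field prime
A24 = 121665                                  # (A - 2) / 4 with A = 486662
BASEPOINT_U = (9).to_bytes(32, "little")      # generator's u-coordinate


def key_to_b64(raw: bytes) -> str:
    """WireGuard writes 32-byte keys as 44-character base64 strings."""
    return base64.b64encode(raw).decode()


def _clamp(k: bytes) -> int:
    """X25519 clamping: clear the low 3 bits and bit 255, set bit 254."""
    a = bytearray(k)
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    return int.from_bytes(a, "little")


def x25519(private_key: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: scalar * point(u), as 32 bytes."""
    k = _clamp(private_key)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # ignore the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                    # data-dependent branch: fine for illustration only
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> str:
    """Same as `wg genkey`: 32 random bytes, base64."""
    return key_to_b64(os.urandom(32))


def pubkey(private_b64: str) -> str:
    """Same as `wg pubkey`: public key = clamped private scalar * base point."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return key_to_b64(x25519(priv, BASEPOINT_U))


SERVER_TEMPLATE = """[Interface]
Address = {server_addr}/24
ListenPort = {port}
PrivateKey = {server_priv}
MTU = 1350
# Full-tunnel clients need forwarding and NAT on the server (eth0 = assumed uplink)
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = {client_pub}
AllowedIPs = {client_addr}/32
"""

CLIENT_TEMPLATE = """[Interface]
Address = {client_addr}/24
PrivateKey = {client_priv}
MTU = 1350

[Peer]
PublicKey = {server_pub}
AllowedIPs = 0.0.0.0/0
Endpoint = {endpoint}:{port}
PersistentKeepalive = 25
"""


def build_configs(server_priv, client_priv, endpoint="vpn.example.org",
                  server_addr="10.200.1.1", client_addr="10.200.1.2", port=51820):
    """Render both files from the two private keys. Each side's [Peer] carries the
    other side's derived public key, and the server's AllowedIPs for the client is
    exactly the client's tunnel address, so cryptokey routing accepts its packets."""
    fields = dict(server_priv=server_priv, client_priv=client_priv,
                  server_pub=pubkey(server_priv), client_pub=pubkey(client_priv),
                  server_addr=server_addr, client_addr=client_addr,
                  endpoint=endpoint, port=port)
    return SERVER_TEMPLATE.format(**fields), CLIENT_TEMPLATE.format(**fields)


if __name__ == "__main__":
    server_cfg, client_cfg = build_configs(genkey(), genkey())
    print(server_cfg)
    print(client_cfg)
```

Running the script prints both files. In practice each private key stays on the host that generated it and only the public key crosses the second channel; the PersistentKeepalive on the client keeps the NAT mapping open for a road warrior, and the PostUp/PostDown lines are what "forwarding and NAT work" translates to on the server.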

Overview

(Figure: Principle of WireGuard)

Because WireGuard works on real network interfaces and installs real routes, the VPN is completely transparent to applications. It also means the usual kernel tooling applies unchanged: IP forwarding between wg0 and the uplink, NAT (masquerading) for clients that send all their traffic through the server, and firewall rules on wg0 all work as on any other interface. They still have to be switched on, though: forwarding is off by default (net.ipv4.ip_forward) and a masquerade rule for the uplink has to be added, typically from the PostUp/PostDown hooks of the server configuration.
