WireGuard – Explained

WireGuard is a simple VPN protocol that tunnels encrypted network traffic over the internet to a remote destination for further processing. It claims to be simpler, more performant, and in some situations even more reliable.

But do these statements hold?

Simplicity has its price

I said that it is simpler to set up a WireGuard tunnel. This holds for most cases where the server and the client are somewhat under your control. In larger corporate networks this is not necessarily true.

WireGuard uses simple public/private key pairs to establish a secure, authenticated connection between two parties (server-client, server-server). But there is currently no integration with existing public key management systems, so each key needs to be generated and transferred over a second medium (file transfer, detachable drives, …).

Terms

Interface

An interface defines a local virtual network interface (if you know Linux, you can think of it as a simple network interface). The interface has a local address and netmask, which describe the virtual network that we create.

Peer

A peer is a remote interface that we can connect to. In a road warrior scenario, where we don't expect to know the client's IP address beforehand, we simply don't define an endpoint. When we are the client, or in a server-to-server scenario, we define the endpoint that we connect to.

Sample Configuration

Server

[Interface]
Address = 10.200.1.1/24 # Address and netmask for our virtual interface
ListenPort = 51820 # Port to listen on for incoming peer connections (all interfaces)
PrivateKey = 
MTU = 1350 # MTU for our virtual interface (values less than 1380 recommended)

[Peer]
PublicKey = 
AllowedIPs = 10.200.1.5/32 # Through that peer we can contact this IP or IP range

Client

[Interface]
PrivateKey = 
Address = 10.200.1.2/24
DNS = 10.200.0.2
MTU = 1350

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0 # Network that gets routed through that peer (0.0.0.0/0 for all traffic, 10.200.1.0/24 for VPN-only traffic)
Endpoint = :51820  # Server IP and Port
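
An added example, not part of the original post: WireGuard drops a decrypted packet whose source address is outside the sending peer's AllowedIPs, so a client Address that no server [Peer] covers gives a tunnel that handshakes but passes no traffic. This Python check reports such addresses; the function names are hypothetical, and the configs are constructed with the sample's addresses (where 10.200.1.2 is not covered by 10.200.1.5/32) and placeholder keys.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into a list of (section_name, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))    # [Peer] may repeat, so keep a list
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # base64 keys end in "=", split once
            sections[-1][1][key.strip()] = value.strip()
    return sections

def values(sections, name, key):
    """All comma-separated values of `key` across sections called `name`."""
    return [v.strip() for sec, kv in sections if sec == name
            for v in kv.get(key, "").split(",") if v.strip()]

def uncovered_addresses(server_text, client_text):
    """Client tunnel addresses that no server [Peer] AllowedIPs entry covers."""
    # Assumption: peers are not paired by key here; any server peer may match.
    allowed = [ipaddress.ip_network(v, strict=False)
               for v in values(parse_wg(server_text), "Peer", "AllowedIPs")]
    addrs = [ipaddress.ip_interface(v).ip
             for v in values(parse_wg(client_text), "Interface", "Address")]
    return [str(a) for a in addrs if not any(a in net for net in allowed)]

# Constructed configs: addresses follow the sample above, keys are placeholders.
SERVER = """
[Interface]
Address = 10.200.1.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.200.1.5/32 # only this source address is accepted from the peer
"""
CLIENT = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.1.2/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""
if __name__ == "__main__":
    print("dropped by server:", uncovered_addresses(SERVER, CLIENT))
    fixed = SERVER.replace("10.200.1.5/32", "10.200.1.2/32")
    print("after fix:", uncovered_addresses(fixed, CLIENT))
```
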

Overview

Principle of WireGuard

Because WireGuard works on actual network interfaces and modifies real routes, the VPN is completely transparent to applications. This also means that things like IP forwarding work out of the box. Even NAT works.

 
