WireGuard

Official website https://www.wireguard.com

WireGuard uses advanced cryptographic technologies such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and a secure trust model. These are conservative, sensible choices of well-audited cryptography.

Minimal attack surface

WireGuard is designed to be simple and easy to implement. This means it can be implemented with very little code and audited for security vulnerabilities with ease. Compared with behemoths like Swan/IPsec or OpenVPN/OpenSSL, where auditing huge codebases is an overwhelming task even for large teams of security experts, WireGuard can be fully reviewed by a single individual.

High performance

The extremely fast cryptographic primitives and the fact that WireGuard exists in the Linux kernel mean that secure networking can be achieved at very high speeds. It is suitable for small embedded devices such as smartphones as well as heavily loaded backbone routers.

Well-defined and thoroughly considered

WireGuard is the result of a long and thorough academic process, which produced a technical white paper, an academic research paper that clearly defines the protocol and the strong rationale behind each decision.

Conceptual overview

If you would like to understand a general conceptual overview of WireGuard, click here to read it. You can then proceed to installation and read the quick start instructions on how to use it.

If you are interested in how it works internally, you may be interested in a brief overview of the protocol, or a more in-depth introduction by reading the technical white paper, which details the protocol, cryptography, and fundamentals. If you plan to implement WireGuard on a new platform, please read the cross-platform notes.

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peer’s public key, and then send packets through it. All issues of key distribution and pushing configuration are explicitly out of scope for WireGuard; those problems are much better handled at other layers, so as not to cause the kind of bloat seen in IKE or OpenVPN. Instead, it more closely follows the model of SSH and Mosh; both sides have each other’s public keys, and then they can simply begin exchanging packets through the interface.

Simple Network Interface

WireGuard works by adding a network interface (or multiple interfaces), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, and so on). This network interface can then be configured normally using all the usual networking utilities, such as adding addresses with ifconfig(8) or ip-address(8), and adding and removing routes with route(8) or ip-route(8). The interface's WireGuard-specific aspects are configured using the wg(8) tool. The interface acts as a tunnel interface.

WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:

  1. This packet is destined for 192.168.30.8. Which peer is that? Let me see… okay, that's peer ABCDEFGH. (Or if it is not destined for any configured peer, drop the packet.)
  2. Encrypt the entire IP packet using peer ABCDEFGH's public key.
  3. What is peer ABCDEFGH's remote endpoint? Let me see… okay, the endpoint is UDP port 53133 on host 216.58.211.110.
  4. Using UDP, send the encrypted bytes from step 2 over the Internet to 216.58.211.110:53133.

When the interface receives a packet, the following happens:

  1. I just received a packet from UDP port 7361 on host 98.139.183.24. Let's decrypt it!
  2. It decrypts and authenticates correctly for peer LMNOPQRS. Okay, let's remember that peer LMNOPQRS's latest Internet endpoint is 98.139.183.24:7361 using UDP.
  3. After decryption, the plaintext packet comes from 192.168.43.89. Is peer LMNOPQRS allowed to send us packets as 192.168.43.89?
  4. If so, accept the packet on the interface. If not, drop it.

Behind the scenes, state-of-the-art cryptography is used to provide appropriate privacy, authenticity, and perfect forward secrecy.
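The send and receive walkthroughs above as a runnable model (an added example, not WireGuard's own code): the peer labels, tunnel addresses and endpoints are the ones from the steps above, and encryption is replaced by a labelled tuple so that only the cryptokey-routing decisions (longest-prefix AllowedIPs lookup, endpoint roaming, and the inner source-address check that drops spoofed packets) are exercised.

```python
"""Toy model of WireGuard's cryptokey routing (added example, not WireGuard's own
code). Peers are keyed by public key; each has AllowedIPs and a last-seen endpoint.
Real WireGuard matches the longest AllowedIPs prefix in a trie; ipaddress does it here."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Peer:
    public_key: str          # base64 key in real WireGuard; a short label here
    allowed_ips: list        # ipaddress network objects this peer may use as source/dest
    endpoint: tuple = None   # (host, udp_port) from config or learned from traffic

class WgInterface:
    def __init__(self, peers):
        self.peers = {p.public_key: p for p in peers}

    def peer_for_ip(self, ip):
        """Longest-prefix match of ip over every peer's AllowedIPs (None if no match)."""
        addr = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def send(self, dst_ip, payload):
        """Outbound steps 1-4: pick the peer for dst_ip, 'encrypt' for it, send to its endpoint."""
        peer = self.peer_for_ip(dst_ip)
        if peer is None or peer.endpoint is None:
            return None                       # no configured peer or no known endpoint: drop
        return peer.endpoint, ("enc", peer.public_key, dst_ip, payload)

    def receive(self, src_endpoint, datagram):
        """Inbound steps 1-4: authenticate, remember the endpoint, check the inner source IP."""
        tag, pubkey, src_ip, payload = datagram
        peer = self.peers.get(pubkey) if tag == "enc" else None
        if peer is None:
            return None                       # does not authenticate for any peer: drop
        peer.endpoint = src_endpoint          # roaming: the latest endpoint wins
        if self.peer_for_ip(src_ip) is not peer:
            return None                       # peer may not send as src_ip: drop (anti-spoof)
        return src_ip, payload

def demo_interface():
    """Two peers with the labels and addresses from the walkthrough (constructed sample)."""
    return WgInterface([
        Peer("ABCDEFGH", [ipaddress.ip_network("192.168.30.0/24")], ("216.58.211.110", 53133)),
        Peer("LMNOPQRS", [ipaddress.ip_network("192.168.43.0/24")]),
    ])
```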
