WireGuard
Official website https://www.wireguard.com
WireGuard uses advanced cryptographic technologies such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and a secure trust model. It makes conservative, sensible choices and relies on well-audited cryptography.
Minimal attack surface
Compared with IPsec or OpenVPN/OpenSSL, where auditing huge codebases is an overwhelming task even for large teams of security experts, WireGuard can be fully reviewed by a single individual.
High performance
Well-defined and thoroughly considered
Conceptual overview
If you would like to understand a general conceptual overview of WireGuard, click here to read it. You can then proceed to installation and read the quick start instructions on how to use it.
If you are interested in how it works internally, you may be interested in a brief overview of the protocol, or a more in-depth introduction by reading the technical white paper, which details the protocol, cryptography, and fundamentals. If you plan to implement WireGuard on a new platform, please read the cross-platform notes.
WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peer’s public key, and then send packets through it. All issues of key distribution and pushing configuration are explicitly out of scope for WireGuard; those problems are much better handled at other layers, so as not to cause the kind of bloat seen in IKE or OpenVPN. Instead, it more closely follows the model of SSH and Mosh; both sides have each other’s public keys, and then they can simply begin exchanging packets through the interface.
Simple Network Interface
WireGuard works by adding a network interface (or multiple interfaces), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, and so on). This network interface can then be configured normally using all the usual networking utilities, such as adding addresses with ifconfig(8) or ip-address(8), and adding and removing routes with route(8) or ip-route(8). The interface's WireGuard-specific aspects are configured using the wg(8) tool. The interface acts as a tunnel interface.
WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:
1. This packet is destined for 192.168.30.8. Which peer is that? Let me see… okay, that's peer ABCDEFGH. (Or if it is not destined for any configured peer, drop the packet.)
2. Encrypt the entire IP packet using peer ABCDEFGH's public key.
3. What is peer ABCDEFGH's remote endpoint? Let me see… okay, the endpoint is UDP port 53133 on host 216.58.211.110.
4. Using UDP, send the encrypted bytes from step 2 over the Internet to 216.58.211.110:53133.
When the interface receives a packet, the following happens:
1. I just received a packet from UDP port 7361 on host 98.139.183.24. Let's decrypt it!
2. It decrypts and authenticates correctly for peer LMNOPQRS. Okay, let's remember that peer LMNOPQRS's latest Internet endpoint is 98.139.183.24:7361 using UDP.
3. After decryption, the plaintext packet comes from 192.168.43.89. Is peer LMNOPQRS allowed to send us packets as 192.168.43.89?
4. If so, accept the packet on the interface. If not, drop it.
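The send and receive decisions above, modelled as an added example (not WireGuard's own code): a toy cryptokey routing table that does the longest-prefix lookup of a destination against each peer's allowed IPs, learns a peer's latest endpoint on receive, and enforces the source-address check that drops a packet the peer is not allowed to send. Encryption and authentication are assumed to have happened already; the peer names, addresses and endpoints are the constructed values from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Peer:
    public_key: str                       # placeholder label, not a real key
    allowed_ips: List[ipaddress.IPv4Network]
    endpoint: Optional[Tuple[str, int]] = None   # (host, udp_port), configured or learned

class CryptokeyTable:
    def __init__(self, peers):
        self.peers = peers
        self.by_key = {p.public_key: p for p in peers}

    def lookup_peer(self, ip):
        """Longest-prefix match of ip against every peer's allowed IPs (None if no match)."""
        addr = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def send(self, dst_ip):
        """Send path: (peer_key, endpoint) to encrypt for and send to, or None to drop."""
        peer = self.lookup_peer(dst_ip)
        if peer is None or peer.endpoint is None:
            return None      # unknown destination, or no endpoint known yet
        return (peer.public_key, peer.endpoint)

    def receive(self, peer_key, src_endpoint, inner_src_ip):
        """Receive path, after the packet authenticated as peer_key: remember the
        endpoint (roaming), then accept only if the inner source routes back to this peer."""
        peer = self.by_key[peer_key]
        peer.endpoint = src_endpoint
        return self.lookup_peer(inner_src_ip) is peer   # True = accept, False = drop

def demo():
    # Constructed configuration: two peers, one with a known endpoint, one not yet.
    table = CryptokeyTable([
        Peer("ABCDEFGH", [ipaddress.ip_network("192.168.30.0/24")], ("216.58.211.110", 53133)),
        Peer("LMNOPQRS", [ipaddress.ip_network("192.168.43.0/24")]),
    ])
    sent = table.send("192.168.30.8")                                   # to ABCDEFGH's endpoint
    dropped = table.send("10.0.0.1")                                    # no peer: drop
    accepted = table.receive("LMNOPQRS", ("98.139.183.24", 7361), "192.168.43.89")
    spoofed = table.receive("LMNOPQRS", ("98.139.183.24", 7361), "192.168.30.8")
    return sent, dropped, accepted, spoofed, table.by_key["LMNOPQRS"].endpoint
```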
Behind the scenes, state-of-the-art cryptography is used to provide appropriate privacy, authenticity, and perfect forward secrecy