WireGuard

Overview of WireGuard (Modern cross-platform VPN)

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

WireGuard: Modern cross-platform VPN

Features of WireGuard:

Simple & Easy-to-use

• WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard.

Cryptographically Sound

• WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.

Minimal Attack Surface

• WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities. Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals.

High Performance

• A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed.

Well Defined & Thoroughly Considered

• WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical whitepaper, an academic research paper which clearly defines the protocol and the intense considerations that went into each decision.

Command Line Interface:

# ip link add dev wg0 type wireguard

(Non-Linux users will instead write wireguard-go wg0.)

An IP address and peer can be assigned via ifconfig(8) or ip-address(8)

# ip address add dev wg0 192.168.2.1/24

Or, if there are only two peers total, something like this might be more desirable:

# ip address add dev wg0 192.168.2.1 peer 192.168.2.2

The interface can be configured with keys and peer endpoints with the included wg(8) utility:

# wg setconf wg0 myconfig.conf

or

# wg set wg0 listen-port 51820 private-key /path/to/private-key peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint 209.202.254.14:8172

Finally, the interface can then be activated with ifconfig(8) or ip-link(8):

# ip link set up dev wg0