Is WireGuard the great VPN of the future?


The time has come when VPN is no longer some exotic tool of bearded sysadmins. Users have different tasks, but the fact is that VPN has become necessary for everyone.

The problem with current VPN solutions is that they are difficult to properly configure, expensive to maintain, and full of dubious quality legacy code.

A few years ago, Canadian information security specialist Jason A. Donenfeld decided that enough was enough and began work on WireGuard. Now WireGuard is getting ready to be included in the Linux kernel and has even received accolades from Linus Torvalds and the US Senate.

Claimed advantages of WireGuard over other VPN solutions:

  • Easy to use.
  • Uses modern cryptography: Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, etc.
  • Compact readable code, easier to investigate for vulnerabilities.
  • High performance.
  • Clear and crafted specification.

Has the silver bullet been found? Is it time to bury OpenVPN and IPSec? I decided to look into this and, along the way, wrote a script for automatic installation of a personal VPN server.

Work principles

The principles of operation can be described as follows:

  • A WireGuard interface is created, it is assigned a private key and an IP address. The settings of other peers are loaded: their public keys, IP addresses, etc.
  • All IP packets arriving at the WireGuard interface are encapsulated in UDP and delivered securely to the other peers.
  • Clients set the public IP address of the server in the settings. The server automatically learns the external addresses of clients when correctly authenticated data comes from them.
  • The server can change the public IP address without interrupting work. At the same time, it will send a notification to connected clients and they will update their configuration on the fly.
  • Routing follows the Cryptokey Routing concept: WireGuard receives and sends packets based on the peer's public key. When the server decrypts a correctly authenticated packet, the packet's src field is checked; if it falls within the allowed-ips configured for the authenticated peer, the packet is accepted by the WireGuard interface. For an outgoing packet the reverse procedure occurs: the dst field of the packet is taken, the matching peer is selected from it, the packet is signed with its own key, encrypted with the peer's key and sent to that peer's remote endpoint.
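The two roles of allowed-ips described above (an inbound source-address filter and an outbound routing table keyed by peer) are easy to see in a small model. The following is an added example written for this article, not WireGuard's own code; the peer names, the placeholder public keys and the 10.9.0.0/24 addresses are constructed for the demo:

```python
"""Toy model of WireGuard's Cryptokey Routing (added example, not WireGuard code).

Every peer is identified by its public key and carries a list of AllowedIPs.
That single list plays two roles:
  * receive side: the decrypted packet's inner source address must fall inside
    the AllowedIPs of the peer whose key authenticated it, or the packet is dropped;
  * send side: the packet's destination is matched against all peers' AllowedIPs
    with longest-prefix match, and the winning peer's key is used to encrypt it.
Keys and addresses below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Peer:
    name: str
    public_key: str            # base64 as printed by `wg pubkey`; placeholders here
    allowed_ips: List[object]  # IPv4Network / IPv6Network objects


class CryptokeyTable:
    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def accept_inbound(self, peer: Peer, inner_src: str) -> bool:
        """Receive side: an authenticated peer may only speak from its AllowedIPs."""
        addr = ip_address(inner_src)
        return any(addr in net for net in peer.allowed_ips)

    def select_outbound(self, dst: str) -> Optional[Peer]:
        """Send side: longest-prefix match; None means no peer owns dst and the packet is dropped."""
        addr = ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best


def build_server_table() -> CryptokeyTable:
    """Server view: one laptop on a /32 plus a branch router that owns the rest of 10.9.0.0/24."""
    return CryptokeyTable([
        Peer("laptop", "LAPTOP_PUBKEY_PLACEHOLDER", [ip_network("10.9.0.2/32")]),
        Peer("branch", "BRANCH_PUBKEY_PLACEHOLDER", [ip_network("10.9.0.0/24")]),
    ])


def build_client_table() -> CryptokeyTable:
    """Client view from the article: AllowedIPs = 0.0.0.0/0, so every destination goes to the server."""
    return CryptokeyTable([
        Peer("server", "SERVER_PUBKEY_PLACEHOLDER", [ip_network("0.0.0.0/0")]),
    ])


if __name__ == "__main__":
    srv = build_server_table()
    laptop = srv.peers[0]
    print("server: send to 10.9.0.2 ->", srv.select_outbound("10.9.0.2").name)  # laptop (/32 beats /24)
    print("server: send to 10.9.0.7 ->", srv.select_outbound("10.9.0.7").name)  # branch
    print("server: send to 8.8.8.8  ->", srv.select_outbound("8.8.8.8"))        # None: no peer owns it
    print("server: laptop claims src 10.9.0.2 ->", srv.accept_inbound(laptop, "10.9.0.2"))  # True
    print("server: laptop claims src 10.9.0.9 ->", srv.accept_inbound(laptop, "10.9.0.9"))  # False: spoofed src dropped
    cli = build_client_table()
    print("client: send to 8.8.8.8  ->", cli.select_outbound("8.8.8.8").name)   # server
```

The last inbound check is the security-relevant one: a peer that authenticates correctly but puts a foreign source address inside the tunnel is still dropped, because allowed-ips is enforced on the decrypted packet, not on the outer UDP endpoint.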

The entire core logic of WireGuard takes less than 4 thousand lines of code, while OpenVPN and IPSec have hundreds of thousands. To support modern cryptographic algorithms, a new cryptographic API for the Linux kernel, Zinc, has been proposed; how good an idea this is remains under discussion.

Performance

The maximum performance advantage (compared to OpenVPN and IPSec) will be noticeable on Linux systems, since WireGuard is implemented as a kernel module there. In addition, macOS, Android, iOS, FreeBSD and OpenBSD are supported, but they run WireGuard in userspace with all the ensuing performance implications. Windows support is expected to be added in the near future.

Benchmark results from the official site:


My use experience

I am not a VPN setup expert. Once I set up OpenVPN by hand and it was very tedious, and I did not even try IPSec. There are too many decisions to make, and it is very easy to shoot yourself in the foot. Therefore, I have always used ready-made scripts to configure the server.

So, WireGuard, from my point of view, is generally ideal for the user. All low-level decisions are made in the specification, so preparing a typical VPN infrastructure takes only a few minutes. It is almost impossible to screw up the configuration.

The installation process is described in detail on the official website; I would separately like to note the excellent OpenWRT support.

Encryption keys are generated with the wg utility:

SERVER_PRIVKEY=$( wg genkey )
SERVER_PUBKEY=$( echo "$SERVER_PRIVKEY" | wg pubkey )   # derive the public key from the private one
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo "$CLIENT_PRIVKEY" | wg pubkey )

Next, you need to create a server config /etc/wireguard/wg0.conf with the following content:

[Interface]
Address = 10.9.0.1/24
ListenPort = 51820   # must match the port in the clients' Endpoint
PrivateKey = $SERVER_PRIVKEY
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.9.0.2/32

and bring up the tunnel with the wg-quick script:

sudo wg-quick up /etc/wireguard/wg0.conf

On systems with systemd, you can use sudo systemctl start wg-quick@wg0.service instead.

On the client machine, create a config /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.9.0.2/24
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:51820 # external IP of the server
PersistentKeepalive = 25

And bring up the tunnel in the same way:

sudo wg-quick up /etc/wireguard/wg0.conf

It remains to configure NAT on the server so that clients can access the Internet, and you're done!
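The walkthrough above leaves the NAT step to the reader and writes the configs by hand. As an added example (not the author's installer and not a WireGuard tool), here is a small generator that renders both configs for any number of clients, fixes the server's ListenPort to the port the clients dial, and adds PostUp/PostDown hooks for forwarding and masquerading. The uplink interface name eth0, the UDP port 51820 and the placeholder keys in the demo are assumptions; real keys come from wg genkey:

```python
"""Render WireGuard server and client configs (added example, not the article's installer).

Assumptions: tunnel subnet 10.9.0.0/24 with the server at .1 (as in the article),
UDP port 51820, and eth0 as the server's Internet-facing interface. Placeholder
keys are used in the demo; generate_keypair() calls the real `wg` tool.
"""
import subprocess
from ipaddress import ip_network
from typing import Iterable, List, Tuple

WG_PORT = 51820
TUNNEL_NET = ip_network("10.9.0.0/24")
UPLINK_IFACE = "eth0"  # assumption: change to the server's actual uplink interface


def generate_keypair() -> Tuple[str, str]:
    """Run `wg genkey` / `wg pubkey`; the private key is passed on stdin, never on argv."""
    priv = subprocess.run(["wg", "genkey"], check=True, capture_output=True, text=True).stdout.strip()
    pub = subprocess.run(["wg", "pubkey"], input=priv, check=True, capture_output=True, text=True).stdout.strip()
    return priv, pub


def allocate_client_ips(count: int) -> List[str]:
    """Hand out .2, .3, ... inside the tunnel subnet (the server keeps .1)."""
    if count + 2 > TUNNEL_NET.num_addresses - 1:
        raise ValueError("not enough addresses in %s for %d clients" % (TUNNEL_NET, count))
    return [str(TUNNEL_NET.network_address + i) for i in range(2, 2 + count)]


def render_server_conf(server_privkey: str, clients: Iterable[Tuple[str, str]],
                       port: int = WG_PORT, uplink: str = UPLINK_IFACE) -> str:
    """clients: (client_pubkey, tunnel_ip) pairs. Each client gets a /32 in AllowedIPs."""
    server_ip = str(TUNNEL_NET.network_address + 1)
    lines = [
        "[Interface]",
        "Address = %s/%d" % (server_ip, TUNNEL_NET.prefixlen),
        "ListenPort = %d" % port,  # fixed so the clients' Endpoint port is valid
        "PrivateKey = %s" % server_privkey,
        # %i is expanded by wg-quick to the interface name. Enable forwarding and
        # masquerade tunnel traffic on the uplink; PostDown undoes both.
        "PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %%i -j ACCEPT; "
        "iptables -t nat -A POSTROUTING -o %s -j MASQUERADE" % uplink,
        "PostDown = iptables -D FORWARD -i %%i -j ACCEPT; "
        "iptables -t nat -D POSTROUTING -o %s -j MASQUERADE" % uplink,
    ]
    for pubkey, ip in clients:
        lines += ["", "[Peer]", "PublicKey = %s" % pubkey, "AllowedIPs = %s/32" % ip]
    return "\n".join(lines) + "\n"


def render_client_conf(client_privkey: str, client_ip: str, server_pubkey: str,
                       server_endpoint: str, port: int = WG_PORT) -> str:
    """Full-tunnel client: AllowedIPs = 0.0.0.0/0 sends all traffic to the server."""
    return "\n".join([
        "[Interface]",
        "PrivateKey = %s" % client_privkey,
        "Address = %s/%d" % (client_ip, TUNNEL_NET.prefixlen),
        "",
        "[Peer]",
        "PublicKey = %s" % server_pubkey,
        "AllowedIPs = 0.0.0.0/0",
        "Endpoint = %s:%d" % (server_endpoint, port),
        "PersistentKeepalive = 25",  # keeps NAT mappings alive for clients behind NAT
    ]) + "\n"


if __name__ == "__main__":
    # Real run: generate keys with wg and print both configs for two clients.
    server_priv, server_pub = generate_keypair()
    client_keys = [generate_keypair() for _ in range(2)]
    ips = allocate_client_ips(len(client_keys))
    print(render_server_conf(server_priv, [(pub, ip) for (_, pub), ip in zip(client_keys, ips)]))
    for (priv, _), ip in zip(client_keys, ips):
        print(render_client_conf(priv, ip, server_pub, "1.2.3.4"))  # 1.2.3.4 stands for the server's public IP
```

Write the server output to /etc/wireguard/wg0.conf with mode 0600 (it contains the private key) and bring it up with wg-quick as in the article; each client gets its own rendered file. Because PostUp/PostDown carry the NAT rules, the firewall state is torn down together with the tunnel rather than left behind.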

Such ease of use and compactness of the code base were achieved by dropping key-distribution functionality. There is no complicated certificate system and all that corporate horror; short encryption keys are distributed roughly like SSH keys. But this raises a problem: WireGuard will not be easy to deploy in some existing networks.

Among the shortcomings, it is worth noting that WireGuard will not work through an HTTP proxy, since UDP is its only transport. The question arises whether the protocol can be obfuscated. Of course, this is not a direct task of a VPN, but for OpenVPN, for example, there are ways to disguise it as HTTPS, which helps residents of totalitarian countries use the Internet fully.

Conclusions

Summing up, this is a very interesting and promising project, and you can already use it on personal servers. What are the benefits? High performance on Linux systems, ease of setup and maintenance, and a compact, readable code base. However, it is too early to rush to move complex infrastructure to WireGuard; it is worth waiting for its inclusion in the Linux kernel.

To save my (and your) time, I developed a WireGuard auto-installer. With it, you can set up a personal VPN for yourself and your friends without understanding anything about it.

Source: habr.com
