
Getting Started with WireGuard - miguelmota
https://miguelmota.com/blog/getting-started-with-wireguard/
======
greatjack613
> It’s kernel-based which reduces attack surface and can be ran in virtually
> any device.

Excuse my ignorance, but can someone explain why a kernel-based networking
stack has less of an attack surface than a user-space based stack?

I mean logically user-space should be more secure no?

~~~
tpolzer
Indeed, the author is confusing things here:

- It has a vastly smaller attack surface than e.g. OpenVPN, because it is
much less complex.

- Its performance is improved by being kernel based.

- Compatibility is helped by it being in the mainline kernel, i.e. every
device shipping a recent enough kernel will be able to have it (no need to
deploy/version libraries etc).

These don't have anything to do with each other.

~~~
kapilvt
Re smaller surface area, adding some numbers: "WireGuard weighs in at around
4,000 lines of code; this compares to 600,000 total lines of code for OpenVPN
+ OpenSSL or 400,000 total lines of code for XFRM+StrongSwan for an IPSEC VPN.
Two orders of magnitude fewer lines of code mean a lot less attack surface to
find flaws in." [https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review...](https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/)

Note OpenVPN sans OpenSSL is 70k (supports multiple crypto libs), but given
WireGuard's code size is including crypto, it seems apt to compare totals.

Linus on a comparison: "Can I just once again state my love for it and hope it
gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and
compared to the horrors that are OpenVPN and IPSec, it's a work of art."
[https://lwn.net/Articles/761939/](https://lwn.net/Articles/761939/)

~~~
api
ZeroTier's core is only about 30k lines of code including quite a lot of
verbose multi-line comments, crypto, C++ cruft, and boilerplate. Core
functional code implementing ZT is probably roughly 2X the size of Wireguard.
How in the hell is IPSec that big?

It's bigger if you include all the service and virtual net device and UI
stuff, but IPSec doesn't include any of that so comparing to the ZT core is
apples to apples.

~~~
tptacek
How is ZeroTier on dynamic allocation? Small code size is one WireGuard
software security goal; minimizing dynamic allocation is the other.

~~~
api
It does dynamically allocate, though it always checks for success. It _could_
be refactored not to but so far we haven't targeted devices small enough to
worry about a megabyte or two of RAM. There are also checks in place to guard
against memory exhaustion attacks where applicable.

We just did phase I of a professional audit for V2. It was a design audit, but
we're doing a code audit too. V2's code base will be a bit cleaner.

~~~
tptacek
Cool! Just a thing to think about! Code size is a useful metric, especially as
it improves auditability. But not having to think about object lifecycle bugs
("can this timer fire into a freed connection state block", etc) is a huge
intrinsic _structural_ win. Having an unusually clear, audited documentation
of the lifecycles of all the objects in your design would also go a long way.

------
e12e
Hm. I guess no-one has bothered with nftables yet, even when dealing with
network code that's becoming part of the new upstream kernel (not just this
blog, AFAIK wireguard upstream doesn't have any examples on using nftables
either, just iptables).

I guess we need a new networking how-to?

Anyone aware of some resources I might have missed?

OK, I guess the nftables wiki is the "how-to":
[https://wiki.nftables.org/wiki-nftables/index.php/Main_Page](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page)
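As an added example (not from the thread, the linked blog, or the WireGuard project): an nftables ruleset for a WireGuard gateway that mirrors the iptables rules such guides usually give, i.e. accept the listen port, forward tunnel traffic, masquerade it out of the WAN side. The interface names eth0/wg0, the 10.0.0.0/24 tunnel subnet, listen port 51820 and SSH on port 22 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: nftables ruleset for a WireGuard gateway (not from the thread).
# Assumed values: WAN interface eth0, tunnel interface wg0, tunnel subnet
# 10.0.0.0/24, WireGuard listen port 51820, SSH on 22. Adjust before loading.
# Note: "flush ruleset" discards every existing table, so merge with care.

flush ruleset

define wan    = "eth0"
define wgif   = "wg0"
define wgnet  = 10.0.0.0/24
define wgport = 51820

table inet wireguard {
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # WireGuard handshake and data packets (inet table: matches v4 and v6).
        # iifname/oifname match by name, so the rules load even before wg0 exists.
        iifname $wan udp dport $wgport accept

        # Management only from inside the tunnel (assumed: SSH on 22)
        iifname $wgif tcp dport 22 accept

        # Minimal ICMP/ICMPv6 so ping and IPv6 neighbour discovery keep working
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        # Only packets that entered from the tunnel with a tunnel source address
        # may be forwarded to the WAN (stops spoofed or misrouted sources).
        iifname $wgif oifname $wan ip saddr $wgnet accept
        # Peer-to-peer traffic inside the tunnel
        iifname $wgif oifname $wgif accept
    }
}

table ip wireguard_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip saddr $wgnet masquerade
    }
}
```

Load it with `nft -f <file>`; forwarding additionally needs `net.ipv4.ip_forward=1` (and the v6 equivalent) set via sysctl, which no firewall rule replaces.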

~~~
dharmab
The community kind of skipped right over nftables to BPF. Simple use cases use
iptables, complicated ones use BPF, nftables isn't flexible enough for the
complicated use cases so everyone keeps using iptables.

~~~
WGH_
What is BPF (in the context of iptables/nftables replacement) exactly? I tried
searching for it, but only found some articles about early stage kernel
support. Nothing about userspace or how to use it at all. It looks like
there's still no BPF firewall at this time.

~~~
dharmab
We're using BPF for packet filtering in production on my team today, but it's
not directly an iptables/nftables replacement; it's an entire kernel subsystem
used in several parts of the kernel and also useful for diverse use cases such
as performance profiling, syscall tracing and packet filtering. It's also seen
rapid development in recent kernels and most internet articles about it are
out of date.

Something I wrote for the ArchWiki [1]:

> BPF is a system used to load and execute bytecode within the kernel
> dynamically during runtime. It is used in a number of Linux kernel
> subsystems such as networking (e.g. XDP, tc), tracing (e.g. kprobes,
> uprobes, tracepoints) and security (e.g. seccomp). It is also useful for
> advanced network security, performance profiling and dynamic tracing.

> BPF was originally an acronym of "Berkeley Packet Filter" since the original
> classic BPF was used for packet capture tools for BSD. This eventually
> evolved into Extended BPF (eBPF), which was shortly afterwards renamed to
> just BPF (not an acronym). BPF should not be confused with packet filtering
> tools like iptables or netfilter, although BPF can be used to implement
> packet filtering tools.

lwn.net has a decent (although 3 years old) intro article [2]. Cilium has a
good document on how they use BPF to implement a packet filter [3].

[1] [https://wiki.archlinux.org/index.php/Security#BPF_hardening](https://wiki.archlinux.org/index.php/Security#BPF_hardening)

[2] [https://lwn.net/Articles/740157/](https://lwn.net/Articles/740157/)

[3] [http://docs.cilium.io/en/latest/bpf/](http://docs.cilium.io/en/latest/bpf/)

------
squarefoot
Does wireguard have a noticeable overhead wrt data size compared to an
unencrypted connection? I was thinking of setting it up on a small RPi-like
board at home, then on the laptop I carry around (when the lockdown is over).
The purpose would be connecting to the Internet through the home broadband
public IP which could be handy. However the laptop connects through a metered
4G connection which, although the data cap is more than reasonable, raises
some concerns should the encryption require a lot more data than normal.

~~~
nightfly
I just sent 200MiB of zeros over my wireguard connection to my VPS and my
transmit counter on my wifi card went up by 238MB, vs. sending 1024MiB over
just wifi to my Pi where the transmit counter went up by 1.04GiB.
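To put the overhead question in protocol terms, here is an added example (not from the thread) that computes WireGuard's own per-packet framing cost from the published transport data message layout: 16 bytes of header (type, reserved, receiver index, counter), the inner packet padded to a multiple of 16, and a 16-byte Poly1305 tag, all inside UDP/IP. The padding clamp at the interface MTU follows the Linux implementation; the inner MTU of 1420 (wg-quick's default of link MTU minus 80) and the "no IP options" outer headers are assumptions. Whatever the link below the tunnel adds (e.g. Wi-Fi retransmissions) is outside this calculation.

```python
# Added example (not from the thread): WireGuard framing overhead per packet.
# Transport data message: type(1) + reserved(3) + receiver index(4) + counter(8)
#   + encrypted inner packet (zero-padded to a multiple of 16, clamped to the MTU)
#   + Poly1305 tag(16), carried in UDP over IPv4 (28 bytes) or IPv6 (48 bytes).
# Assumed: inner MTU 1420 as wg-quick derives it, outer IP headers without options.

HEADER = 1 + 3 + 4 + 8   # 16 bytes of plaintext framing
TAG = 16                 # Poly1305 authentication tag
UDP = 8
IPV4 = 20
IPV6 = 40
INNER_MTU = 1420


def padded(inner_len: int, mtu: int = INNER_MTU) -> int:
    """Inner length rounded up to a multiple of 16, but never beyond the MTU.
    A 0-byte keepalive stays 0; a full-MTU packet gets no padding at all."""
    return min(mtu, (inner_len + 15) // 16 * 16)


def wire_size(inner_len: int, ipv6_outer: bool = False, mtu: int = INNER_MTU) -> int:
    """Bytes on the wire for one encapsulated packet of inner_len bytes."""
    outer_ip = IPV6 if ipv6_outer else IPV4
    return outer_ip + UDP + HEADER + padded(inner_len, mtu) + TAG


def overhead_ratio(inner_len: int, ipv6_outer: bool = False) -> float:
    """Extra wire bytes per inner byte; a keepalive carries no inner bytes."""
    if inner_len == 0:
        raise ValueError("keepalive has no payload to compare against")
    return wire_size(inner_len, ipv6_outer) / inner_len - 1.0


def max_inner_mtu(link_mtu: int = 1500, ipv6_outer: bool = True) -> int:
    """Largest inner packet that never fragments the outer datagram on this link."""
    outer_ip = IPV6 if ipv6_outer else IPV4
    return link_mtu - outer_ip - UDP - HEADER - TAG


if __name__ == "__main__":
    for n in (0, 1, 64, 576, INNER_MTU):
        print(f"inner {n:5d} -> v4 {wire_size(n)} bytes, v6 {wire_size(n, True)} bytes")
    print("full-size packet overhead:", f"{overhead_ratio(INNER_MTU):.1%}")
    print("inner MTU for a 1500-byte link with IPv6 outer:", max_inner_mtu())
```

Small packets pay proportionally far more than large ones: a 64-byte inner packet nearly doubles on the wire, a full 1420-byte packet grows by about 4%.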

~~~
afiori
Is this one of those cases where, if Wireguard implemented traffic compression
as a "feature", it would become a huge security flaw?

I remember hearing that this is the case for naive HTTPS compression, but I
never properly had insight into how.

~~~
nightfly
[https://community.openvpn.net/openvpn/wiki/VORACLE](https://community.openvpn.net/openvpn/wiki/VORACLE)
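The mechanism behind the question above, as an added example that is not part of the thread: when data is compressed before it is encrypted, the ciphertext length (which encryption alone does not hide) equals the compressed length, and that length shrinks when text an outside party can influence shares bytes with a secret in the same message. This is the condition VORACLE, CRIME and BREACH rely on, and the reason a VPN that never compresses has nothing to leak here. The secret token and the "reflected" text are constructed values.

```python
import zlib

# Constructed sample (not from the thread): one application message that carries
# a secret token next to text an outside party can influence. The token is made up.
SECRET_TOKEN = "session=8f3kq9z2"


def wire_length(reflected: str, compress: bool) -> int:
    """Length of the message as it would be observed on the wire.

    compress=True: the message is deflated before encryption, so the observable
    length is the compressed length. compress=False: the length depends only on
    the number of plaintext bytes, which is the situation for a tunnel that does
    not compress (WireGuard).
    """
    body = f"{reflected}\n{SECRET_TOKEN}\n".encode()
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_leak(correct_prefix: str, wrong_prefix: str, compress: bool) -> int:
    """Bytes saved when the reflected text matches a prefix of the secret versus
    when it does not. Both inputs must have the same length so that only the
    match, never the input size, can change the answer. 0 means the observable
    length carries no information about the secret."""
    if len(correct_prefix) != len(wrong_prefix):
        raise ValueError("compare guesses of equal length")
    return wire_length(wrong_prefix, compress) - wire_length(correct_prefix, compress)


if __name__ == "__main__":
    # Deflate turns the repeated "session=8f3k" into a back-reference, so the
    # correct prefix yields a shorter message; without compression both are equal.
    print("compressed leak  :", length_leak("session=8f3k", "session=XXXX", True))
    print("uncompressed leak:", length_leak("session=8f3k", "session=XXXX", False))
```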

------
mathieubordere
I would suggest using Algo VPN to set up WireGuard
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

------
jimmcslim
I know it's orthogonal to WireGuard itself, but I'd like to see these guides
sometime provide some guidance around DNS, so that I can access services
without having to remember the VPN client IP addresses.

------
parshimers
If you're using NetworkManager and wireguard, try out the integration between
the two as well. It lets you treat the tunnel as any other VPN in nm, and also
easily avoids some issues with routing loops if you roam back on to your home
network. Before, I always had to manually use wg-quick when I came back home
or left.

[http://blogs.gnome.org/thaller/2019/03/15/wireguard-in-netwo...](http://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/)

~~~
mqus
In my experience, this does work somewhat, but doesn't set up the routes
properly[1] and doesn't provide an interface to the networkmanager applet, so
you are still left with configuring the profiles in the terminal. There is
much left to be desired. Sadly the third-party plugin isn't much better and
seems to be discontinued[2].

[1] [https://forum.manjaro.org/t/wireguard-with-networkmanager-1-...](https://forum.manjaro.org/t/wireguard-with-networkmanager-1-16-how-to/81544/13)

[2] [https://github.com/max-moser/network-manager-wireguard/](https://github.com/max-moser/network-manager-wireguard/)

~~~
franga2000
I seem to recall configuring it entirely (sans key generation) in KDE Plasma
network settings. I'm guessing you're referring to another applet?

~~~
mqus
I'm not an expert in KDE but I mean this applet:
[https://gitlab.gnome.org/GNOME/network-manager-applet.git](https://gitlab.gnome.org/GNOME/network-manager-applet.git)

I assume that I can't really install the KDE applet without installing the
entire KDE suite, so this was my goto solution.

Edit: I see that wireguard support is in the works but is not merged yet:
[https://gitlab.gnome.org/GNOME/network-manager-applet/-/merg...](https://gitlab.gnome.org/GNOME/network-manager-applet/-/merge_requests/78)

------
rubatuga
I also made a guide for connecting with the official iOS and macOS WireGuard
clients, as I originally found it a bit difficult with the current UI.

[https://www.naut.ca/blog/2020/02/17/setting-up-a-wireguard-v...](https://www.naut.ca/blog/2020/02/17/setting-up-a-wireguard-vpn/)

------
tazeg95
I made an Ansible script for the server: [https://github.com/Tazeg/ansible-wireguard](https://github.com/Tazeg/ansible-wireguard). If it helps.

------
pkulak
Just FYI, WireGuard is baked right into the Linux 6.x kernel. Unless you're on
a rolling distro you won't see it yet, but very cool indeed.

~~~
sandov
5.6

~~~
pkulak
haha, yes, apologies. Whatever the new one is.

------
ur-whale
One thing that is imo downplayed about WireGuard as opposed to other VPNs is
ease of use, specifically:

- setup is easy
- automated config of large setups is easy
- it is extremely resilient under temporary network failure

------
borplk
Does anyone have a guide for setting up server-to-server wireshark connection?

Everything I have found so far is about consumer VPN stuff.

I'm interested in possibly using wireshark for server-to-server as a less
painful alternative to TLS.

~~~
franga2000
Assuming you meant Wireguard both times, I have a small guide I wrote for my
team that I can throw up on my site. If I don't post a link here in a couple
hours, reply here so I get a notification.

~~~
borplk
Yes somehow I had wireshark in mind! :)

------
platz
Do you have to use the wireguard client or could say the VPN stack in Windows
be used to connect to a wireguard server?

~~~
tjohns
You have to use the Wireguard client. In that regard it's similar to OpenVPN.

Wireguard uses a custom protocol that isn't supported by Windows' built-in VPN
client. Most OSes only natively support IPsec/L2TP or PPTP.

------
boromi
Is there like a simpler configuration esp. for clients using Windows / Mac?

~~~
leotaku
If you are just interested in configuring clients, Wireguard for Windows comes
with a GUI that you can use. For Mac I'd suggest just using wg-quick[^1].

[^1]: [https://manpages.debian.org/unstable/wireguard-tools/wg-quic...](https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html)

