
Wireguard VPN: Typical Setup (2017) - tosh
https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
======
xpaulbettsx
"It's just as easy as SSH!" and "Ok, set up your iptables rules...." do not go
together. Wireguard might be easier than OpenVPN, but it's still prohibitively
difficult to set up, and especially to use in a client computing scenario
(i.e. I'm on a desktop machine, and want to connect/disconnect this VPN
frequently).

------
mbesto
I tried streisand / wireguard setup awhile back (MacOS to DO server). It
worked great until I tried to disconnect (it would save the old WG settings in
my connection tables and then just keep me completely disconnected from the
internet). Anyone know if this is improved? Is there any easy way to get
wireguard setup on macos and connect to a DO server?

~~~
mbreese
I used the WireGuard package from homebrew to set up a VPN back to a Raspberry
Pi at home and it worked pretty well.

~~~
mbilker
The WireGuard client for macOS behaves differently than the Linux client when
setting DNS settings.

~~~
zx2c4
We do need to port wg-quick to use scutil instead of networksetup.

------
mirceal
having played with wireguard I can definitely say that it takes something that
used to be complicated and makes it trivial (i.e. setting up a vpn server).

it almost feels too easy compared to the openvpn monstrosity.

now that they have an iphone app (in beta) I switched to using it everywhere
and not looking back.

~~~
chrisswanda
I picked up WireGuard yesterday, and within an hour, I had my server and 4
clients set up. Freaking gravy.

And this morning, I connected to the bus WiFi, I turned on WireGuard, and kept
a constant connection throughout my commute to work. It just works so well.

I could never do that with my OpenVPN connections.

~~~
octosphere
Just curious; but what kind of device are you using here? I can't imagine
using a laptop on the bus.

~~~
chrisswanda
Today was my iPad. But I've run my laptop before many times. This is an
express bus, with only a couple of stops and runs mostly on the interstate for
25 miles.

~~~
octosphere
Yes but how do you put Wireguard on an iPad?

~~~
zx2c4
[https://lists.zx2c4.com/pipermail/wireguard/2018-November/00...](https://lists.zx2c4.com/pipermail/wireguard/2018-November/003526.html)

------
edoo
It says you get about a Gbit of throughput. That isn't bad but I wonder if
that is simply because the processing isn't or can't be efficiently
parallelized.

You might be able to make several of these connections between 2 machines and
trunk/bond them on each side into a combined interface for even more
throughput. 10GbE and 40Gb fiber cards are getting pretty cheap.

~~~
cyphar
> It says you get about a Gbit of throughput. That isn't bad but I wonder if
> that is simply because the processing isn't or can't be efficiently
> parallelized.

The encryption is parallelised, Jason Donenfeld talks about how the
parallelism is designed in most of his talks about WireGuard.

Effectively the problem is that network processing is done using "flows" and
generally you want to pin a single flow to a single CPU -- but that would
result in bad performance (especially if related packets were encrypted on
separate CPUs). So instead, WireGuard pretends to support hardware packet
offloading -- so the rest of the net infrastructure figures out what packets
are related and gives WireGuard a coalesced packet which can then be split and
encrypted in one go.

~~~
edoo
Cool, I just realized they also used a 1GbE card in the perf test so they
maxed it out. That would be pretty neat if it scaled right on up.

------
romeisendcoming
I guess 20 years as a sysadmin and systems programmer make me a little jaded
but you wouldn't convince me to pick up a new VPN based on it being
OpenSSH-alike. I'd prefer a pure TLS/SSL or IPsec solution that fits either paradigm.

If I want ssh-alike I'll harden my ssh and PAM configuration and use ssh (+
tunneling/forwarding and socks5).

------
aerodog
This article is a year old. Certainly Wireguard setup / config has improved
this past year, yes?

~~~
esotericn
Could you clarify "improved"?

It's already absolutely fantastic compared to any other solution I can think
of (_especially_ OpenVPN, which requires generating a bunch of X.509 certs).

This article has a ton of steps which aren't even WireGuard specific like
server firewall rules.

The actual configuration of WG is basically 'generate a private and public key
on server and client, stick it in a config file, run wg-quick up, done'.

~~~
atonse
I don't know, I really like the idea of wireguard but I had a pretty tough
time setting it up (and had to give up after an hour)... more like I didn't
have the time.

I think I wasn't doing something right, though, since I was getting very weird
errors that I wasn't able to google. Also I think my issue was like more with
the macOS client rather than the server.

I think Wireguard is still at the same level that git was about 10 years ago:
powerful, elegant, but absolutely not user-friendly. But nobody is claiming
that it is (same with git).

I suspect in the next couple of years, you'll see an explosion of really nice
tools to make this setup even easier than it is now.

Until then, I'll keep fiddling and try to get wireguard running on my macOS
client/ubuntu server setup.

~~~
mbrock
Try putting something like this on your Mac in
/usr/local/etc/wireguard/foo.conf:

    [Interface]
    PrivateKey = redacted
    Address = 10.100.0.3/24

    [Peer]
    PublicKey = redacted
    AllowedIPs = 10.100.0.0/24
    Endpoint = 18.xxx.xxx.xxx:51820
    PersistentKeepalive = 25

and then doing

    sudo wg-quick up foo

You should see something like

    INFO: (utun2) 2018/12/16 18:43:24 Starting wireguard-go version 0.0.20181018
    [+] Interface for foo is utun2
    [#] wg setconf utun2 /dev/fd/63
    [#] ifconfig utun2 inet 10.100.0.3/24 10.100.0.3 alias
    [#] ifconfig utun2 up
    [#] route -q -n add -inet 10.100.0.0/24 -interface utun2
    [+] Backgrounding route monitor

That's assuming you have a matching server config set up on your Ubuntu...

------
chrisper
Hmm. There still doesn't seem to be a Windows client.

~~~
zx2c4
It's actually under fairly consistent and active development right now.
Hopefully we'll have something to share soon.

~~~
Blueliner
Hello Jason, could you please give an estimated availability date for the
Windows client and a valid link to the section of your repo/website where
someone can follow the progress? I have searched extensively for any info on
the schedule, road map, estimated availability for this and have had no luck
finding any info about this very important client for Wireguard. I have been
patiently waiting for this and holding off on other Windows VPNs but need
something very soon. Thanks for your help.

------
the_common_man
Does wireguard work with docker?

~~~
Snawoot
[https://www.wireguard.com/#ready-for-containers](https://www.wireguard.com/#ready-for-containers)

------
jwr
I've been trying out Wireguard with IVPN
([https://ivpn.net/](https://ivpn.net/)) and so far I'm impressed. Very quick
tunnel setup (especially important on mobile iOS devices) and great
performance afterwards.

~~~
Youden
For anyone looking at retail VPN services, Mullvad and AzireVPN also offer it.

~~~
huxflux
So does Astrill, they just updated their client.

------
orliesaurus
What exactly does IP forwarding do on the server?

~~~
drbawb
The author is setting up NAT w/ the iptables rule in the POSTROUTING chain
that does `-j MASQUERADE`. With that rule in place, combined with `allowed-ips
0.0.0.0/0` on the wireguard client, the client can tunnel all their IP traffic
through the server as opposed to just having a private subnet setup between
the two endpoints.
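An added example, not code from the thread, the linked article or the WireGuard project: a small parser for wg-quick style .conf files that cross-checks a client/server pair of the kind mbrock posted above and tells you whether the client is a full tunnel (`AllowedIPs = 0.0.0.0/0`), which is exactly the case where the server needs IP forwarding plus the POSTROUTING `MASQUERADE` rule drbawb describes. The two configs are constructed: the keys are base64 placeholders of the right length (not real WireGuard keys), `192.0.2.10` is a documentation address standing in for the server, and `eth0` is an assumed uplink interface name.

```python
"""Added example: parse and cross-check a wg-quick client/server config pair.
Configs are constructed; keys are placeholders, not real WireGuard keys."""
import base64
import binascii
import ipaddress
import re


def _placeholder_key(fill: int) -> str:
    """Base64 of 32 identical bytes: the shape of a WireGuard key, not a real one."""
    return base64.b64encode(bytes([fill]) * 32).decode()


# Constructed client config, shaped like the one posted in the thread.
# AllowedIPs = 0.0.0.0/0 makes this a full tunnel: all client traffic goes via the server.
CLIENT_CONF = f"""
[Interface]
PrivateKey = {_placeholder_key(1)}
Address = 10.100.0.3/24

[Peer]
PublicKey = {_placeholder_key(2)}
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
"""

# Constructed server config. eth0 is an assumed uplink interface; the PostUp hook
# enables forwarding and NATs tunnel traffic out of it, as the article's iptables rule does.
SERVER_CONF = f"""
[Interface]
PrivateKey = {_placeholder_key(3)}
Address = 10.100.0.1/24
ListenPort = 51820
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = {_placeholder_key(4)}
AllowedIPs = 10.100.0.3/32
"""


def parse_conf(text: str):
    """Return [(section_name, {key: value})] with names and keys lowercased.
    Comments start with '#'; a value may itself contain '=' (PostUp hooks do)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (m.group(1).lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        current[1][key.strip().lower()] = value.strip()
    return sections


def is_key(value: str) -> bool:
    """A WireGuard key is exactly 32 bytes of valid base64."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except binascii.Error:
        return False


def networks(value: str):
    """Split a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]


def is_full_tunnel(client_conf: str) -> bool:
    """True if any peer claims a default route (0.0.0.0/0 or ::/0) in AllowedIPs."""
    return any(net.prefixlen == 0
               for name, sec in parse_conf(client_conf) if name == "peer"
               for net in networks(sec.get("allowedips", "")))


def check_pair(client_conf: str, server_conf: str) -> list:
    """Cross-check the mistakes that most often leave a wg-quick pair silently not working."""
    client, server = parse_conf(client_conf), parse_conf(server_conf)
    c_iface = next(s for n, s in client if n == "interface")
    s_iface = next(s for n, s in server if n == "interface")
    c_peers = [s for n, s in client if n == "peer"]
    s_peers = [s for n, s in server if n == "peer"]
    problems = []

    for sec in (c_iface, s_iface):
        if not is_key(sec.get("privatekey", "")):
            problems.append("PrivateKey is not 32 base64 bytes")
    for sec in c_peers + s_peers:
        if not is_key(sec.get("publickey", "")):
            problems.append("Peer PublicKey is not 32 base64 bytes")

    # Client Endpoint must be host:port and match the server's ListenPort when one is set.
    listen_port = s_iface.get("listenport")
    for peer in c_peers:
        host, _, port = peer.get("endpoint", "").rpartition(":")
        if not host or not port.isdigit():
            problems.append(f"Endpoint {peer.get('endpoint')!r} is not host:port")
        elif listen_port and int(port) != int(listen_port):
            problems.append(f"Endpoint port {port} != server ListenPort {listen_port}")

    # Cryptokey routing: the server only accepts/sends packets for a peer's AllowedIPs,
    # so the client's tunnel address must be covered by some server [Peer].
    client_addr = ipaddress.ip_interface(c_iface["address"]).ip
    if not any(client_addr in net for p in s_peers for net in networks(p.get("allowedips", ""))):
        problems.append(f"server has no [Peer] whose AllowedIPs cover {client_addr}")

    # A full-tunnel client is useless unless the server forwards and NATs its traffic.
    if is_full_tunnel(client_conf):
        hooks = s_iface.get("postup", "")
        if "ip_forward=1" not in hooks:
            problems.append("full tunnel but server PostUp does not enable ip_forward")
        if "MASQUERADE" not in hooks:
            problems.append("full tunnel but server PostUp has no MASQUERADE rule")
    return problems


if __name__ == "__main__":
    print("full tunnel:", is_full_tunnel(CLIENT_CONF))
    print("problems:", check_pair(CLIENT_CONF, SERVER_CONF))
```

Swap the client's `AllowedIPs` for `10.100.0.0/24` and `is_full_tunnel` turns false: that is the split-tunnel case where only the private subnet is routed and the server needs neither forwarding nor NAT.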

------
ronnier
Any recommended iOS client?

~~~
tosh
WireGuard for iOS (beta via Testflight App):
[https://lists.zx2c4.com/pipermail/wireguard/2018-November/00...](https://lists.zx2c4.com/pipermail/wireguard/2018-November/003526.html)

~~~
Youden
I've been using it for a while and I've found it quite usable and reliable.
Blows OpenVPN's iOS client out of the water actually.

------
bmurray7jhu
Wireguard is UDP only. The reliance on UDP means wireguard is unusable in many
networking environments.

~~~
Youden
For those in this unfortunate position, you can run a TCP <-> UDP conversion
without much difficulty:
[https://lists.zx2c4.com/pipermail/wireguard/2018-March/00250...](https://lists.zx2c4.com/pipermail/wireguard/2018-March/002508.html)

WireGuard works just fine like this.

