- how it works internally
- how the routing works in different topologies
- a few complex and simple example setups
- performance expectations
- security model, key & config distribution
- setting up wireguard for, or inside of docker
- GUI tools and other wireguard-related software
- links to other tutorials, references, guides
I feel old and obsolete.
PS Are you an actual pirate?
Congrats on getting in for 5.6 and thank you very much for your years of work on this project. It is extremely impressive.
Next up I'd like to see this be an easy config option in Unifi's network managment tools
I've been using Wireguard via https://github.com/trailofbits/algo for a while now. Of all of the VPN experiences over the last couple of decades, Wireguard has been light-years ahead of the rest.
First: it's fast. If the server is up and you don't have packet loss, you can't tell when it is turned on. For fun, I wrote some trivial automation to automatically and randomly switch between a few wireguard back ends, and I generally can't detect it.
Second: it's easy. For me, an experienced technical user. I don't know enough about the ecosystem to recommend it to less technical people, though given how basically sound it is, I'll be surprised if there aren't really easy and robust front-ends coming up.
I've been using now wireguard for the past two years, really happy with it!
To give you some perspective, it's so easy that my four year old knows how to turn it on when we're traveling and she wants to watch PBS Kids.
Psh, didn't think so. Amateur.
But either way, that seems like a good idea.
Edit: I'm talking about the iOS version, not sure what platform you're using.
However, there are other Android apps that implement Wireguard that do expose their intents. I use Viscerion with Tasker quite happily.
Personally I have the luxury of running the VPN server at home, so I can just always leave it on.
Anyone know if there has been any recent work on making wireguard cover this use case? I'm not really worried about security as I treat this overlay network as just as insecure as any other (running ssh over it) and mitigate exploits by running the tinc daemon as a normal user. But it would still be nice to get more performance and security from an in-kernel quality solution like wireguard.
It should be possible to set something up - but I believe you'd need some kind of managing daemon that helped nodes rendevouz and set up routes.
Compressing first and then encrypting the compressed data works fine though.
Hoping this will will have a pervasive effect like https in the networking world, esp for point to points that glue things together behind the scene. Encrypt all the things!
I can only hope that WireGuard is going to drive a solid piece of hardwood through every "commercial grade" VPN appliance out there, and then desintegrates their heads, too, just to be sure.
But given the inertia of big orgs, and the that public and governmental institutions for one reason or another seem to trust "BIG" names with "BIG" (i.e. bloated) products and marketing more, than small, easily auditable stuff, I don't see it happening… sadly.
Security is largely about checking boxes to reduce liability, and FIPS is a checkbox.
Corporate IT is unbelievably conservative. It's all still about Active Directory, Windows domains, and SSL VPNs with FIPS certification and AD support.
Sure you can use Samba / OpenLDAP / half a dozen of IMAP/SMTP servers for groupware but holy hell administering it is an utter hellhole of a mess compared to the MS offerings.
Corp IT cares about two things: retraining costs for employees and admins, and efficiency. And Apache Directory Studio just doesn't cut it compared with AD Editor.
It's actually rather stable, and can integrate with nearly everything.
AD can optionally replicate by sending email (SMTP) between sites.
i know this option has existed till atleast 2008.
The more productive approach is to work on convincing stodgy enterprises that FIPS is a bad thing (which it is).
Industry prefers FIPS 140-2 because cryptographic expertise is extremely scarce and, prior to AES, commercial products were choc-a-bloc with broken hand-rolled cryptography. It's a rational decision to delegate selection of primitives to NIST.
I think FIPS 140-2 is aging poorly, but I think that's in part because all cryptographic standards are aging poorly; like, the whole concept: top-down standardization efforts with whole cryptosystems designed by committee have a very poor track record, and probably aren't the right vehicle to improve cryptographic soundness in the industry.
NIST SP 800-186 (Draft) has the curve definitions. But says only for Ed25519, not for X25519. They have a Weierstrass curve W-25519 that is isomorphic to Curve25519 that might allow using X25519 code, but that's way above my ability to judge. 'tptacek or 'jedisct1 or others will know.
I use Linux since 1993 and love it. All my servers are on Linux. Managing them as a group is a nightmare. I would love to have an umbrella à la AD to have all servers and users unified inside.
The strengths of AD are more related to client software, where many of them uses the policy mechanisms therein for management. Maintaining servers isn't what it does best.
This is a large part of the reason why "the cloud" is pretty much Linux native.
It has limited to no use to manage users and their passwords or authorizations, their control over machines, remote access to a share and zillons other usages you need specialized software for. AD has it all natively.
- users management? NIS
- configuration management? ansible / salt
- machines management? none (we use a homebrew system based off salt)
- shared storage? NFS
- policies? salt or ansible if they are common to groups of machines, or NIS if for people
I would love to have a unified tool (similar to what Zen was trying to do 20 years ago) but I do not know any. What AD does for Windows is nice (though I do not use Windows servers but I see their management from the side), Linux was intended to be standalone and this is what there are so many specialized, but disconnected management systems.
Take NFS as an example. Let's say all your users with meets certain criteria needs an NFS share named after their user and with an ACL that gives some running software access to drop files there. Maybe this share should be mounted on every machine where this software is present, regardless of who own it or where it runs. You write this rule in Puppet code and then it is guaranteed to be true for everyone forever.
Note that we didn't even need to feed Puppet any new information to do this. All the data required to implement the change was already in the configuration database. (Which is not even a real database but only the result of existing rules.)
Compare with a product such as AD. It doesn't really do the management for you. You can store the data there, but then you need to write a script to implement this change across your server farm. This need to be maintained, and regularly checked re-run to check for changes. Someone has to schedule this. When conditions change, the software which got access changes id, or is installed in another way, the script needs to be maintained accordingly.
Having this version controlled adds another aspect to this. Since everything is text, if you find this rule you can follow the commits and see exactly who brought this into production and when.
It's interesting that you refer to Linux as a standalone system. Linux and other unices have their roots not in single instance "personal computers" but in multi user environments. This is why to this day Linux admins treat everything as text and work mostly by text commands. Others may find this archaic but without this and without version control we could never maintain large homogenous environments. You might say that automation is built into the very way we use these systems.
If security companies adopt WireGuard, expect things like PulseSecure to remain as a wrapper around WireGuard. They'll at least standardize on a performant and verifiable VPN solution.
Right now there exist the "default" tools, which require a manual exchange of key pairs and do only very rudimentary user mapping and authorization.
However: It is perfectly possible to implement much more complex authorization schemes, with all the two step auth, logging, etc. you desire. Somebody has to write the tools for that, still. But the nice thing is, that this is a pretty much independent task, which you could do over any transport/protocol you desire (HTTPS, SSH, custom made, etc.).
An idea I've had for a longer time, but don't have the time to actually invest developing it, is using wireguard for a pure IPv6 mesh VPN.
- The ULA network part would be the key-id (lower bits) of the mesh public key (i.e. with knowledge of the mesh private key you can join the mesh), used for the mesh setup.
- The Host part would be each individual host's key-id (again lower bits of the public key).
Since wireguard uses Cryptokey Routing (https://www.wireguard.com/#cryptokey-routing) this would directly map.
> IP addresses are derived from cryptographic keys, to reduce the need for public key infrastructure
WireGuard's open source. Also you should bring these points up on the mailing lists. Even if you're not the one who writes it, mentioning it should put it on peoples' radar.
But that does not mean that it will stay that way. There's already effort at wg-dynamic, for dynamic allocation of ip addresses (as opposed to static allocation, which is current status quo in wireguard).
Later, it might be worth of effort to try running 802.1x over wireguard for authentication and accounting.
I'm wondering if this would be a use case for eBPF
I'm not sure that will happen. I mean, we had multiple solutions very close to what wg provides already. They're not as trivial to configure, but it would definitely be easier than creating a custom java applet instead.
Whatever makes enterprise VPN so bad, it doesn't seem to be the availability of better tech.
I've used it privately for a while and it is much better than anything else.
This might quite literally be F5’s reasoning behind their BIG-IP Edge VPN client. :)
Whether you can actually trust an HTTPS site or an IMAP connection when you're in a hotel in China is another problem that a VPN can solve. The CA infrastructure is ridiculously fragile, especially now that HPKP is dead in the water.
Securely and reliably connecting all my devices with WireGuard was a big reminder to me that there's a much better internet hiding under the hub-and-spoke consumer services model. The internet can be so much more than our phones connecting to large data centers.
I'm hoping that the 1.0 release will prompt Netgate to consider inclusion in pfSense.
I'm happy they're being cautious. The inclusion in the Linux kernel is perhaps (to Netgate) a sign that things are headed in the right direction.
As far as FreeBSD, all that exists today is a userspace package (AFAIK). Again, I'm hoping someone sees this as a step forward and will start working on the FreeBSD port.
I'm glad to see progress and hoping for more of it!
Which will make your wireguard VPN unreachable.
Still, cool. cool, cool cool. I wonder how long until it's in debian.
Edit: Someone running wg in userspace and can share some experiences with either implementation?
I know you mean in stable, but it's been in unstable for 3+ years now!
They make a good point about two-factor auth.
I'm essentially worthless as a user: I'm a college student and would be unwilling to pay much; I might possibly convert to a serious customer but that would be years and years down the line when everything is different.
I'd also be massively underutilizing it to connect a handful of devices and max two or three users.
I put my email address in your system, and am crossing my fingers.
A network configuration is basically: a port, a name, a set of peers(public key, external ip, wireguard ip). If you want, you can distinguish between master and slave peers (=the slaves do not know/trust each other; master knows everyone)
My VPN provider has said they won't support WireGuard until it hits 1.0
Most of other solutions don't come close to that.
> WireGuard is currently working toward a stable 1.0 release. Current snapshots are generally versioned "0.0.YYYYMMDD" or "0.0.V", but these should not be considered real releases and they may contain security quirks (which would not be eligible for CVEs, since this is pre-release snapshot software). This text will be removed after a thorough audit.
AFAIK there are some major issues with wireguard that have to be resolved before it's practical for commercial VPNs.
There's a few fundamental issues with wireguard that make it relatively unsuitable for commercial VPNs with many customers.
For a start, if you want to offer customers multiple concurrent devices, each device needs it's own key, and all keys for all customers' devices need to be loaded into kernel memory and cross checked against every packet received, which as you might imagine gets incredibly unwieldy and could savagely impact the performance of PIA servers.
When wireguard has the ability to hook a userspace daemon when it receives a valid-looking packet with unrecognised encryption, it'll be a lot closer to usable in commercial contexts, as the daemon could poke a database or cache to load the required keys on demand
Does anyone know how this compares with OpenVPN? Is is worth setting up my own wiregaurd machine?
Granted I don’t generally watch a ton of streaming video and it’s mostly just me on my network, but no issues watching YouTube or doing anything else.
I really can’t state enough how much I love my wireguard/pi hole setup.
Not relevant for most home internet connections
> much simpler to set up than OpenVPN
> and it's much, much more secure than OpenVPN.
That’s uselessly vague. Do you mean the protocol, the implementation approach, the underlying crypto, or what?
> Not relevant for most home internet connections
Why it is not relevant?
Much nicer to use in pretty much every aspect.
What is your preferred method for getting a WireGuard server installed on your home network?
Have a Linux machine that listens for incoming WireGuard connections, then it only takes generating server keys (private, public) and then adding your client's keys to the WireGuard configuration file. Setting up an OpenVPN server on a Linux box is quite a bit more involved.
Depending on just how our of date it is, that could be an issue: https://openvpn.net/security-advisories/
Redsocks is a transparent proxy, though. That'll redirect system-wide. I think you're thinking of your basic socks proxy - `ssh -D`.
That news aside, this is an outstanding commit message. The kernel never disappoints on those.
To temper expectations, though, this is slated for 5.6, which won't be released for another ~120 days or so. After that point it will trickle down to distros. So there's some time yet before users start seeing the direct consequences of this exciting announcement, but it'll be coming.
very happy with the performance and stability, thanks a lot for your work!
EDIT: I mean, if I am on debian and I have kernel 5.6-build123, a patch to Wireguard would mean I will need to upgrade to 5.6-build124 ?
Network Namespaces and VRFs are the correct way to approach this I think: https://www.kernel.org/doc/Documentation/networking/vrf.txt
On the other hand: No built-in client in any of the mobile OSes, so a third-party client install is required.
What you essentially end up with is that a wireguard interface represents a point to multipoint non-broadcast network. Any one that has dealt with Frame Relay or ATM can tell you what a headache dealing with dynamic routing over such a network can be. Fun things like having to hand configure your OSPF neighbors. This can be overcome by configuring each Wireguard peer to a separate interface essentially making the interface a point to point network or using another tunneling protocol overtop of Wireguard such as GRE or L2TP. But you quickly lose any simplicity advantage.
Even for something like a static floating route for backup Wireguard can be more complex because a Wireguard interface once turned up will not show as down unless manually turned down. This means the connection has to be monitored and the backup route installed based upon the monitoring criteria. Again nothing that can't be overcome but doing so raises the complexity.
Unless you are assigning each peer to a different Wireguard interface and setting allowed-ips to all ips you also have to figure out how to update the allowed-ips for peers to be updated as the routing changes.
Personally I would have preferred if allowed-ips didn't exist and each peer was assigned to a sub-interface whose status could change based upon keepalives. Then the normal ip routing and filtering facilities of the kernel could have been used instead of the current situation where you have some amount of filtering and routing effectively being done by the Wireguard interface and then some being handled by the kernel.
I used to contribute quite a bit to the Wireguard package for Ubiquity routers but stopped when I switched to ipsec. It was apparent that Wireguard was more complex to setup and troubleshoot for even slightly advanced scenarios.
As for your statement that it is faster that greatly depends upon the platform being used. It is faster than OpenVPN almost everywhere but many network devices have SoCs that provide slow CPUs and acceleration for ipsec or at least the crypto underlaying it. On those platforms it often is not faster than ipsec.
Don't get me wrong despite my comments overall I think Wireguard is pretty darn nifty and am happy to see it included in the kernel. I just think it needs more tooling developed around it before it can be a less complex replacement for ipsec in even some fairly basic scenarios.
This doesn't even cover the enterprise road warrior VPN scenarios where Wireguard currently lacks many of the more advanced enterprise features of OpenVPN or proprietary offerings from the likes of Cisco, Pulse Secure or Citrix. Hopefully development of the additional protocols and tools needed to add support for more advanced scenarios is accelerated now that Wireguard will be in the kernel. Of course once these are added there is the risk that a Wireguard based feature comparative implementation ends up just as bloated and complex to audit as any of the current alternatives.
More people should be using VPN-like-tunnels as an access solution, but don't, because every VPN other than WireGuard builds in extra complexity to support use cases they don't have. What the industry desperately needed was a trustworthy VPN that was as simple to set up as SSH, and that's effectively what WireGuard is.
I agree preemptively: if your VPN is complex enough that you're running OSPF for it, for now, you should probably stick with IPsec, even though commercial IPsec implementations aren't trustworthy. But WireGuard will accommodate complex VPNs long before IPsec or OpenVPN get as simple for the straightforward "get access to staging Postgres" use case as WireGuard is.
The areas where Wireguard is clever versus simple is where the complexity for advanced scenarios has crept in. If the protocol had implemented a mapping of peers to interfaces or sub-interfaces, left ip filtering purely to the system firewall and depended upon system routing capabilities it would be less complex to use in more advance scenarios and need not be more complex in simple scenarios.
In simple scenarios wg-quick could have been responsible for the needed routing and firewall changes. It already makes some routing and DNS configuration changes.
SSH is even way more flexible there, and it’s really not great at that.
If you’ve managed to deploy WireGuard at scale with your clients, I’d like to be proven wrong!
In terms of speed, they are comparable. The great benefit of WireGuard is simplicity on Linux compared to the configuration nightmare that is StrongSWAN, but implementing IPsec/IKEv2 on OpenBSD using OpenIKEd is roughly comparable if you use Let's Encrypt certificates.
You can get really inexpensive GL.inet GL-MT300N-V2 "mango" boxes (about $20) that will provide transparent WireGuard or OpenVPN encryption for a device that doesn't support VPNs out of the box (ahem, a Smart TV or streaming box, to bypass geo restrictions). They don't support IPsec.
Can run. OpenVPN is UDP 1194 by default.
TCP-over-TCP is a well known tricky problem, so it's not something you want to run unless you have to.
...and more. Put some minimum effort in yourself, man!
It's reasonable to ask the community for opinions/analysis. I'm fine with telling people to do their own research for simple facts/processes, but "how do these things compare" is potentially subjective, depends on experience, and IMO is a suboptimal fit for websearching.