Training: WireGuard

Training Module: WireGuard (Section 7) — pfSense Plus Fundamentals and Practical Application

Introduction

WireGuard is a very new VPN technology that is entirely stateless.

  • Tends to be very performant
  • Lives in the kernel space
  • Uses “Crypto-Key Routing”
  • Ensures traffic is routed to the correct destination
  • Very little status info — it works or it doesn’t
  • Easy roaming between networks
  • Peer endpoint IP is updated automatically
  • Configuration may be more time-consuming

Simplified Codebase

WireGuard has a dramatically smaller codebase compared to traditional VPN solutions:

Protocol    Lines of Code
IPsec       ~400,000
OpenVPN     ~600,000
WireGuard   ~4,000

Less Code = Greater Efficiency

Rigid Crypto Protocols

WireGuard uses modern, rigidly defined cryptographic protocols:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305
  • Curve25519 for ECDH
  • BLAKE2s for hashing and keyed hashing
  • SipHash24 for hashtable keys
  • HKDF for key derivation

Site-to-Site

WireGuard creates a local wg0 interface. Peers have their own public & private keys.

  • Exchange public key with peers
  • Crypto-key routing — looks up peer wg0 address and public key
  • Forwards traffic out local wg0 interface to peer

Local Setup

Some assembly required:

  1. Activate the service
  2. Give wg0 a local IP/mask
  3. Generate Public/Private keys
  4. Assign wg0 to an OPT interface
  5. Create a gateway
  6. Open WG port on firewall
  7. Create firewall rules to allow traffic

Peer Setup

Required information for peer configuration:

  • Peer’s initial end-point IP
  • Peer’s public key
  • Peer’s wg0 IP (typically same as allowed IPs)

Assuming the peer’s firewall is set up, try a ping!
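The crypto-key routing behaviour described in the Site-to-Site and Peer Setup sections, modelled as an added example (this is not code from the Netgate slides or from WireGuard itself). The peer keys and subnets are constructed placeholders; the point is that each peer’s allowed IPs serve as both the outbound routing table (longest-prefix match, independent of the kernel routing table) and the inbound source-address filter.

```python
# Added example (not from the Netgate slides): a model of WireGuard's
# "crypto-key routing". Each peer's AllowedIPs list is used twice:
# to choose the peer (and so the public key) for an outbound packet,
# and to reject inbound packets whose source is not owned by the sender.
import ipaddress

# Constructed sample peer table: placeholder public keys -> allowed IPs.
# The hub carries a default route, so longest-prefix match matters.
PEERS = {
    "SITE_A_PUBKEY_placeholder": ["10.10.0.2/32", "192.168.20.0/24"],
    "SITE_B_PUBKEY_placeholder": ["10.10.0.3/32", "192.168.30.0/24"],
    "ROADWARRIOR_PUBKEY_placeholder": ["10.10.0.10/32"],
    "HUB_PUBKEY_placeholder": ["0.0.0.0/0"],
}


def _entries(peers):
    # Flatten to (network, pubkey) pairs so both lookups share one structure.
    return [(ipaddress.ip_network(cidr), key)
            for key, cidrs in peers.items() for cidr in cidrs]


def outbound_peer(dst_ip, peers=PEERS):
    """Return the public key of the peer an outbound packet to dst_ip goes to.

    WireGuard selects the most specific (longest-prefix) AllowedIPs entry
    across all peers; a destination covered by no entry is dropped (None),
    whatever the host routing table says.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, key in _entries(peers):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    return best[1] if best else None


def inbound_allowed(src_ip, peer_key, peers=PEERS):
    """Return True if a decrypted packet from peer_key may carry src_ip.

    The same AllowedIPs list is enforced on receipt: a packet that
    authenticates as peer_key but claims a source address outside that
    peer's AllowedIPs is silently discarded.
    """
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net, key in _entries(peers) if key == peer_key)


if __name__ == "__main__":
    print(outbound_peer("192.168.30.7"))    # SITE_B_PUBKEY_placeholder
    print(outbound_peer("172.16.0.1"))      # HUB_PUBKEY_placeholder (default)
    print(inbound_allowed("192.168.30.5", "SITE_A_PUBKEY_placeholder"))  # False
```

This is also why “routing table not a factor” in the summary holds: the peer lookup is keyed entirely on allowed IPs, and a spoofed source inside the tunnel is dropped before it reaches the firewall rules.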

Summary

  • WireGuard is completely stateless
  • Updated crypto protocols
  • Uses crypto-key routing — routing table not a factor
  • Requires its own OPT interface and gateway
  • Very limited status information
  • It works, or it doesn’t

Source: Netgate pfSense Training — FUND001-LIVE-SLIDE-SEG7-WG.pdf (© 2017 Rubicon Communications dba Netgate)