Justinaquino: Created page with "NOTOC
'''Training Module: WireGuard (Section 7)''' — pfSense Plus Fundamentals and Practical Application
== Introduction == WireGuard is a very new VPN technology that is entirely stateless. * Tends to be very performant * Lives in the kernel space * Uses “Crypto-Key Routing” * Ensures routing traffic to correct destination * Very little status info — it work..."

2026-04-23T07:09:24Z

Created page with "__NOTOC__ <div style="background:#e7f3ff;border:1px solid #a3c6ff;padding:10px;margin-bottom:15px;"> '''Training Module: WireGuard (Section 7)''' — pfSense Plus Fundamentals and Practical Application </div> == Introduction == WireGuard is a very new VPN technology that is entirely stateless. * Tends to be very performant * Lives in the kernel space * Uses “Crypto-Key Routing” * Ensures routing traffic to correct destination * Very little status info — it work..."

New page

__NOTOC__

<div style="background:#e7f3ff;border:1px solid #a3c6ff;padding:10px;margin-bottom:15px;">
'''Training Module: WireGuard (Section 7)''' — pfSense Plus Fundamentals and Practical Application
</div>

== Introduction ==

WireGuard is a very new VPN technology that is entirely stateless.

* Tends to be very performant
* Lives in the kernel space
* Uses “Crypto-Key Routing”
* Ensures routing traffic to correct destination
* Very little status info — it works or it doesn’t
* Easy roaming between networks
* Endpoint IP always updated
* Configuration may be more time-consuming

== Simplified Codebase ==

WireGuard has a dramatically smaller codebase compared to traditional VPN solutions:

{| class="wikitable"
|-
! Protocol !! Lines of Code
|-
| IPsec || ~ 400,000
|-
| OpenVPN || ~ 600,000
|-
| '''WireGuard''' || '''~ 4,000'''
|}

Less Code = Greater Efficiency

== Rigid Crypto Protocols ==

WireGuard uses modern, rigidly defined cryptographic protocols:

* '''ChaCha20''' for symmetric encryption, authenticated with '''Poly1305'''
* '''Curve25519''' for ECDH
* '''BLAKE2s''' for hashing and keyed hashing
* '''SipHash24''' for hashtable keys
* '''HKDF''' for key derivation

== Site-to-Site ==

WireGuard creates a local wg0 interface. Peers have their own public & private keys.

* Exchange public key with peers
* Crypto-key routing — looks up peer wg0 address and public key
* Forwards traffic out local wg0 interface to peer

== Local Setup ==

Some assembly required:

# Activate the service
# Give wg0 a local IP/mask
# Generate Public/Private keys
# Assign wg0 to an OPT interface
# Create a gateway
# Open WG port on firewall
# Create firewall rules to allow traffic

== Peer Setup ==

Required information for peer configuration:

* Peer’s initial end-point IP
* Peer’s public key
* Peer’s wg0 IP (typically same as allowed IPs)

Assuming peer’s firewall is setup, try ping!

== Summary ==

* WireGuard is completely stateless
* Updated crypto protocols
* Uses crypto-key routing — routing table not a factor
* Requires its own OPT interface and gateway
* Very limited status information
* '''It works, or it doesn’t'''

== Next Module ==
* [[Training Lab 7: WireGuard|Lab 7: WireGuard — Site-to-Site VPN Configuration]]

----
<small>'''Source:''' Netgate pfSense Training — FUND001-LIVE-SLIDE-SEG7-WG.pdf (© 2017 Rubicon Communications dba Netgate)</small>

Training: WireGuard - Revision history