WireGuard is free software for setting up a virtual private network (VPN). With a VPN, you open a virtual tunnel between two machines on the internet; the network connection runs through the tunnel as if the computers were directly connected by a network cable. VPNs are often used by large organisations such as research institutes, government departments, and companies, because they make it possible to regulate access to certain resources in the network and to seal off the users’ data stream from the outside world.

A range of mature VPN protocol stacks already exists: IPsec, OpenVPN, L2TP, and PPTP. Providers of VPN solutions build on these protocols to let their users route their own internet traffic through the VPN. More and more VPN providers are integrating WireGuard into their applications because of the protocol’s advantages.

What is WireGuard?

WireGuard is an application and a network protocol for setting up encrypted VPN tunnels. It is licensed as free software under the GPLv2 licence and is available on many platforms. WireGuard is written in C and Go and runs on Windows, macOS, BSD, iOS, and Android.

WireGuard lets you establish an encrypted tunnel. Data streams are directed through the tunnel and are thereby protected against unauthorised access. Besides its focus on strong encryption, WireGuard offers optimisations for mobile systems and Internet of Things (IoT) devices.

WireGuard has been part of the Linux kernel since spring 2020. Since Linux is the standard operating system on billions of networked devices worldwide, WireGuard can be used practically everywhere. Its wide adoption is also helped by the fact that the software is relatively lean and makes only modest demands on the hardware.

What are the features of WireGuard?

The central feature of the WireGuard protocol is cryptokey routing. The IP address ranges permitted within a tunnel are assigned to the public key of a connection partner. The public key identifies the connection partner and is used to decrypt its incoming packets. After decryption, an incoming packet is only accepted if it comes from an IP address that corresponds to that key; otherwise, the packet is discarded.

Unlike the established VPN protocol stacks IPsec and OpenVPN, WireGuard is not a cryptographically agile protocol. Rather than negotiating the cryptographic primitives individually during the handshake phase when establishing a connection, WireGuard is limited to a few fixed options. The cryptographic primitives used are versioned together as one bundle. Should one of these cryptographic foundations become compromised in the future, a new, secure version of the WireGuard protocol will be released. If both communication partners use the new version, the data stream will be protected.

At the time of writing, the following protocols and encryption technologies are used:

  • Noise protocol framework
  • Curve25519
  • ChaCha20
  • Poly1305
  • BLAKE2
  • SipHash24
  • HKDF

What are the advantages of WireGuard?

The lean code base is one of the major advantages of WireGuard. The entire kernel implementation amounts to just around 4,000 lines of code. In comparison, an implementation of OpenVPN or IPsec runs to around 100,000 to 600,000 lines. A smaller code base is inherently easier to secure, as developers can find bugs more easily and the attack surface is minimised.

Even Linux inventor Linus Torvalds, known for his snappy writing style and occasional outbursts, responded with strong praise after inspecting the WireGuard code base:

Quote

‘Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPsec, it’s a work of art.’ – Source: netdev - Re: [GIT] Networking

Besides the increased security, the lower complexity of the software also provides better performance. In benchmark comparisons, WireGuard delivers higher transmission speed and lower latency than competing protocols. Moreover, WireGuard is not a ‘chatty’ protocol: it remains quiet for as long as the user sends no data through the tunnel. This also means less energy is consumed, which has a positive effect on battery life.

Energy efficiency is particularly important for mobile devices, and WireGuard is well positioned in many respects for such applications. For instance, the protocol supports roaming, i.e. the automatic switchover from WLAN to the mobile network and vice versa. And if the connection is lost, reconnecting is usually quicker with WireGuard than with rival protocols.

How does WireGuard work?

In principle, WireGuard is a decentralised, peer-to-peer VPN protocol. Rather than requiring a server, WireGuard can open a tunnel directly between two computers. A WireGuard ‘server’ is simply a machine that holds the connection configurations for multiple peers.

Establishing a connection with WireGuard works much like Secure Shell (SSH): the users (‘peers’) generate public keys with WireGuard and exchange them with one another. Using the keys, the peers mutually authenticate each other and encrypt the data packets for their intended recipient.

In addition to generating the cryptographic keys, the network settings have to be configured on each peer. For more on this, see our guide on setting up WireGuard below. To exchange data, permitted IP address ranges are linked with the cryptographic key on the peers. Packets that do not come from the permitted address ranges are discarded. WireGuard transmits data via the User Datagram Protocol (UDP).

On a peer’s machine, WireGuard is configured with the WireGuard command line tool and the other networking utilities that come with Linux as standard. Although configuring the software is considered relatively easy, WireGuard only serves as a foundation. An app built on top of the protocol can guide users through the individual steps of configuration and setting up a connection. Users of commercial VPN services can therefore enjoy the modern VPN protocol without dealing with the command line.

First steps with WireGuard

Essentially, WireGuard can be installed and configured on a Linux system with little effort. For instance, you can set up your own VPN server on a Raspberry Pi. However, the exact process varies depending on the application, the operating system used, and the existing network environment. Below we outline a general approach that is suitable for testing.

Tip

Install WireGuard on the IONOS vServer and create your own VPN.

Installing WireGuard on your own system

Run the following commands in the command line to install WireGuard on your Linux system:

# for Ubuntu from version 19.10
sudo apt install wireguard
# for Ubuntu versions below 19.10
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

Note

The steps shown are specific to an installation on Ubuntu Linux. You may need to adjust the commands on other systems.

Generating WireGuard keys

As with SSH and PGP, cryptographic keys form the basis for using the WireGuard VPN. The private key must be kept secret. A public key is derived from the private key and shared with peers. This allows peers to encrypt data and send it. Finally, the private key is used to decrypt the encrypted data.

Run the following commands in the command line to generate a private and public WireGuard key:

# Create directory for keys
# WARNING: only for test purposes as it is not protected!
mkdir ~/.wireguard/ && cd ~/.wireguard/
# Set file rights
umask 077
# Generate private key
wg genkey > privatekey
# Generate public key using the private key
wg pubkey < privatekey > publickey
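To show what `wg genkey` and `wg pubkey` actually compute, here is an added Python example; it is not code from this page or from the WireGuard project, whose own implementation is in C. It clamps 32 random bytes into a Curve25519 scalar, derives the public key by multiplying the curve’s base point by that scalar with the X25519 Montgomery ladder from RFC 7748, and checks that two peers arrive at the same shared secret. The pure-Python field arithmetic is for understanding only: it is neither constant-time nor fast, so it must not be used for real keys.

```python
"""Curve25519 key derivation as performed by `wg genkey` / `wg pubkey`.
Added educational example in pure Python; WireGuard's own implementation is in C.
The arithmetic here is neither constant-time nor fast: it is for understanding only."""
import base64
import os

P = 2**255 - 19                          # prime of the Curve25519 field
A24 = 121665                             # (486662 - 2) / 4, constant of the Montgomery ladder
BASE_POINT = (9).to_bytes(32, "little")  # u = 9, the generator every public key is derived from


def clamp(scalar: bytes) -> int:
    """Clamp 32 bytes into a valid Curve25519 scalar (RFC 7748 decodeScalar25519).
    `wg genkey` applies exactly this to its 32 random bytes before base64-encoding them."""
    k = bytearray(scalar)
    k[0] &= 248          # clear the low three bits: scalar becomes a multiple of the cofactor 8
    k[31] &= 127         # clear bit 255
    k[31] |= 64          # set bit 254 so every scalar has the same bit length
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    # Conditional swap; a real implementation does this without a data-dependent branch.
    return (b, a) if swap else (a, b)


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on the Montgomery curve (the ladder from RFC 7748, section 5)."""
    k = clamp(scalar)
    u = bytearray(u_bytes)
    u[31] &= 127                         # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")  # x2 / z2 via Fermat inverse


def genkey() -> str:
    """Like `wg genkey`: 32 random bytes, clamped, base64-encoded (44 characters)."""
    return base64.b64encode(clamp(os.urandom(32)).to_bytes(32, "little")).decode()


def pubkey(private_b64: str) -> str:
    """Like `wg pubkey`: public key = private scalar * base point, base64-encoded."""
    private = base64.b64decode(private_b64)
    if len(private) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    return base64.b64encode(x25519(private, BASE_POINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """Raw Diffie-Hellman result both peers compute. WireGuard feeds this into the
    Noise handshake rather than using it directly, and rejects an all-zero result."""
    secret = x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))
    if secret == bytes(32):
        raise ValueError("low-order peer public key rejected")
    return secret


def rfc7748_selftest() -> bool:
    """Check the ladder against the X25519 test vectors of RFC 7748, section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a, BASE_POINT), x25519(b, BASE_POINT)
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and b_pub.hex() == "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
            and x25519(a, b_pub) == x25519(b, a_pub)
            and x25519(a, b_pub).hex() == "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


if __name__ == "__main__":
    assert rfc7748_selftest()
    alice, bob = genkey(), genkey()
    print("alice private:", alice, "\nalice public: ", pubkey(alice))
    print("same shared secret on both sides:",
          shared_secret(alice, pubkey(bob)) == shared_secret(bob, pubkey(alice)))
```

The 44-character base64 strings that `genkey()` and `pubkey()` return have the same shape as the `privatekey` and `publickey` files written by the commands above, which is why a WireGuard configuration can carry them as plain text; the only secret is the 32 clamped bytes inside the private key.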

Configuring the network settings for WireGuard

Installing WireGuard and generating keys are general preparations that are more or less the same on any system. By contrast, the configuration of WireGuard depends on the existing local network settings. For this reason, only a general approach is shown below. We recommend the quick start guide provided by the WireGuard project for more details.

The general steps for configuring a network connection with WireGuard are as follows:

# The following commands need root privileges (e.g. prefix them with sudo)
# Add WireGuard network interface
ip link add dev wg0 type wireguard
# Configure IP addresses (this machine's tunnel address and that of the peer)
ip address add dev wg0 192.168.2.1 peer 192.168.2.2
# Configure network interface using the configuration file
# (myconfig.conf holds the [Interface] private key and, per [Peer], the public key and AllowedIPs)
wg setconf wg0 myconfig.conf
# Activate network interface
ip link set up dev wg0
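The following Python script is an added example, not code from this page or from the WireGuard project, that models the cryptokey routing described in the sections above using a configuration in the INI-like format that `wg setconf` reads. It parses a constructed `myconfig.conf`, builds the table that maps each peer’s public key to its AllowedIPs, and applies the two checks WireGuard performs on that table: an outbound packet goes to the peer holding the longest matching prefix for its destination, and an inbound packet that was decrypted for a given peer is accepted only if the same lookup on its inner source address yields that peer. That longest-prefix rule is WireGuard’s actual behaviour and goes slightly beyond the summary in the text. The keys, hostname, port and addresses are placeholders, and the decryption step itself is left out because the point is the address check, not the cipher.

```python
"""Toy model of WireGuard cryptokey routing; added example, not WireGuard's own code."""
import ipaddress

# Placeholders standing in for base64-encoded Curve25519 public keys (not real keys).
PEER_A = "<peer-a-public-key>"
PEER_B = "<peer-b-public-key>"

# Constructed sample in the INI-like format that `wg setconf wg0 myconfig.conf` reads.
# Hostname, port and addresses are made up; only private address ranges are used.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = <this-hosts-private-key>
ListenPort = 51820

[Peer]
# laptop: exactly one tunnel address
PublicKey = {PEER_A}
AllowedIPs = 192.168.2.2/32

[Peer]
# branch-office router: a subnet behind it plus the whole tunnel range
PublicKey = {PEER_B}
AllowedIPs = 10.20.0.0/16, 192.168.2.0/24
Endpoint = vpn.example.org:51820
"""


def parse_conf(text):
    """Parse [Interface] and [Peer] sections into (interface_dict, list_of_peer_dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # base64 keys may end in '='
        current[key] = value
    return interface, peers


def build_cryptokey_table(peers):
    """Map each peer's public key to the networks it may use inside the tunnel (AllowedIPs)."""
    table = {}
    for peer in peers:
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        table[peer["PublicKey"]] = nets
    return table


def lookup_peer(table, address):
    """Longest-prefix match of `address` over all peers' AllowedIPs; None if no peer owns it."""
    ip = ipaddress.ip_address(address)
    best_peer, best_len = None, -1
    for pubkey, nets in table.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best_peer, best_len = pubkey, net.prefixlen
    return best_peer


def route_outbound(table, dst):
    """Outbound: the packet is encrypted for the peer that owns the destination, or dropped."""
    return lookup_peer(table, dst)


def accept_inbound(table, peer_pubkey, inner_src):
    """Inbound: a packet decrypted for `peer_pubkey` is kept only if the routing table
    attributes its inner source address to that same peer; otherwise it is discarded."""
    return lookup_peer(table, inner_src) == peer_pubkey


if __name__ == "__main__":
    _, peers = parse_conf(SAMPLE_CONF)
    table = build_cryptokey_table(peers)
    for pubkey, src in [(PEER_A, "192.168.2.2"), (PEER_A, "10.20.5.5"), (PEER_B, "192.168.2.2")]:
        verdict = "accept" if accept_inbound(table, pubkey, src) else "discard"
        print(f"inbound from {pubkey} claiming {src}: {verdict}")
    for dst in ["192.168.2.2", "192.168.2.7", "10.20.1.1", "8.8.8.8"]:
        print(f"outbound to {dst}: {route_outbound(table, dst) or 'no peer, dropped'}")
```

Note the last inbound case: although peer B’s AllowedIPs contain the whole 192.168.2.0/24, a packet from B claiming the source 192.168.2.2 is discarded, because the longest matching prefix for that address belongs to peer A. This is what makes AllowedIPs an access-control list as well as a routing table.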

Summary

WireGuard is a modern, lean challenger to the outdated VPN protocol stacks IPsec and OpenVPN and could largely replace them in the foreseeable future.
