WireGuard: a new-generation kernel-level VPN tool

What is WireGuard?

WireGuard is an easy-to-configure, fast, and secure open source VPN that uses modern cryptography. Its goal is a faster, simpler, leaner general-purpose VPN that can be deployed on anything from low-end devices such as the Raspberry Pi up to high-end hardware.

Most other solutions such as IPsec and OpenVPN were developed decades ago. Security researcher and kernel developer Jason Donenfeld realized they were slow and difficult to configure and manage properly.

This led him to create a new open source VPN protocol and solution that was faster, more secure, and easier to deploy and manage.

WireGuard was originally developed for Linux, but is now available for other platforms as well, including BSD. It is still under active development.

Why is WireGuard so popular?

In addition to being cross-platform, one of the biggest advantages of WireGuard is its ease of deployment. Configuring and deploying WireGuard is as easy as configuring and using SSH.

Check out the WireGuard setup guide. Install WireGuard, generate public and private keys (like SSH), set up firewall rules and start the service. Now compare that to the OpenVPN setup guide – there’s so much to do.

Another benefit of WireGuard is its lean code base of only about 4000 lines of code. Compare that to the 100,000 lines of code of OpenVPN, another popular open source VPN. A code base that small is far easier to review and debug.

Don't underestimate it because of its simplicity. WireGuard uses modern cryptographic building blocks: the Noise Protocol Framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.

Because WireGuard runs in kernel space, it can provide secure networking at high speeds.

Characteristics of mainstream VPNs

The mainstream VPNs on the market today include IPsec VPN, SSL VPN, PPTP VPN, L2TP VPN, and so on. All of them have obvious shortcomings in security and performance, as shown in Table 1 below.

[Table 1 (image): comparison of mainstream VPN types]

Introduction to WireGuard

The WireGuard VPN is the most recently developed kernel-level VPN. It was strongly endorsed by Linux creator Linus Torvalds and was officially merged into the Linux 5.6 kernel in March 2020. Google subsequently added WireGuard to the Linux kernel used by Android 12. Its advantages are high security, high performance and low complexity, as shown in Table 2 below.

[Table 2 (image): WireGuard advantages]

Compared to the hundreds of thousands of lines of code for OpenVPN and IPSec, WireGuard has only four thousand lines of code.

Linux creator Linus Torvalds called it "a work of art" on the netdev mailing list (original email: https://lists.openwall.net/netdev/2018/08/02/124):

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

WireGuard Security

  • Curve25519 is currently the state-of-the-art key exchange algorithm (elliptic-curve Diffie-Hellman).
  • ChaCha20 is a symmetric encryption algorithm that is faster and more efficient than AES in software.
  • Poly1305 is a MAC (message authentication code) standard used to verify data integrity and message authenticity.
  • BLAKE2 is a secure cryptographic hash function (in the same role as SHA-1 and SHA-256).
  • SipHash24 is another (keyed) hash function.
  • HKDF is a key derivation function.

WireGuard VPN features

Because the WireGuard VPN is handled 100% in the kernel, it avoids the overhead of crossing between a user-space process and the kernel, which gives it superior performance: throughput is 2 to 4 times that of SSL VPN/OpenVPN, as shown in Figure 1, and latency is only 30%~40% of SSL VPN/OpenVPN, as shown in Figure 2.

[Figure 1 (image): throughput comparison]
[Figure 2 (image): latency comparison]

Higher throughput and lower latency mean that, for the same bandwidth, more VPN users can be served concurrently, the system load stays low, and long-term operation is stable. This is one of the key factors to consider when choosing a VPN, zero-trust or SD-WAN solution for 100 to 10,000 users.

To determine whether a VPN service is handled 100% in the kernel, run the netstat -nap command in a shell and look at the program associated with the VPN server's listening port. If the last column shows a program name, a user-space program is listening; if it shows "-" with no program name, the kernel itself is listening. The statistics for the various VPN servers in the Dadi Cloud Control System are shown in Table 3 below.

[Table 3 (image): kernel vs. user-space listeners for each VPN server]
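The netstat check above, carried out by a small parser as an added example (not code from the article): it classifies each listening socket from netstat -nap output as kernel-owned or owned by a user-space program. The netstat lines are constructed for illustration. One caveat a practitioner needs: netstat also prints "-" for sockets belonging to processes you are not permitted to inspect, so the check is only meaningful when run as root.

```python
"""Classify listening sockets from `netstat -nap` output as kernel- or
user-space-owned (the check described in the text).  Added example; the
netstat output below is constructed, not captured from a real host.

Run netstat as root: for non-root users it prints "-" for every socket
owned by another user, which would look exactly like a kernel listener.
"""

# Constructed sample output, in the column layout printed by net-tools netstat.
# Note that UDP rows have no State column, so the owner is always the LAST field.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1517/openvpn
udp        0      0 0.0.0.0:50107           0.0.0.0:*                           -
"""

SOCKET_PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")


def classify_listeners(netstat_output):
    """Return {(proto, local_address): owner}, where owner is the
    'PID/program' string, or the literal 'kernel' when netstat printed '-'."""
    result = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in SOCKET_PROTOCOLS:
            continue                       # banner, header and blank lines
        proto, local, owner = fields[0], fields[3], fields[-1]
        result[(proto, local)] = "kernel" if owner == "-" else owner
    return result


def kernel_listeners(netstat_output):
    """Only the sockets with no user-space owner: for a WireGuard server this
    is its UDP ListenPort, because the protocol is implemented in the kernel."""
    return sorted(sock for sock, owner in classify_listeners(netstat_output).items()
                  if owner == "kernel")


if __name__ == "__main__":
    for sock, owner in classify_listeners(SAMPLE_NETSTAT).items():
        print(f"{sock[0]:5} {sock[1]:20} {owner}")
```

On a real host, pipe the output in with `netstat -nap | python3 this_script.py` after replacing SAMPLE_NETSTAT with sys.stdin.read(); the classification logic is the same.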

Introduction to the WireGuard VPN key model

The WireGuard VPN is a public-key/private-key system: the encryption parameters consist of one's own private key and the other party's public key, so the communicating parties must exchange public keys in advance. When there are many clients, generating, changing, revoking and exchanging keys, and distributing client configuration files, become a management burden. By contrast, an IKEv2 VPN is a CA-based system: if a CA certificate for a real domain name is used, the step of exchanging public keys in advance can be avoided.
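To make the key model concrete, here is an added example (not code from the article or from the WireGuard project) that implements the Curve25519 key exchange listed in the security section above in pure Python, following RFC 7748, and uses it to show what `wg genkey` and `wg pubkey` produce and why each side only needs its own private key plus the other side's public key: both sides arrive at the same shared secret. It uses plain Python integers, so it is not constant-time; it is for understanding the mechanism, and production code should rely on a vetted library or the wg tools themselves. The function names wg_genkey, wg_pubkey and shared_secret are this example's own.

```python
"""Pure-Python X25519 (RFC 7748) illustrating WireGuard's static keys.

Added example, not from the article or the WireGuard project.  The Montgomery
ladder below uses ordinary Python integers, so it is NOT constant-time and is
for illustration only.
"""
import base64
import os

P = 2 ** 255 - 19                        # field prime of Curve25519
A24 = 121665                             # (486662 - 2) / 4, constant used by the ladder
BASEPOINT = bytes([9]) + bytes(31)       # u = 9, little-endian 32 bytes


def clamp(private_key: bytes) -> bytes:
    """RFC 7748 clamping: clear the low 3 bits (cofactor), clear bit 255,
    set bit 254.  `wg genkey` emits already-clamped keys, so clamping twice
    is harmless."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(private_key: bytes, u_point: bytes) -> bytes:
    """Scalar multiplication on the Montgomery form of Curve25519 (RFC 7748 s5)."""
    k = int.from_bytes(clamp(private_key), "little")
    u = bytearray(u_point)
    u[31] &= 127                         # the top bit of the u-coordinate is ignored
    x_1 = int.from_bytes(u, "little")
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):         # a clamped scalar has 255 significant bits
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:                         # a real implementation uses a constant-time cswap
            x_2, x_3 = x_3, x_2
            z_2, z_3 = z_3, z_2
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) * (da + cb) % P
        z_3 = x_1 * ((da - cb) * (da - cb) % P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3 = x_3, x_2
        z_2, z_3 = z_3, z_2
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey() -> str:
    """What `wg genkey` does: 32 random bytes, clamped, base64-encoded (44 chars)."""
    return base64.b64encode(clamp(os.urandom(32))).decode()


def wg_pubkey(private_b64: str) -> str:
    """What `wg pubkey` does: public = X25519(private, basepoint)."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def shared_secret(my_private_b64: str, their_public_b64: str) -> bytes:
    """The value each side derives from its own [Interface] PrivateKey and the
    other side's [Peer] PublicKey.  WireGuard feeds this into the Noise
    handshake (HKDF, ChaCha20-Poly1305) rather than using it directly."""
    return x25519(base64.b64decode(my_private_b64, validate=True),
                  base64.b64decode(their_public_b64, validate=True))


if __name__ == "__main__":
    server_priv, client_priv = wg_genkey(), wg_genkey()
    server_pub, client_pub = wg_pubkey(server_priv), wg_pubkey(client_priv)
    print("server PublicKey:", server_pub)
    print("client PublicKey:", client_pub)
    print("both sides agree:", shared_secret(server_priv, client_pub)
          == shared_secret(client_priv, server_pub))
```

The test vectors for this construction are the ones published in RFC 7748 section 6.1; the script's own keys are random, which is exactly why public keys have to be exchanged out of band before the tunnel can come up.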

WireGuard installation

  • Official installation manual: https://www.wireguard.com/install/
  • Docker image: https://hub.docker.com/r/linuxserver/wireguard

Add the WireGuard repository on CentOS 7

 curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo 

Install WireGuard on CentOS 7

 yum install -y wireguard-dkms wireguard-tools 

If the download is slow, you can first fetch the rpm package from the WireGuard repository:

 wget https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/epel-7-x86_64/02151984-wireguard-dkms/wireguard-dkms-1.0.20210424-1.el7.noarch.rpm 

Install WireGuard on CentOS 8

 
yum install epel-release
yum config-manager --set-enabled powerTools
yum copr enable jdoss/wireguard
yum install wireguard-dkms wireguard-tools
 

WireGuard configuration

WireGuard configuration notes

  • [Interface] in the server configuration file holds the server's own private key, and [Interface] in the client configuration file likewise holds the client's own private key.
  • [Peer] in the server configuration file holds the client's public key, and [Peer] in the client configuration file holds the server's public key.
  • In short, each side keeps its own private key in [Interface] and the other side's public key in [Peer].

WireGuard server configuration

[Interface]
# Address only needs the virtual address assigned to this host; server and client addresses must be unique and must not conflict
Address = 178.10.10.1/24
SaveConfig = true
# The server firewall only needs to open one UDP port and enable masquerading, so that tunnel traffic is NATed out to the external network
PostUp = firewall-cmd --zone=public --add-port 50107/udp && firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 50107/udp && firewall-cmd --zone=public --remove-masquerade
# Listen on the port opened in the firewall above
ListenPort = 50107
# PrivateKey is the server's private key
PrivateKey = kADzYhPw3F1XCAolbpHQKyPjZE1VQQeyncL60wbFQlM=

[Peer]
# PublicKey is the client's public key
PublicKey = xUh7M1dhWZijlQfZv1bqPAvI8dwCfsdm8RD7NfumqXY=
# AllowedIPs on the server must not contain the server's own external IP range or its own LAN range; list only the segments this host should reach through the VPN.
# Here only the client's virtual address is listed, because the server has no need to reach the client's LAN directly.
AllowedIPs = 178.10.10.2/32

To start the service for the first time, use restart.

 systemctl restart wg-quick@wg0.service 

After subsequent configuration changes, use reload to apply them without tearing the interface down.

 systemctl reload wg-quick@wg0.service 

Once both ends can communicate normally, enable the service so that it starts automatically at boot.

 systemctl enable wg-quick@wg0.service 

WireGuard client configuration

[Interface]
# PrivateKey is the client's private key
PrivateKey = CERouQpIqthDNhcSKqS2I/lexMH9z/pImXajg7QLs3E=
# Address only needs the virtual address assigned to this host; server and client addresses must be unique and must not conflict.
# It must also be covered by the AllowedIPs the server lists for this peer (the server configuration above allows 178.10.10.2/32); otherwise the server drops this client's packets.
Address = 178.10.10.6/32
# Check which network interface carries the WireGuard traffic; here it is eth0
PostUp = iptables -I INPUT -i %i -j ACCEPT; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# PublicKey is the server's public key
PublicKey = yVco0xaLnYtcR1eMjBfRnZ6mmUvmpOSeasS250nLkE4=
# Endpoint is the server's external IP and port
Endpoint = xxx.xx.x.xx:50107
# AllowedIPs must not contain the server's external IP range or this machine's own LAN range; list only the segments this host should reach through the VPN.
# Here the virtual address segment and the server's LAN segment are listed, because this client needs to reach the server's LAN.
AllowedIPs = 178.10.10.0/24,192.168.0.100/24
PersistentKeepalive = 10
 

To start the service for the first time, use restart.

 systemctl restart wg-quick@wg0.service 

After subsequent configuration changes, use reload to apply them without tearing the interface down.

 systemctl reload wg-quick@wg0.service 

Once both ends can communicate normally, enable the service so that it starts automatically at boot.

 systemctl enable wg-quick@wg0.service 
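The configuration notes and the two configurations above hinge on AllowedIPs, which WireGuard uses both as an inbound source filter and as the outbound routing table ("cryptokey routing"). As an added example (not code from the article or from the WireGuard project), the following checker parses a wg-quick style file, validates that every key is 32-byte base64, builds the cryptokey routing table and answers "which peer would this packet be sent to?" by longest-prefix match. It also reports the two mistakes that cost the most time in practice: the same prefix listed on two peers (wg(8) silently moves it to the peer added last, so the earlier peer stops receiving that traffic) and 0.0.0.0/0 on a peer, which routes everything through it. The sample server configuration and its dummy keys are constructed for this example; only the Python standard library is used.

```python
"""Parse a wg-quick configuration and inspect its cryptokey routing table.

Added example, not from the article.  Standard library only.
"""
import base64
import ipaddress


def dummy_key(n):
    """Constructed dummy key: base64 of 32 constant bytes, valid in shape only."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed server configuration modelled on the one in the text:
# a laptop peer and a branch-office router that also announces its LAN.
SAMPLE_SERVER_CONF = f"""\
[Interface]
Address = 178.10.10.1/24
ListenPort = 50107
PrivateKey = {dummy_key(0)}

[Peer]
# laptop
PublicKey = {dummy_key(1)}
AllowedIPs = 178.10.10.2/32

[Peer]
# branch-office router; its LAN is reachable through the tunnel
PublicKey = {dummy_key(2)}
AllowedIPs = 178.10.10.3/32, 192.168.2.0/24
"""


def parse_wg_conf(text):
    """Return (interface, peers).  Hand-rolled because configparser rejects the
    repeated [Peer] sections that wg-quick allows."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def is_wg_key(value):
    """WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def cryptokey_routing_table(peers):
    """Map every AllowedIPs prefix to the index of the peer that owns it.
    A prefix that appears on two peers ends up on the one added last, silently
    taken away from the earlier peer, so such duplicates are reported."""
    table, problems = {}, []
    for idx, peer in enumerate(peers):
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net in table:
                problems.append(f"{net} is claimed by peer {table[net]} and peer {idx}")
            table[net] = idx
    return table, problems


def peer_for(table, destination):
    """Longest-prefix match: which peer is a packet to `destination` encrypted
    for?  None means no peer owns that address and the kernel drops it."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, idx in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, idx)
    return None if best is None else best[1]


def check_config(text):
    """Return a list of human-readable problems; an empty list means clean."""
    interface, peers = parse_wg_conf(text)
    problems = []
    if not is_wg_key(interface.get("PrivateKey", "")):
        problems.append("[Interface] PrivateKey missing or not a 32-byte base64 key")
    if "Address" not in interface:
        problems.append("[Interface] Address missing")
    for idx, peer in enumerate(peers):
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append(f"peer {idx}: PublicKey missing or malformed")
        for cidr in peer.get("AllowedIPs", "").split(","):
            if cidr.strip() in ("0.0.0.0/0", "::/0"):
                problems.append(f"peer {idx}: {cidr.strip()} routes ALL traffic through this peer")
    return problems + cryptokey_routing_table(peers)[1]


if __name__ == "__main__":
    print(check_config(SAMPLE_SERVER_CONF) or "config is clean")
```

Run it against /etc/wireguard/wg0.conf by reading the file instead of SAMPLE_SERVER_CONF; on the client side the same checks apply, with the server's peer typically owning the whole virtual segment plus the remote LAN, exactly as in the client configuration above.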

WireGuard macOS configuration

# Install Homebrew (via a mirror script)
/bin/zsh -c "$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/Homebrew.sh)"
# Configure the homebrew-bottles mirror
echo 'export HOMEBREW_BOTTLE_DOMAIN=https://mirrors.ustc.edu.cn/homebrew-bottles' >> ~/.zshrc
source ~/.zshrc
# Install WireGuard
brew install wireguard-tools

WireGuard daily use

usage:

Usage: wg-quick [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ]

# Save the configuration. Driving it from the command line is more controllable; it is best not to edit the configuration file directly
touch /etc/wireguard/wg0.conf
wg-quick save wg0
# or:
wg showconf wg0 > /etc/wireguard/wg0.conf
# If the peer is behind NAT you may need to delete its Endpoint line, because it cannot be reached actively

# Start/stop
wg-quick up wg0                  # automatically uses the configuration file /etc/wireguard/wg0.conf
wg-quick up /path/to/wg0.conf    # specify the path explicitly
wg-quick down wg0

# Delete a peer
wg set wg0 peer $(cat cpublickey1) remove

WireGuard usage scenarios

The configuration above is a basic point-to-point setup, the simplest usage scenario. Other scenarios are explored below.

Scenario 1: PC-to-LAN

 
# Allow the client to reach all the LANs behind the server (PC-to-LAN, the most common mode).
# Starting from the basic scenario, the following settings are needed:

## on server:
# Add a route for the VPN segment to the enterprise router on the server side:
#   172.30.0.0/24 via [LAN IP of this machine]

## on client:
# Add the server's network segment to the local routing table
ip route add 10.1.0.0/16 via 172.30.0.1
...
# Allow the server network to reach the client (no need for ip link down + up; here 0.0.0.0/0 means all networks)
wg set wg0 peer dLssxxxxxxxxxxxxxxxxxq98NQKOivi3MN/VM= persistent-keepalive 25 allowed-ips 172.30.0.1/32,0.0.0.0/0 endpoint 192.168.11.29:51820

Scenario 2: LAN-to-LAN

# Connect the LANs on both sides into one LAN (LAN-to-LAN).
# Starting from the basic scenario, the following settings are needed:

## on server:
# Add a route for the VPN segment to the enterprise router on the server side:
#   172.30.0.0/24 via [LAN IP of this machine]
# Add a route for the client's network segment to the enterprise router on the server side:
#   192.168.2.0/24 via [LAN IP of this machine]
# ...
# Add the client's network segment to the routing table of this machine
ip route add 192.168.0.0/16 via 172.30.0.2
...
# Allow the client to reach the server network (no need for ip link down + up)
wg set wg0 peer VbR3Kxgxxxxxxxxxxxxxxxxxxxxzq3H4ebdgTng= allowed-ips 172.30.0.2/32,192.168.0.0/24

## on client:
# Add a route for the VPN segment to the enterprise router on the client side:
#   172.30.0.0/24 via [LAN IP of this machine]
# Add a route for the server's network segment to the enterprise router on the client side:
#   10.1.0.0/16 via [LAN IP of this machine]
# ...
# Add the server's network segment to the local routing table
ip route add 10.1.0.0/16 via 172.30.0.1
...
# Allow the server to reach the client network (no need for ip link down + up; 0.0.0.0/0 means all networks)
wg set wg0 peer dLssxxxxxxxxxxxxxxxxx98NQKOivi3MN/VM= persistent-keepalive 25 allowed-ips 172.30.0.1/32,0
 

WireGuard is popular for good reason. Some privacy-focused VPN providers such as Mullvad VPN already use WireGuard, and adoption is likely to grow in the near future. For more on its design, configuration, usage and deployment scenarios, interested readers can refer to the official documentation.
