This document summarizes a presentation about the WireGuard VPN protocol given to the Central Iowa Linux Users Group. It begins with introductions and background about the presenter and the organization. The bulk of the document discusses and compares existing VPN protocols such as PPTP, OpenVPN, and IPSec and their security issues. It then introduces WireGuard as a newer, more lightweight VPN protocol that uses standardized encryption and has no known vulnerabilities. It concludes with demos of installing WireGuard on Ubuntu, macOS, and Android.
2. Welcome to LUG
We meet the third Wednesday of every month (right now in the cloud)
Our website is at http://cialug.org
We have a mailing list
And Slack / IRC
8. What are my options?
• PPTP
• OpenVPN
• IPSec
• WireGuard
9. PPTP
• Stands for “Point-to-Point Tunneling Protocol”
• Introduced in 1995 as an improvement on PPP
• Initially a Windows implementation
• Basic TCP-based tunnel on port 1723
• Most compatible and simple, but not very secure
• NSA likely cracked PPTP traffic
• MS-CHAP v1 & v2 (authentication) are cracked
• MPPE uses the RC4 stream cipher
10. IPSec IKEv2
• Part of the IPSec protocol suite, RFC 7296
• Uses fixed ports, so easier to block
• Can use a large suite of crypto algorithms (3DES, AES, Blowfish, Camellia et al.)
• No known major vulnerabilities, but rumors of an NSA exploit
• In theory faster than OpenVPN
• Implementation: Openswan
11. OpenVPN
• Developed by OpenVPN Technologies, but not an RFC standard
• Uses the OpenSSL library for encryption and supports 3DES, AES, RC5, Blowfish et al.; uses SSL/TLS for key exchange
• No known major vulnerabilities
• Easy to use and configurable: can run on any port, over UDP or TCP
• Not included in any OS, but easy to install
12. WireGuard
• Very fast with low overhead, built from standardized ingredients
• Standardized encryption:
  • ChaCha20 for symmetric encryption (RFC 7539)
  • Curve25519 for ECDH
  • BLAKE2 hashing (RFC 7693)
  • SipHash24 for hashtable keys
  • HKDF key derivation (RFC 5869)
• UDP-based handshake & key exchange with perfect forward secrecy; protects against impersonation and replay attacks
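As an added illustration of the Curve25519 ECDH step listed above (not from the slides or the WireGuard project): a pure-Python transcription of the RFC 7748 X25519 ladder, checked against the RFC's own test vectors, showing what `wg genkey` / `wg pubkey` compute and how two peers arrive at the same shared secret from each other's public keys. It is not constant-time and is for study only; function names are the author's choice.

```python
import base64
import os

P = 2**255 - 19                    # Curve25519 field prime
A24 = 121665                       # (A - 2) / 4 for the curve constant A = 486662
BASE_U = bytes([9]) + bytes(31)    # generator u = 9, little-endian
def clamp(priv: bytes) -> bytes:
    """Scalar clamping from RFC 7748; `wg genkey` applies the same bit fixes."""
    k = bytearray(priv)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)
def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u. Not constant-time (demo only)."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):          # bit 255 is always 0 after clamping
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_private_key() -> bytes:
    """Like `wg genkey`: 32 random bytes, clamped."""
    return clamp(os.urandom(32))

def public_key(priv: bytes) -> bytes:
    """Like `wg pubkey`: the private scalar times the base point u = 9."""
    return x25519(priv, BASE_U)

def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    """ECDH: both peers get the same 32 bytes, which WireGuard feeds into HKDF."""
    return x25519(priv, peer_pub)

def wg_encode(key: bytes) -> str:
    """Keys appear in wg config files as base64 (44 characters for 32 bytes)."""
    return base64.b64encode(key).decode()
```

`wg_encode(public_key(generate_private_key()))` yields the same 44-character string the `wg` tool would print for that private key.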
13. WireGuard (cont.)
• No known major vulnerabilities, but it is new; it has been third-party audited
• Uses UDP and is configurable to any port, but may suffer from traffic shaping more easily
• In-tree support in Linux kernel 5.6; other OSes require installation of a client app