Hoffman Lab Tech Talk

1. Wireguard
A Virtual Private Network Tunnel
Eric Roberts
Hoffman Lab

2. Why Bother?
● A personal VPN Tunnel
○ The alternatives to Wireguard are very unfriendly
○ Runs everywhere including your phone
● Access to your own network and not a single machine
○ Network attached storage
○ More than one computer behind a firewall
● Single encrypted point of network access to a container
● Need to access to internet resources available from your own network

3. Maybe not for me?
● Only need access to a single machine
○ Probably should just use ssh, remote desktop, etc.
● No personal network

4. Virtual Private Network
● A private network that can be connected to from
another device through a public network (e.g. the
internet)
● When you connect to the VPN, you are effectively
part of the private network

5. Wireguard
● Likely the simplest VPN tunnel to setup
compared to all existing competitors
● Open source
● Cryptographically secure
● Works on all major OSes
○ Linux adopted kernel support in 2020

6. How it works
● Create a virtual network interface
● Create a private and public cryptographic key
○ Give your public key away to all networks you
want to connect to using wireguard
● Place public keys of networks you wish to connect
to in your own configuration

7. wg0 - The virtual interface
● Manage the device like any other network device
on the system
○ Use existing tools to assign it an IP address
and for routing management (if necessary)
■ e.g. ip-address(8), ifconfig(8), etc.
○ OS specific

9. Subnet selection
● RFC 1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The subnet you connect from should *not* match the
one you are connecting to in order to avoid IP
routing conflicts.

10. IP4/6 Forwarding
● This is by default enabled on router software
○ No need to touch if running Wireguard on a
router
● Otherwise look up specific to your OS where your
running your host interface

11. Wireguard specifics
● Permitted peers are managed by a given pair:
○ Public key
○ Virtual interface IP address (wg0)
[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

12. Endpoints
● The endpoint is the IP address and port of the
machine you wish to connect to
● Allowed IPs refers to the address assigned to the
wireguard virtual interface (wg0)
[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 24.42.42.42:51820
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0

13. Wireguard key generation
$ wg genkey > privatekey # Create private key in file `privatekey`
$ wg pubkey < privatekey > publickey # Create public key
$ wg set wg0 private-key privatekey # Sets wg0 device’s private key

14. Adding peers in Wireguard
$ wg set wg0 peer longhexpublickeygoesrighthere allowed-ips
192.168.8.2/32 # Allow peer with key longhexpublickeygoesrighthere to
connect with IP 192.168.8.2

15. Summary
● If you need a VPN - use Wireguard
● Create a wireguard network interface
○ Forward IP4/IP6 traffic if necessary
○ Assign it an IP
● Create key pair, give your public key to the
network you wish to connect to and assign the
private key to your own interface
● Add public keys of the networks you want to
connect to

16. Questions?