2. Why Bother?
● A personal VPN Tunnel
○ The alternatives to Wireguard are very unfriendly
○ Runs everywhere including your phone
● Access to your own network and not a single machine
○ Network attached storage
○ More than one computer behind a firewall
● Single encrypted point of network access to a container
● Need to access internet resources available from your own network
3. Maybe not for me?
● Only need access to a single machine
○ Probably should just use ssh, remote desktop, etc.
● No personal network
4. Virtual Private Network
● A private network that can be connected to from
another device through a public network (e.g. the
internet)
● When you connect to the VPN, you are effectively
part of the private network
5. Wireguard
● Likely the simplest VPN tunnel to setup
compared to all existing competitors
● Open source
● Cryptographically secure
● Works on all major OSes
○ Linux adopted kernel support in 2020
6. How it works
● Create a virtual network interface
● Create a private and public cryptographic key
○ Give your public key away to all networks you
want to connect to using wireguard
● Place public keys of networks you wish to connect
to in your own configuration
7. wg0 - The virtual interface
● Manage the device like any other network device
on the system
○ Use existing tools to assign it an IP address
and for routing management (if necessary)
■ e.g. ip-address(8), ifconfig(8), etc.
○ OS specific
9. Subnet selection
● RFC 1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The subnet you connect from should *not* match the
one you are connecting to in order to avoid IP
routing conflicts.
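The subnet check described on this slide, as an added example that is not part of the original deck: it takes the network you connect from, the network behind the Wireguard host, and the tunnel network for wg0, confirms each IPv4 range is one of the RFC 1918 blocks quoted above, and reports any overlap between them. The function and its sample networks are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private ranges listed on the slide.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if an IPv4 network sits entirely inside one RFC 1918 block."""
    net = ipaddress.ip_network(net, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def check_subnets(local_lan, remote_lan, tunnel_net):
    """Return a list of problems with a planned VPN address layout.

    local_lan  - the network the client is connecting *from*
    remote_lan - the network behind the Wireguard host it connects *to*
    tunnel_net - the network assigned to the wg0 interfaces themselves
    An empty list means no conflicts were found.
    """
    nets = {
        "local LAN": ipaddress.ip_network(local_lan, strict=False),
        "remote LAN": ipaddress.ip_network(remote_lan, strict=False),
        "tunnel": ipaddress.ip_network(tunnel_net, strict=False),
    }
    problems = []
    for name, net in nets.items():
        if net.version == 4 and not is_rfc1918(str(net)):
            problems.append(f"{name} {net} is not an RFC 1918 private range")
    # Any overlap between the three means a destination address could match
    # both a local route and a VPN route: the routing conflict the slide warns about.
    names = list(nets)
    for i, a_name in enumerate(names):
        for b_name in names[i + 1:]:
            a, b = nets[a_name], nets[b_name]
            if a.version == b.version and a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}: routing conflict")
    return problems


if __name__ == "__main__":
    # Constructed example: a home LAN on 192.168.1.0/24 connecting to a remote
    # LAN that also uses 192.168.1.0/24 collides; renumbering one side fixes it.
    for report in (check_subnets("192.168.1.0/24", "192.168.1.0/24", "10.10.10.0/24"),
                   check_subnets("192.168.1.0/24", "192.168.8.0/24", "10.10.10.0/24")):
        print(report or "no conflicts")
```

Run it before handing out configs: the first call above reports the overlap between the two LANs, the second comes back clean.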
10. IP4/6 Forwarding
● This is by default enabled on router software
○ No need to touch if running Wireguard on a
router
● Otherwise look up how to enable it on the OS where
you're running your host interface
11. Wireguard specifics
● Permitted peers are managed by a given pair:
○ Public key
○ Virtual interface IP address (wg0)
[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32
12. Endpoints
● The endpoint is the IP address and port of the
machine you wish to connect to
● Allowed IPs refers to the address assigned to the
wireguard virtual interface (wg0)
[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 24.42.42.42:51820
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0
13. Wireguard key generation
$ wg genkey > privatekey # Create private key in file `privatekey`
$ wg pubkey < privatekey > publickey # Create public key
$ wg set wg0 private-key privatekey # Sets wg0 device’s private key
14. Adding peers in Wireguard
$ wg set wg0 peer longhexpublickeygoesrighthere allowed-ips 192.168.8.2/32 # Allow peer with key longhexpublickeygoesrighthere to connect with IP 192.168.8.2
15. Summary
● If you need a VPN - use Wireguard
● Create a wireguard network interface
○ Forward IP4/IP6 traffic if necessary
○ Assign it an IP
● Create key pair, give your public key to the
network you wish to connect to and assign the
private key to your own interface
● Add public keys of the networks you want to
connect to
If you’re thinking about trying something like OpenVPN - don’t
There are userspace implementations of Wireguard as well, so even if there's no native kernel support, it can still work on your operating system.
All passing of public keys to other computers and peers on your network is out of scope for wireguard; you must arrange this somehow on your own. Not a big deal, since they are public keys, so there's no security risk involved.
The idea of a virtual network interface is that it's a network interface abstracted away from the underlying hardware. You can have multiple virtual interfaces referring to the same underlying hardware, and the operating system takes care of it.
The most important part about setting up a virtual interface with wireguard is giving it an IP address.
And since you have the interface you have full control of how and what it can access.
The endpoint only needs to be reachable initially. If either peer changes IP address, for example by roaming, wireguard remembers the endpoint it last heard from and updates accordingly.
The PersistentKeepalive option is necessary if you're connecting to a peer behind NAT/firewall, to keep the address translation entry valid.
It's worth noting that on both the server and the client you can have multiple peers.
This has the nice implication that when sending packets from this interface, the allowed IPs acts as a sort of routing table to choose which peer to direct traffic to. And when receiving packets from a peer, the allowed IPs acts as a sort of access control list.
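The two roles of AllowedIPs described above (routing table on the way out, access control list on the way in), together with the peer entries from slides 11 and 12 and the key format from slides 13 and 14, as an added example that is not part of the original deck or of Wireguard itself: a small model that parses the [Peer] sections of a constructed wg-quick style file, checks that each PublicKey is base64 for exactly 32 bytes, picks the outbound peer by longest prefix match, and decides whether an inbound packet from a given peer is accepted by its inner source address. The configuration is constructed for illustration; the two peer public keys are the ones shown on the slides and the private key is a placeholder.

```python
import base64
import ipaddress

# Constructed wg-quick style configuration for illustration only. The two peer
# public keys are the ones shown on the slides; the private key is a placeholder.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.10.1/24
ListenPort = 51820

# A roaming laptop: only its single tunnel address is accepted from it.
[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32

# A gateway peer that is allowed to originate (and receive) any address.
[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 24.42.42.42:51820
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0
"""


def valid_public_key(text):
    """A Wireguard public key is the base64 encoding of exactly 32 bytes."""
    try:
        return len(base64.b64decode(text, validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def parse_peers(conf_text):
    """Collect the [Peer] sections; other sections are skipped."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = {"AllowedIPs": []} if line == "[Peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")  # keys never contain '=', values may
        key, value = key.strip(), value.strip()
        if key == "AllowedIPs":
            current["AllowedIPs"].extend(
                ipaddress.ip_network(v.strip(), strict=False) for v in value.split(","))
        else:
            current[key] = value
    for peer in peers:
        if not valid_public_key(peer.get("PublicKey", "")):
            raise ValueError(f"bad PublicKey in peer: {peer.get('PublicKey')!r}")
    return peers


def select_peer(peers, dst):
    """Outbound: AllowedIPs acts as a routing table, longest prefix wins."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if dst.version == net.version and dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer, src):
    """Inbound: a decrypted packet from this peer is kept only if its inner
    source address lies inside the peer's AllowedIPs (access control list)."""
    src = ipaddress.ip_address(src)
    return any(src.version == net.version and src in net for net in peer["AllowedIPs"])


if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONF)
    print("10.10.10.230 ->", select_peer(peers, "10.10.10.230")["PublicKey"])
    print("8.8.8.8      ->", select_peer(peers, "8.8.8.8")["PublicKey"])
    print("laptop using 10.10.10.231 accepted?", accept_inbound(peers[0], "10.10.10.231"))
```

Two points the model makes visible: a destination covered by both the /32 and the 0.0.0.0/0 entry goes to the /32 peer, and a packet arriving from the laptop peer with any inner source other than 10.10.10.230 is dropped, while the 0.0.0.0/0 gateway peer is trusted for every source address, which is exactly why that entry should only be given to a peer you trust as a gateway.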