WireGuard

WireGuard is a VPN solution, an alternative to IPSec. It’s Linux-only, but aims to eventually support multiple platforms.

WireGuard interfaces act just like normal network interfaces. Configure them with ip-address, set routes with ip-route, etc. The wg utility handles the WireGuard-specific stuff.

WireGuard does “cryptokey routing” by associating each peer public key with a list of allowed IP addresses. Received traffic is decrypted and authenticated by the key, but only passed through the interface if the source IP matches one allowed in the list. When sending a packet, the list of allowed addresses acts like a routing table. When receiving a packet, the list of allowed addresses acts like an access control list.
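The following is an added example, not code from this page or from WireGuard itself: a simplified Python model of the allowed-IPs table showing both roles described above. The peer key labels and addresses are constructed placeholders, and the longest-prefix lookup is a plain list scan standing in for the real data structure.

```python
import ipaddress

# Constructed sample table: peer public key label -> allowed IPs.
# The key strings are placeholders, not real WireGuard keys.
PEERS = {
    "PEER_A_PUBKEY": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBKEY": ["10.0.0.3/32", "192.168.0.0/16"],
}

def build_table(peers):
    """Flatten the config into (network, peer) pairs, most specific first."""
    table = [(ipaddress.ip_network(cidr), key)
             for key, cidrs in peers.items() for cidr in cidrs]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, addr):
    """Longest-prefix match: return the peer that owns addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, key in table:
        if ip in net:
            return key
    return None

def route_outbound(table, dst):
    """Sending: allowed IPs act as a routing table keyed on destination.
    None means no peer claims the address, so the packet is dropped."""
    return lookup(table, dst)

def accept_inbound(table, authenticated_peer, src):
    """Receiving: allowed IPs act as an ACL keyed on the inner source IP.
    authenticated_peer is the key that decrypted and authenticated the
    packet; the source must map back to that same peer."""
    return lookup(table, src) == authenticated_peer

TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ("192.168.10.7", "192.168.20.7", "8.8.8.8"):
        print("send to", dst, "->", route_outbound(TABLE, dst))
    # Peer B holds a valid key but claims an address assigned to peer A.
    print("B as 192.168.10.7 accepted:",
          accept_inbound(TABLE, "PEER_B_PUBKEY", "192.168.10.7"))
```

The last case is the security-relevant one: a peer with a valid key still cannot inject packets sourced from an address outside its own allowed list.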

Fri Nov 17 14:44:28 EST 2017