An introduction to WireGuard VPN
“WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.”
I switched to WireGuard at the beginning of 2020, and in my opinion it is the “king of kings” when it comes to VPN (virtual private networks). It’s completely open source, much faster, and simpler than any other solution I have used. It is also rock solid (stable), and supports Linux, Windows, Mac, Android & iOS.
I often need to access my network remotely and securely, and prior to WireGuard I relied heavily on OpenVPN. Unfortunately, OpenVPN often gave me a lot of headaches, and always when I needed it most. The final straw for me was when I was 3 days away from the office and I simply could not get into my own network, as OpenVPN had stopped working for reasons I still can’t explain.
Getting started
This is not a step-by-step tutorial of how to set up WireGuard as there are literally hundreds of those already online. I just want to point out a few of the things I wish I had understood when I started using it.
The setup is getting a little simpler as mass adoption of WireGuard progresses, but be careful which tutorial you follow. For instance, I suggest you do not use the official quickstart, as it describes literally every step of the setup process, which is both confusing and not needed. Much of that setup and running process has been superseded by the system scripts distributed with WireGuard on modern Linux distributions, so it is best to start from tutorials such as this, this or this, which are targeted at specific distributions.
WireGuard is simple
The WireGuard configuration is simple, dead simple. It is so simple you’d think you were back in dial-up days (hardcoded configs on both the server and clients). There are however a few manual steps you have to take to get it to work. Each machine in the VPN (including the server) has a unique encryption key (private and public key). Every machine (including the server) has a hardcoded configuration, specifying the IP(s) and public keys they are allowed to connect to (or connected from). That’s about it. Depending on your firewall, you may need to set up (literally) a couple of initial rules. Yes it takes a little bit of work to set up, but once it is set up it just works!
Use vanity keys
Once you have your server and clients connected, you’ll note the lack of oversight of who is who from the server. This can be a little annoying, as all you’ll see is something like:
$ wg
interface: wg0
  public key: rsSGp+c6Nb2sAPlmmjCSRnVso6DT2AwYnNBXkLhsDRY=
  private key: (hidden)
  listening port: 5120

peer: LaPToPNnMRcbDQSFQHqBpA+DseDIMPfMPDVAQwADeRY=
  endpoint: 1.2.3.4:21841
  allowed ips: 192.168.100.2/32
  latest handshake: 1 minute, 19 seconds ago
  transfer: 630.98 KiB received, 10.04 MiB sent
Whilst you can of course leave comments in the /etc/wireguard/wg0.conf configuration noting who each key belongs to, the wg command (connection overview) only shows some basic information and public keys, and isn’t (yet?) very intuitive. One thing you can do, however, is use a tool I wrote (wireguard vanity keygen) to generate “vanity public keys”, something like the peer you see above which starts with LaPToP, making it easy to identify in the overview.
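The idea behind such a vanity keygen, as an added example that is neither the author's tool nor WireGuard's own code: WireGuard keys are X25519 keys, so a vanity public key is found by drawing fresh random private keys until the base64 public key happens to start with the wanted text. The X25519 ladder below follows RFC 7748 in pure Python so it runs without extra libraries; the match is case-sensitive and costs roughly 64 tries per prefix character, and because every candidate is still a uniformly random key, the search does not weaken the key you end up keeping.

```python
import base64
import os
# Curve25519 parameters from RFC 7748; WireGuard keys are plain X25519 keys.
P = 2**255 - 19
A24, BASE_POINT = 121665, 9   # (486662 - 2) / 4, and the u-coordinate of the base point

def clamp(private_key: bytes) -> int:
    """Apply the Curve25519 clamping rules to a 32-byte private key."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder scalar multiplication (RFC 7748 section 5)."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def public_key(private_key: bytes) -> bytes:
    """Derive the 32-byte public key that `wg` displays for a private key."""
    return x25519(clamp(private_key), BASE_POINT).to_bytes(32, "little")

def vanity_keypair(prefix: str, max_tries: int = 1_000_000):
    """Draw random keys until the base64 public key starts with prefix (about 64**len(prefix) tries)."""
    for _ in range(max_tries):
        priv = os.urandom(32)
        pub_b64 = base64.b64encode(public_key(priv)).decode()
        if pub_b64.startswith(prefix):
            return base64.b64encode(priv).decode(), pub_b64
    return None  # give up; every rejected candidate is simply discarded

def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """Check that the public key in a peer's config really belongs to its private key."""
    return base64.b64encode(public_key(base64.b64decode(private_b64))).decode() == public_b64
```

keypair_matches is handy when auditing an existing wg0.conf: a PublicKey line that does not match the PrivateKey it is paired with is a sign the config was edited by hand.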
Conclusion
The adoption of WireGuard is picking up huge momentum, and the Linux 5.0 kernel now includes the WireGuard module. Large VPN providers are also starting to offer WireGuard alongside their other VPN services, which I think will also help future versions of WireGuard in terms of server utilities, potentially easier setup, and potential flexibility (such as DHCP support).
In the meantime however, WireGuard definitely gets my vote!