Apr 27, 2019

Wireguard: An easy way to build VPNs

Last week i came across the following tool:

If you want to build up a VPN you can choose one of the following strategies:
  • based on IPSec
  • using TLS
(These two are the options to choose - of course there are some others...)

The nice thing with wireguard (from the linux point of view) is, that the wireguard interfaces are handled like all other  network interfaces on your device.

If you are really interested in this way, you should read the whitepaper. Here some excerpts:

... IPSec ... updating these data structures based on the results of a key exchange, generally done with IKEv2 [13], itself a complicated protocol with much choice and malleability. The complexity, as well as the sheer amount of code, of this solution is considerable. Administrators have a completely separate set of firewalling semantics and secure labeling for IPsec packets.
... based solution that uses TLS. By virtue of it being in user space, it has very poor performance—since packets must be copied multiple times between kernel space and user space—and a long-lived daemon is required; OpenVPN appears far from stateless to an administrator.
A WireGuard interface,wg0, can be added and configured to have a tunnelIP address of10.192.122.3in a/24subnet with the standard ip(8)utilities...
One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated,WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided bynot allowing unauthenticated packets to influence any state. And more generally, it is possible to implement WireGuard in a way that requires no dynamic memory allocation at all, even for authenticated packets, as explained in section 7.
So next step is to install this VPN solution and see, if the administration is really so easy as promised...

No comments:

Post a Comment