I’ve been using WireGuard since late 2019. Several months ago I installed the Android client on my phone and tablet, and the Windows client in a Windows 10 VM.
A few months ago I was able to disable external SSH access to my home network and public servers, and a few weeks ago disabled external IMAPS access too.
What’s so great about WireGuard?
- Extremely fast.
- Scan-resistant and DoS-resistant. Exposes a single UDP port, and a handshake packet is silently dropped unless its MAC is valid under the recipient's public key, so a port scanner gets no reply at all.
- Noise-based protocol provides perfect forward secrecy and immunity to downgrade attacks.
- Appears as a regular network interface which can be managed with standard Linux networking tools (ip, nft, etc).
- Clients for all major operating systems (Android, Linux, Windows, etc). Packages for Debian and derivatives (Ubuntu, Raspberry Pi OS).
- Static list of safe, modern crypto algorithms: ChaCha20-Poly1305 (AEAD), Curve25519 (ECDH), BLAKE2s (cryptographic hash), etc. No ciphersuites, symmetric cipher modes, or padding algorithms to misconfigure; nothing is negotiated on the wire.
- Did I mention that it’s fast?
- Peers are identified by short, Base64-encoded elliptic curve public keys.
- Easy to configure (see below).
Here’s a complete WireGuard client configuration file from my laptop with the keys, hosts, and subnets changed:
```ini
[Interface]
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
Address = 192.168.43.1/32

[Peer]
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
Endpoint = vpn.example.com:53141
AllowedIPs = 192.168.42.0/24
```
That’s it.
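Because the peer identity is nothing more than a 32-byte Curve25519 public key, the server-side stanza for this client can be derived from the client file alone. The script below is an added example (mine, not from the original article or the WireGuard project): it parses a wg-quick style file, checks that every key decodes to exactly 32 bytes, that Address, Endpoint and AllowedIPs parse, that no two peers claim the same AllowedIPs prefix, and then computes the client's public key with an inline RFC 7748 X25519 ladder and prints the matching `[Peer]` block for the server. The embedded config is a constructed copy of the one above with the same placeholder keys and `vpn.example.com`; the X25519 implementation is a readable reference, not a constant-time one.

```python
import base64
import ipaddress

P = 2**255 - 19                     # Curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, little-endian


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (reference code, not constant time)."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7) & ((1 << 255) - 1) | (1 << 254)        # clamp the scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def decode_key(b64: str) -> bytes:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key {b64!r} decodes to {len(raw)} bytes, expected 32")
    return raw


def public_key(private_b64: str) -> str:
    return base64.b64encode(x25519(decode_key(private_b64), BASEPOINT)).decode()


def parse_config(text: str) -> tuple:
    """Minimal INI parser for wg-quick files. Key names are case-insensitive, like wg's own."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "interface":
                cur = iface
            elif section == "peer":
                cur = {}
                peers.append(cur)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if cur is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        cur[key.strip().lower()] = value.strip()
    return iface, peers


def check_config(text: str) -> dict:
    """Validate a client config and build the [Peer] stanza the server needs for it."""
    iface, peers = parse_config(text)
    pub = public_key(iface["privatekey"])
    addrs = [ipaddress.ip_interface(a.strip()) for a in iface["address"].split(",")]
    warnings, claimed = [], {}
    for n, peer in enumerate(peers):
        decode_key(peer["publickey"])
        if "presharedkey" in peer:
            decode_key(peer["presharedkey"])
        if "endpoint" in peer:  # host:port, host may be a bracketed IPv6 literal
            host, _, port = peer["endpoint"].rpartition(":")
            if not host or not 1 <= int(port) <= 65535:
                raise ValueError(f"bad Endpoint {peer['endpoint']!r}")
        for item in peer["allowedips"].split(","):
            net = ipaddress.ip_network(item.strip())
            if net in claimed:  # cryptokey routing: a prefix belongs to exactly one peer
                warnings.append(f"{net} listed for peers {claimed[net]} and {n}; "
                                "wg keeps only the last assignment")
            claimed[net] = n
            if net.prefixlen == 0:
                warnings.append(f"peer {n}: {net} sends all traffic of that family through the tunnel")
    # The PSK is symmetric, so the server's stanza carries the same value as peer 0.
    stanza = ["[Peer]", f"PublicKey = {pub}"]
    if peers and "presharedkey" in peers[0]:
        stanza.append(f"PresharedKey = {peers[0]['presharedkey']}")
    stanza.append("AllowedIPs = " + ", ".join(f"{a.ip}/{a.max_prefixlen}" for a in addrs))
    return {"public_key": pub, "warnings": warnings, "server_peer": "\n".join(stanza)}


# Constructed sample: the article's client config with its placeholder keys and host.
SAMPLE = """\
[Interface]
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
Address = 192.168.43.1/32

[Peer]
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
Endpoint = vpn.example.com:53141
AllowedIPs = 192.168.42.0/24
"""

if __name__ == "__main__":
    result = check_config(SAMPLE)
    print("client public key:", result["public_key"])
    print(result["server_peer"])
    for w in result["warnings"]:
        print("warning:", w)
```

On a real host you would compare the printed public key against `wg pubkey < privatekey` (or `wg show`) rather than trust a Python ladder; the point here is to see that the whole identity is one X25519 scalar multiplication and that the server side needs only the derived public key, the shared PSK and the client's /32.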
If you’ve ever struggled with the mountain of configuration needed for IPsec or a TLS VPN like OpenVPN, then the example above should be a breath of fresh air.
By the way, if you’re trying to route traffic from a client on a common reserved subnet (ex: 192.168.1.0/24) to a network behind a VPN with the same subnet, take a look at the DNATs and Maps section of my NFtables Examples article.