What’s so great about WireGuard?
- Extremely fast.
- Scan-resistant and DoS-resistant. Exposes a single UDP port which does not reply to unauthenticated messages.
- Noise-based protocol provides perfect forward secrecy and immunity to downgrade attacks.
- Appears as a regular network interface which can be managed with standard Linux networking tools (
- Clients for all major operating systems (Android, Linux, Windows, etc). Packages for Debian and derivatives (Ubuntu, Raspberry Pi OS).
- Static list of safe, modern crypto algorithms: ChaCha20-Poly1305 (AEAD), Curve25519 (ECDHE), BLAKE2 (cryptographic hash), etc. No ciphersuites, symmetric cipher modes, or padding algorithms to misconfigure.
- Did I mention that it’s fast?
- Peers are identified by short, Base64-encoded elliptic curve public keys.
- Easy to configure (see below).
Here’s a complete WireGuard client configuration file from my laptop with the keys, hosts, and subnets changed:
```ini
[Interface]
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
Address = 192.168.43.1/32

[Peer]
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
Endpoint = vpn.example.com:53141
AllowedIPs = 192.168.42.0/24
```
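As an added example (not code from the original post or from the WireGuard project), here is a small Python parser for the file format above that checks every key decodes to 32 bytes and then performs the lookup WireGuard does for each outbound packet: the destination is matched against every peer's AllowedIPs, the longest matching prefix wins, and a destination covered by no peer is dropped. The sample file is the configuration shown above, and all function names are my own.

```python
import base64
import ipaddress
SAMPLE_CONF = """
[Interface]
PrivateKey = sEJqK6KqBVkYdMi/66ORZXyD5NFzVcPcq/m0/Sd29m0=
Address = 192.168.43.1/32
[Peer]
PublicKey = WMoOWb0FMF516mGgKMyQefjMvD7xTO8NNCrQJJQnpUE=
PresharedKey = jhhJ1oFjHKEZ8pMK+hmar9SaQEQtJrd2lW6710kQ/d8=
Endpoint = vpn.example.com:53141
AllowedIPs = 192.168.42.0/24
"""  # constructed sample: the client config from the post, with its substituted keys

def decode_key(b64):
    """Curve25519 and preshared keys are exactly 32 bytes (44 Base64 characters)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw

def parse_wg_conf(text):
    """Split an [Interface]/[Peer] file into one dict plus a list of peer dicts."""
    interface, peers, current = {}, [], None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if not line:                                 # skip comments and blank lines
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        else:                                        # "Key = value"; Base64 keys end in '='
            key, _, value = line.partition("=")      # so split on the first '=' only
            current[key.strip().lower()] = value.strip()   # wg(8) matches keys case-insensitively
    for section in [interface] + peers:              # fail fast on any malformed key
        for name in ("privatekey", "publickey", "presharedkey"):
            if name in section:
                decode_key(section[name])
    return interface, peers

def route_peer(peers, dst):
    """Cryptokey routing: return the public key of the peer whose AllowedIPs holds the
    longest prefix covering dst, or None when no peer may receive it (packet dropped)."""
    addr, best = ipaddress.ip_address(dst), None
    for peer in peers:
        for cidr in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (peer["publickey"], net.prefixlen)
    return best[0] if best else None
```

The same check applied on the server side tells you whether a packet arriving from a given peer's source address will be accepted or silently discarded, since AllowedIPs also filters inbound traffic.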
By the way, if you’re trying to route traffic from a client on a common reserved subnet (e.g. 192.168.1.0/24) to a network behind a VPN with the same subnet, take a look at the DNATs and Maps section of my NFtables Examples article.