WireGuard - Trinity College Dublin (fionn/misc/wg/wireguard.pdf)
TRANSCRIPT
WireGuard
“WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.”
— wireguard.com
WireGuard is:
- small: ~4000 LoC means a smaller attack surface and is easily auditable,
- fast: it's lightweight and implemented in the kernel,
- opinionated: makes conservative choices for you,
- simple: authentication works like SSH and most of the networking is just using ip.
Small
- ~4000 LoC (not including cryptographic primitives) is very small.
[Bar chart: lines of code for WireGuard, OpenVPN and IPsec; y-axis 0–400 kLoC]
Small
- Easily auditable: a formal audit of the code hasn't happened yet;
  more secure than OpenVPN, etc.?
Fast
- Layer 3 (only).
- It is small ⇒ lightweight and fast.
- It lives in the kernel, so there is no need to copy packets in and out of userspace.
- Multicore.
- Fast for both transferring and connecting.
Fast
[Chart from https://www.wireguard.com/performance/ (i7)]
Fast
Via iperf3/TCP (running on the WireGuard server):
- ~74 Mb/s, both natively and through the tunnel.
Via iperf3/UDP (running on the WireGuard server):
[Bar chart: native vs WireGuard, 0–250 Mb/s; y-axis "packet loss at y Mb/s"]
Via speedtest (AWS California → San Jose):
[Bar chart: native vs WireGuard vs OpenVPN (SF), 0–250 Mb/s]
Fast
WireGuard is fast on non-x86 devices.
On our routers (Vadim) we get ~100 Mb/s (to California) with CPU at ~20 %.
Compare this to ~60 Mb/s for OpenVPN, CPU at 100 %.
Roughly 2× what they got via OpenVPN: www.skadligkod.se/vpn/wireguard-speed-tests-on-asus-rt-ac86u/
Opinionated
- WireGuard doesn't offer cipher agility.
- Uses modern, conservative cryptography based on Noise.
- ECDH: Curve25519.
  Fast, ephemeral, perfect forward secrecy.
  No TLS, CA, PKI, etc.
- Key derivation: HKDF.
- Symmetric cipher: ChaCha20-Poly1305.
  Fast on all processors, AEAD.
- Hash: BLAKE2s.
- Optional pre-shared key for post-quantum security.
  A 256-bit symmetric secret mixed into the handshake: if Curve25519 is broken later, session keys stay secret only as long as the PSK itself was exchanged out of band and kept secret.
Simple
demo
Server's configuration file

[Interface]
PrivateKey = [server's private key]
Address = 10.10.0.1/24, fd80::1/64
ListenPort = 2307
# SaveConfig = true makes wg-quick rewrite this file from the running state on
# "wg-quick down", overwriting hand edits (including placeholder lines like the ones here).
SaveConfig = true
# Forwarding also needs net.ipv4.ip_forward=1 (and net.ipv6.conf.all.forwarding=1)
# set via sysctl; that step is not on the slide.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [client's public key]
PresharedKey = [preshared.key]
AllowedIPs = 10.10.0.2/32, fd80::2/128
Client's configuration file

[Interface]
PrivateKey = [client's private key]
Address = 10.10.0.2/24, fd80::2/64
ListenPort = 2307
DNS = 10.10.0.1
# Kill switch: with AllowedIPs = 0.0.0.0/0, ::/0 below, wg-quick routes everything through
# the tunnel and marks the tunnel's own UDP traffic with an fwmark. These rules reject any
# non-local egress that does not carry that mark, so nothing leaks if the tunnel goes down.
# They are IPv4 only; the same rules are needed in ip6tables for the ::/0 route.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = [server's public key]
PresharedKey = [preshared.key]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [wireguard server]:2307
Protocol
Silent and stealthy
- WireGuard does not alter state or respond if a packet is unauthenticated.
- WireGuard isn't chatty. This is great for mobile devices.
1-RTT
- No cipher negotiation, etc.
- This makes WireGuard appear stateless.
- It also makes for very fast connection time.
ProtocolDoS Protection
- Handshake responses are smaller than initiation messages (so there is no amplification).
- If a peer is under load, it uses a cookie scheme similar to IKEv2 but manages to:
  stay stealthy;
  prevent the cookie from being MitM'd;
  not allow this scheme to DoS another peer.
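The gating described on the "Silent and stealthy" and "DoS Protection" slides, as an added example that is not from the slides or from the WireGuard code base: a simplified Python model of the mac1/mac2 cookie mechanism. It keeps the protocol's shape (mac1 keyed on the responder's public key, a per-source cookie derived from a random secret the responder replaces every 120 s, mac2 keyed on that cookie, and total silence on a bad mac1) but models the handshake body as opaque bytes and hands the cookie back in the clear; real WireGuard encrypts the cookie reply to the initiator, which is what stops the cookie being MitM'd. The `Responder` and `Initiation` classes, `run_exchange` and the sample addresses are this example's own.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

LABEL_MAC1 = b"mac1----"   # WireGuard's mac1 label constant
COOKIE_REFRESH = 120.0     # seconds; the responder's random cookie secret is replaced at this rate


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed BLAKE2s with a 16-byte tag, as WireGuard's MAC() is defined."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def hash32(data: bytes) -> bytes:
    """Unkeyed BLAKE2s with a 32-byte output, as WireGuard's HASH()."""
    return hashlib.blake2s(data, digest_size=32).digest()


@dataclass
class Initiation:
    body: bytes                  # the Noise handshake fields, modelled here as opaque bytes
    mac1: bytes = b"\x00" * 16
    mac2: bytes = b"\x00" * 16   # all-zero when the initiator holds no cookie


def build_initiation(responder_pub: bytes, body: bytes, cookie: Optional[bytes]) -> Initiation:
    """mac1 proves the sender knows the responder's public key; mac2 proves it
    received a cookie, i.e. that its source address is actually reachable."""
    msg = Initiation(body)
    msg.mac1 = mac(hash32(LABEL_MAC1 + responder_pub), body)
    if cookie is not None:
        msg.mac2 = mac(cookie, body + msg.mac1)
    return msg


@dataclass
class Responder:
    static_pub: bytes
    under_load: bool = False
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    secret_born: float = 0.0
    handshakes: int = 0

    def _cookie(self, src: Tuple[str, int], now: float) -> bytes:
        """cookie = MAC(secret, source IP || port); the secret rotates every 120 s,
        so a cookie is worthless from another address and after two minutes."""
        if now - self.secret_born >= COOKIE_REFRESH:
            self.secret, self.secret_born = secrets.token_bytes(32), now
        ip, port = src
        return mac(self.secret, ip.encode() + port.to_bytes(2, "big"))

    def receive(self, msg: Initiation, src: Tuple[str, int],
                now: float) -> Optional[Tuple[str, Optional[bytes]]]:
        """Returns None (silence), ("cookie_reply", cookie) or ("handshake_response", None)."""
        expected_mac1 = mac(hash32(LABEL_MAC1 + self.static_pub), msg.body)
        if not secrets.compare_digest(expected_mac1, msg.mac1):
            return None   # unauthenticated: no reply and no state change (stealth)
        if self.under_load:
            cookie = self._cookie(src, now)
            if not secrets.compare_digest(mac(cookie, msg.body + msg.mac1), msg.mac2):
                # Cheap fixed-size reply instead of Curve25519 work. Real WireGuard
                # encrypts this reply to the initiator; that step is omitted in this model.
                return ("cookie_reply", cookie)
        self.handshakes += 1  # stands in for the DH/HKDF work and the state a handshake creates
        return ("handshake_response", None)


def run_exchange() -> dict:
    """Constructed scenario: a scanner, a quiet responder, then the same responder under load."""
    rpub = secrets.token_bytes(32)   # placeholder for the responder's Curve25519 public key
    t0 = 1000.0
    r = Responder(rpub, secret_born=t0)
    src, other = ("203.0.113.5", 51820), ("198.51.100.9", 51820)   # documentation-range addresses
    body = b"constructed initiation fields"
    out = {}
    out["junk"] = r.receive(Initiation(body), src, t0)                          # bad mac1: silence
    out["quiet"] = r.receive(build_initiation(rpub, body, None), src, t0)[0]    # mac1 alone suffices
    r.under_load = True
    kind, cookie = r.receive(build_initiation(rpub, body, None), src, t0)       # now only a cookie
    out["loaded_no_cookie"] = kind
    out["loaded_with_cookie"] = r.receive(build_initiation(rpub, body, cookie), src, t0 + 1)[0]
    out["cookie_other_src"] = r.receive(build_initiation(rpub, body, cookie), other, t0 + 2)[0]
    out["cookie_stale"] = r.receive(build_initiation(rpub, body, cookie), src, t0 + COOKIE_REFRESH + 1)[0]
    out["handshakes"] = r.handshakes
    return out


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(f"{k:20} {v}")
```

The last three cases are the point of the scheme: a cookie is tied to the address it was issued to and to the current secret, so it cannot be harvested by one host and spent from another, and an attacker who can flood the responder with cookie requests only costs it one BLAKE2s call per packet rather than a Curve25519 operation.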
Key Rotation
- Keys are rotated every 120 seconds or every 2^64 − 2^16 − 1 messages.
  But it doesn't matter if we miss a rekey, since the handshake is 1-RTT anyway.
Protocol
Roaming
- Cryptokey routing.
- Designed for roaming:
  outages don't affect the tunnel,
  switching networks (e.g. WiFi → 4G) is seamless,
  not much scope for leaks.
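The cryptokey routing that AllowedIPs drives in the configuration files on the "Simple" slides, as an added example that is not from the slides or from WireGuard's own code: a Python model that parses the [Peer] sections of a wg-format config, builds the AllowedIPs table and applies it in both directions, longest-prefix match to pick the peer an outgoing packet is encrypted to, and a source-address check that drops a decrypted packet whose inner source is not in the sending peer's AllowedIPs. The sample configs, the placeholder key names and the class names are constructed for this example; it adds a second peer with a LAN behind it to show the longest-prefix choice, which the slides' two-host setup does not need.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample configs in the slide's format; the keys are placeholders, not real keys.
SERVER_CONF = """
[Interface]
PrivateKey = [server's private key]
Address = 10.10.0.1/24, fd80::1/64
ListenPort = 2307

[Peer]
PublicKey = CLIENT_A_PUBKEY
AllowedIPs = 10.10.0.2/32, fd80::2/128

[Peer]
PublicKey = CLIENT_B_PUBKEY
# a LAN reachable behind client B, in addition to its own tunnel address
AllowedIPs = 10.10.0.3/32, 192.168.50.0/24
"""

CLIENT_CONF = """
[Peer]
PublicKey = SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [wireguard server]:2307
"""


def parse_peers(conf: str) -> Dict[str, List[Network]]:
    """Map each [Peer] PublicKey to its AllowedIPs networks; other keys are ignored."""
    peers: Dict[str, List[Network]] = {}
    section, current = None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section != "peer":
            continue
        if key == "PublicKey":
            current = value
            peers.setdefault(current, [])
        elif key == "AllowedIPs" and current is not None:
            # strict=False masks off host bits rather than rejecting them
            peers[current].extend(ipaddress.ip_network(n.strip(), strict=False)
                                  for n in value.split(","))
    return peers


class CryptokeyTable:
    """The AllowedIPs table used in both directions: route out, filter in."""

    def __init__(self, peers: Dict[str, List[Network]]):
        self.entries = [(net, pk) for pk, nets in peers.items() for net in nets]

    def peer_for(self, address: str) -> Optional[str]:
        """Longest-prefix match of an address against every peer's AllowedIPs."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, pk in self.entries:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, pk)
        return best[1] if best else None

    def route_outgoing(self, dst: str) -> Optional[str]:
        """Outgoing plaintext packet: which peer's key to encrypt it to (None = drop)."""
        return self.peer_for(dst)

    def accept_incoming(self, peer: str, inner_src: str) -> bool:
        """Decrypted packet from `peer`: accept only if its inner source address routes
        back to that same peer, so one peer cannot spoof another peer's addresses."""
        return self.peer_for(inner_src) == peer


def demo() -> dict:
    server = CryptokeyTable(parse_peers(SERVER_CONF))
    client = CryptokeyTable(parse_peers(CLIENT_CONF))
    return {
        "to_client_a": server.route_outgoing("10.10.0.2"),
        "to_client_b_lan": server.route_outgoing("192.168.50.7"),
        "to_unknown": server.route_outgoing("10.10.0.99"),        # no peer owns it: dropped
        "a_spoofs_b": server.accept_incoming("CLIENT_A_PUBKEY", "10.10.0.3"),
        "a_legit_v6": server.accept_incoming("CLIENT_A_PUBKEY", "fd80::2"),
        "client_default_route": client.route_outgoing("8.8.8.8"),  # 0.0.0.0/0 sends all to server
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

This is why the roaming slide says there is "not much scope for leaks": the table is keyed on public keys rather than on endpoints, so a peer whose address changes keeps the same entry, and a packet that decrypts under a peer's key but claims a source outside that peer's AllowedIPs is dropped before it reaches the host's routing stack.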
Protocol
Reviews
- Formal verification. Proven symbolically by Tamarin, a protocol verification tool.
  Analogous protocols have been formally verified too.
  https://www.wireguard.com/formal-verification/
- Audited by humans too: https://eprint.iacr.org/2018/080
Landscape
VPN providers offering WireGuard
- Mullvad (also offering SOCKS5 multihop)
- Azire (for free)
VPN providers allegedly considering it
- ProtonVPN
- PIA
VPN providers that have donated
- Mullvad
- PIA
Support
- Any kernel ≥ 3.10.
- Packaged by pretty much all main Linux distributions, including OpenWrt/LEDE.
- In-tree for a bunch of custom Android ROMs.
- Will become part of the kernel in future.
- wg will become part of ip.
- systemd integration exists.
Userspace
Userspace implementations in:
- Go;
- Rust.
A userspace Android app (in beta) already exists, using wireguard-go.
Links
- WireGuard
  https://www.wireguard.com/
  Thread on obfuscation: https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184.html
- Mullvad
  https://mullvad.net/en/blog/2017/9/27/wireguard-future/
  https://www.mullvad.net/en/blog/2017/12/8/introducing-post-quantum-vpn-mullvads-strategy-future-problem/
  https://www.mullvad.net/en/guides/running-wireguard-router/
  https://www.mullvad.net/en/guides/wireguard-and-mullvad-vpn/
  https://mullvad.net/en/guides/socks5-proxy/#wireguard-socks5
- Azire
  https://www.azirevpn.com/wireguard
- XDA
  https://forum.xda-developers.com/android/development/wireguard-rom-integration-t3711635