VPN - Wireguard's the new BOSS!

· by Raghu Rajagopalan · Read in about 4 min · (780 words) ·
Wireguard vpn utilities

Wireguard

When Linus endorses something like this

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.
— Linus Torvalds
lkml - 02 Aug 2018

You’ve got to take notice…​ Can it be true? Is it really possible that he’s giving high praise to somebody’s code? 99.99% of the times whenever something from Linus hits HN/Reddit, it’s because he’s chewing off somebody’s head(and usually, with good reason). Take, for instance, this from a couple of months ago:

The fact is, using a union to do type punning is the traditional AND STANDARD way to do type punning in gcc. In fact, it is the documented way to do it for gcc, when you are a f*cking moron and use "-fstrict-aliasing" and need to undo the braindamage that that piece of garbage C standard imposes.
— Linus Torvalds
lkml - 05 Jun 2018

In fact, there’s a whole /r/linusrants subreddit dedicated to Linus’s rants

In any case, that sort of praise is enough to pique my curiosity and look a little more into Wireguard. I run a few OpenVPN servers in the cloud - mostly to bypass restrictive proxies at work. Since these are typically on the smallest VM SKUs available on the cloud provider, anything that promises more efficiency and/or lower latency is welcome.

Wireguard vs others

Wireguard vs others
Figure 1. Wireguard vs others

And if that isn’t convincing enough:

  1. Just 4k LoC, modern crypto that’s easy to audit [compared to 100s of Klocs for OpenVPN ]

  2. In kernel module - so a lot more efficient

  3. Set up is very easy - like setting up password less SSH (in fact, easier than that)

Server

Setting up Wireguard is quite easy - there are numerous guides on the internet - the one that I used is here. What’s nice about this particular guide is that it also walks you through setting up a DNS server so that you can prevent against DNS leaks.

Clients

Linux

The Linux CLI client worked pretty flawlessly from my home desktop which is on KDE neon. Wireguard plugins to network manager are still being written - so you’d have to wait for it if you want something pointy/clicky. IMO though, the cli is very very easy.

Android

There’s also an Android app that you can get from the play store after signing up to the beta. Again, worked flawlessly. Do note that this is still user mode - however there are custom ROMs that integrate Wireguard into the kernel [so it’s more efficient and a lot less battery hungry] If LineageOS integrates Wireguard into their default kernel, I’d basically have a good reason to put a custom ROM on the PixelXL.

Issues

I wanted to exclude private network traffic (so everything except 192.168.x.y, 172.16.x.y and 10.x.y.z gets routed through VPN). I changed the wireguard client configuration on my desktop to this:

[Interface]
Address = 10.200.200.2/32
PrivateKey = <snip>
DNS = 10.200.200.1

[Peer]
PublicKey = <snip>
Endpoint = <snip>:2194
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
# AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

That should have done the trick (it’s a list of all networks other than private networks) - but once I enabled the config, it would’nt route traffic - and I’m not exactly sure why. I’ve currently reverted AllowedIPs = 0.0.0.0/0

What’s next

Other than that, Wireguard seems very cool - especially if it gets merged soon and becomes a part of the linux kernel.

Does this mean that we can get rid of OpenVPN? Alas, doesn’t look like it - primarily due to two reasons:

  1. There’s no open source Windows client to Wireguard yet. If Windows is part of your mix, then you should probably stick to OpenVPN. There’s a closed source windows client [TunSafe] but then that goes against the spirit (and even if you don’t give a damn about the spirit, you should choose open source products/solution for anything that’s security sensitive)

  2. Wireguard is UDP only. If outgoing ports are blocked, you can try common ports like 80/443 that are left open - but if UDP is blocked, you’re out of luck

However, Wireguard’s clearly the future - so I’ve setup wg on all my cloud servers. I also plan to set it up on my home router which is basically a way to justify a router upgrade :) since Wireguard client and server are also built into LEDE/OpenWrt

Raghu Rajagopalan's ramblings
     

Latest Posts

Popular Tags

Tips Linux Programming Tools Utilities Howto Vim Rant Troubleshooting Android Java Very cool Python Asp.net Firefox Javascript Kubernetes Web .net Blogging Homelab Shell Unit testing Webservices Xml Cloud General Git Ubuntu Blogger Code Easyblogger Mobile Windows Xbmc .netcore Cygwin Datastructures Devops Ide Kde Logging Microservices Perl Photography Random rambling Raspberrypi Security Sysadmin Virtualbox Vpn Agile Architecture Asciidoc Azure Development Docker Fun Gnome Hardware Hugo Lego mindstorms ev3 Markdown Neovim Networking News Sharepoint Visualbasic Wireguard Wordpress.com