Wireguard is in the Linux kernel
I’m very happy to hear that Wireguard has made it into the Linux kernel and will be part of Linux 5.6!
Wireguard was quite a relief for me after wrestling with OpenVPN before, for multiple reasons. I've been a happy user for about a year now, and I can wholeheartedly recommend it.
Wireguard is really pushing the state of the art forward for VPNs:
- high performance (it’s part of the kernel)
- very simple setup
- no wrestling with OpenSSL or X.509 certificates
- key management[1] comparable to OpenSSH, keys fit on one line
- excellent apps for Android and iOS
- full config files can be provided as QR codes
- it does not drain your battery (a mostly stateless protocol)
- support for many platforms apart from Linux through a user space implementation
An example configuration
To get an idea, this is a /etc/wireguard/wg0.conf configuration file very similar[2] to the one I use on my Laptop right now:

```ini
[Interface]
PrivateKey = WG8r5DNvD2KlZORhJ2XgzW3lWO8i5GJqZBePt98EgUY=
Address = 192.168.23.10/32
DNS = 192.168.23.1

[Peer]
PublicKey = 6qzH9hJbyPFp+GJJoxsBaPhUEl4mVKTGNP433xLWhBc=
PresharedKey = LiWmdHZN/Jizhv1h0qTGeslci2yZIyrkEDjrx3bUomE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.gnoack.org:9999
```
This contains our own device’s private key and configured IP in the VPN, as well as a list of peer hosts with their public keys and the IP addresses they are making available.
Note the symmetry: A server-side configuration looks the same, but with more peer entries.
The command `wg-quick up wg0` brings the configuration up as a new device and sets appropriate routes.
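Because the whole configuration is a handful of one-line values, it is easy to sanity-check before handing it to wg-quick. The following script is an added example (not code from the post or from the WireGuard project) that parses a wg0.conf, checks that every key is a 32-byte base64 value of the kind `wg genkey`, `wg pubkey` and `wg genpsk` produce (see footnote 1), verifies that the private key is Curve25519-clamped the way `wg genkey` leaves it, parses Address, AllowedIPs and Endpoint, and flags the one setting above that silently turns the peer into a full tunnel: an AllowedIPs entry with prefix length 0. The embedded sample is the example configuration from the post; the function names and the finding texts are this example's own.

```python
import base64
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the example wg0.conf from the post (example values).
SAMPLE_CONF = """\
[Interface]
PrivateKey = WG8r5DNvD2KlZORhJ2XgzW3lWO8i5GJqZBePt98EgUY=
Address = 192.168.23.10/32
DNS = 192.168.23.1

[Peer]
PublicKey = 6qzH9hJbyPFp+GJJoxsBaPhUEl4mVKTGNP433xLWhBc=
PresharedKey = LiWmdHZN/Jizhv1h0qTGeslci2yZIyrkEDjrx3bUomE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.gnoack.org:9999
"""

Section = Dict[str, str]


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse the INI-like wg(8) format into one [Interface] dict and a list of [Peer] dicts."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        # Split on the FIRST '=' only: base64 keys end with '=' padding.
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def decode_key(value: str) -> bytes:
    """A WireGuard key (private, public or preshared) is exactly 32 bytes, base64-encoded."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw


def is_clamped(private_key: bytes) -> bool:
    """wg genkey clamps Curve25519 scalars: low 3 bits of byte 0 cleared,
    bit 7 of byte 31 cleared and bit 6 of byte 31 set."""
    return (private_key[0] & 0x07) == 0 and (private_key[31] & 0xC0) == 0x40


def lint_wg_conf(text: str) -> List[str]:
    """Return a list of human-readable findings; malformed keys/addresses raise ValueError."""
    interface, peers = parse_wg_conf(text)
    findings: List[str] = []
    if "PrivateKey" not in interface:
        findings.append("Interface: missing PrivateKey")
    elif not is_clamped(decode_key(interface["PrivateKey"])):
        findings.append("Interface: PrivateKey is not clamped (not produced by wg genkey?)")
    for addr in interface.get("Address", "").split(","):
        if addr.strip():
            ipaddress.ip_interface(addr.strip())  # raises on garbage
    for idx, peer in enumerate(peers):
        decode_key(peer["PublicKey"])  # every peer must carry a valid public key
        if "PresharedKey" in peer:
            decode_key(peer["PresharedKey"])
        else:
            findings.append(f"Peer {idx}: no PresharedKey (optional extra symmetric layer)")
        nets = [ipaddress.ip_network(n.strip())
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if any(n.prefixlen == 0 for n in nets):
            findings.append(f"Peer {idx}: AllowedIPs contains a /0, all traffic is routed via this peer (full tunnel)")
        if "Endpoint" in peer:
            host, port = peer["Endpoint"].rsplit(":", 1)
            if not host or not 1 <= int(port) <= 65535:
                findings.append(f"Peer {idx}: invalid Endpoint {peer['Endpoint']!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_wg_conf(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the only finding is the full-tunnel note for the single peer, which is exactly what the post's AllowedIPs line intends; on a server-side file with many peers the same check is what tells you a client could have configured itself as everyone's default route.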
For further reference, Wireguard’s own quickstart page has a better introduction than this one here (with a video).
Disclaimer: I’m not affiliated with Wireguard, but I received a big stack of stickers[3] from Jason Donenfeld after a talk once. Congratulations on the big step forward, and thanks for the great software!
[1] Key management can hardly be simpler than that:

```sh
$ wg genkey > beuys.gnoack.org
$ wg pubkey < beuys.gnoack.org
tw6MlpAFMoQInDC402FndO8Z49/H4cT11BYOHDRkcys=
$ wg genpsk > psk
```

This is a breeze compared to the OpenSSL dance required to get OpenVPN running.

[2] These are example values, of course.

[3] That was really nice. As everyone knows, stickers beat Bitcoin and Ethereum hands down as an underground hacker currency. :) They were quite popular in the sticker exchange where I placed them. 🐉