I'm very happy to hear that [WireGuard has made it into the Linux
kernel](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=e7096c131e5161fa3b8e52a650d7719d2857adfd)
and [will be part of Linux
5.6](https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html)!

WireGuard was quite a relief for me after wrestling with OpenVPN
before, for multiple reasons. I've been a happy user for about a year now,
and I can wholeheartedly recommend it.

WireGuard is really pushing the state of the art forward for VPNs:

* **high performance** (it's part of the kernel)
* very **simple setup**
  * no wrestling with OpenSSL or X.509 certificates
  * key management[^keymgmt] comparable to OpenSSH, **keys fit one line**
* **excellent apps** for
  [Android](https://play.google.com/store/apps/details?id=com.wireguard.android)
  and [iOS](https://apps.apple.com/de/app/wireguard/id1441195209)
  * full config files can be provided as QR codes
  * it **does not drain** your battery (a mostly stateless protocol)
* [support for many platforms](https://www.wireguard.com/install/)
  apart from Linux through a user space implementation

## An example configuration

To get an idea, this is a `/etc/wireguard/wg0.conf` configuration file
very similar[^example] to the one I use on my laptop right now:

```ini
[Interface]
PrivateKey = WG8r5DNvD2KlZORhJ2XgzW3lWO8i5GJqZBePt98EgUY=
Address = 192.168.23.10/32
DNS = 192.168.23.1

[Peer]
PublicKey = 6qzH9hJbyPFp+GJJoxsBaPhUEl4mVKTGNP433xLWhBc=
PresharedKey = LiWmdHZN/Jizhv1h0qTGeslci2yZIyrkEDjrx3bUomE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.gnoack.org:9999
```

This contains our own device's private key and configured IP in the
VPN, as well as a list of peer hosts with their public keys and the IP
addresses they are making available.

Note the symmetry: A server-side configuration looks the
same, but with more peer entries.

The command `wg-quick up wg0` brings the configuration up as a new device and sets
appropriate routes.
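A config like the one above can be sanity-checked before it is brought up. The following is an added example, not part of the original post or of WireGuard's tooling: the names `parse` and `audit` are hypothetical, and it assumes that every key field decodes from base64 to exactly 32 bytes. It reads the file by hand because a server-side config repeats the `[Peer]` section, which stock INI parsers reject.

```python
import base64, binascii, ipaddress

# Constructed sample: the laptop config above plus a deliberately broken second peer.
SAMPLE = """\
[Interface]
PrivateKey = WG8r5DNvD2KlZORhJ2XgzW3lWO8i5GJqZBePt98EgUY=
Address = 192.168.23.10/32
[Peer]
PublicKey = 6qzH9hJbyPFp+GJJoxsBaPhUEl4mVKTGNP433xLWhBc=
PresharedKey = LiWmdHZN/Jizhv1h0qTGeslci2yZIyrkEDjrx3bUomE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.gnoack.org:9999
[Peer]  # broken on purpose
PublicKey = not-a-key
AllowedIPs = 192.168.23.0/33
"""

KEY_FIELDS = {"privatekey", "publickey", "presharedkey"}

def parse(text):
    """Return [(section, {key: value})] in file order; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 padding stays in value
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for idx, (name, fields) in enumerate(parse(text)):
        for key in sorted(fields.keys() & KEY_FIELDS):
            try:
                ok = len(base64.b64decode(fields[key], validate=True)) == 32
            except (binascii.Error, ValueError):
                ok = False
            if not ok:
                findings.append(f"section {idx} [{name}]: {key} is not a 32-byte base64 key")
        for cidr in filter(None, map(str.strip, fields.get("allowedips", "").split(","))):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"section {idx} [{name}]: bad AllowedIPs entry {cidr}")
    return findings
```

Calling `audit(SAMPLE)` returns two findings, both for the second `[Peer]` section; the sections copied from the post pass cleanly.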

For further reference, [WireGuard's own quickstart
page](https://www.wireguard.com/quickstart/) has a better introduction
than this one here (with a video).

**Disclaimer**: I'm not affiliated with WireGuard, but I received a
big stack of stickers[^stickers] from Jason Donenfeld after a talk
once. Congratulations on the big step forward, and thanks for the
great software!

[^example]: These are example values, of course.
[^keymgmt]: Key management can hardly be simpler than that:

    ```sh
    # Restrict permissions first, so the private key and PSK are not world-readable.
    $ umask 077
    $ wg genkey > beuys.gnoack.org
    $ wg pubkey < beuys.gnoack.org
    tw6MlpAFMoQInDC402FndO8Z49/H4cT11BYOHDRkcys=
    $ wg genpsk > psk
    ```

    This is a breeze compared to the OpenSSL dance required to get OpenVPN running.

[^stickers]: That was really nice. As everyone knows, stickers beat
    Bitcoin and Ethereum hands down as an underground hacker
    currency. :) They were quite popular in the sticker exchange where
    I placed them. 🐉
