Wireguard is in the Linux kernel
I’m very happy to hear that Wireguard has made it into the Linux kernel and will be part of Linux 5.6!
Wireguard was quite a relief for me after wrestling with OpenVPN before, for multiple reasons. I’m a happy user for about a year now, and I can wholeheartedly recommend it.
Wireguard is really pushing the state of the art forward for VPNs:
- high performance (it’s part of the kernel)
- very simple setup
- no wrestling with OpenSSL or X.509 certificates
- key management1 comparable to OpenSSH, keys fit one line
- excellent apps for
- full config files can be provided as QR codes
- it does not drain your battery (a mostly stateless protocol)
- support for many platforms apart from Linux through a user space implementation
An example configuration
To get an idea, this is a
/etc/wireguard/wg0.conf configuration file
very similar2 to the one I use on my Laptop right now:
[Interface] PrivateKey = WG8r5DNvD2KlZORhJ2XgzW3lWO8i5GJqZBePt98EgUY= Address = 192.168.23.10/32 DNS = 192.168.23.1 [Peer] PublicKey = 6qzH9hJbyPFp+GJJoxsBaPhUEl4mVKTGNP433xLWhBc= PresharedKey = LiWmdHZN/Jizhv1h0qTGeslci2yZIyrkEDjrx3bUomE= AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = vpn.gnoack.org:9999
This contains our own device’s private key and configured IP in the VPN, as well as a list of peer hosts with their public keys and the IP addresses they are making available.
Note the symmetry: A server-side configuration looks the same, but with more peer entries.
wg-quick up wg0 brings the configuration up as a new device and sets
For further reference, Wireguard’s own quickstart page has a better introduction than this one here (with a video).
Disclaimer: I’m not affiliated with Wireguard, but I received a big stack of stickers3 from Jason Donenfeld after a talk once. Congratulations on the big step forward, and thanks for the great software!
Key management can hardly be simpler than that:
$ wg genkey > beuys.gnoack.org $ wg pubkey < beuys.gnoack.org tw6MlpAFMoQInDC402FndO8Z49/H4cT11BYOHDRkcys= $ wg genpsk > psk
This is a breeze compared to the OpenSSL dance required to get OpenVPN running. ↩︎
These are example values, of course. ↩︎
That was really nice. As everyone knows, stickers beat Bitcoin and Ethereum hands down as an underground hacker currency. :) They were quite popular in the sticker exchange where I placed them. 🐉 ↩︎