
VPN Audit 2021: WireGuard

James F. Carter <jimc@jfcarter.net>, 2021-00-00

WireGuard

Here are a few quick facts about WireGuard, from the project website:

I have just gone through yet another audit of my VPNs, making sure that they work for all relevant clients and that the vpn-tester program can competently report if they are or aren't working. Currently my two servers run StrongS/WAN IPSec (strongswan-ipsec-5.9.3 on SuSE Tumbleweed) and OpenVPN (openvpn-2.5.3 on SuSE Tumbleweed). The clients have Linux (same versions) and Android: strongSwan VPN Client (version 2.3.3, org.strongswan.android) and OpenVPN for Android (version 0.7.25, de.blinkt.openvpn). Both VPNs work well when properly configured, but they have a number of less than wonderful features:

Responding to shortcomings in existing VPN software, Jason A. Donenfeld in 2015 began to develop WireGuard, a new VPN. It has these features; whether they're scored as good or bad depends on the user's goals.

What are my goals for the VPNs, and how much hassle will it be to make WireGuard deliver what I need, so it can become one of them?

For the symmetric cipher on the main channel, WireGuard uses only ChaCha20Poly1305, for which hardware acceleration is very rare. On the Intel Core® i5-10210U, jimc's tests score it as half as fast as hardware accelerated AES-256 (Rijndael), and twice as fast as software AES-256. This difference would only be significant for a server with thousands of clients.

https://www.wireguard.com/quickstart/

ip link add dev wg0 type wireguard      # pick a name for the tunnel device
ip address add dev wg0 192.168.2.1/24   # optionally add "peer 192.168.2.2" if there is only one peer
wg setconf wg0 myconfig.conf            # the wg utility is provided by wireguard-tools
# --or-- give the same settings on the command line ("peer" takes the peer's base64 public key):
wg set wg0 listen-port 51820 private-key /path/to/private-key peer $itsname \
    allowed-ips 192.168.88.0/24 endpoint 209.202.254.14:8172
ip link set up dev wg0

wg with no arguments is equivalent to wg show, which displays the state of all WireGuard interfaces (e.g. wg0). wg-quick [up|down|...] takes a configuration file (or an interface name, see below).

WireGuard wants base64-encoded private and public keys in its own format; it does not use X.509 certificates to authenticate/authorize the peers. Use "wg genkey | tee privatekey | wg pubkey > publickey" to produce a key pair.
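To make the key format concrete, here is an added example (my own code, not part of the original page and not wireguard-tools' code) that does in pure Python what `wg genkey` and `wg pubkey` do: a WireGuard key is a 32-byte Curve25519 value, base64 encoded as 44 characters ending in a single "=", and the public key is X25519 of the clamped private scalar with the base point u = 9 (RFC 7748). The ladder is written for readability rather than constant time, so it is suited to checking keys and understanding the format, not to protecting real secrets.

```python
import base64
import os

# Curve25519 parameters from RFC 7748: the field prime and the ladder constant (486662 - 2) / 4.
P = 2**255 - 19
A24 = 121665
BASE_POINT_U = 9


def _clamp(priv: bytes) -> int:
    """Curve25519 scalar clamping, then read the 32 bytes as a little-endian integer."""
    k = bytearray(priv)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    """Conditional swap written arithmetically (RFC 7748 style) instead of with a branch."""
    mask = (-swap) & (a ^ b)
    return a ^ mask, b ^ mask


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of scalar times the point with u-coordinate u."""
    x_1 = u
    x_2, z_2 = 1, 0
    x_3, z_3 = u, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (scalar >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P - 2, P) % P


def wg_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def is_wg_key(b64: str) -> bool:
    """True if b64 has the shape wg expects: 44 base64 chars, one trailing '=', 32 raw bytes."""
    if len(b64) != 44 or not b64.endswith("=") or b64.endswith("=="):
        return False
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False


def wg_genkey() -> str:
    """Counterpart of `wg genkey`: 32 random bytes, clamped, base64 encoded."""
    k = bytearray(os.urandom(32))
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return wg_encode(bytes(k))


def wg_pubkey(priv_b64: str) -> str:
    """Counterpart of `wg pubkey`: X25519 of the clamped private scalar with the base point."""
    if not is_wg_key(priv_b64):
        raise ValueError("private key is not 44 base64 characters decoding to 32 bytes")
    pub = x25519(_clamp(base64.b64decode(priv_b64)), BASE_POINT_U)
    return wg_encode(pub.to_bytes(32, "little"))


if __name__ == "__main__":
    sk = wg_genkey()
    print("private:", sk)
    print("public: ", wg_pubkey(sk))
```

The derivation can be checked against the RFC 7748 section 6.1 test vector (Alice's private and public keys), which is what a key produced by the real `wg genkey` / `wg pubkey` pair must also satisfy.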

You may test with their demo server.

So let's try to set something up. For timing purposes, I'm starting this at 2021-10-07 18:00. I'm going to use these basic steps:

Android Client

Make sure there's a client for Android. Install it first but don't try to use it yet. Yes, there is one, called WireGuard, with the serpent logo (®). Inception 2019-10-13, most recent update 11 days ago, 5e5 downloads, offered by WireGuard Development Team. You can import a configuration from a file, or a QR code (!), or create it by hand. I looked but didn't create my connection. 7 mins including reading the product info.

Install on Surya and Petra

The required kernel module is called wireguard.ko and it is in the standard kernel. To pass configuration information to it (plus displaying connection info and generating keys) you need wireguard-tools-1.0.20210914 from the OpenSuSE Tumbleweed main distro. Older versions are available for Leap 15.3 and 15.2. 72Kb to download, 145Kb installed. No dependent packages; it only requires systemd and libc. The package only contains the wg and wg-quick commands, and documentation.

wg-quick is a wrapper around wg for simple configurations. When either command is given just an interface name such as wg0, the corresponding configuration file is sought in /etc/wireguard/wg0.conf, whereas if an absolute pathname is given the interface is inferred from the basename of the conf file. The interface name may be up to 15 bytes of [a-zA-Z0-9_=+.-] . (You don't specify the interface name inside the conf file.)

About 20min to install the packages and read the man pages.

Configuration Files and Key Pairs

See the wg man page for the format and configurable options in the conf file. Here is the client's configuration file for testing. See the genkey subcommand for producing your own keys. The conf file contains your private key (not encrypted), so it should have appropriately restrictive permissions.

[Interface]
PrivateKey = qwerty...=		# 42 base64 bytes, about 256 bits.  Keep the =.
ListenPort = 4886		# Android wakeup port, which my firewall 
				# allows, but I'll have to change this later.

[Peer]
PublicKey = asdfgh...=		# 42 base64 bytes, about 256 bits.
Endpoint = [2600:3c01:e000:306::8:1]:4886	# IPv6 in [], colon its port
AllowedIPs = 
# There can be multiple peers.  

About 25min + to write the conf files.
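As an added example (my own code, not from the page and not wireguard-tools' code), the following Python reads a conf file of the shape shown above and checks the points the text raises: keys of the expected base64 shape, an IPv6 Endpoint in brackets followed by its port, AllowedIPs as address prefixes, the interface-name rule and basename inference from the wg-quick description, and the file permissions, since the PrivateKey is stored unencrypted. The sample configuration and its keys are constructed (base64 of 32 zero bytes stands in for real keys).

```python
import base64
import ipaddress
import os
import re
import stat
import tempfile

IFNAME_RE = re.compile(r"[A-Za-z0-9_=+.-]{1,15}")   # interface name rule quoted in the text
_DUMMY_KEY = base64.b64encode(bytes(32)).decode("ascii")   # constructed: stands in for real keys

SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {_DUMMY_KEY}    # keep the trailing =
ListenPort = 4886

[Peer]
PublicKey = {_DUMMY_KEY}
Endpoint = [2600:3c01:e000:306::8:1]:4886   # IPv6 in [], then :port
AllowedIPs = 192.168.88.0/24, fd00:1::/64
"""

def parse_wg_conf(text):
    """INI-style reader: '#' starts a comment, [Peer] sections may repeat."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        else:
            key, _, value = line.partition("=")   # first '=' only: base64 values end in '='
            current[1][key.strip()] = value.strip()
    return sections

def is_wg_key(b64):
    """44 base64 characters ending in a single '=' that decode to 32 bytes."""
    if len(b64) != 44 or not b64.endswith("=") or b64.endswith("=="):
        return False
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def parse_endpoint(ep):
    """host:port, with an IPv6 literal in [] so its colons are not taken as the port separator."""
    m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\]:(\d+)", ep) or re.fullmatch(r"([^:\[\]\s]+):(\d+)", ep)
    if not m or not 0 < int(m.group(2)) < 65536:
        return None
    return m.group(1), int(m.group(2))

def check_conf(sections):
    """Return a list of problems; an empty list means the file passes this checker."""
    problems = []
    ifaces = [s for name, s in sections if name == "Interface"]
    if len(ifaces) != 1:
        problems.append("exactly one [Interface] section is required")
    if not all(is_wg_key(i.get("PrivateKey", "")) for i in ifaces):
        problems.append("[Interface] PrivateKey is missing or malformed")
    for n, p in enumerate((s for name, s in sections if name == "Peer"), 1):
        if not is_wg_key(p.get("PublicKey", "")):
            problems.append(f"peer {n}: PublicKey is missing or malformed")
        if "Endpoint" in p and parse_endpoint(p["Endpoint"]) is None:
            problems.append(f"peer {n}: Endpoint {p['Endpoint']!r} is not host:port or [v6]:port")
        for cidr in [c.strip() for c in p.get("AllowedIPs", "").split(",") if c.strip()]:
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"peer {n}: AllowedIPs entry {cidr!r} is not an address or prefix")
    return problems

def interface_from_path(path):
    """wg-quick infers the interface from the conf file's basename (wg0.conf -> wg0)."""
    name = os.path.basename(path)
    name = name[:-5] if name.endswith(".conf") else name
    if not IFNAME_RE.fullmatch(name):
        raise ValueError(f"{name!r} is not a valid interface name")
    return name

def private_enough(path):
    """The file holds an unencrypted private key, so no group/other permission bits should be set."""
    return (stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def audit_file(path):
    with open(path) as f:
        problems = check_conf(parse_wg_conf(f.read()))
    if not private_enough(path):
        problems.append("conf file is readable by group or other; chmod 600 it")
    return interface_from_path(path), problems

def demo():
    """Write the constructed sample to a temp dir; audit it at mode 600 and again at 644."""
    path = os.path.join(tempfile.mkdtemp(), "wg0.conf")
    with open(path, "w") as f:
        f.write(SAMPLE_CONF)
    os.chmod(path, 0o600)
    strict = audit_file(path)
    os.chmod(path, 0o644)
    return strict, audit_file(path)
```

Running `demo()` returns a clean audit for the 600 file and one permission complaint for the 644 copy; pointing `audit_file` at `/etc/wireguard/wg0.conf` gives the same checks on a real file. An empty AllowedIPs, as in the draft conf above, is accepted by this checker since it is syntactically valid; it just means no traffic is routed to that peer.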

Connect to Test Server

Connect Petra to Surya

Fix bugs. This will require assigning a new address range for client addresses.

Vpn-Tester to Test WireGuard

Install on Jacinth

Xena to Jacinth VPN

Using the newly installed NetworkManager plugin for WireGuard. Get Xena back on the net.

Configure Android Client

Segment Tunnel

(Jacinth to Surya) from OpenVPN to WireGuard. Fix bugs.