Posted on Sun 12 November 2017

wireguard setup

Wireguard is a new open source VPN system being initially developed on Linux. I have two major use cases for such a thing: site-to-site protection, and backhauling traffic from a laptop or phone to my house.

Wireguard’s differentiators:

  • Small codebase, because there are very few options. For example, there is only one key exchange method and only one encryption method.

  • It uses a virtual network interface, wg0, rather than the exciting and hard to debug policy routing that IPsec usually wants.

  • Very little configuration possible, so very little is needed.

  • Performance is already higher than OpenVPN and IPsec on the same hardware, and may be getting even faster.

  • Currently no built-in key distribution method. The administrator needs to set up a public key pair for each attached device, and find some other method of securely moving those around or verifying them.

  • Currently no integration with general network management systems, though it will be simple to do that.

  • Being considered for integration into the Linux kernel, in which case I expect all distributions to support it.

  • As of this writing (November 2017) it is still in active development, with new releases being made every week or two. If you don’t feel like keeping up, Wireguard isn’t for you (yet).

Actual setup on Debian systems is straightforward. There are two packages available in Unstable: wireguard-tools and wireguard-dkms. The first supplies the wg general-purpose tool and wg-quick for ifup/ifdown style scripts, and the -dkms package supplies the kernel module. So far I have not seen a required reboot after a new dkms install.

There is a temptation for most sysadmins (or maybe just me 1) to tweak all the possible knobs that software supplies. After all, we know that everything ships insecurely, right?

In the case of Wireguard, this is incorrect. For a given machine, there are only three bits of required configuration, and one later consideration.

  • You need a private key for your daemon to adopt.

  • You need a UDP port for the daemon to listen on.

  • You need to decide which internal IP addresses will be accepted through the interface.

  • Later on, apply appropriate firewall rules to the new wg0 interface.

Now, Wireguard only accepts properly encrypted UDP packets. UDP is trivially forgeable, so there is no point in trying to apply IP restrictions to where they can come from. If you want additional symmetric encryption – in the words of the man page, ‘for post-quantum resistance’ – a shared key can be added.

An Android port is in progress.


  1. “Everybody generalizes from one example. At least, I do.” – Steven Brust


© -dsr-. Send feedback or comments via email — by continuing to use this site you agree to certain terms and conditions.

Built using Pelican. Derived from the svbhack theme by Giulio Fidente on github.