WireGuard VPN: the basics

WireGuard is a free software for setting up a virtual private network (VPN). Using a VPN, you can open a virtual tunnel between two machines on the internet. The network connection is created via the tunnel as if the computers were directly connected by a network cable. VPNs are often used by large organizations like research institutes, government departments, and companies. They make it possible to regulate access to certain resources in the network and seal off the users’ data stream from the outside world.

A range of mature VPN protocol stacks already exist with IPsec, OpenVPN, L2TP, and PPTP. Providers of VPN solutions build on these protocols to give their users the ability to run their own internet traffic through the VPN. More and more VPN providers are integrating WireGuard due to the advantages of the protocol in their applications.

WireGuard is an application and a network protocol for setting up encrypted VPN tunnels. It is licensed as free software under the GPLv2 license and is available across different platforms. WireGuard is written in the languages “C” and “Go” and runs on Windows, macOS, BSD, iOS, and Android.

WireGuard allows you to establish an encrypted tunnel. Data streams are directed through the tunnel and are thereby protected against unauthorized access. Besides the focus on strong encryption, WireGuard offers optimizations for mobile systems and Internet of Things (IoT) devices.

WireGuard has been directly integrated into the Linux kernel since the spring of 2020. Since Linux runs as the standard operating system on billions of networked devices worldwide, WireGuard can be used practically everywhere. Its wide adoption is also supported by the fact that the software is relatively lean and only poses modest requirements on the hardware.

The central feature of the WireGuard protocol is cryptokey routing. Here, the IP address ranges permitted within a tunnel are assigned to the public key of a connection partner. The public key is used to decrypt the incoming packages of the connection partner. An incoming package is only assigned after decryption if it comes from an IP address that corresponds with the key. Otherwise, the package is discarded.

Unlike the established VPN protocol stacks IPsec and OpenVPN, WireGuard is not an agile protocol. Rather than individually negotiating the respective cryptographic bases during the handshake phase when establishing the connection, WireGuard is limited to a few options. The cryptographic functions used are versioned in amalgamated form. Should one of the cryptographic foundations become compromised in the future, a new, secure version of the WireGuard protocol will be released. If both communication partners use the new version, the data stream will be protected.

At the time of writing, the following protocols and encryption technologies are used:

• Noise protocol framework
• Curve25519
• ChaCha20
• Poly1305
• BLAKE2
• SipHash24
• HKDF

The neat code base is one of the major advantages of WireGuard. The extent of the entire kernel code amounts to just around 4,000 lines of code. In comparison, the code size of an implementation of OpenVPN or IPsec is around 100,000 to 600,000 lines. A smaller code base is inherently more secure, as bugs can be found by the developers more easily and the attack surface minimized.

Even the Linux inventor Linus Torvalds, known for his snappy writing style and occasional outbursts, responded with strong praise after inspecting the WireGuard code base:

Besides the increased security, the lower complexity of the software also provides better performance. In benchmark comparisons, WireGuard delivers higher transmission speed and lower latency than competing protocols. Moreover, WireGuard is not a “chatty protocol”. WireGuard remains quiet for as long as the user sends no data through the tunnel. This also means less energy is consumed, which has a positive effect on battery life.

Energy efficiency is particularly important for mobile devices and WireGuard is well-positioned in many respects for such applications. For instance, the protocol supports roaming – i.e. the automatic switchover from WLAN to the mobile network and vice versa. Nonetheless, if the connection is lost, it is usually quicker to reconnect with WireGuard than with rival protocols.

In principle, WireGuard is a decentralized, peer-to-peer VPN protocol. Rather than requiring a server, WireGuard can open a tunnel directly between two computers. A WireGuard “server” is simply a machine that contains the connection configurations for multiple peers.

Establishing a connection with WireGuard works in much the same way as Secure Shell (SSH): The users (“peers”) generate public keys with WireGuard and exchange them with one another. Using the keys, the peers mutually authenticate each other and encrypt the data packages for their intended recipient.

In addition to generating the cryptographic keys, different network settings need to be implemented on each peer. For more on this, see our guide on setting up WireGuard below. To exchange data, permitted IP address ranges are linked with the cryptographic key on the peers. Packages that do not come from the permitted address ranges are discarded. With WireGuard, data is transmitted via the User Datagram Protocol (UDP).

On a peer’s machine, the WireGuard command line tool and other resources available on Linux as standard are used for configuration. Although configuring the software is considered relatively easy, WireGuard only serves as a foundation. An app on top of the protocol can help the users through the individual steps of configuration and setting up a connection. Users of commercial VPN services can therefore enjoy the modern VPN protocol without dealing with the command line.

Essentially, WireGuard can be installed and configured on a Linux system with little effort. For instance, you can set up your own VPN server with Raspberry Pi. However, the exact process varies depending on the application, operating system used, and the existing network environment. Below we have outlined a general approach which is suitable for testing.

Run the following commands in the command line to install WireGuard on your Linux system:

As with SSH and PGP, cryptographic keys form the basis for using the WireGuard VPN. The private key must be kept secret. What’s more, a public key is generated using the private key and shared with peers. This allows peers to encrypt and send data. Finally, the private key is used to decrypt the encrypted data.

Run the following commands in the command line to generate a private and public WireGuard key:

The installation of WireGuard and generation of keys are general preparations that are more or less the same on any system. By contrast, the configuration of WireGuard depends on the existing local network settings. For this reason, a general approach is shown below. We recommend that you look at the quick start guide provided by the WireGuard project for more details.

The general steps for configuring a network connection with WireGuard are as follows: