WireGuard - Trinity College Dublin (fionn/misc/wg/wireguard.pdf)

Page 1

WireGuard

Page 2

“WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.”

— wireguard.com

Page 3

WireGuard is:

- small, ~4000 LoC means a smaller attack surface and easily auditable,
- fast, it’s lightweight and implemented in the kernel,
- opinionated, makes conservative choices for you,
- simple, authentication works like SSH and most of the networking is just using ip.

Page 4

Small

- ~4000 LoC (not including cryptographic primitives) is very small.

[Bar chart: lines of code for WireGuard, OpenVPN and IPsec; axis 0 to 400 kLoC]

Page 5

Small

- Easily auditable: hasn’t happened formally yet;
  more secure than OpenVPN, etc.?

Page 6

Fast

- Layer 3 (only).
- It is small ⇒ lightweight and fast.
- It lives in the kernel, so no need to copy packets in and out of userspace.
- Multicore.
- Fast for both transferring and connecting.

Page 7

Fast

From https://www.wireguard.com/performance/ (i7)

Page 8

Fast

Via iperf3/TCP (running on WireGuard server):

- ~74 Mb/s, both natively and through the tunnel.

Via iperf3/UDP (running on WireGuard server):

[Bar chart: packet loss at y Mb/s, native vs WireGuard; axis 0 to 250]

Page 9

Via speedtest (AWS California → San Jose):

[Bar chart: native vs WireGuard vs OpenVPN (SF); axis 0 to 250 Mb/s]

Page 10

Fast

WireGuard is fast on non-x86 devices.

On our routers (Vadim) we get ~100 Mb/s (to California) with CPU at ~20 %.

Compare this to ~60 Mb/s for OpenVPN, CPU at 100 %.

Roughly 2× what they got via OpenVPN.
www.skadligkod.se/vpn/wireguard-speed-tests-on-asus-rt-ac86u/

Page 11

Opinionated

- WireGuard doesn’t offer cypher agility.
- Uses modern, conservative cryptography based on Noise.
  - ECDH: Curve25519. Fast, ephemeral, perfect forward secrecy. No TLS, CA, PKI, etc.
  - Key derivation: HKDF.
  - Symmetric cypher: ChaCha20Poly1305. Fast on all processors, AEAD.
  - Hash: BLAKE2s.
- Optional pre-shared key for post-quantum security.

Page 12

Simple

demo

Page 13

Server’s configuration file

[Interface]
PrivateKey = [server's private key]
Address = 10.10.0.1/24, fd80::1/64
ListenPort = 2307
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [client's public key]
PresharedKey = [preshared.key]
AllowedIPs = 10.10.0.2/32, fd80::2/128

Page 14

Client’s configuration file

[Interface]
PrivateKey = [client's private key]
Address = 10.10.0.2/24, fd80::2/64
ListenPort = 2307
DNS = 10.10.0.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = [server's public key]
PresharedKey = [preshared.key]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [wireguard server]:2307

Page 15

Protocol

Silent and stealthy

- WireGuard does not alter state or respond if a packet is unauthenticated.
- WireGuard isn’t chatty. This is great for mobile devices.

1-RTT

- No cypher negotiation, etc.
- This makes WireGuard appear stateless.
- It also makes for very fast connection time.

Page 16

Protocol

DoS Protection

- Handshake responses are smaller than initiation messages.
- If a peer is under load, it uses a cookie scheme similar to IKEv2 but manages to:
  - stay stealthy;
  - prevent the cookie from being MitM’d;
  - not allow this scheme to DoS another peer.

Key Rotation

- Keys are rotated every 120 seconds or every 2^64 − 2^16 − 1 messages.
  But it doesn’t matter if we miss a rekey, since the handshake is 1-RTT anyway.

Page 17

Protocol

Roaming

- Cryptokey routing.
- Designed for roaming:
  - outages don’t affect the tunnel,
  - switching networks (e.g. WiFi → 4G) is seamless,
  - not much scope for leaks.
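Cryptokey routing, which ties the configuration slides above to this one, as an added example that is not from the talk: it parses the [Peer] sections of a constructed config in the shape of the server file and applies AllowedIPs in both directions (outbound peer selection by longest matching prefix, inbound source-address check). The peer names and the extra peers are placeholders, not real keys.

```python
import ipaddress

# Constructed sample in the shape of the slides' server config; the peer
# "keys" are placeholders and a gateway peer is added to show longest-prefix.
SAMPLE_CONF = """
[Interface]
Address = 10.10.0.1/24, fd80::1/64
[Peer]
PublicKey = client-A
PresharedKey = [preshared.key]
AllowedIPs = 10.10.0.2/32, fd80::2/128
[Peer]
PublicKey = client-B
AllowedIPs = 10.10.0.3/32, 192.168.50.0/24
[Peer]
PublicKey = gateway
AllowedIPs = 0.0.0.0/0
"""

def parse_peers(conf):
    """Map each [Peer]'s PublicKey to its parsed AllowedIPs networks."""
    peers, section, key, nets = {}, None, None, []
    for line in (ln.strip() for ln in conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):  # new section
            if section == "Peer" and key:
                peers[key] = nets
            section, key, nets = line[1:-1], None, []
        elif "=" in line:
            k, _, v = (s.strip() for s in line.partition("="))
            if section == "Peer" and k == "PublicKey":
                key = v
            elif section == "Peer" and k == "AllowedIPs":
                nets = [ipaddress.ip_network(n.strip()) for n in v.split(",")]
    if section == "Peer" and key:
        peers[key] = nets
    return peers

def route_outbound(peers, dst):
    """Outbound: the longest AllowedIPs prefix containing dst picks the peer; no match means the packet is dropped."""
    addr, best = ipaddress.ip_address(dst), None
    for key, nets in peers.items():
        for net in nets:  # a v6 address never matches a v4 network, and vice versa
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None

def accept_inbound(peers, sender, src):
    """Inbound: a packet that decrypts under `sender`'s key is delivered only if its source lies in that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peers.get(sender, []))
```

The inbound check is what makes a peer unable to spoof traffic from another peer's address, and the outbound lookup is why a client's AllowedIPs = 0.0.0.0/0, ::/0 turns the server into its default route.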

Page 18

Protocol

Reviews

- Formal verification. Proven symbolically by Tamarin, a protocol verification tool.
  Analogous protocols have been formally verified too.
  https://www.wireguard.com/formal-verification/
- Audited by humans too.
  https://eprint.iacr.org/2018/080

Page 19

Landscape

VPN providers offering WireGuard

- Mullvad (also offering SOCKS5 multihop)
- Azire (for free)

VPN providers allegedly considering it

- ProtonVPN
- PIA

VPN providers that have donated

- Mullvad
- PIA

Page 20

Support

- Any kernel ≥ 3.10.
- Packaged by pretty much all main Linux distributions, including OpenWrt/LEDE.
- In-tree for a bunch of custom Android ROMs.
- Will become part of the kernel in future.
- wg will become part of ip.
- systemd integration exists.

Page 21

Userspace

Userspace implementations in:

- Go;
- Rust.

Userspace Android app (in beta) already exists using wireguard-go.

Page 22

Userspace

Page 23

Links

- WireGuard
  - https://www.wireguard.com/
  - Thread on obfuscation: https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184.html
- Mullvad
  - https://mullvad.net/en/blog/2017/9/27/wireguard-future/
  - https://www.mullvad.net/en/blog/2017/12/8/introducing-post-quantum-vpn-mullvads-strategy-future-problem/
  - https://www.mullvad.net/en/guides/running-wireguard-router/
  - https://www.mullvad.net/en/guides/wireguard-and-mullvad-vpn/
  - https://mullvad.net/en/guides/socks5-proxy/#wireguard-socks5
- Azire
  - https://www.azirevpn.com/wireguard
- XDA
  - https://forum.xda-developers.com/android/development/wireguard-rom-integration-t3711635