WireGuard Testing and Configuration on OPNsense
WireGuard Overview
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. [WireGuard Official Site](https://www.wireguard.com/)
Key Features
- Simplicity: WireGuard’s codebase is much smaller than those of traditional VPN protocols, making it easier to audit and less prone to bugs and security vulnerabilities. It consists of only a few thousand lines of code compared to hundreds of thousands in other VPN software.
- Performance: WireGuard is designed to be highly efficient and performant. It uses modern cryptographic algorithms and runs within the Linux kernel, which significantly reduces latency and increases throughput compared to other VPN solutions that run in user space.
- Security: WireGuard uses state-of-the-art cryptographic primitives such as Curve25519 for key exchange, ChaCha20 for encryption, Poly1305 for message authentication, SipHash for hashtable keys, and BLAKE2s for hashing. This ensures a high level of security and protection against known vulnerabilities.
- Ease of Configuration: Configuring WireGuard is straightforward and can often be done in a few minutes. The configuration is simple and does not require the complex setup often associated with other VPNs.
- Cross-Platform Support: WireGuard is available on various platforms, including Linux, Windows, macOS, iOS, and Android. This makes it versatile and usable across different devices and operating systems.
- Peer-to-Peer Connectivity: WireGuard operates on a peer-to-peer basis. Each device connected to a WireGuard network has its own public and private keys and connects directly to other peers using these keys for authentication.
- Minimal Overhead: WireGuard aims to have minimal overhead, making it suitable for both high-performance applications and low-powered devices.
How it Works
WireGuard works by establishing encrypted, peer-to-peer connections between devices, using a combination of modern cryptographic techniques and a simple, efficient design. Here’s a step-by-step overview of how WireGuard operates:
- Key Exchange:
  - Each device (peer) generates a public and private key pair using Curve25519.
  - Peers exchange public keys out-of-band (e.g., via a secure channel or manually).
- Configuration:
  - Each peer is configured with the public keys of the other peers it needs to connect to, along with the allowed IP addresses for each peer.
  - Configuration files are typically very simple, specifying interfaces, keys, and peers.
- Encryption and Authentication:
  - WireGuard uses the ChaCha20 encryption algorithm for securing data, combined with the Poly1305 message authentication code for ensuring data integrity and authenticity.
  - Each packet sent between peers is authenticated and encrypted using the keys derived during the key exchange.
- Peer-to-Peer Communication:
  - Once configured, peers communicate directly with each other using UDP packets.
  - WireGuard maintains a simple state machine that tracks the current status of each peer connection, allowing for efficient management of connections and re-establishment if needed.
- Data Transmission:
  - Data is encapsulated in WireGuard packets, which are then transmitted over UDP.
  - Each packet contains a small header with minimal metadata, reducing overhead and increasing efficiency.
- Rekeying and Session Management:
  - WireGuard automatically handles key rotation and rekeying to ensure continued security.
  - Peers periodically exchange new keys in a secure manner without disrupting the existing connection.
- Network Adaptability:
  - WireGuard is designed to quickly adapt to network changes. If a peer’s IP address changes (e.g., moving between Wi-Fi and mobile data), WireGuard will seamlessly handle the transition and continue the encrypted session without interruption.
- Minimal Configuration:
  - The configuration simplicity is a key feature. A basic WireGuard configuration file might look like this for a peer:

```ini
[Interface]
PrivateKey = <private-key>
Address = 10.0.0.1/24

[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 10.0.0.2/32
Endpoint = <peer-endpoint>:51820
```

- Performance Optimization:
  - Running within the Linux kernel space, WireGuard minimizes context switches and leverages kernel optimizations, resulting in low latency and high throughput.
  - Implementations are available for other operating systems, often running in user space but still maintaining high performance.
OPNsense Configuration
WireGuard Server Instance
First, we need to create a WireGuard server instance, specifying the listen port (51820 by default) and the tunnel address. Example:
WireGuard Interface Assignment
To use the tunnel, we need to assign it to an interface. To do that we go to Interfaces » Assignments » Assign a new interface.
Firewall rules
To allow VPN traffic on the WireGuard interface, we need to create a firewall rule that allows it.
Create Peers
To create new peers we can use the Peer Generator option, which stores them automatically on the instance.
Client Configuration
After that we just need to paste the configuration into the client and test it. Like this:
PS: If the firewall sits behind another router, for example the ISP router, we need to forward the port to the IP of the firewall.
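As an added example (not code from the page or from OPNsense), the script below parses the [Interface]/[Peer] layout shown under How it Works and cross-checks a client configuration against the server instance created above: key format, client address inside the tunnel subnet, the server peer's AllowedIPs, and the Endpoint port matching the ListenPort that the PS note says must be forwarded. The two configs, the key and the hostname are constructed samples.

```python
import base64
import ipaddress

def parse_wg(text):
    """Parse the INI-like [Interface]/[Peer] layout into a list of (section, {key: value})."""
    sections = []
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            sections[-1][1][k] = v
    return sections

def valid_key(value):
    """A WireGuard key is base64 of exactly 32 bytes (44 chars ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_pair(server_text, client_text):
    """Cross-check a client config against the server instance it targets;
    returns a list of problems (an empty list means the pair is consistent)."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    srv_if, cli_if, cli_peer = dict(srv)["Interface"], dict(cli)["Interface"], dict(cli)["Peer"]
    problems = []
    for label, key in (("client PrivateKey", cli_if.get("PrivateKey", "")),
                       ("client [Peer] PublicKey", cli_peer.get("PublicKey", ""))):
        if not valid_key(key):
            problems.append(f"{label} is not a 32-byte base64 key")
    tunnel = ipaddress.ip_interface(srv_if["Address"]).network
    client_ip = ipaddress.ip_interface(cli_if["Address"]).ip
    if client_ip not in tunnel:
        problems.append(f"client address {client_ip} is outside tunnel {tunnel}")
    # The server drops a peer's packets unless their source is inside that peer's AllowedIPs.
    allowed = [ipaddress.ip_network(a.strip()) for s, b in srv if s == "Peer"
               for a in b.get("AllowedIPs", "").split(",") if a.strip()]
    if not any(client_ip in net for net in allowed):
        problems.append(f"no server [Peer] lists {client_ip} in AllowedIPs")
    # The Endpoint port must equal the instance ListenPort (the port forwarded on the ISP router).
    port = int(cli_peer.get("Endpoint", ":0").rsplit(":", 1)[1])
    if port != int(srv_if.get("ListenPort", 51820)):
        problems.append(f"Endpoint port {port} does not match server ListenPort")
    return problems
KEY = base64.b64encode(bytes(range(32))).decode()  # constructed sample key, not a real one
SERVER = (f"[Interface]\nPrivateKey = {KEY}\nAddress = 10.0.0.1/24\nListenPort = 51820\n"
          f"[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.0.0.2/32\n")
CLIENT = (f"[Interface]\nPrivateKey = {KEY}\nAddress = 10.0.0.2/32\n[Peer]\nPublicKey = {KEY}\n"
          f"AllowedIPs = 10.0.0.0/24\nEndpoint = firewall.example.invalid:51820\n")
```

Running `check_pair(SERVER, CLIENT)` on the samples returns an empty list; change the client's Address or Endpoint port and each mismatch is reported.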