Presentation is loading. Please wait.

Presentation is loading. Please wait.

WireGuard zswu.

Published byHaldor Holte Modified over 5 years ago

Similar presentations

Presentation on theme: "WireGuard zswu."— Presentation transcript:

1 WireGuard zswu

2 WireGuard Introduction
Simple and fast VPN solution Low overhead Deep integration with Linux kernel Over UDP Peer to Peer Secure Built-in Roaming Connections keep alive even if the underlay network change

3 TUN/TAP TAP TUN Layer 2 More overhead(L2) Transfer any protocol
Support L2+ services TUN Layer 3 Less Overhead(L3) Only IPv4 , IPv6 Support L3+ services

4 Installation https://www.wireguard.com/install/
Linux kernel >= 3.10 CentOS $ sudo curl -Lo /etc/yum.repos.d/wireguard.repo $ sudo yum install epel-release $ sudo yum install wireguard-dkms wireguard-tools FreeBSD # pkg install wireguard

5 Tools Provided by WireGuard System tools wg
Set and retrieve configuration of WireGuard interface wg-quick Set up a WireGuard interface simply System tools ip / ifconfig Setup wg interfaces Systemd Auto start after boot

6 Setup by hand (Linux) Add interface
# ip link add dev wg0 type wireguard Setup ip # ip address add dev wg /24 # ip address add dev wg peer Setup wg configurations # wg setconf wg0 myconfig.conf # wg set wg0 listen-port private-key /path/to/private-key peer ABCDEF... allowed-ips /24 endpoint :8172 Start interface # ip link set up dev wg0

7 Setup by configuration
Configuration file /etc/wireguard/wg0.conf Start interface # systemctl enable # wg-quick up wg0

8 Example Configurations – Client
[Interface] Address = /16 PrivateKey = [CLIENT PRIVATE KEY] [Peer] PublicKey = [SERVER PUBLICKEY] AllowedIPs = /16, /24, 1234:4567:89ab::/48 Endpoint = [SERVER ENDPOINT]:51820 PersistentKeepalive = 25

9 Example Configurations – Server
[Interface] Address = /16 ListenPort = 51820 PrivateKey = [SERVER PRIVATE KEY] # note - substitute eth0 in the following lines to match the Internet-facing interface PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] # client foo PublicKey = [FOO's PUBLIC KEY] PresharedKey = [PRE-SHARED KEY] AllowedIPs = /32, /24 # client bar PublicKey = [BAR's PUBLIC KEY] AllowedIPs = /32, /24

10 Configuration – Interface
Address (optional) IP address and netmask of the interface ListenPort Wg service listen port PrivateKey Private key of the interface PreUp / PreDown / PostUp / PostDown Run shell scripts before / after interface up / down E.g., Setup firewall rules

11 Configuration – Peer PublicKey AllowedIPs Endpoint (Optional)
Public key of the peer AllowedIPs IP addresses that are allowed to pass through this peer Endpoint (Optional) Location of the peer Wg will also use the previous connections to detect this configuration PersistentKeepalive (Optional) By default, Wg send packs only if there are data to be send Send packs to peer periodically to bypass NAT or Firewall PresharedKey (Optional) Pre-shared key for additional symmetric encryption

12 Generate Key Pair Key pair Pre-shared key $ wg genkey > privatekey
$ wg pubkey < privatekey > publickey Pre-shared key # wg genpsk > preshared

13 Cryptokey Routing WireGuard will add routing rules to system routing table according to the configurations Once packets go inside WireGuard, it is routed according to Cryptokey Routing When sending packets, the list of allowed IPs behaves as a sort of routing table When receiving packets, the list of allowed IPs behaves as a sort of access control list

14 Built-in Roaming When the client connects to server, server record the IP of client, and communicate with client by this IP When client (or even server) change its IP, it sends data to the peer and the peer will update the IP Both client and server send encrypted data to the most recent IP endpoint for which they authentically decrypted data. Thus, there is full IP roaming on both ends

15 Example – Build a Bridge VPN Server
Follow the setup guide and build a Wg peer as a VPN server Enable ip forwarding # sysctl net.ipv4.ip_forward=1 Setup NAT so clients can connect to internet through the VPN server Add these lines to wg0.conf PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

16 Connect from mobile For mobile app, user can use QR-Code to import configuration file, instead of copy-paste private key from other ways $ qrencode -t ansiutf8 < wgconfig.conf

17 User authentication Every peer has its own private key for identity authentication Integration with other authentication system (like LDAP) may need other software support For now, WireGuard only provide simple tunnel connections between peers

18 Reference https://www.wireguard.com/

Download ppt "WireGuard zswu."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Prof. Kristofer S.J. Pister’s team Berkeley Sensor and Actuator Center University of California, Berkeley.

Prof. Kristofer S.J. Pister’s team Berkeley Sensor and Actuator Center University of California, Berkeley.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
VPN Lab Zutao Zhu 03/26/2010. Outline VPN VPN Setup in VMWare VPN tasks OpenSSL How to Write Socket Programs using OpenSSL APIs.

VPN Lab Zutao Zhu 03/26/2010. Outline VPN VPN Setup in VMWare VPN tasks OpenSSL How to Write Socket Programs using OpenSSL APIs.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.

Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.
PSeries Technical Conference L19 Brian Dolan-Goecke Atlanta, GeorgiaOctober 8-12, 2001 Linux VPN.

PSeries Technical Conference L19 Brian Dolan-Goecke Atlanta, GeorgiaOctober 8-12, 2001 Linux VPN.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Virtual Private Networking with OpenVPN Wim Kerkhoff Fraser Valley Linux Users Group April 15, 2004.

Virtual Private Networking with OpenVPN Wim Kerkhoff Fraser Valley Linux Users Group April 15, 2004.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.

Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.
SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in specific network programs  e.g. 1, wu-FTP server support.

SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in specific network programs  e.g. 1, wu-FTP server support.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Similar presentations

Ads by Google