Wireguard VPN
1. WireGuard VPN
yes, it turns out the world does need a new kind of VPN
This presentation is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
(C) 2018 jim@openoid.net
Jim Salter
Technomancer,
Mercenary Sysadmin,
Small Business Owner
Today's slides can be found at:
http://openoid.net/presentations/
2. Who am I?
Well, Jim’s just this guy, you know?
* 20+ yr *nix admin
* 15 yr OpenVPN exp.
* (reluctant) developer
* giant OSS hippie
5. What can I do with it?
Point-to-point VPN
Star topology VPN
VPN mesh
6. What CAN’T I do with it?
no broadcast IP == no DHCP!
7. Sell me on this thing!
“Can I just once
again state my love
for [WG] and hope it
gets merged soon?”
– Linus Torvalds
8. Sell me on this thing!
OpenVPN:
~600K LoC
IPSEC VPN:
~400K LoC
WireGuard VPN:
~4K LoC
9. Sell me on this thing!
YES, LoC is a relevant
metric damn it!
* less code duplication
* sane, modular flow
* easier code audits
10. Sell me on this thing!
establish connection:
127 ms vs > 8,000 ms
11. Sell me on this thing!
I figured out OpenVPN
configs in a week or so
of dedicated hacking
I figured out WG
configs in six hours
(while taking care of 3 kids under 10!)
12. Sell me on this thing!
OpenVPN/IPSEC:
Agile Crypto
WireGuard:
Versioned Crypto
smaller attack surface
mandatory secure configuration
greater peace of mind
13. You sure it’s secure…?
Uncompromised algorithms == shorter keys, simplified entropy
cf: brute force attack vs dictionary attack
14. You sure it’s secure…?
Optional added symmetric encryption layer (PSK) can keep
the quantum computing boogeyman at bay
15. Let’s get dirty
Any questions before we tackle a
real-world WireGuard configuration
from scratch?
16. Create your keys
root@svr:/etc/wireguard# touch svr.wg0.key
root@svr:/etc/wireguard# chmod 600 svr.wg0.key
root@svr:/etc/wireguard# wg genkey > svr.wg0.key
root@svr:/etc/wireguard# wg pubkey < svr.wg0.key > svr.wg0.pub
root@cli:/etc/wireguard# touch cli.wg0.key
root@cli:/etc/wireguard# chmod 600 cli.wg0.key
root@cli:/etc/wireguard# wg genkey > cli.wg0.key
root@cli:/etc/wireguard# wg pubkey < cli.wg0.key > cli.wg0.pub
private key is private; public key is public =)
17. Configure your server
# svr.wg0.conf
[Interface]
# Server can address all of 10.0.0.0/24
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED
[Peer]
# client1
PublicKey = CLIENT_PUBLIC_KEY_WE_CREATED
# This specific client can only occupy 10.0.0.2
AllowedIPs = 10.0.0.2/32
18. Configure your client
# /etc/wireguard/wg0.conf on CLI
# connecting to wg0 on SVR
[Interface]
Address = 10.0.0.2/24
PrivateKey = PRIVATE_KEY_FROM_CLI
[Peer]
PublicKey = PUBLIC_KEY_FROM_SVR
AllowedIPs = 10.0.0.1/24
Endpoint = svr.yourdomain.tld:51820
19. Start your engines!
root@svr:/etc/wireguard# systemctl enable wg-quick@wg0
root@svr:/etc/wireguard# systemctl start wg-quick@wg0
root@cli:/etc/wireguard# systemctl enable wg-quick@wg0
root@cli:/etc/wireguard# systemctl start wg-quick@wg0
root@cli:/etc/wireguard# wg
interface: wg0
public key: GRdmHtSSbSlsIbznaWibGOcbm1/Wni/PSZ4je07iLB0=
private key: (hidden)
listening port: SOME_RANDOM_HIGH_PORT
peer: GRdmHtSSbSlsIbznaWibGOcbm1/Wni/PSZ4je07iLB0=
endpoint: SVR_public_IP_address:51820
allowed ips: 10.0.0.0/24
latest handshake: 1 second ago
transfer: 220 B received, 276 B sent
yes, it’s that easy. yes, really.
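Slides 16 through 19 are one procedure: generate a key pair on each box, write the server and client configs, start wg-quick. The script below is an added example (it is not from the slides or from the WireGuard project) that carries the whole procedure through in one run and then audits the result. Assumptions: the key files are named svr.key/cli.key and svr.pub/cli.pub (the slides use svr.wg0.key etc.); real keys come from `wg genkey`/`wg pubkey` when wireguard-tools is installed, otherwise constructed placeholder strings are written so the script still runs offline; the server hostname svr.yourdomain.tld is taken from the slides; and `audit_server_conf` is my own check, not a wg subcommand. The audit enforces the security point of the [Peer] stanza: WireGuard's cryptokey routing only lets a peer send from the addresses listed in its AllowedIPs, so on the server each client should be pinned to a single /32 and no two peers may claim the same address.

```shell
#!/bin/sh
# Added example (not from the slides): render the server and client configs from
# slides 17-18 from freshly generated keys, then audit the server's peer routes.
# Every file written here contains a private key, so create them 0600 from the start
# (this replaces the touch + chmod 600 dance on slide 16).
umask 077

gen_keypair() {   # $1 = directory, $2 = name -> writes $2.key and $2.pub
  dir=$1; name=$2
  if command -v wg >/dev/null 2>&1; then
    wg genkey > "$dir/$name.key"
    wg pubkey < "$dir/$name.key" > "$dir/$name.pub"
  else
    # wireguard-tools not installed: CONSTRUCTED placeholders, not real keys
    printf '%s\n' "PLACEHOLDER_PRIVATE_KEY_$name" > "$dir/$name.key"
    printf '%s\n' "PLACEHOLDER_PUBLIC_KEY_$name" > "$dir/$name.pub"
  fi
}

render_server_conf() {   # $1 = directory, $2 = UDP listen port; reads svr.key and cli.pub
  dir=$1; port=$2
  cat > "$dir/svr.wg0.conf" <<EOF
[Interface]
# Server owns 10.0.0.1 and can reach the whole 10.0.0.0/24 tunnel subnet
Address = 10.0.0.1/24
ListenPort = $port
PrivateKey = $(cat "$dir/svr.key")

[Peer]
# client1: the ONLY tunnel source address this public key may use
PublicKey = $(cat "$dir/cli.pub")
AllowedIPs = 10.0.0.2/32
EOF
}

render_client_conf() {   # $1 = directory, $2 = host:port of the server; reads cli.key and svr.pub
  dir=$1; endpoint=$2
  cat > "$dir/cli.wg0.conf" <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $(cat "$dir/cli.key")

[Peer]
PublicKey = $(cat "$dir/svr.pub")
# Route (and accept) the whole tunnel subnet via the server; wg normalises
# the slides' 10.0.0.1/24 to exactly this network
AllowedIPs = 10.0.0.0/24
Endpoint = $endpoint
EOF
}

audit_server_conf() {   # $1 = server config; exit 0 only if every [Peer] route is a unique /32 host
  awk '
    /^\[/ { section = $0 }
    section == "[Peer]" && /^AllowedIPs[ \t]*=/ {
      sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
      n = split($0, cidrs, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cidrs[i]
        if (c !~ /\/32$/) { printf "peer route %s is not a single host\n", c; bad = 1 }
        if (c in seen)     { printf "peer route %s is claimed by two peers\n", c; bad = 1 }
        seen[c] = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

main() {
  d=$(mktemp -d)
  gen_keypair "$d" svr
  gen_keypair "$d" cli
  render_server_conf "$d" 51820
  render_client_conf "$d" "svr.yourdomain.tld:51820"
  audit_server_conf "$d/svr.wg0.conf" && echo "server config passes audit: $d/svr.wg0.conf"
  # Deploy: copy each file to /etc/wireguard/wg0.conf on its box, keep it 0600,
  # then: systemctl enable wg-quick@wg0 && systemctl start wg-quick@wg0 (slide 19)
}
main
```

The file name on each box must match the wg-quick unit instance (wg-quick@wg0 reads /etc/wireguard/wg0.conf), and wg-quick warns at start-up when that file is world-readable, which is why the script sets umask 077 before writing anything. Adding a second client means a second [Peer] stanza with its own key and its own /32; the audit catches the two mistakes that silently weaken the design, a client granted a whole subnet and two clients sharing an address.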