SlideShare une entreprise Scribd logo

Wireguard VPN

Télécharger en tant que ODP, PDF
All Things Open
All Things Open

Presented at All Things Open 2018 Presented by Jim Salter with Openoid LLC 10/22/18 - 4:15 PM - Linux track

Technologie
1  sur  25
WireGuard VPN yes, it turns out the world does need a new kind of VPN This presentation is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. (C) 2018 jim@openoid.net Jim Salter Technomancer, Mercenary Sysadmin, Small Business Owner Today's slides can be found at: http://openoid.net/presentations/
Who am I? Well, Jim’s just this guy, you know? * 20+ yr *nix admin * 15 yr OpenVPN exp. * (reluctant) developer * giant OSS hippie
What is WireGuard? Kernel-mode VPN Secure by default UDP protocol
Why kernel mode? Ubiquity Performance Battery Life
What can I do with it? Point-to-point VPN Star topology VPN VPN mesh
What CAN’T I do with it? no broadcast IP == no DHCP!
Sell me on this thing! “Can I just once again state my love for [WG] and hope it gets merged soon?” – Linus Torvalds
Sell me on this thing! OpenVPN: ~600K LoC IPSEC VPN: ~400K LoC WireGuard VPN: ~4K LoC
Sell me on this thing! YES, LoC is a relevant metric damn it! * less code duplication * sane, modular flow * easier code audits
Sell me on this thing! establish connection: 127 ms vs > 8,000 ms
Sell me on this thing! I figured out OpenVPN configs in a week or so of dedicated hacking I figured out WG configs in six hours (while taking care of 3 kids under 10!)
Sell me on this thing! OpenVPN/IPSEC: Agile Crypto WireGuard: Versioned Crypto smaller attack surface mandatory secure configuration greater peace of mind
You sure it’s secure…? Uncompromised algorithms == shorter keys, simplified entropy cf: brute force attack vs dictionary attack
You sure it’s secure…? Optional added symmetric encryption layer (PSK) can keep the quantum computing boogeyman at bay
Let’s get dirty Any questions before we tackle a real-world WireGuard configuration from scratch?
Create your keys root@svr:/etc/wireguard# touch svr.wg0.key root@svr:/etc/wireguard# chmod 600 svr.wg0.key root@svr:/etc/wireguard# wg genkey > svr.wg0.key root@svr:/etc/wireguard# wg pubkey < svr.wg0.key > svr.wg0.pub root@cli:/etc/wireguard# touch cli.wg0.key root@cli:/etc/wireguard# chmod 600 cli.wg0.key root@cli:/etc/wireguard# wg genkey > cli.wg0.key root@cli:/etc/wireguard# wg pubkey < cli.wg0.key > cli.wg0.pub private key is private; public key is public =)
Configure your server # svr.wg0.conf [Interface] # Server can address all of 10.0.0.0/24 Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED [Peer] # client1 PublicKey = CLIENT_PUBLIC_KEY_WE_CREATED # This specific client can only occupy 10.0.0.2 AllowedIPs = 10.0.0.2/32
Configure your client # /etc/wireguard/wg0.conf on CLI # connecting to wg0 on SVR [Interface] Address = 10.0.0.2/24 PrivateKey = PRIVATE_KEY_FROM_CLI [Peer] PublicKey = PUBLIC_KEY_FROM_SVR AllowedIPs = 10.0.0.1/24 Endpoint = svr.yourdomain.tld:51820
Start your engines! root@svr:/etc/wireguard# systemctl enable wg-quick@wg0 root@svr:/etc/wireguard# systemctl start wg-quick@wg0 root@cli:/etc/wireguard# systemctl enable wg-quick@wg0 root@cli:/etc/wireguard# systemctl start wg-quick@wg0 root@cli:/etc/wireguard# wg interface: wg0 public key: GRdmHtSSbSlsIbznaWibGOcbm1/Wni/PSZ4je07iLB0= private key: (hidden) listening port: SOME_RANDOM_HIGH_PORT peer: GRdmHtSSbSlsIbznaWibGOcbm1/Wni/PSZ4je07iLB0= endpoint: SVR_public_IP_address:51820 allowed ips: 10.0.0.0/24 latest handshake: 1 second ago transfer: 220 B received, 276 B sent yes, it’s that easy. yes, really.
Add a second client # svr.wg0.conf [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED [Peer] # client1 PublicKey = CLIENT_PUBKEY_WE_CREATED AllowedIPs = 10.0.0.2/32 [Peer] # client2 PublicKey = CLIENT_PUBKEY_WE_CREATED_ON_SECOND_CLIENT AllowedIPs = 10.0.0.3/32
Terminology Gotcha What “AllowedIPs” really means is Routed subnet(s) ! #svr.wg0.conf [Peer] PublicKey = PUBKEY_FROM_CLI AllowedIPs = 10.0.0.2/32 #cli.wg0.conf [Peer] PublicKey = PUBKEY_FROM_SVR AllowedIPs = 10.0.0.1/24, 192.168.0.0/24 Endpoint = svr.domain.tld:51820
Configurable hooks arbitrary configurable actions: log stuff, set DNS records, route traffic, whatever #cli.wg0.conf [Peer] PublicKey = PUBKEY_FROM_SVR AllowedIPs = 10.0.0.1/24 Endpoint = svr.domain.tld:51820 PostUp = ping -c1 10.0.0.1 PostDown = echo wg0 disconnected
Internet gateway: SVR # svr.wg0.conf [Interface] # Server can address all of 10.0.0.0/24 Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED # Internet Gateway: nat wg0 out to internet on eth0 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] # client1 PublicKey = CLIENT_PUBLIC_KEY_WE_CREATED # This specific client can only occupy 10.0.0.2 AllowedIPs = 10.0.0.2/32
Internet gateway: CLI # /etc/wireguard/wg0.conf on CLI # connecting to wg0 on SVR # internet gateway through SVR [Interface] Address = 10.0.0.2/24 PrivateKey = PRIVATE_KEY_FROM_CLI [Peer] PublicKey = PUBLIC_KEY_FROM_SVR Endpoint = svr.domain.tld:51820 # gateway rule – route all traffic out over wg0! AllowedIPs = 0.0.0.0/0
Questions? Comments? Angry denunciations? https://openoid.net/presentations/

Recommandé

Docker Networking Deep Dive
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep DiveDocker, Inc.
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesLinuxCon ContainerCon CloudOpen China
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaArvind Kumar G.S
 
Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)
Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)
Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)Matt Butcher
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)Vladimir Melnic
 
Prometheus and Grafana
Prometheus and GrafanaPrometheus and Grafana
Prometheus and GrafanaLhouceine OUHAMZA
 

Recommandé

Docker Networking Deep Dive
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep DiveDocker, Inc.
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesLinuxCon ContainerCon CloudOpen China
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaArvind Kumar G.S
 
Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)
Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)
Kubernetes Helm (Boulder Kubernetes Meetup, June 2016)Matt Butcher
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)Vladimir Melnic
 
Prometheus and Grafana
Prometheus and GrafanaPrometheus and Grafana
Prometheus and GrafanaLhouceine OUHAMZA
 
Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusMarco Pas
 
How Netflix Tunes EC2 Instances for Performance
How Netflix Tunes EC2 Instances for PerformanceHow Netflix Tunes EC2 Instances for Performance
How Netflix Tunes EC2 Instances for PerformanceBrendan Gregg
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helmJeeva Chelladhurai
 
Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Chartbeat
 
Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discoveryDocker, Inc.
 
Introduction to Prometheus
Introduction to PrometheusIntroduction to Prometheus
Introduction to PrometheusJulien Pivotto
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewMaría Angélica Bracho
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXNGINX, Inc.
 
HAProxy
HAProxy HAProxy
HAProxy Arindam Nayak
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with PrometheusShiao-An Yuan
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX, Inc.
 
Edge Zones In CloudStack
Edge Zones In CloudStackEdge Zones In CloudStack
Edge Zones In CloudStackShapeBlue
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsBrendan Gregg
 
Helm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesHelm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesAlexei Ledenev
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes SecurityKarthik Gaekwad
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and TuningNGINX, Inc.
 
OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksCohesive Networks
 

Contenu connexe

Tendances

Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusMarco Pas
 
How Netflix Tunes EC2 Instances for Performance
How Netflix Tunes EC2 Instances for PerformanceHow Netflix Tunes EC2 Instances for Performance
How Netflix Tunes EC2 Instances for PerformanceBrendan Gregg
 
Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Chartbeat
 
Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discoveryDocker, Inc.
 
Introduction to Prometheus
Introduction to PrometheusIntroduction to Prometheus
Introduction to PrometheusJulien Pivotto
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewMaría Angélica Bracho
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXNGINX, Inc.
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with PrometheusShiao-An Yuan
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX, Inc.
 
Edge Zones In CloudStack
Edge Zones In CloudStackEdge Zones In CloudStack
Edge Zones In CloudStackShapeBlue
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsBrendan Gregg
 
Helm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesHelm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesAlexei Ledenev
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentationSuresh Kumar
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and TuningNGINX, Inc.
 

Tendances (20)

Infrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using PrometheusInfrastructure & System Monitoring using Prometheus
Infrastructure & System Monitoring using Prometheus
 
How Netflix Tunes EC2 Instances for Performance
How Netflix Tunes EC2 Instances for PerformanceHow Netflix Tunes EC2 Instances for Performance
How Netflix Tunes EC2 Instances for Performance
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helm
 
Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2
 
Deep dive in container service discovery
Deep dive in container service discoveryDeep dive in container service discovery
Deep dive in container service discovery
 
Introduction to Prometheus
Introduction to PrometheusIntroduction to Prometheus
Introduction to Prometheus
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
HAProxy
HAProxy HAProxy
HAProxy
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
 
NGINX: Basics and Best Practices
NGINX: Basics and Best PracticesNGINX: Basics and Best Practices
NGINX: Basics and Best Practices
 
Edge Zones In CloudStack
Edge Zones In CloudStackEdge Zones In CloudStack
Edge Zones In CloudStack
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame Graphs
 
Helm - Application deployment management for Kubernetes
Helm - Application deployment management for KubernetesHelm - Application deployment management for Kubernetes
Helm - Application deployment management for Kubernetes
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and Tuning
 

Similaire à Wireguard VPN

OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on MikrotikGLC Networks
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksCohesive Networks
 
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLBMuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLBJitendra Bafna
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestChanaka Lasantha
 
FreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverFreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverTomaz Muraus
 
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureToronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureAlexandra N. Martinez
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features雄也 日下部
 
How OpenShift SDN helps to automate
How OpenShift SDN helps to automateHow OpenShift SDN helps to automate
How OpenShift SDN helps to automateIlkka Tengvall
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...Ritta Narita
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingShannon McFarland
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu theviper0308
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 
Clustering Docker with Docker Swarm on openSUSE
Clustering Docker with Docker Swarm on openSUSEClustering Docker with Docker Swarm on openSUSE
Clustering Docker with Docker Swarm on openSUSESaputro Aryulianto
 
Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overviewali raza
 
VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneYoshikazu Nojima
 
MySQL | My SQL docker containerization | Docker Network
MySQL | My SQL docker containerization | Docker NetworkMySQL | My SQL docker containerization | Docker Network
MySQL | My SQL docker containerization | Docker Networkshrenikp
 

Similaire à Wireguard VPN (20)

OpeVPN on Mikrotik
OpeVPN on MikrotikOpeVPN on Mikrotik
OpeVPN on Mikrotik
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container Networks
 
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLBMuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latest
 
FreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverFreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 server
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB ArchitectureToronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
 
3-sdn-lab.pdf
3-sdn-lab.pdf3-sdn-lab.pdf
3-sdn-lab.pdf
 
How OpenShift SDN helps to automate
How OpenShift SDN helps to automateHow OpenShift SDN helps to automate
How OpenShift SDN helps to automate
 
Unidade3 roteiro proxy
Unidade3 roteiro proxyUnidade3 roteiro proxy
Unidade3 roteiro proxy
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 
Clustering Docker with Docker Swarm on openSUSE
Clustering Docker with Docker Swarm on openSUSEClustering Docker with Docker Swarm on openSUSE
Clustering Docker with Docker Swarm on openSUSE
 
Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overview
 
VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced Zone
 
MySQL | My SQL docker containerization | Docker Network
MySQL | My SQL docker containerization | Docker NetworkMySQL | My SQL docker containerization | Docker Network
MySQL | My SQL docker containerization | Docker Network
 

Plus de All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...All Things Open
 

Plus de All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Dernier

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Wireguard VPN

  • 1. WireGuard VPN yes, it turns out the world does need a new kind of VPN This presentation is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. (C) 2018 jim@openoid.net Jim Salter Technomancer, Mercenary Sysadmin, Small Business Owner Today's slides can be found at: http://openoid.net/presentations/
  • 2. Who am I? Well, Jim’s just this guy, you know? * 20+ yr *nix admin * 15 yr OpenVPN exp. * (reluctant) developer * giant OSS hippie
  • 3. What is WireGuard? Kernel-mode VPN Secure by default UDP protocol
  • 5. What can I do with it? Point-to-point VPN Star topology VPN VPN mesh
  • 6. What CAN’T I do with it? no broadcast IP == no DHCP!
  • 7. Sell me on this thing! “Can I just once again state my love for [WG] and hope it gets merged soon?” – Linus Torvalds
  • 8. Sell me on this thing! OpenVPN: ~600K LoC IPSEC VPN: ~400K LoC WireGuard VPN: ~4K LoC
  • 9. Sell me on this thing! YES, LoC is a relevant metric damn it! * less code duplication * sane, modular flow * easier code audits
  • 10. Sell me on this thing! establish connection: 127 ms vs > 8,000 ms
  • 11. Sell me on this thing! I figured out OpenVPN configs in a week or so of dedicated hacking I figured out WG configs in six hours (while taking care of 3 kids under 10!)
  • 12. Sell me on this thing! OpenVPN/IPSEC: Agile Crypto WireGuard: Versioned Crypto smaller attack surface mandatory secure configuration greater peace of mind
  • 13. You sure it’s secure…? Uncompromised algorithms == shorter keys, simplified entropy cf: brute force attack vs dictionary attack
  • 14. You sure it’s secure…? Optional added symmetric encryption layer (PSK) can keep the quantum computing boogeyman at bay
  • 15. Let’s get dirty Any questions before we tackle a real-world WireGuard configuration from scratch?
  • 16. Create your keys root@svr:/etc/wireguard# touch svr.wg0.key root@svr:/etc/wireguard# chmod 600 svr.wg0.key root@svr:/etc/wireguard# wg genkey > svr.wg0.key root@svr:/etc/wireguard# wg pubkey < svr.wg0.key > svr.wg0.pub root@cli:/etc/wireguard# touch cli.wg0.key root@cli:/etc/wireguard# chmod 600 cli.wg0.key root@cli:/etc/wireguard# wg genkey > cli.wg0.key root@cli:/etc/wireguard# wg pubkey < cli.wg0.key > cli.wg0.pub private key is private; public key is public =)
  • 17. Configure your server # svr.wg0.conf [Interface] # Server can address all of 10.0.0.0/24 Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED [Peer] # client1 PublicKey = CLIENT_PUBLIC_KEY_WE_CREATED # This specific client can only occupy 10.0.0.2 AllowedIPs = 10.0.0.2/32
  • 18. Configure your client # /etc/wireguard/wg0.conf on CLI # connecting to wg0 on SVR [Interface] Address = 10.0.0.2/24 PrivateKey = PRIVATE_KEY_FROM_CLI [Peer] PublicKey = PUBLIC_KEY_FROM_SVR AllowedIPs = 10.0.0.1/24 Endpoint = svr.yourdomain.tld:51820
  • 19. Start your engines! root@svr:/etc/wireguard# systemctl enable wg-quick@wg0 root@svr:/etc/wireguard# systemctl start wg-quick@wg0 root@cli:/etc/wireguard# systemctl enable wg-quick@wg0 root@cli:/etc/wireguard# systemctl start wg-quick@wg0 root@cli:/etc/wireguard# wg interface: wg0 public key: GRdmHtSSbSlsIbznaWibGOcbm1/Wni/PSZ4je07iLB0= private key: (hidden) listening port: SOME_RANDOM_HIGH_PORT peer: GRdmHtSSbSlsIbznaWibGOcbm1/Wni/PSZ4je07iLB0= endpoint: SVR_public_IP_address:51820 allowed ips: 10.0.0.0/24 latest handshake: 1 second ago transfer: 220 B received, 276 B sent yes, it’s that easy. yes, really.
  • 20. Add a second client # svr.wg0.conf [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED [Peer] # client1 PublicKey = CLIENT_PUBKEY_WE_CREATED AllowedIPs = 10.0.0.2/32 [Peer] # client2 PublicKey = CLIENT_PUBKEY_WE_CREATED_ON_SECOND_CLIENT AllowedIPs = 10.0.0.3/32
  • 21. Terminology Gotcha What “AllowedIPs” really means is Routed subnet(s) ! #svr.wg0.conf [Peer] PublicKey = PUBKEY_FROM_CLI AllowedIPs = 10.0.0.2/32 #cli.wg0.conf [Peer] PublicKey = PUBKEY_FROM_SVR AllowedIPs = 10.0.0.1/24, 192.168.0.0/24 Endpoint = svr.domain.tld:51820
  • 22. Configurable hooks arbitrary configurable actions: log stuff, set DNS records, route traffic, whatever #cli.wg0.conf [Peer] PublicKey = PUBKEY_FROM_SVR AllowedIPs = 10.0.0.1/24 Endpoint = svr.domain.tld:51820 PostUp = ping -c1 10.0.0.1 PostDown = echo wg0 disconnected
  • 23. Internet gateway: SVR # svr.wg0.conf [Interface] # Server can address all of 10.0.0.0/24 Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = SERVER_PRIVATE_KEY_WE_CREATED # Internet Gateway: nat wg0 out to internet on eth0 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] # client1 PublicKey = CLIENT_PUBLIC_KEY_WE_CREATED # This specific client can only occupy 10.0.0.2 AllowedIPs = 10.0.0.2/32
  • 24. Internet gateway: CLI # /etc/wireguard/wg0.conf on CLI # connecting to wg0 on SVR # internet gateway through SVR [Interface] Address = 10.0.0.2/24 PrivateKey = PRIVATE_KEY_FROM_CLI [Peer] PublicKey = PUBLIC_KEY_FROM_SVR Endpoint = svr.domain.tld:51820 # gateway rule – route all traffic out over wg0! AllowedIPs = 0.0.0.0/0