WireGuard

“WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.”

WireGuard is:

- small, ~4000 LoC means a smaller attack surface and easily auditable,
- fast, it’s lightweight and implemented in the kernel,
- opinionated, makes conservative choices for you,
- simple, works like SSH and most of the networking is just using ip.

Small

- ~4000 LoC (not including cryptographic primitives) is very small.

[Chart: code size in kLoC (0–400), WireGuard vs OpenVPN vs IPsec]

Small

- Easily auditable: hasn’t happened formally yet; more secure than OpenVPN, etc.?

Fast

- Layer 3 (only).
- It is small ⇒ lightweight and fast.
- It lives in the kernel, so no need to copy packets in and out of userspace.
- Multicore.
- Fast for both transferring and connecting.

Fast

[Chart: performance comparison from https://www.wireguard.com/performance/ (i7)]

Fast

Via iperf3/TCP (running on WireGuard server):

- ~74 Mb/s, both natively and through the tunnel.

Via iperf3/UDP (running on WireGuard server):

[Chart: throughput in Mb/s (0–250), Native vs WireGuard, with the packet-loss point annotated]

Via speedtest (AWS California → San Jose):

[Chart: throughput in Mb/s (0–250), Native vs WireGuard vs OpenVPN (SF)]

Fast

WireGuard is fast on non-x86 devices. On our routers (Vadim) we get ~100 Mb/s (to California) with CPU at ~20 %. Compare this to ~60 Mb/s for OpenVPN, CPU at 100%.

Roughly 2× what they got via OpenVPN:
www.skadligkod.se/vpn/wireguard-speed-tests-on-asus-rt-ac86u/

Opinionated

- WireGuard doesn’t offer cypher agility.
- Uses modern, conservative cryptography based on NOISE.
- ECDH: Curve25519. Fast, ephemeral, perfect forward secrecy. No TLS, CA, PKI, etc.
- Key derivation: HKDF.
- Symmetric cypher: ChaCha20Poly1305. Fast on all processors, AEAD.
- Hash: BLAKE2s.
- Optional pre-shared key for post-quantum security.

Simple

demo

Server’s configuration file

    [Interface]
    PrivateKey = [server's private key]
    Address = 10.10.0.1/24, fd80::1/64
    ListenPort = 2307
    SaveConfig = true
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = [client's public key]
    PresharedKey = [preshared.key]
    AllowedIPs = 10.10.0.2/32, fd80::2/128

Client’s configuration file

    [Interface]
    PrivateKey = [client's private key]
    Address = 10.10.0.2/24, fd80::2/64
    ListenPort = 2307
    DNS = 10.10.0.1
    PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
    PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

    [Peer]
    PublicKey = [server's public key]
    PresharedKey = [preshared.key]
    AllowedIPs = 0.0.0.0/0, ::/0
    Endpoint = [wireguard server]:2307

Protocol

Silent and stealthy

- WireGuard does not alter state or respond if a packet is unauthenticated.
- WireGuard isn’t chatty. This is great for mobile devices.

1-RTT

- No cypher negotiation, etc.
- This makes WireGuard appear stateless.
- It also makes for very fast connection time.

DoS Protection

- Handshake responses are smaller than initiation messages.
- If a peer is under load, it uses a cookie scheme similar to IKEv2 but manages to: stay stealthy; prevent the cookie from being MitM’d; not allow this scheme to DoS another peer.

Key Rotation

- Keys are rotated every 120 seconds or every 2^64 − 2^16 − 1 messages. But it doesn’t matter if we miss a rekey, since the handshake is 1-RTT anyway.

Roaming

- Cryptokey routing.
- Designed for roaming: outages don’t affect the tunnel, switching networks (e.g. WiFi → 4G) is seamless, not much scope for leaks.
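Cryptokey routing ties each peer's public key to its AllowedIPs, which is exactly what the demo configuration above encodes (10.10.0.2/32 and fd80::2/128 for the client peer on the server; 0.0.0.0/0 and ::/0 for the server peer on the client). The following Python is an added illustration, not WireGuard's own code: it models that table with the ipaddress module, picks the peer for an outbound destination by longest prefix, and drops an inbound packet whose inner source lies outside the sending peer's AllowedIPs. The peer names and the extra 10.10.0.0/24 peer are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed peer tables mirroring the demo configuration above.
# Server side: the client peer from the slides, plus a constructed
# "lan-gateway" peer added only to show the longest-prefix rule.
SERVER_PEERS = {
    "client-pubkey-placeholder": ["10.10.0.2/32", "fd80::2/128"],
    "lan-gateway-pubkey-placeholder": ["10.10.0.0/24"],
}
# Client side: the server peer catches all traffic (default route into the tunnel).
CLIENT_PEERS = {
    "server-pubkey-placeholder": ["0.0.0.0/0", "::/0"],
}


def build_cryptokey_table(peers):
    """Flatten {pubkey: [cidr, ...]} into a list of (network, pubkey) pairs."""
    return [(ipaddress.ip_network(cidr, strict=True), pubkey)
            for pubkey, cidrs in peers.items() for cidr in cidrs]


def peer_for_destination(table, dst) -> Optional[str]:
    """Outbound: encrypt to the peer whose AllowedIPs contain dst; the most
    specific prefix wins. None means no peer matches and the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, pubkey in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, pubkey)
    return best[1] if best else None


def accept_inbound(table, pubkey, src) -> bool:
    """Inbound: a packet decrypted under pubkey's session is delivered only if
    its inner source address is within that peer's AllowedIPs; otherwise it is
    dropped, so one peer cannot spoof another peer's addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net, p in table if p == pubkey)
```

The inbound check is the part that matters for leak and spoofing resistance: the allowed source set is bound to the key that decrypted the packet, not to the UDP endpoint it arrived from, which is also why roaming between networks needs no renegotiation.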

Reviews

- Formal verification. Proven symbolically by Tamarin, a protocol verification tool. Analogous protocols have been formally verified too. https://www.wireguard.com/formal-verification/
- Audited by humans too. https://eprint.iacr.org/2018/080

Landscape

VPN providers offering WireGuard

- (also offering SOCKS5 multihop)
- Azire (for free)

VPN providers allegedly considering it

- ProtonVPN
- PIA

VPN providers that have donated

- Mullvad
- PIA

Support

- Any kernel ≥ 3.10.
- Packaged by pretty much all main distributions, including OpenWrt/LEDE.
- In-tree for a bunch of custom Android ROMs.
- Will become part of the kernel in future.
- wg will become part of ip.
- integration exists.

Userspace

- Userspace implementations in: Go; Rust.
- Android app (in beta) already exists using wireguard-go.

Links

- WireGuard
  - https://www.wireguard.com/
  - Thread on obfuscation: https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184.html
- Mullvad
  - https://mullvad.net/en/blog/2017/9/27/wireguard-future/
  - https://www.mullvad.net/en/blog/2017/12/8/introducing-post-quantum-vpn-mullvads-strategy-future-problem/
  - https://www.mullvad.net/en/guides/running-wireguard-router/
  - https://www.mullvad.net/en/guides/wireguard-and-mullvad-vpn/
  - https://mullvad.net/en/guides/socks5-proxy/#wireguard-socks5
- Azire
  - https://www.azirevpn.com/wireguard
- XDA
  - https://forum.xda-developers.com/android/development/wireguard-rom-integration-t3711635