WireGuard, a work of art

Introduce

If you used to use Facebook in the 10th years of the 21st century, you were going through a hard time for Facebook users back then – using a VPN, because the Vietnamese carrier blocked Facebook’s IP. So what is a VPN that can bypass the rules of the network operator like that?

VPN (Virtual Private Network – virtual private network) allows users to create a tunnel (tunnel) to connect to another network on the Internet. VPN is very suitable when you want to use the Internet for private purposes, prevent ISP access – network service providers, or you access Wifi in a cafe and still want privacy, or The other thing is that you are sitting at work but want to get data from your home hard drive.

The story at a certain company, during work hours, YouTube was blocked, but the learning materials were all there, so one of my social brothers had to use a VPN to watch Yotube.

“Although you are living in Vietnam, but you are always in America” ​​- Quoting a certain social brother.

However, this article is not about introducing what VPN is, how it works. Here, I want to introduce to you a type of VPN nearly 1 year I regularly use. It is completely different from OpenVPN, IPSec that you all know, those are the VPN standards for a long time. Today I want to introduce WireGuard – modern VPN now.

What is WireGuard?

Like OpenVPN and IPSec, WireGuard is a VPN system, it also helps you to establish an encrypted connection between your client and server via an Internet connection. WireGuard is operated in layer 3, designed as a virtual network interface of Kernel for Linux. WireGuard was born as a replacement for IPSec in most use cases, and relies on TLS-based solutions like OpenVPN, while WireGuard is safer, faster, and easier to use.

Linus Torvalds sent a mail to David Miller with this message

Pulled.
Btw, on an unrelated issue: I see that Jason actually made the pull request to have wireguard included in the kernel.
Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.

Linus Torvalds , the creator of Linux, talked about WireGuard as a work of art. WireGuard has OpenSource code on Github and it has less than 4000 lines of code , less than 1% of the code of OpenVPN (600,000 lines), making it easy to check and verify.

WireGuard has been integrated into Kernel 5.6 (you can read it at https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html ). So from Kernel 5.6 onwards, WireGuard is installed by default, and will give people access to more and better WireGuard.

How fast is WireGuard?

I’ve been saying WireGuard is faster than OpenVPN or IPSec, so how fast is it. There is an objective test below, everyone can see and compare

Exchange keys and packets

WireGuard uses Noise_IK handshake from Noise, based on the work of CurveCP, NaCL, KEA +, SIGMA, FHMQV and HOMQV. All are packaged and sent via UDP.

Key exchange has the following good properties:

• Avoid impersonation
• Avoid replay attacks
• Perfect forward secrecy
• Achieved “AKE Security”
• Incognito

Disadvantages of WireGuard

• Only UDP protocol is supported
• Still being contribute to be better
• Works best on Linux

Refer

• https://www.wireguard.com/
• https://www.wireguard.com/protocol/
• https://www.wireguard.com/papers/wireguard.pdf
• https://www.wireguard.com/repositories/
• https://lists.openwall.net/netdev/2018/08/02/124
• https://duo.com/decipher/wireguard-vpn-added-to-linux-kernel