Maksym Prokopov personal blog
Idea is a something worth sharing

WireGuard VPN Overview

02.02.2024

WireGuard is a relatively new protocol. It claims to be greatly simplified and faster compared to the alternatives; it uses UDP as its primary transport and encapsulates encrypted IP-layer traffic. Let's investigate whether that's true!

Some differences help it stand out from other VPN solutions:

I was able to connect Mikrotik, FritzBox 6690, macOS, iPad and iPhone using WireGuard with little effort.

Concepts

Virtual Network Interface. Peers configuration. Private key.

Peers configuration

WireGuard uses a table of peers with the following structure:

  • Routed network per peer. It can even be just a single host, or a whole subnet.
  • Public key of the peer. The peer is either a single client or a router for the subnet.

Private key

You don't distribute this part. The private key is used to decrypt traffic that was encrypted using the public key. Therefore the public key is the part we put into every peer config that gets distributed.

Configuration

To understand how to create a config, let's look at what happens on the interface.

What happens on the server

  1. The server's virtual network interface (wireguard) accepts a packet for routing.
  2. It checks whether the packet's destination is listed in the Peers section of the config.
  3. If the peer is defined, the packet is encrypted using the peer's public key and sent to the remote address of the client.
  4. To accept the packet, the client must be connected to the server. For this, the client uses the "Endpoint" section of its config, which contains the IP and port of the server.

What happens on the client

  1. The client receives the packet on its virtual interface.
  2. The packet is encrypted using this client's public key, so the client tries to decrypt it using its own private key.
  3. If that succeeds, it continues with routing, i.e. it forwards packets destined for the connected subnet on to their destinations.
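
The peer table lookup from the steps above, sketched in Python as an added example (not code from the original post or from WireGuard itself). It goes one step beyond the text by also showing the reverse check WireGuard applies to decrypted inbound packets; the peer keys and networks are constructed placeholders and the function names are hypothetical.

```python
import ipaddress

# Constructed peer table: keys are placeholders, networks are sample values.
PEERS = [
    {"public_key": "<laptop-public-key>", "allowed_ips": ["10.0.0.2/32"]},
    {"public_key": "<branch-router-public-key>",
     "allowed_ips": ["10.0.0.3/32", "192.168.88.0/24"]},
]


def best_match(peers, addr):
    """Return the peer whose routed network covers addr with the longest
    prefix, or None when no peer routes that address."""
    ip = ipaddress.ip_address(addr)
    best_peer, best_len = None, -1
    for peer in peers:
        for cidr in peer["allowed_ips"]:
            net = ipaddress.ip_network(cidr)
            if ip.version == net.version and ip in net and net.prefixlen > best_len:
                best_peer, best_len = peer, net.prefixlen
    return best_peer


def peer_for_destination(peers, dst):
    """Outbound: public key of the peer the packet is encrypted for,
    or None if the destination matches no peer and the packet is dropped."""
    peer = best_match(peers, dst)
    return peer["public_key"] if peer else None


def accept_inbound(peers, sender_key, src):
    """Inbound: a decrypted packet is kept only if its inner source address
    is routed to the same peer that sent it; this blocks source spoofing."""
    peer = best_match(peers, src)
    return peer is not None and peer["public_key"] == sender_key


if __name__ == "__main__":
    for dst in ("10.0.0.2", "192.168.88.20", "172.16.0.1"):
        print(dst, "->", peer_for_destination(PEERS, dst))
    # A laptop peer claiming an address from the branch subnet is rejected.
    print(accept_inbound(PEERS, "<laptop-public-key>", "192.168.88.20"))
```

The same per-peer network list therefore acts as a routing table for outgoing packets and as an access filter for incoming ones, which is why the routed network on each peer entry should be as narrow as the peer actually needs.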

What is required for config

So it becomes apparent what to do.

  • We need to exchange public keys between server and client.

The client configuration should contain the server's public key. The server configuration should contain the client's public key.

  • The address of the client subnet should be specified on the server, in the peer section.
  • The client configuration should contain Endpoint, the IP:Port of the server.

Mikrotik

Mikrotik is supported from version 7 of RouterOS.

[Image: mikrotik.png]

Fritzbox 6699

[Image: fritzbox.png]