Getting Started with WireGuard

miguelmota | 362 points

> It’s kernel-based which reduces attack surface and can be ran in virtually any device.

Excuse my ignorance, but can someone explain why a kernel based networking stack has less of an attack surface then a user-space based stack?

I mean logically user-space should be more secure no?

greatjack613 | 2 months ago

Hm. I guess no-one has bothered with nftables yet, even when dealing with network code that's becoming part of the new upstream kernel (not just this blog, AFAIK wireguard upstream doesn't have any examples on using nftables either, just iptables).

I guess we need a new networking how-to?

Anyone aware of some resources I might have missed?

OK, I guess the nftables wiki is the "how-to": https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

e12e | 2 months ago

Does wireguard have a noticeable overhead wrt data size compared to a unencrypted connection? I was thinking of setting up it on a small RPi-Like board at home, then on the laptop I carry around (when the lockdown is over). The purpose would be connecting to the Internet through the home broadband public IP which could be handy. However the laptop connects through a metered 4G connection which, although the data cap is more than reasonable, raises some concerns should the encryption require a lot more data than normal.

squarefoot | 2 months ago

I would suggest using Algo VPN to set up WireGuard https://github.com/trailofbits/algo

mathieubordere | 2 months ago

I know its orthogonal to WireGuard itself, but I'd like to see these guides sometime provide some guidance around DNS, so that I can access services without having to remember the VPN client IP addresses.

jimmcslim | 2 months ago

If you're using NetworkManager and wireguard, try out the integration between the two as well. It lets you treat the tunnel as any other VPN in nm, and also easily avoids some issues with routing loops if you roam back on to your home network. Before, I always had to manually use wg-quick when I came back home or left.

http://blogs.gnome.org/thaller/2019/03/15/wireguard-in-netwo...

parshimers | 2 months ago

I also made a guide for connecting with the official iOS and macOS WireGuard clients, as I originally found it a bit difficult with the current UI.

https://www.naut.ca/blog/2020/02/17/setting-up-a-wireguard-v...

rubatuga | 2 months ago

I made an Ansible script for the server : https://github.com/Tazeg/ansible-wireguard. If it helps.

tazeg95 | 2 months ago

Just FYI, WireGuard is baked right into the Linux 6.x kernel. Unless you're on a rolling distro you won't see it yet, but very cool indeed.

pkulak | 2 months ago

One thing that is imo downplayed about WireGuard as opposed to other VPNs is ease of use, specifically: - setup is easy - automated config of large setups is easy - it is extremely resilient under network temporary failure

ur-whale | 2 months ago

Does anyone have a guide for setting up server-to-server wireshark connection?

Everything I have found so far is about consumer VPN stuff.

I'm interested in possibly using wireshark for server-to-server as a less painful alternative to TLS.

borplk | 2 months ago

Do you have to use the wireguard client or could say the VPN stack in Windows be used to connect to a wireguard server?

platz | 2 months ago

Is there like a simpler configuration esp. for clients using windows / mac?

boromi | 2 months ago

dedea

enrichpu | 2 months ago