re smaller surface area, adding some numbers, &quot;WireGuard weighs in at around 4,000 lines of code; this compares to 600,000 total lines of code for OpenVPN + OpenSSL or 400,000 total lines of code for XFRM+StrongSwan for an IPSEC VPN. Two orders of magnitude fewer lines of code mean a lot less attack surface to find flaws in.&quot;
<a href="https:&#x2F;&#x2F;arstechnica.com&#x2F;gadgets&#x2F;2018&#x2F;08&#x2F;wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arstechnica.com&#x2F;gadgets&#x2F;2018&#x2F;08&#x2F;wireguard-vpn-review...</a>note openvpn sans openssl is 70k (supports multiple crypto libs), but given Wireguard&#x27;s code size is including crypto, it seems apt to compare totals.linus on a comparison, &quot;Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn&#x27;t perfect, but I&#x27;ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it&#x27;s a work of art.&quot; 
<a href="https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;761939&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;761939&#x2F;</a>

But these are related, aren&#x27;t they? Not trying to be pedantic or argumentative at all, just better understanding (for myself at least). Being kernel based means it cannot depend on external&#x2F;3rd party libraries, which does reduce the attack surface. Of course user-land library can also be written with no other library dependencies, but I think kernel based forces this as a requirement, doesn&#x27;t it (I don&#x27;t know for sure, please correct me if I&#x27;m wrong)?

Thank you for clarifying the differences in a more understandable way. The bullet points in the post have been made more clear now.

Indeed, the author is confusing things here:- It has a vastly smaller attack surface than e.g. OpenVPN, because it is much less complex.- Its performance is improved by being kernel based.- Compatibility is helped by it being in the mainline kernel, i.e. every device shipping a recent enough kernel will be able to have it (no need to deploy&#x2F;version libraries etc).These don&#x27;t have anything to do with each other.

That sounds interesting.Can you elaborate on which attacks userland system are susceptible to that a kernel is not?

This goes both ways. Userland systems are susceptible to a myriad of attacks that a kernel, being privileged code, is not. We rely on the kernel (plus CPU rings) for most of the security enforcement in a machine, after all.However, IF that code is compromised, the consequences are much more catastrophic.

BTW if people want to try userspace WireGuard: <a href="https:&#x2F;&#x2F;github.com&#x2F;cloudflare&#x2F;boringtun" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;cloudflare&#x2F;boringtun</a>

I have only experimented a bit with WireGuard because I wanted to avoid OpenVPN. The argument seems to be that it&#x27;s more secure because it&#x27;s implementation is small (the implication being that it&#x27;s easier to audit) and being in the kernel ensures mass adoption (ensuring even more likelihood of audits and quick patches.) I&#x27;m interested if there are other technical advantages for specific threat models.

I have been a bit weary of the WireGuard hype for much the same reason. Surely kernel mode is (a) the equivalent of running as root (b) opens up greater attack surface by virtue of running at kernel level

&gt; It’s kernel-based which reduces attack surface and can be ran in virtually any device.Excuse my ignorance, but can someone explain why a kernel based networking stack has less of an attack surface then a user-space based stack?I mean logically user-space should be more secure no?

@WGH_ You&#x27;re dead - presumably because the profile is new, and immediately made a comment? I think maybe anti-spam is a bit aggressive, unless there&#x27;s some linked account that accounts for the ban?At any rate, I agree information on bpf as a iptables work-a-like is scarce. This helps a bit:<a href="https:&#x2F;&#x2F;www.netronome.com&#x2F;blog&#x2F;bpf-ebpf-xdp-and-bpfilter-what-are-these-things-and-what-do-they-mean-enterprise&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.netronome.com&#x2F;blog&#x2F;bpf-ebpf-xdp-and-bpfilter-wha...</a>Then there&#x27;s of course the kernel docs, eg:
<a href="https:&#x2F;&#x2F;git.kernel.org&#x2F;pub&#x2F;scm&#x2F;linux&#x2F;kernel&#x2F;git&#x2F;torvalds&#x2F;linux.git&#x2F;tree&#x2F;Documentation&#x2F;bpf&#x2F;index.rst?h=v5.6" rel="nofollow">https:&#x2F;&#x2F;git.kernel.org&#x2F;pub&#x2F;scm&#x2F;linux&#x2F;kernel&#x2F;git&#x2F;torvalds&#x2F;lin...</a>See also: <a href="https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;introducing-the-bpf-tools&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;introducing-the-bpf-tools&#x2F;</a>

What is BPF (in the context of iptables&#x2F;nftables replacement) exactly? I tried searching for it, but only found some articles about early stage kernel support. Nothing about userspace or how to use it at all. It looks like there&#x27;s still no BPF firewall at this time.

even for simple cases, I prefer nftables. If for no other reason thn I think the syntax is simpler and easier to understand.

The community kind of skipped right over nftables to BPF. Simple use cases use iptables, complicated ones use BPF, nftables isn&#x27;t flexible enough for the complicated use cases so everyone keeps using iptables.

So unfortunately it makes less sense for one-liners. Case in point: to use the masquerade action in a postrouting&#x2F;nat chain, you also have to register a (possibly empty) prerouting&#x2F;nat chain.You don&#x27;t have to do that since Linux 4.18: <a href="https:&#x2F;&#x2F;wiki.nftables.org&#x2F;wiki-nftables&#x2F;index.php&#x2F;Performing_Network_Address_Translation_(NAT)#Stateful_NAT" rel="nofollow">https:&#x2F;&#x2F;wiki.nftables.org&#x2F;wiki-nftables&#x2F;index.php&#x2F;Performing...</a>

IMO nftables is best used with your full ruleset defined in a file, and atomically loaded. nftables certainly does make your ruleset more grokkable than statefully appending ad-hoc rules everywhere, but you necessarily need the whole picture to gain from it.So unfortunately it makes less sense for one-liners. Case in point: to use the masquerade action in a postrouting&#x2F;nat chain, you also have to register a (possibly empty) prerouting&#x2F;nat chain.

Hm. I guess no-one has bothered with nftables yet, even when dealing with network code that&#x27;s becoming part of the new upstream kernel (not just this blog, AFAIK wireguard upstream doesn&#x27;t have any examples on using nftables either, just iptables).I guess we need a new networking how-to?Anyone aware of some resources I might have missed?OK, I guess the nftables wiki is the &quot;how-to&quot;:
<a href="https:&#x2F;&#x2F;wiki.nftables.org&#x2F;wiki-nftables&#x2F;index.php&#x2F;Main_Page" rel="nofollow">https:&#x2F;&#x2F;wiki.nftables.org&#x2F;wiki-nftables&#x2F;index.php&#x2F;Main_Page</a>

Is this one of those cases where is Wireguard implemented traffic compression as a &quot;feature&quot; it would become a huge security flaw?I remember hearing that this is the case for naive HTTPS compression, but I never properly had insight in the how.

Thanks, looks good for mobile metered connections too then.

I just sent 200MiB of zeros over my wireguard connection to my VPS and my transmit counter on my wifi card went up by 238MB. Vs sending 1024MiB over just wifi to my Pi where the transmit counter went up by 1.04GiB.

Does wireguard have a noticeable overhead wrt data size compared to a unencrypted connection? I was thinking of setting up it on a small RPi-Like board at home, then on the laptop I carry around (when the lockdown is over). The purpose would be connecting to the Internet through the home broadband public IP which could be handy. However the laptop connects through a metered 4G connection which, although the data cap is more than reasonable, raises some concerns should the encryption require a lot more data than normal.

I would suggest using Algo VPN to set up WireGuard <a href="https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo</a>

I know its orthogonal to WireGuard itself, but I&#x27;d like to see these guides sometime provide some guidance around DNS, so that I can access services without having to remember the VPN client IP addresses.

Interesting. I haven&#x27;t had that happen because I do split-tunnel, but I will have to keep that in mind in scenarios when I try to forward everything thru the tunnel. All I needed to do for split tunnel was just adjust the route metric. (<a href="https:&#x2F;&#x2F;tujun.ga&#x2F;2020&#x2F;02&#x2F;18&#x2F;wireguard&#x2F;" rel="nofollow">https:&#x2F;&#x2F;tujun.ga&#x2F;2020&#x2F;02&#x2F;18&#x2F;wireguard&#x2F;</a>) Agreed about the lack of GUI though, I do wish there was a GTK applet for it.

I seem to recall configuring it entirely (sans key generation) in KDE Plasma network settings. I&#x27;m guessing you&#x27;re referring to another applet?

In my experience, this does work somewhat, but doesn&#x27;t set up the routes properly[1] and doesn&#x27;t provide an interface to the networkmanager applet, so you are still left with configuring the profiles in the terminal. There is much left to be desired. Sadly the third-party plugin isn&#x27;t much better and seems to be discontinued[2].[1] <a href="https:&#x2F;&#x2F;forum.manjaro.org&#x2F;t&#x2F;wireguard-with-networkmanager-1-16-how-to&#x2F;81544&#x2F;13" rel="nofollow">https:&#x2F;&#x2F;forum.manjaro.org&#x2F;t&#x2F;wireguard-with-networkmanager-1-...</a>
[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;max-moser&#x2F;network-manager-wireguard&#x2F;" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;max-moser&#x2F;network-manager-wireguard&#x2F;</a>

If you&#x27;re using NetworkManager and wireguard, try out the integration between the two as well. It lets you treat the tunnel as any other VPN in nm, and also easily avoids some issues with routing loops if you roam back on to your home network. Before, I always had to manually use wg-quick when I came back home or left.<a href="http:&#x2F;&#x2F;blogs.gnome.org&#x2F;thaller&#x2F;2019&#x2F;03&#x2F;15&#x2F;wireguard-in-networkmanager&#x2F;" rel="nofollow">http:&#x2F;&#x2F;blogs.gnome.org&#x2F;thaller&#x2F;2019&#x2F;03&#x2F;15&#x2F;wireguard-in-netwo...</a>

I also made a guide for connecting with the official iOS and macOS WireGuard clients, as I originally found it a bit difficult with the current UI.<a href="https:&#x2F;&#x2F;www.naut.ca&#x2F;blog&#x2F;2020&#x2F;02&#x2F;17&#x2F;setting-up-a-wireguard-vpn&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.naut.ca&#x2F;blog&#x2F;2020&#x2F;02&#x2F;17&#x2F;setting-up-a-wireguard-v...</a>

I made an Ansible script for the server : <a href="https:&#x2F;&#x2F;github.com&#x2F;Tazeg&#x2F;ansible-wireguard" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Tazeg&#x2F;ansible-wireguard</a>.
If it helps.

haha, yes, apologies. Whatever the new one is.

also available in ubuntu 20.04 (universe) via the dkms&#x2F;module support thats been standard for use w&#x2F; wireguard for years. wireguard also just hit 1.0 from a stable api perspective.

Just FYI, WireGuard is baked right into the Linux 6.x kernel. Unless you&#x27;re on a rolling distro you won&#x27;t see it yet, but very cool indeed.

One thing that is imo downplayed about WireGuard as opposed to other VPNs is ease of use, specifically:
 - setup is easy
 - automated config of large setups is easy
 - it is extremely resilient under network temporary failure

Here&#x27;s a (cleaned up) guide from our internal docs: <a href="https:&#x2F;&#x2F;miha.frangez.me&#x2F;2020&#x2F;04&#x2F;08&#x2F;wireguard-point-to-point-setup&#x2F;" rel="nofollow">https:&#x2F;&#x2F;miha.frangez.me&#x2F;2020&#x2F;04&#x2F;08&#x2F;wireguard-point-to-point-...</a>

It&#x27;s not really different from what&#x27;s shown here, only you set AllowedIPs to a single address instead of all addresses (0.0.0.0&#x2F;0). Here&#x27;s a short guide I just wrote: <a href="https:&#x2F;&#x2F;jtvjan.nl&#x2F;documents&#x2F;s2s-wireguard.md" rel="nofollow">https:&#x2F;&#x2F;jtvjan.nl&#x2F;documents&#x2F;s2s-wireguard.md</a>

Yes somehow I had wireshark in mind! :)

Assuming you meant Wireguard both times, I have a small guide I wrote for my team that I can throw up on my site. If I don&#x27;t post a link here in a couple hours, reply here so I get a notification.

Does anyone have a guide for setting up server-to-server wireshark connection?Everything I have found so far is about consumer VPN stuff.I&#x27;m interested in possibly using wireshark for server-to-server as a less painful alternative to TLS.

You have to use the Wireguard client. In that regard it&#x27;s similar to OpenVPN.Wireguard uses a custom protocol that isn&#x27;t supported by Windows&#x27; built-in VPN client. Most OSes only natively support IPsec&#x2F;L2TP or PPTP.

Wiregaurd uses its own protocol.There is a wire guard client for Windows.

Do you have to use the wireguard client or could say the VPN stack in Windows be used to connect to a wireguard server?

If you are just interested in configuring clients, Wireguard for Windows comes with a GUI that you can use. For Mac I&#x27;d suggest just using wg-quick[^1].[^1]: <a href="https:&#x2F;&#x2F;manpages.debian.org&#x2F;unstable&#x2F;wireguard-tools&#x2F;wg-quick.8.en.html" rel="nofollow">https:&#x2F;&#x2F;manpages.debian.org&#x2F;unstable&#x2F;wireguard-tools&#x2F;wg-quic...</a>

Mac clients can just download it from the App Store: <a href="https:&#x2F;&#x2F;apps.apple.com&#x2F;us&#x2F;app&#x2F;wireguard&#x2F;id1451685025?mt=12" rel="nofollow">https:&#x2F;&#x2F;apps.apple.com&#x2F;us&#x2F;app&#x2F;wireguard&#x2F;id1451685025?mt=12</a> It has a GUI, but you still need to understand its concepts to configure it.

I commented this earlier, here&#x27;s an iOS&#x2F;macOS client guide:<a href="https:&#x2F;&#x2F;www.naut.ca&#x2F;blog&#x2F;2020&#x2F;02&#x2F;17&#x2F;setting-up-a-wireguard-vpn&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.naut.ca&#x2F;blog&#x2F;2020&#x2F;02&#x2F;17&#x2F;setting-up-a-wireguard-v...</a>

Is there like a simpler configuration esp. for clients using windows &#x2F; mac?

Getting Started with WireGuard