WireGuard – A Fast and Free VPN Solution | SureCloud Consultant Corner
Welcome to Consultant Corner
With the rise of remote working across the globe, many businesses are brushing up on their extra reading and learning when finding flexible new solutions to their business needs. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics will be relevant for a long time and vary from VPN to brute-force attacks to barcodes. The kind of insight into risk management tools that our Consultants provide across this series of articles is included in our cyber resilience assessment services.
You can stay alerted to new blogs from ‘Consultant Corner’ as soon as they are made available; just register in our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.
This blog is focused on WireGuard VPN solutions and is written by Martin Ellis, Cybersecurity Consultant at SureCloud.
WireGuard VPN vs OpenVPN
WireGuard received a lot of press coverage after its release in the cyber news community, and now, with its subsequent inclusion in the Linux Kernel, it might be time for you to check it out.
Historically there have been a few major contenders in the free VPN space, with OpenVPN being by far the most popular. However, OpenVPN can be complex to configure, and users often resort to a management tool such as OpenVPN Access Server or piVPN to manage configuration. WireGuard is attempting to provide an alternative that is secure by default and simpler to configure.
At the end of the post, we will go through how to set up a simple tunnel between two hosts, so that you can experiment with the new tool.
Authentication
WireGuard authentication is performed with public keys: no shared secrets are passed; instead, hosts wishing to connect only exchange these public keys. At the time of writing, there does not appear to be a standardised way of performing 2FA with WireGuard.
Platform Support
WireGuard is supported natively on Linux, with the main kernel module included in the standard mainline kernel codebase; for older versions of Linux, a module loadable through DKMS is available. Clients for Windows, macOS, Android and iOS are also available.
Security
The WireGuard protocol has gone through several validation processes to prove the safety properties of the protocol. However, at the time of writing, no formal audit of the code base is known to have been performed. This means that, whilst the WireGuard protocol may be technically secure, there could still be security issues in the implementation of the protocol that make it exploitable. Other VPN solutions, such as OpenVPN, have had their code audited. On the other hand, the WireGuard codebase is currently much smaller than many other implementations, so an audit should be relatively easy.
Our Thoughts
Before we move on to how to set up a simple point-to-point tunnel using WireGuard, here are our final thoughts on whether you should use it in production. At this point, due to its relative immaturity (its current list of known limitations and relatively long to-do list), SureCloud would not recommend using this in a production environment. However, now is the time to experiment and help drive a promising project forward.
Setting Up A Point-To-Point Tunnel
For our worked-through example, we will set up a point-to-point tunnel between a server (with a known IP address) and a client. First, install the WireGuard tools following the guidance on their website.
The WireGuard Server
This server must have a known IP address accessible to the client, so we will be setting up a listener on port UDP/55555. As such, that port must be visible through any firewalls running on the server. The first step is to create a key pair (as above) on the WireGuard server.
We will be setting up a new virtual network interface for the tunnel called wg0, and this interface will have the “private” IP 10.0.0.1. To do this, the next step is to edit the WireGuard config for our new virtual device, as shown above. The private key will be the contents of the `privatekey` file we just created. We will fill in the client’s public key later.
/etc/wireguard/wg0.conf
When we are ready, we will bring this interface up with the following command:
First, however, we will need to know the client public key.
The WireGuard Client
Configuring a client is also simple; first, as with the server, we generate a new key pair for this client.
At this point, we can fill in the final piece of information missing from the server config: the client’s public key that we left blank earlier. I would recommend doing that now.
Next, we will set up the virtual network device on the client; once again, we will edit the WireGuard config for the virtual wg0 network device. This time we are configuring this client to have the virtual IP of 10.0.0.2. Notice that in this config, we do not configure a listener; instead, we tell the client where to find the listener on the server we wish to access.
/etc/wireguard/wg0.conf
Bringing Up The Bridge and Testing
We are now ready to bring up the tunnel, first on the server and then on the client, using the following command.
We can test the tunnel from the client by pinging the virtual IP on the server:
Once you finish experimenting, take the tunnel down with this command.
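The post’s own listings (the key-generation commands, the two wg0.conf files and the up/down commands) did not survive as text on this page. The script below is an added example, not the post’s own code: a POSIX shell script that renders both configuration files from the values stated above (interface wg0, server 10.0.0.1 listening on UDP/55555, client 10.0.0.2), writes them with owner-only permissions and runs a small pre-flight check before you bring the interface up. It assumes the standard `wg` and `wg-quick` tools from wireguard-tools; the server endpoint address 203.0.113.10, the placeholder key strings and the `render_*`, `write_conf` and `check_conf` function names are the example’s own constructions.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the two wg0.conf files for
# the point-to-point tunnel: server 10.0.0.1 on UDP/55555, client 10.0.0.2.
# Assumes wireguard-tools (`wg`, `wg-quick`); everything else is constructed here.

# Generate a key pair: private key into "$1.key", derived public key into "$1.pub".
# umask 077 in a subshell so the private key is created owner-readable only.
gen_keypair() {
  ( umask 077; wg genkey | tee "$1.key" | wg pubkey > "$1.pub" )
}

# Server side: listens on UDP/55555; the only peer allowed is the client at 10.0.0.2.
# usage: render_server_conf <server_private_key> <client_public_key>
render_server_conf() {
  cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 55555
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = 10.0.0.2/32
EOF
}

# Client side: no ListenPort; instead an Endpoint pointing at the server's listener.
# AllowedIPs = 10.0.0.1/32 routes only the server's tunnel address through wg0.
# usage: render_client_conf <client_private_key> <server_public_key> <server_endpoint_ip>
render_client_conf() {
  cat <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:55555
AllowedIPs = 10.0.0.1/32
EOF
}

# Write a rendered config to a path with mode 600 (it contains a private key).
# usage: write_conf <path> <config_text>
write_conf() {
  ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Pre-flight check: the config must carry a PrivateKey, a peer PublicKey and the
# narrow /32 AllowedIPs expected for this tunnel, and must not be group/world-readable.
# Returns 0 when every check passes, 1 otherwise.
check_conf() {
  grep -q '^PrivateKey = ..*$' "$1" || { echo "missing PrivateKey in $1"; return 1; }
  grep -q '^PublicKey = ..*$' "$1" || { echo "missing peer PublicKey in $1"; return 1; }
  grep -q '^AllowedIPs = 10\.0\.0\.[12]/32$' "$1" || { echo "unexpected AllowedIPs in $1"; return 1; }
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || { echo "$1 has mode $mode, expected 600"; return 1; }
  return 0
}

# --- Demonstration: writes into a temporary directory, never into /etc/wireguard ---
demo_dir=$(mktemp -d)
if command -v wg >/dev/null 2>&1; then
  ( cd "$demo_dir" && gen_keypair server && gen_keypair client )
  SERVER_PRIV=$(cat "$demo_dir/server.key"); SERVER_PUB=$(cat "$demo_dir/server.pub")
  CLIENT_PRIV=$(cat "$demo_dir/client.key"); CLIENT_PUB=$(cat "$demo_dir/client.pub")
else
  # Constructed placeholders for machines without wireguard-tools installed.
  SERVER_PRIV=SERVER_PRIVATE_KEY_PLACEHOLDER; SERVER_PUB=SERVER_PUBLIC_KEY_PLACEHOLDER
  CLIENT_PRIV=CLIENT_PRIVATE_KEY_PLACEHOLDER; CLIENT_PUB=CLIENT_PUBLIC_KEY_PLACEHOLDER
fi
# Assumed public address of the server (documentation range); override via the environment.
SERVER_ENDPOINT=${SERVER_ENDPOINT:-203.0.113.10}

write_conf "$demo_dir/server-wg0.conf" "$(render_server_conf "$SERVER_PRIV" "$CLIENT_PUB")"
write_conf "$demo_dir/client-wg0.conf" "$(render_client_conf "$CLIENT_PRIV" "$SERVER_PUB" "$SERVER_ENDPOINT")"
if check_conf "$demo_dir/server-wg0.conf" && check_conf "$demo_dir/client-wg0.conf"; then
  echo "configs rendered in $demo_dir; copy each to /etc/wireguard/wg0.conf on its host, then:"
  echo "  server: wg-quick up wg0    (then) client: wg-quick up wg0 && ping 10.0.0.1"
  echo "  finished: wg-quick down wg0 on both hosts"
fi
```

The narrow AllowedIPs (a single /32 per peer) is the least-privilege choice for a point-to-point tunnel: it restricts which source addresses the peer may use inside the tunnel and limits what is routed through it, whereas 0.0.0.0/0 would turn the link into a full-tunnel default route. The mode-600 check matters because the config embeds the private key, and a leaked private key lets whoever holds it impersonate that host to its peer; the `wg` tool itself only needs the file to be readable by root.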
How can SureCloud help?
As a provider of recognised GRC and integrated cyber risk management products and services, SureCloud is well-placed to offer advice on how and when to use WireGuard. This kind of advice and recommendations comes as part of our Cyber Resilience Assessment services. But, for a deeper dive into what risk management tools and cybersecurity services we can offer, head over to our Cyber Risk Management capability overview.
About SureCloud
SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.