WireGuard – A Fast and Free VPN Solution | SureCloud Consultant Corner

Written by

Ellie Owen

Published on

30 Oct 2020


Welcome to Consultant Corner

With the rise of remote working across the globe, many businesses are brushing up on their reading as they look for flexible new solutions to their business needs. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they're seeing and tips for IT teams to stay protected. These topics will be relevant for a long time and vary from VPN to brute-force attacks to barcodes. The kind of insight into risk management tools that our Consultants provide across this series of articles is included in our cyber resilience assessment services.

You can stay alerted to new blogs from 'Consultant Corner' as soon as they are made available; just register in our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.

This blog is focused on WireGuard VPN solutions and is written by Martin Ellis, Cybersecurity Consultant at SureCloud.

WireGuard VPN vs OpenVPN

WireGuard received a lot of press coverage after its release in the cyber news community, and now, with its subsequent inclusion in the Linux kernel, it might be time for you to check it out.

Historically there have been a few major contenders in the free VPN space, with OpenVPN being by far the most popular. However, OpenVPN can be complex to configure, and users often resort to a management tool such as OpenVPN Access Server or piVPN to manage configuration. WireGuard is attempting to provide a simpler alternative that is secure by default and simpler to configure.

 

At the end of the post, we will go through how to set up a simple tunnel between two hosts, so that you can experiment with the new tool.


Authentication

WireGuard authentication is performed through the use of public keys; no shared secrets are passed; instead, hosts wishing to connect just communicate these public keys. At this time, there does not appear to be a standardised way of performing 2FA with WireGuard.

Platform Support

WireGuard is supported natively on Linux, with the main kernel module included in the standard mainline kernel codebase; for older versions of Linux, a module loadable through DKMS is available. Clients for Windows and macOS, Android and iOS, are also available.


Security

The WireGuard protocol has gone through several validation processes to prove the safety properties of the protocol. However, at the time of writing, no formal auditing of the code base is known to have been performed. This means that, whilst the WireGuard protocol may be technically secure, there could still be security issues in the implementation of the protocol that make it exploitable. Other VPN solutions, such as OpenVPN, have had their code audited. On the other hand, the WireGuard codebase is currently much smaller than many other implementations, so an audit should be relatively easy.

Our Thoughts

Before we move on to how to set up a simple point-to-point tunnel using WireGuard, here are our final thoughts on whether you should use it in production. At this point, due to its relative immaturity (its current list of known limitations and relatively long to-do list), SureCloud would not recommend using this in a production environment. However, now is the time to experiment and help drive a promising project forward.

Setting Up A Point-To-Point Tunnel

For our worked-through example, we will set up a point-to-point tunnel between a server (with a known IP address) and a client. First, install the WireGuard tools following the guidance on their website.

The WireGuard Server

This server must have a known IP address accessible to the client. We will be setting up a listener on port UDP/55555, so that port must be reachable through any firewalls running on the server. The first step is to create a key pair on the WireGuard server.

We will be setting up a new virtual network interface for the tunnel called wg0, and this interface will have the “private” IP 10.0.0.1. To do this, the next step is to edit the WireGuard config for our new virtual device. The private key will be the contents of the `privatekey` file we created in the previous step. We will fill in the client’s public key later.

/etc/wireguard/wg0.conf

When we are ready, we will bring this interface up with the following command:

First, however, we will need to know the client public key.

The WireGuard Client

Configuring a client is also simple; first, as with the server, we generate a new key pair for this client.

At this point, we can fill in the final piece of information missing on the server. I would recommend doing that now and setting the client’s public key, which we missed earlier.

Next, we will set up the virtual network device on the client; once again, we will edit the WireGuard config for the virtual wg0 network device. This time we are configuring this client to have the virtual IP of 10.0.0.2. Notice that in this config, we do not configure a listener; instead, we tell the client where to find the listener on the server we wish to access.

/etc/wireguard/wg0.conf

Bringing Up The Bridge and Testing

We are now ready to bring up the tunnel, first on the server and then on the client, by running the command on each.

We can test the tunnel from the client by pinging the virtual IP on the server:

Once you finish experimenting, take the tunnel down with this command.
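The two `wg0.conf` files the steps above describe, written out as a script; this is an added example, not code from the original post. It uses the post's values (wg0, UDP/55555, 10.0.0.1, 10.0.0.2); the `/24` prefix, the `/32` `AllowedIPs` entries, the function names and the output directory argument are assumptions.

```shell
#!/bin/sh
# Added example: writes the server and client wg0.conf described in this post.
# From the post: wg0, UDP/55555, 10.0.0.1 (server), 10.0.0.2 (client).
# Assumed here: /24 prefix, /32 AllowedIPs, function names, output directory.
WG_PORT=55555
SERVER_IP=10.0.0.1
CLIENT_IP=10.0.0.2

# A WireGuard key is 32 bytes in base64: 43 characters followed by '='.
valid_key() {
  body=${1%=}
  [ "$body" != "$1" ] && [ "${#body}" -eq 43 ] || return 1
  case "$body" in *[!A-Za-z0-9+/]*) return 1 ;; esac
}

# write_conf <path>: stdin -> file readable by its owner only (holds a private key)
write_conf() {
  ( umask 077 && cat > "$1" && chmod 600 "$1" )
}

# render_server <dir> <server_private_key> <client_public_key>
render_server() {
  valid_key "$2" && valid_key "$3" || return 1
  write_conf "$1/wg0.conf" <<EOF
[Interface]
PrivateKey = $2
Address = $SERVER_IP/24
ListenPort = $WG_PORT

[Peer]
PublicKey = $3
AllowedIPs = $CLIENT_IP/32
EOF
}

# render_client <dir> <client_private_key> <server_public_key> <server_address>
render_client() {
  valid_key "$2" && valid_key "$3" || return 1
  write_conf "$1/wg0.conf" <<EOF
[Interface]
PrivateKey = $2
Address = $CLIENT_IP/24

[Peer]
PublicKey = $3
Endpoint = $4:$WG_PORT
AllowedIPs = $SERVER_IP/32
EOF
}
# Keys, per host:  umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# Then on each host: wg-quick up wg0 ; from the client: ping 10.0.0.1 ; wg-quick down wg0
```

Restricting each peer's `AllowedIPs` to the other side's single tunnel address keeps the tunnel from carrying traffic for any other source or destination.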

How can SureCloud help?

As a provider of recognised GRC and integrated cyber risk management products and services, SureCloud is well-placed to offer advice on how and when to use WireGuard. This kind of advice and recommendations comes as part of our Cyber Resilience Assessment services. But, for a deeper dive into what risk management tools and cybersecurity services we can offer, head over to our Cyber Risk Management capability overview.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.

SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.

Discover SureCloud’s Cyber Resilience Assessment Solution here.