During this time of lockdown and remote working, many are brushing up on their extra reading and learning. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics aren’t COVID-19 specific and vary from VPN to brute-force attacks to barcodes.
To be alerted to new ‘Consultant Corner’ blogs as soon as they are published, register using our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.
This blog is focused on WireGuard VPN solutions and is written by Martin Ellis, Cybersecurity Consultant at SureCloud.
Recently WireGuard, a new VPN solution, has been getting a lot of press coverage in the cyber news community, and with its recent inclusion in the Linux Kernel, it might be time for you to check it out.
Historically there have been a few major contenders in the free VPN space, with OpenVPN being by far the most popular. However, OpenVPN can be complex to configure, and users often resort to a management tool such as OpenVPN Access Server or piVPN to manage its configuration. WireGuard is attempting to provide a simpler alternative that is secure by default and easier to configure.
At the end of the post, we will go through how to set up a simple tunnel between two hosts, so you can experiment with the new tool.
WireGuard authentication is performed through the use of public keys: no shared secrets are passed, and hosts wishing to connect with each other simply exchange these public keys. It should be noted that, at this time, there does not appear to be a standardised way of performing 2FA with WireGuard.
WireGuard is supported natively on Linux, with the main kernel module included in the standard mainline kernel codebase; for older versions of Linux, a module loadable through DKMS is available. Clients for Windows, macOS, Android and iOS are also available.
The WireGuard protocol has gone through a number of validation processes to prove safety properties of the protocol. However, at the time of writing, no formal audit of the code base is known to have been performed. This means that, whilst the WireGuard protocol may be technically secure, there could be security issues in the implementation of the protocol that make it exploitable. Other VPN solutions such as OpenVPN have had their code audited. On the other hand, the WireGuard codebase is currently much smaller than many other implementations, and as such an audit should be relatively easy.
Before we move on to how to set up a simple point-to-point tunnel using WireGuard, here are our final thoughts on whether you should use it in production. At this point, due to its relative immaturity, its current list of known limitations and its relatively long to-do list, SureCloud would not recommend using this in a production environment. However, now is the time to experiment and help drive a promising project forward.
For our worked example, we are going to set up a point-to-point tunnel between a server (with a known IP address) and a client. First, install the WireGuard tools following the guidance on https://www.wireguard.com/install/.
The server must have a known IP address accessible to the client. We will be setting up a listener on port UDP/55555, so that port must be reachable through any firewalls running on the server. The first step is to generate a key pair on the WireGuard server.
We will be setting up a new virtual network interface for the tunnel called wg0, and this interface will have the “private” IP 10.0.0.1. To do this, the next step is to edit the WireGuard config for our new virtual device. The private key will be the contents of the `privatekey` file created in the previous step. We will fill in the client’s public key later.
When we are ready, we will bring this interface up with the following command:
First, however, we need to know the client’s public key.
Configuring a client is also simple. First, as with the server, we generate a new key pair for this client.
At this point, we can fill in the final piece of information missing on the server, so I would recommend doing that now by setting the client’s public key we skipped earlier.
Next, we will set up the virtual network device on the client; once again, we will edit the WireGuard config for the virtual wg0 network device. This time we are configuring this client to have the virtual IP of 10.0.0.2. Also, notice that in this config we do not configure a listener, but instead tell the client where to find the listener on the server we wish to access.
We are now ready to bring up the tunnel. On the server first, and then on the client, run the following command:
We can test the tunnel from the client by pinging the virtual IP on the server:
Once you are finished experimenting, take the tunnel down with:
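As an added example (not code from the original post or from the WireGuard project), the whole procedure above in one POSIX shell script: it generates both key pairs and writes the server and client wg0.conf files for the 10.0.0.1/10.0.0.2 tunnel on UDP/55555. It assumes the wireguard-tools binaries `wg` and `wg-quick`, a constructed server address 203.0.113.10, and falls back to clearly labelled placeholder keys if `wg` is not installed so the script still runs for inspection.

```shell
#!/bin/sh
# Added example: build the two WireGuard configs for the point-to-point tunnel.
# Server: 10.0.0.1, listens on UDP/55555.  Client: 10.0.0.2, no listener.
set -eu

# gen_keypair NAME: writes NAME.key / NAME.pub under $WORKDIR, prints the public key.
gen_keypair() {
  if command -v wg >/dev/null 2>&1; then
    wg genkey | tee "$WORKDIR/$1.key" | wg pubkey > "$WORKDIR/$1.pub"
  else   # placeholders only so the script runs without wireguard-tools installed
    printf 'PLACEHOLDER_%s_PRIVATE_KEY\n' "$1" > "$WORKDIR/$1.key"
    printf 'PLACEHOLDER_%s_PUBLIC_KEY\n'  "$1" > "$WORKDIR/$1.pub"
  fi
  chmod 600 "$WORKDIR/$1.key"        # private keys must never be world-readable
  cat "$WORKDIR/$1.pub"
}

# server_conf PRIVKEY CLIENT_PUBKEY: listener on 55555; AllowedIPs restricts
# which source addresses the client's key may use (WireGuard's cryptokey routing).
server_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.1/24\nListenPort = 55555\n\n' "$1"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.2/32\n' "$2"
}

# client_conf PRIVKEY SERVER_PUBKEY SERVER_IP: no ListenPort, Endpoint names the server.
client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.2/24\n\n' "$1"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.1/32\nEndpoint = %s:55555\n' "$2" "$3"
}

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_PUB=$(gen_keypair server)
CLIENT_PUB=$(gen_keypair client)
# Each side's config holds its OWN private key and the OTHER side's public key.
server_conf "$(cat "$WORKDIR/server.key")" "$CLIENT_PUB" > "$WORKDIR/server-wg0.conf"
client_conf "$(cat "$WORKDIR/client.key")" "$SERVER_PUB" 203.0.113.10 > "$WORKDIR/client-wg0.conf"
chmod 600 "$WORKDIR"/*.conf          # configs embed private keys

echo "Configs written to $WORKDIR. Copy each to /etc/wireguard/wg0.conf on its host, then:"
echo "  wg-quick up wg0       # on the server first, then on the client"
echo "  ping 10.0.0.1         # from the client, to test the tunnel"
echo "  wg-quick down wg0     # on both hosts when finished"
```

The 203.0.113.10 endpoint is a constructed documentation address; replace it with the server's real public IP, and remember that the server's firewall must admit UDP/55555.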
SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.