What is WireGuard? A Closer Look at a New VPN Technology

Finjan TeamBlog, Cybersecurity


A new VPN (Virtual Private Network) technology called WireGuard that’s being billed as perhaps “the most secure, easiest to use, and simplest VPN solution in the industry” is currently gaining traction. It’s especially popular among application developers working for companies that are looking to build their backend infrastructure (administration, archives, and other non-customer facing business units or applications) on the new platform.

Initially released for Linux-based operating systems, WireGuard is now compatible with a range of other platforms. In this article, we’ll be looking at the characteristics of this new VPN technology, and how WireGuard may serve as the solution for businesses wishing to deploy faster and more secure Virtual Private Networks.

WireGuard – Simplicity in Use

With our growing reliance on mobile devices to gain internet access – and increasing concerns over internet censorship and data privacy – Virtual Private Networks now have to cater for personal and corporate desktop environments, as well as smartphones, tablets, and a range of connected devices. Products like the InvinciBull™ VPN from Finjan Mobile (a combination of VPN service and secure web browser) have evolved to meet this demand.

But the encryption protocols on which mainstream VPN products have had to rely have raised issues in the past. The OpenVPN system is generally preferred to the immensely complex IPSec standard. But with around 120,000 lines of code in its makeup (each a potential source of vulnerabilities), OpenVPN itself is extremely complex and relatively slow to run – not to mention hard to secure.

The new VPN solution proposed by WireGuard and launched in 2015 has a cryptographic foundation based on fewer than 4,000 lines of code, with ease of use at its heart.

In terms of mobile usage, WireGuard has been designed as a “stealth VPN,” not transmitting any packets by default, unless there’s actual data to be sent. This reduces the amount of “chatter” associated with a WireGuard VPN-protected device, and cuts down the amount of information potentially available for eavesdroppers or packet sniffers to get a hold of. This approach also extends mobile device battery life.

WireGuard Provides Strong Encryption

A process called Cryptokey Routing is at the heart of WireGuard encryption. The mechanism works by associating public encryption keys with a list of VPN tunnel IP addresses which are allowed inside the tunnel.

A unique private key and a list of peers is associated with each network interface. Each of the peers has a short and simple public key, used in authenticating it with other peers. These public keys may be distributed for use in configuration files in a number of ways, much like the transmission of SSH public keys.

In a server configuration, each peer (client application, etc.) may send packets into the network interface only with a source IP address that matches its own list of allowed IP addresses. When the network interface wishes to send a packet to a peer, it looks at the destination IP of the data packet and compares it to each peer’s list of allowed IPs, in order to determine which peer to send it to.

For the tech-minded, here’s how the process is described by WireGuard itself:

“WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:

1. This packet is meant for 192.168.30.8. Which peer is that? Let me look… Okay, it’s for peer ABCDEFGH. (Or if it’s not for any configured peer, drop the packet.)
2. Encrypt entire IP packet using peer ABCDEFGH’s public key.
3. What is the remote endpoint of peer ABCDEFGH? Let me look… Okay, the endpoint is UDP port 53133 on host 216.58.211.110.
4. Send encrypted bytes from step 2 over the Internet to 216.58.211.110:53133 using UDP.

When the interface receives a packet, this happens:

1. I just got a packet from UDP port 7361 on host 98.139.183.24. Let’s decrypt it!
2. It decrypted and authenticated properly for peer LMNOPQRS. Okay, let’s remember that peer LMNOPQRS’s most recent Internet endpoint is 98.139.183.24:7361 using UDP.
3. Once decrypted, the plain-text packet is from 192.168.43.89. Is peer LMNOPQRS allowed to be sending us packets as 192.168.43.89?
4. If so, accept the packet on the interface. If not, drop it.

Behind the scenes there is much happening to provide proper privacy, authenticity, and perfect forward secrecy, using state-of-the-art cryptography.”

The list of allowed IP addresses acts as a sort of routing table when transmitting packets, and as a kind of access control list, when receiving them. WireGuard calls this a Cryptokey Routing Table, which works by the simple association of public encryption keys and allowed IP addresses.

WireGuard Features IP Roaming On Both Ends

In a typical WireGuard VPN deployment, the client (or peer) configuration contains an initial endpoint for its destination server, so that it knows where to send encrypted information before it has received any. The configuration of the server doesn’t contain any initial endpoints for its clients (peers). Rather, the server is left to discover the endpoint of each peer by examining the location from which correctly authenticated data originates.

Since the clients keep tracking the server in the same way, if the server changes its location the clients will discover the new server endpoint and update their configuration accordingly. Both client and server send encrypted information to the most recent IP endpoint from which they authentically decrypted data.

So IP addresses can be readily switched on both ends, without breaking the system. Users can switch between Wi-Fi, cellular, and other connections without having to manually perform any of the configuration.
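To make the two roles of the cryptokey routing table concrete, here is an added Python model covering both the send/receive walkthrough quoted in the previous section and the endpoint roaming described in this one. It is example code written for this article, not WireGuard’s own implementation. It assumes a constructed wg-quick-style configuration with placeholder keys and the article’s sample addresses; the decryption step is stood in for by the name of the peer whose session authenticated the packet (or None on failure), since only the table lookups are modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed configuration in wg-quick's INI-style layout. The keys are
# placeholders, not real WireGuard keys; the peer names and addresses mirror
# the article's quoted walkthrough. The second peer deliberately has no
# Endpoint line: a server learns it from authenticated traffic.
SAMPLE_CONFIG = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 192.168.30.1/24

[Peer]
PublicKey = ABCDEFGH
AllowedIPs = 192.168.30.8/32
Endpoint = 216.58.211.110:53133

[Peer]
PublicKey = LMNOPQRS
AllowedIPs = 192.168.43.0/24, 192.168.30.0/24   # no Endpoint: learned on receive
"""


@dataclass
class Peer:
    public_key: str
    allowed_ips: List[ipaddress.IPv4Network] = field(default_factory=list)
    endpoint: Optional[Tuple[str, int]] = None  # (host, udp_port), configured or learned


def parse_wg_config(text: str):
    """Minimal parser for the INI-like layout above (repeated [Peer] sections are allowed)."""
    interface, peer_sections, section = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peer_sections.append(section)
        else:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    peers = []
    for sec in peer_sections:
        nets = [ipaddress.ip_network(n.strip()) for n in sec["AllowedIPs"].split(",")]
        endpoint = None
        if "Endpoint" in sec:
            host, _, port = sec["Endpoint"].rpartition(":")
            endpoint = (host, int(port))
        peers.append(Peer(sec["PublicKey"], nets, endpoint))
    return interface, peers


class CryptokeyRoutingTable:
    """One table, used as a routing table on send and as an access control list on receive."""

    def __init__(self, peers: List[Peer]):
        self.peers = {p.public_key: p for p in peers}

    def lookup(self, ip: str) -> Optional[Peer]:
        """Longest-prefix match of `ip` across every peer's AllowedIPs; None if no peer owns it."""
        addr = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def send(self, dst_ip: str):
        """Send path: pick the peer by destination and return (peer_key, endpoint)
        to encrypt for and send to, or None to drop the packet."""
        peer = self.lookup(dst_ip)
        if peer is None or peer.endpoint is None:
            return None  # unknown destination, or a peer whose endpoint is not known yet
        return peer.public_key, peer.endpoint

    def receive(self, outer_endpoint, authenticated_peer_key, inner_src_ip: str) -> bool:
        """Receive path. `authenticated_peer_key` stands in for the real decrypt step:
        the key of the peer whose session authenticated the packet, or None on failure."""
        peer = self.peers.get(authenticated_peer_key)
        if peer is None:
            return False  # failed to decrypt/authenticate: drop, and learn nothing from it
        peer.endpoint = outer_endpoint  # roaming: remember where authentic data came from
        # ACL role: the inner source address must resolve to this same peer
        return self.lookup(inner_src_ip) is peer


def demo():
    """Walks through the article's scenarios and returns the outcomes."""
    _, peers = parse_wg_config(SAMPLE_CONFIG)
    table = CryptokeyRoutingTable(peers)
    out = {}
    out["send_to_30_8"] = table.send("192.168.30.8")       # /32 beats LMNOPQRS's /24
    out["send_unknown"] = table.send("10.1.1.1")           # no peer owns it: drop
    out["send_before_seen"] = table.send("192.168.43.89")  # LMNOPQRS has no endpoint yet
    out["accept"] = table.receive(("98.139.183.24", 7361), "LMNOPQRS", "192.168.43.89")
    out["send_after_seen"] = table.send("192.168.43.89")   # endpoint learned above
    out["spoofed_source"] = table.receive(("98.139.183.24", 7361), "LMNOPQRS", "192.168.30.8")
    out["bad_auth"] = table.receive(("198.51.100.7", 1234), None, "192.168.43.89")
    out["roamed"] = table.receive(("203.0.113.5", 40000), "LMNOPQRS", "192.168.43.89")
    out["send_after_roam"] = table.send("192.168.43.89")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Two points in the model are worth noting from a defender’s view. The receive check reuses the same longest-prefix lookup as the send path, so a peer cannot inject packets with a source address the table assigns to a different peer (the `spoofed_source` case is dropped). And the endpoint is updated only after a packet has authenticated, so a datagram with a forged UDP source address never redirects a peer’s traffic (the `bad_auth` case leaves the endpoint untouched).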

WireGuard Also Boasts Strong Performance on a Range of Systems

Though initially designed and optimized for running inside the Linux Kernel, WireGuard can currently be adapted for a number of different platforms. For example, WireGuard may be used on systems running Ubuntu, macOS, and Android. There’s a user-space portable version in development, which will enable developers to include VPN functionality for apps in the Play Store without requiring root access.

WireGuard – A Work in Progress

It should be noted that WireGuard is still a work in progress. The project’s website includes a description of the protocol, cryptography, and key exchange mechanisms, and hosts a downloadable technical white-paper going into more detail. The development team at WireGuard is currently recruiting Android GUI developers to assist them in making improvements to the core technology. There’s also a mailing list for contributors to submit recommendations and code using git-send-email.

WireGuard’s critical reception has been generally warm, with its encryption standards receiving a “thumbs up” from cryptographic researchers.

Most indications are positive, and a new era of VPN protection based on WireGuard is a growing prospect. The XDA Developers Forum sums it up like this:

“Overall, WireGuard appears to be the future of VPNs and secure network tunnels, embracing rock solid modern cryptography, a secure auditable code base, and an innovative protocol well suited for smartphones.”
