I think it's worth knowing how simple and easy it is to set up wireguard when you don't need a web UI or any of that other fluff on there. Every computer running linux on a recent enough kernel can do it on a completely clean base install -- I figure a lot of the appeal for me is that I'm not introducing any risks on my system by installing extraneous packages. Means less maintenance whenever those have to be updated for security problems, meaning we get to bird two stones with one kill. Can be set up with nothing more than the shell and vi. It's right in entrypoint.sh[1] and some dockerfiles - set up firewall; set up wireguard devices, keys and configs; set up dnsmasq. Three simple steps on linux or openbsd (Not sure if FreeBSD ever got past that integration issue yet)
Setting up the FW and routing is not trivial for anyone who hasn't had to deal with that aspect of Linux before. 99% of people are going to want a straightforward tunnel that simply forwards everything to the default route table of the server. Which is of course what the linked script does. But even experienced devs are going to have no idea what the heck a prerouting chain or a masquerade rule does.
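As an added example (not code from the thread, from subspace's entrypoint.sh, or from wg-quick), here is the server side of that "forward everything through the server" tunnel done the plain way the first comment describes: a wg(8)-format config applied with `wg setconf`, the `ip`/`sysctl` commands around it, and an nftables ruleset in place of the iptables FORWARD/MASQUERADE incantations, with a comment on what each rule is for. Interface names, the tunnel subnet, the peer names and the key strings are constructed placeholders.

```python
"""Render a minimal WireGuard exit-node setup: config, commands, nft rules."""
import ipaddress


def render_nft_ruleset(wg_if="wg0", wan_if="eth0", tunnel_net="10.7.0.0/24"):
    """nftables rules for a tunnel whose clients route the internet via us."""
    net = ipaddress.ip_network(tunnel_net, strict=True)  # reject a bad CIDR early
    return f"""table inet wgnat {{
  chain forward {{
    # policy drop is only sensible if nothing else forwards through this box;
    # with Docker/CNI on the host, use their chains and keep policy accept
    type filter hook forward priority filter; policy drop;
    # packets coming out of the tunnel with a tunnel source address may go on
    iifname "{wg_if}" ip saddr {net} accept
    # replies are let back in only for connections the tunnel side opened
    iifname "{wan_if}" oifname "{wg_if}" ct state established,related accept
  }}
  chain postrouting {{
    type nat hook postrouting priority srcnat; policy accept;
    # masquerade = source NAT to whatever address {wan_if} has: the internet
    # answers this server, and conntrack maps the reply back into the tunnel
    ip saddr {net} oifname "{wan_if}" masquerade
  }}
}}
"""


def render_server_conf(private_key, tunnel_net="10.7.0.0/24", listen_port=51820, peers=()):
    """wg(8) config (no Address= line; that is a wg-quick extension).

    peers: iterable of (name, public_key, allowed_ip) where allowed_ip is the
    single tunnel address of that peer, e.g. "10.7.0.2/32".
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    server_addr = next(net.hosts())  # first usable address belongs to the server
    out = ["[Interface]", f"ListenPort = {listen_port}", f"PrivateKey = {private_key}"]
    seen = set()
    for name, public_key, allowed_ip in peers:
        a = ipaddress.ip_network(allowed_ip, strict=True)
        if a.prefixlen != a.max_prefixlen:
            raise ValueError(f"{name}: server-side AllowedIPs should be one host, got {a}")
        if a.network_address not in net or a.network_address == server_addr:
            raise ValueError(f"{name}: {a} is not a free client address in {net}")
        if a in seen:
            raise ValueError(f"{name}: {a} already assigned to another peer")
        seen.add(a)
        out += ["", f"# {name}", "[Peer]", f"PublicKey = {public_key}", f"AllowedIPs = {a}"]
    return "\n".join(out) + "\n"


def setup_commands(wg_if="wg0", tunnel_net="10.7.0.0/24",
                   conf_path="/etc/wireguard/wg0.conf", rules_path="/etc/nftables.d/wg.nft"):
    """The shell steps, in order, that bring the tunnel up without wg-quick."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    return [
        "sysctl -w net.ipv4.ip_forward=1",           # without this nothing is forwarded
        f"ip link add {wg_if} type wireguard",       # create the netdev
        f"wg setconf {wg_if} {conf_path}",           # keys, port, peers
        f"ip addr add {next(net.hosts())}/{net.prefixlen} dev {wg_if}",
        f"ip link set {wg_if} up",
        f"nft -f {rules_path}",                      # forward + masquerade rules
    ]


if __name__ == "__main__":
    peers = [("laptop", "LAPTOP_PUBKEY_PLACEHOLDER", "10.7.0.2/32"),
             ("phone", "PHONE_PUBKEY_PLACEHOLDER", "10.7.0.3/32")]
    print(render_server_conf("SERVER_PRIVKEY_PLACEHOLDER", peers=peers))
    print(render_nft_ruleset())
    print("\n".join(setup_commands()))
```

Clients then point `AllowedIPs = 0.0.0.0/0` at this server; with the masquerade rule in place their traffic leaves with the server's WAN address, which is the "default route of the server" behaviour described above.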
At least for me, a major issue turned out to be the abstractions (like wg-quick, ufw, network-manager, openwrt) which on one hand obscure the inner workings but at the same time are limited enough that at some point you will be forced to dig deeper. They also don't always play nicely together wrt routes, routing policies and *tables rules.
I wasted so much time (probably weeks, added together) in my younger days banging my head against the wall with Linux networking. Throwing out other high-level tools/frameworks and starting "from scratch" on CentOS/Rocky/Debian with only systemd-networkd and nftables has now made me mostly comfortable and I finally feel in control of the networking stack on my Linux boxes. I say "mostly" because, well, Docker and CNI...
Just use OpenBSD, so much of that crap just gets out of the way because it was never glued on without anyone asking. For routing stuff like VPNs and routers especially this becomes my first choice, unless we're really needing to hit gigabit speeds... Try fresh air for once!
Two things I learned that were game-changers in setting up and managing Wireguard on Linux:
* The semantics and behavior of AllowedIPs. In itself, it means what IPs are allowed to be routed through the tunnel (that is, IPs "on the other end"). wg-quick will, additionally, add routes to these, but that's not part of Wireguard itself.
* systemd-networkd has native support for Wireguard netdevs and networks. It's pretty easy to set up and makes it a lot more flexible; it won't add routes to AllowedIPs like wg-quick but you can define the routes (and routing policies and tables) you want in the same file. [0]
As much flak as systemd gets, systemd-networkd has by far been the most sane way for me to manage networking on Linux, and I tried most.
I'd also like to take the opportunity to recommend nftables instead of iptables. Unless you already have good reasons to prefer iptables, nftables is so much easier to learn and manage.
Oh, and ufw gets ugly real fast. Managing it through ansible or similar is a real mess. firewalld is a lot more predictable IMO. Its routing story is not perfect but it's the best I found so far and can be complemented with ip and manual nftables rules[2].
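The AllowedIPs point above is the one most worth internalising, so here is an added example (not code from the thread or from WireGuard itself) that models WireGuard's cryptokey routing table: the decision the tunnel makes on every packet regardless of any kernel routes wg-quick or systemd-networkd may or may not add. Peer names and addresses are constructed.

```python
"""Model of WireGuard cryptokey routing: what AllowedIPs governs inside the tunnel."""
import ipaddress


class CryptokeyTable:
    def __init__(self):
        self._peers = {}  # peer name -> list of ip_network objects

    def add_peer(self, name, allowed_ips):
        nets = [ipaddress.ip_network(a, strict=True) for a in allowed_ips]
        for other, onets in self._peers.items():
            for n in nets:
                if n in onets:
                    # a prefix can belong to only one peer; the kernel quietly
                    # moves it to the most recently configured peer, this model
                    # refuses instead so the misconfiguration is visible
                    raise ValueError(f"{n} already belongs to peer {other}")
        self._peers[name] = nets

    def outbound_peer(self, dst):
        """Outbound: encrypt to the peer whose AllowedIPs contain dst, longest
        prefix winning. No match means the packet is dropped, even if an
        'ip route' sent it into the wg interface."""
        addr = ipaddress.ip_address(dst)
        best = None
        for name, nets in self._peers.items():
            for n in nets:
                if addr.version == n.version and addr in n:
                    if best is None or n.prefixlen > best[1]:
                        best = (name, n.prefixlen)
        return best[0] if best else None

    def accept_inbound(self, peer, inner_src):
        """Inbound: after decryption, a packet from `peer` is kept only if its
        inner source address is inside that peer's AllowedIPs; otherwise it is
        dropped. This is what stops a peer from spoofing another peer's address."""
        addr = ipaddress.ip_address(inner_src)
        return any(addr.version == n.version and addr in n for n in self._peers.get(peer, []))

    def wg_quick_routes(self, ifname="wg0"):
        """What wg-quick adds on top (WireGuard itself never touches the route
        table): one route per AllowedIPs prefix. For a default route wg-quick
        uses a fwmark plus a separate table rather than a plain 'ip route add'."""
        cmds = []
        for nets in self._peers.values():
            for n in nets:
                if n.prefixlen == 0:
                    cmds.append(f"# {n}: policy-routed via fwmark + dedicated table")
                else:
                    cmds.append(f"ip route add {n} dev {ifname}")
        return cmds


def build_example_table():
    """Constructed sample: a laptop peer and an exit-node peer that also
    carries the default route."""
    t = CryptokeyTable()
    t.add_peer("laptop", ["10.7.0.2/32"])
    t.add_peer("exit-node", ["10.7.0.1/32", "0.0.0.0/0"])
    return t


if __name__ == "__main__":
    t = build_example_table()
    for dst in ("10.7.0.2", "8.8.8.8", "fd00::1"):
        print(f"to {dst:>10}: peer {t.outbound_peer(dst)}")
    print("laptop claiming 10.7.0.3:", t.accept_inbound("laptop", "10.7.0.3"))
    print("\n".join(t.wg_quick_routes()))
```

With systemd-networkd the `wg_quick_routes` part is what you write yourself as `[Route]` sections in the .network file, which is exactly why it can be more flexible: the cryptokey table and the kernel routes stay two separate decisions.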
I'm a linux user and I want plenty more than just a VPN connection. I want the icon that tells me the VPN is connected. I want the GUI that lets me manage which server I am connecting to and which servers are the most loaded at a particular moment. I want to control from which country my traffic appears on the public internet. I want the little graph showing me that my traffic is indeed flowing over the VPN service. I want a kill switch daemon ready to cut off my traffic should the VPN connection fail. And I want all of that without having to edit any scripts.
Then you should've known that KDE already has a wireguard applet implemented in its network manager since version 5.21, while Gnome is on track and just waiting to be merged.
FFS, they still do and what's worse is that bringing up the VPN manually on the command line triggers a notification and a temporary vpn entry in the network panel. But it disappears when bringing down the VPN.
That is nice to see, I was looking at subspace last week and the last commit to https://github.com/subspacecloud/subspace had led me to believe it had withered and died, I was guessing due to the primary backing company having died?
So it is quite nice to see that it is living on as a fork.
There seems to be a relative explosion in end-user deployable overlay networks in the last few years. I wonder how many, especially non-tech companies, have end users routing the outside world in without company permission.
I know it's not rocket science to watch for each one, or be more sophisticated with deep packet inspection. But, I've worked at some old stodgy companies, and I'm reasonably sure they aren't really watching for it in a lot of places.
This has been a threat for 20+ years, certainly everyone I worked with had outgoing ssh tunnels through the socks proxy, with reverse port forwarding, back then.
If your network is reliant on a high firewall and nothing inside, you've already lost.
Yes, I'm not saying it is a new threat. Just a broader threat now that there's a lot of ready made solutions that can run in user space. And in some cases, like this one, have very newbie friendly UIs.
I would kill for this but integrated into home assistant. There is a wireguard add-on but it's really limited and requires going in by ssh to get people's qr codes.
Anyone know of good tools for using WireGuard in large server fleets? I'm currently trying to pitch an alternative to OpenVPN at work, paid solutions being pretty much out of the question. ZeroTier (w/ open license network controller) might work but it doesn't look like mutual authentication is supported. Ideally we'd like to use X509 auth which OpenVPN is already capable of...
This is a big part of the problem Tailscale solves. If I was managing a large fleet and already had an auth infrastructure, I'd almost certainly just use it. (Tailscale is WireGuard, plus NAT traversal, plus user management, plus OIDC, plus UI. It's pretty magical.)
I would imagine it's too costly. We have thousands and thousands of machines and we're really not willing to pay anything to solve this, as nice as Tailscale would be.
Frustratingly there's no real "Enterprise" plan on their site, it's another one of those "get in touch" plans that I don't have the energy or time for. Guys at Tailscale, please just list an actual damn enterprise option so I can get an idea of how much it's going to cost if I push for this at work.
A quick google search for mutual authentication and wireguard comes up with the whitepaper[1]:
“It uses a single round trip key exchange, based on NoiseIK, and handles all session creation transparently to the user using a novel timer state machine mechanism. Short pre-shared static keys—Curve25519 points—are used for mutual authentication in the style of OpenSSH. The protocol provides strong perfect forward secrecy in addition to a high degree of identity hiding. Transport speed is accomplished using ChaCha20Poly1305 authenticated-encryption for encapsulation of packets in UDP. An improved take on IP-binding cookies is used for mitigating denial of service attacks, improving greatly on IKEv2 and DTLS’s cookie mechanisms to add encryption and authentication”[13]
Furthermore the email it's introduced with[2]:
`Second, WireGuard uses something based on the Noise Protocol Framework (in Noise_IK) for key agreement and handshake, rather than, say, relegating to a userspace daemon. The reason, again, is massive simplicity and security savings. The Noise_IK handshake is extremely simple, and tight integration between the handshake and the transport layer allows WireGuard itself to handle all session-state and connection-state and so-forth, making the whole process appear "stateless" to the administrator (you set it up with `wg`, and then it _just works_). There is no x509, no ASN.1, no huge complexity; the user configures the public keys, and then the rest is taken care of. Other configuration frameworks (based on x509 or SSL or LDAP or whatever you want) can then build on top of this in userspace, if that sort of thing is desired. But the basic handshake fundamentals are left to WireGuard. This is more or less similar to SSH, which cares about the authorized_keys file.`
It looks like some solutions for key management have sprouted up, check trustgrid[3] and locksmith [4]
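To make the "mutual authentication with Curve25519 static keys, in the style of OpenSSH" line concrete, here is an added example (not code from the thread, the whitepaper, or WireGuard): a pure-Python X25519 following RFC 7748, used the way `wg pubkey` derives a public key, and a deliberately simplified model of the static-static part of the Noise IK handshake, where the responder only accepts an initiator whose public key is in its configured peer list and who can prove possession of the matching private key. The real handshake mixes in ephemeral keys, hashes and AEAD tags; only the "authorized_keys" property is modelled here. Peer names and the HMAC label are constructed.

```python
"""X25519 (RFC 7748) plus a toy model of WireGuard's static-key mutual auth."""
import base64
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665


def _clamp(private: bytes) -> int:
    """Decode a 32-byte scalar the X25519 way (this is what makes any 32 random
    bytes from `wg genkey` a valid private key)."""
    b = bytearray(private)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _x25519(k: int, u: int) -> int:
    """Montgomery ladder exactly as in RFC 7748 section 5."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def public_key(private: bytes) -> bytes:
    """Same derivation as `wg pubkey`: scalar multiply the base point u=9."""
    return _x25519(_clamp(private), 9).to_bytes(32, "little")


def shared_secret(private: bytes, peer_public: bytes) -> bytes:
    u = int.from_bytes(peer_public, "little") & ((1 << 255) - 1)  # mask top bit
    return _x25519(_clamp(private), u).to_bytes(32, "little")


def wg_format(key: bytes) -> str:
    """Keys in wg(8) config files are base64 of the raw 32 bytes."""
    return base64.b64encode(key).decode()


# --- simplified handshake model (NOT the full Noise IK) --------------------
_LABEL = b"toy-wg-static-static"  # constructed label for this model only


def initiator_message(my_private: bytes, responder_public: bytes, claim: bytes = None):
    """Initiator presents a public key and a tag bound to DH(my_static, their_static).
    `claim` lets a test present someone else's public key without their private key."""
    ss = shared_secret(my_private, responder_public)
    tag = hmac.new(ss, _LABEL, hashlib.sha256).digest()
    return (claim or public_key(my_private)), tag


def responder_accepts(my_private: bytes, authorized: set, claimed_public: bytes, tag: bytes) -> bool:
    """Like the [Peer] list: unknown keys are ignored; known keys must prove
    possession by producing the tag only DH(their_static, my_static) yields."""
    if claimed_public not in authorized:
        return False
    ss = shared_secret(my_private, claimed_public)
    expected = hmac.new(ss, _LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def demo():
    """Constructed peers: server, laptop (authorized) and an impostor."""
    server, laptop, impostor = os.urandom(32), os.urandom(32), os.urandom(32)
    authorized = {public_key(laptop)}
    results = {}
    pub, tag = initiator_message(laptop, public_key(server))
    results["laptop"] = responder_accepts(server, authorized, pub, tag)
    pub, tag = initiator_message(impostor, public_key(server), claim=public_key(laptop))
    results["impostor claiming laptop key"] = responder_accepts(server, authorized, pub, tag)
    pub, tag = initiator_message(impostor, public_key(server))
    results["impostor with own key"] = responder_accepts(server, authorized, pub, tag)
    return results


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who}: {'accepted' if ok else 'rejected'}")
    print("wg-style key:", wg_format(public_key(os.urandom(32))))
```

The point the abstract makes is visible in `responder_accepts`: the only identity material is the 32-byte public key in the peer list, and possession of the private half is what the DH proves, so there is nothing for an X.509 layer to do at this level; a fleet tool can still manage which public keys go into which peer lists on top.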
I second this. Tailscale is great. However, if you're someone that prefers a self-hosted option (and open source) - there is HeadScale. It lets you run your own coordination server locally.
Unfortunately I can't justify a paid option right now, and I need to be able to support at least 5 to 10 users. Otherwise I would jump on it, it's very good.
[1] https://github.com/subspacecommunity/subspace/blob/master/en...
I think it's also worth mentioning this works even better than openvpn as a client on windows and my phones!