Original link: fuckcloudnative.io/posts/wireg…

WireGuard is an open source VPN protocol written in C by Jason Donenfeld and others. It is regarded as the next-generation VPN protocol and is designed to solve many of the problems that have plagued other VPN protocols such as IPsec/IKEv2, OpenVPN and L2TP. It has some similarities with modern VPN products like Tinc and MeshBird in that it uses modern cryptography and is simple to configure. In January 2020 it was merged into the Linux kernel for version 5.6, which means that most Linux distributions will ship WireGuard out of the box.

Whether you want to get past a firewall or build a network between servers, WireGuard is the Lego of networking, just as ZFS is the Lego of file systems.

WireGuard's performance compared with other VPN protocols (benchmark chart from the original post, not reproduced here):

You can see that WireGuard simply crushes the other VPN protocols. OpenVPN is about 100,000 lines of code, while WireGuard is only about 4,000 lines. The codebase is minimal and a work of art, and OpenVPN's performance is not even in the same league.

WireGuard advantages:

  • Minimal configuration: the defaults are fine for most settings.
  • Minimal key management: each host needs only one public key and one private key.
  • It runs as a Linux kernel module and appears as an ordinary network interface, so it consumes few resources.
  • Some or all traffic can be routed through the VPN to any host on the LAN.
  • It reconnects automatically after the network recovers from a failure.
  • It offers faster connections and lower latency than the current mainstream VPN protocols (see chart).
  • It uses modern cryptography, with forward secrecy and resistance to downgrade attacks.
  • It tunnels any IP (layer 3) protocol, for example ICMP, UDP and TCP, not just TCP/HTTP. It is not a layer 2 tunnel, so ARP and DHCP broadcasts do not cross it.
  • It can run on a host to provide communication between containers, or inside a container to provide communication between hosts.

WireGuard cannot do:

  • Self-healing of the network via a gossip-style protocol.
  • Traversing double NAT via a signalling server.
  • Automatic assignment and revocation of keys through a central server.
  • Sending raw layer 2 Ethernet frames.

Of course, you can build these features on top of WireGuard by using it as the underlying transport.

This WireGuard tutorial series has two parts: the first is theory and the second is practice. This is the first part.

1. WireGuard terminology

Peer/Node/Device

A host that connects to the VPN and registers itself with a VPN subnet address (such as 192.0.2.3). It can also route traffic for IP addresses other than its own by specifying subnet ranges in comma-separated CIDR notation.

Bounce Server

A peer that is reachable on the public Internet and can relay traffic to other peers that sit behind NAT. A bounce server is not a special kind of node; it is an ordinary peer whose only differences are that it has a public IP and has kernel-level IP forwarding enabled so that it can forward VPN traffic to other clients.

Subnets

A range of private IP addresses, such as 192.0.2.1-255 or 192.168.1.0/24, usually sitting behind NAT, for example an office LAN or a home network.

CIDR notation

A way of expressing the size of a subnet with a prefix length (mask), for example /24; it needs no further explanation.

NAT

The private IP addresses of a subnet are handed out by a router, but hosts on a private subnet cannot be reached directly from the public Internet. The router therefore performs network address translation (NAT): it tracks outgoing connections and forwards the responses to the correct internal IP.

Public Endpoint

A node's public IP address and port, for example 123.124.125.126:1234, or a domain name such as some.domain.tld:1234. If two peers are not on the same subnet, the endpoint they use to reach each other must be a public IP address.

Private key

The WireGuard private key of a single node, generated with wg genkey > example.key.

Public Key

The WireGuard public key of a single node, derived from the private key with wg pubkey < example.key > example.key.pub.

DNS

A domain name server used by the VPN clients to resolve names. Pointing clients at a resolver reachable through the tunnel prevents DNS requests from leaking outside the VPN.

2. How WireGuard works

How the bounce server works

A bounce server is an ordinary peer that acts as a relay between VPN clients behind NAT, forwarding any VPN-subnet traffic it receives to the correct peer. WireGuard itself does not care how the traffic is forwarded; that is handled by the kernel's routing and iptables rules.

If all peers are reachable on the public Internet, no relay server is needed; only peers behind NAT need one.

In WireGuard, client and server are essentially equal; the only difference is who initiates the connection. Both sides listen on a UDP port, and whichever side connects first is the client. The initiating client must specify the peer's public IP address and port (its endpoint), whereas the passive server does not need to specify endpoints for its peers. If both client and server are behind NAT, a relay server must be added: both configure the relay server as a peer, their traffic first goes to the relay, and the relay forwards it to the other side.

WireGuard supports roaming: whenever it receives an authenticated packet from a peer at a new address, it updates that peer's endpoint to the new address (like mosh, but in both directions). So as long as both sides stay online and talk often enough (for example with persistent-keepalive configured), neither side's IP address needs to be fixed, and address changes do not break the tunnel.

How WireGuard routes traffic

WireGuard can be used to build very complex network topologies. Here are some typical topologies:

① Direct peer-to-peer connection

This is the simplest topology: all nodes are either on the same LAN or directly reachable over the public Internet, so WireGuard connects to the peer directly without any intermediate hop.

② One end behind NAT, the other directly exposed on the public Internet

In this case the simplest solution is to treat the exposed end as the server: the other end specifies the server's public IP and port as its endpoint and sets the persistent-keepalive option to keep the connection alive, so that the NAT remembers the mapping.

③ Both ends behind NAT, connected through a relay server

In most cases, when both parties are behind NAT, the NAT randomizes source ports, so a direct connection is hard to establish. A relay server is added, both parties configure it as their peer and keep the connection alive, and traffic is forwarded through the relay.

④ Both ends behind NAT, connected by UDP hole punching

As mentioned above, a direct connection is impractical when both parties are behind NAT, because most NAT routers randomize source ports so strictly that the two sides cannot agree on a fixed open port in advance. A signalling server (STUN) in the middle is needed to tell each side which random source port the other was assigned: both sides first connect to the common signalling server, which records the observed source port and reports it back. This is how WebRTC works in modern P2P networks. Sometimes, even when both sides have learned each other's source port from the signalling server, they still cannot connect directly, because some NAT routers only accept traffic from the original destination address (the signalling server) and open a new random source port for traffic from any other IP (such as the other client trying to use the original port). Carrier-grade NAT does exactly this, for example on cellular networks and some enterprise networks, specifically to prevent hole punching. See the section on NAT-to-NAT connection practice in the next article for details.

If a node has several peers and a more specific route is available, it prefers the most specific route to reach an IP address; otherwise traffic is sent to the relay server, which forwards it according to its own routing table. You can measure each hop's latency with ping, and you can see how WireGuard routes a given address by checking the per-peer output of wg show wg0.
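To make the routing rules above concrete, here is a small Python model of WireGuard's cryptokey routing, added for this article (it is not WireGuard's own code). It encodes the AllowedIPs that the three peers of topology ③ would carry in their wg0.conf and traces a packet from one NATed spoke to the other through the bounce server. The node names and the 10.0.0.0/24 addresses are constructed for the example, and the hub's ip_forward flag stands in for the net.ipv4.ip_forward sysctl and FORWARD rules the relay needs. Two things the model makes visible: AllowedIPs is both the outbound route (longest prefix wins) and an inbound ACL (a decrypted packet whose inner source is outside the sending peer's AllowedIPs is dropped), and a more specific direct peer beats the relay route.

```python
"""Model of WireGuard cryptokey routing across a bounce server (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:
    """One [Peer] section on a node: who the peer is and its AllowedIPs."""
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


@dataclass
class Node:
    """A host with one wg interface. ip_forward mirrors net.ipv4.ip_forward."""
    name: str
    address: ipaddress.IPv4Address
    peers: List[Peer] = field(default_factory=list)
    ip_forward: bool = False

    def select_peer(self, dst: ipaddress.IPv4Address) -> Optional[Peer]:
        """Outbound lookup: the peer whose AllowedIPs has the longest prefix covering dst.
        No match means the packet is dropped; there is no fallback peer."""
        best: Optional[Peer] = None
        best_len = -1
        for peer in self.peers:
            for net_ in peer.allowed_ips:
                if dst in net_ and net_.prefixlen > best_len:
                    best, best_len = peer, net_.prefixlen
        return best

    def accept_inbound(self, from_peer: Peer, src: ipaddress.IPv4Address) -> bool:
        """Inbound check: the inner source IP of a decrypted packet must lie inside the
        AllowedIPs of the peer whose key decrypted it. This stops one spoke from
        impersonating another through the hub."""
        return any(src in net_ for net_ in from_peer.allowed_ips)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def peer_named(node: Node, name: str) -> Optional[Peer]:
    return next((p for p in node.peers if p.name == name), None)


def deliver(nodes: Dict[str, Node], origin: str, src: str, dst: str,
            max_hops: int = 8) -> Tuple[str, List[str]]:
    """Trace a packet src->dst injected at `origin`. Returns (outcome, path of node names).
    The system routing table is assumed to send the VPN subnet into wg0 on every node,
    which is what wg-quick sets up from the AllowedIPs lines."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node = nodes[origin]
    path = [origin]
    for _ in range(max_hops):
        if dst_ip == node.address:
            return "delivered", path
        if node.name != origin and not node.ip_forward:
            return f"dropped: {node.name} has ip_forward=0", path
        peer = node.select_peer(dst_ip)
        if peer is None:
            return f"dropped: {node.name} has no AllowedIPs route to {dst}", path
        nxt = nodes[peer.name]
        back = peer_named(nxt, node.name)          # the receiving side's [Peer] for us
        if back is None or not nxt.accept_inbound(back, src_ip):
            return f"dropped: {nxt.name} rejected source {src} from {node.name}", path
        path.append(nxt.name)
        node = nxt
    return "dropped: hop limit reached", path


def relay_topology() -> Dict[str, Node]:
    """Topology (3): spoke-a and spoke-b behind NAT, hub on a public IP relaying between
    them. These lists are exactly the AllowedIPs each wg0.conf would contain."""
    hub = Node("hub", ipaddress.ip_address("10.0.0.1"), ip_forward=True)
    a = Node("spoke-a", ipaddress.ip_address("10.0.0.2"))
    b = Node("spoke-b", ipaddress.ip_address("10.0.0.3"))
    # hub: each spoke may only source its own /32 (AllowedIPs as an ACL)
    hub.peers = [Peer("spoke-a", [net("10.0.0.2/32")]),
                 Peer("spoke-b", [net("10.0.0.3/32")])]
    # spokes: the whole VPN subnet is reached via the hub (AllowedIPs as a route)
    a.peers = [Peer("hub", [net("10.0.0.0/24")])]
    b.peers = [Peer("hub", [net("10.0.0.0/24")])]
    return {n.name: n for n in (hub, a, b)}


if __name__ == "__main__":
    topo = relay_topology()
    print(deliver(topo, "spoke-a", "10.0.0.2", "10.0.0.3"))   # relayed via hub
    print(deliver(topo, "spoke-a", "10.0.0.9", "10.0.0.3"))   # spoofed source, dropped at hub
```

If you add a direct [Peer] for spoke-b on spoke-a with AllowedIPs = 10.0.0.3/32 (and the mirror entry on spoke-b), the /32 outranks the hub's /24 and the packet goes peer-to-peer, which is the "prefers the most specific route" behaviour described above.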

WireGuard packet format

WireGuard encapsulates all data in encrypted UDP packets. UDP does not guarantee delivery or ordering, but a TCP connection inside the tunnel takes care of reliable delivery itself. Every WireGuard message begins with a one-byte message type followed by three reserved bytes, and there are four message types: handshake initiation, handshake response, cookie reply and transport data (the packet layout diagram from the original post is not reproduced here).

For more information about WireGuard packets, see the following documents:

  • wireshark.org/docs/dfref/…
  • Lekensteyn/wireguard-dissector
  • nbsoftsolutions.com/blog/viewin…
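As an added example, written for this article rather than taken from WireGuard or the dissectors linked above, the following Python parser splits a UDP payload according to the four message layouts. The offsets and fixed lengths are those of the WireGuard whitepaper (148-byte initiation, 92-byte response, 64-byte cookie reply, transport data of at least 32 bytes in 16-byte steps). The sample packets are constructed with all-zero placeholder fields, so the parser checks framing only; it cannot verify MACs or decrypt anything without the peers' keys.

```python
"""Framing parser for the four WireGuard message types (constructed example)."""
import struct
from typing import Any, Dict

# message type byte (first byte of every WireGuard UDP payload)
HANDSHAKE_INITIATION = 1
HANDSHAKE_RESPONSE = 2
COOKIE_REPLY = 3
TRANSPORT_DATA = 4

# fixed sizes: type(1) + reserved(3) followed by the fields listed
LEN_INITIATION = 148   # sender(4) ephemeral(32) enc_static(48) enc_timestamp(28) mac1(16) mac2(16)
LEN_RESPONSE = 92      # sender(4) receiver(4) ephemeral(32) enc_nothing(16) mac1(16) mac2(16)
LEN_COOKIE = 64        # receiver(4) nonce(24) enc_cookie(32)
MIN_DATA = 32          # receiver(4) counter(8) + 16-byte Poly1305 tag over an empty payload


class NotWireGuard(ValueError):
    """Raised when the payload cannot be a well-formed WireGuard message."""


def parse_message(pkt: bytes) -> Dict[str, Any]:
    """Split a UDP payload into the fields of its WireGuard message type."""
    if len(pkt) < 4:
        raise NotWireGuard("shorter than the 4-byte type/reserved header")
    mtype, reserved = pkt[0], pkt[1:4]
    if reserved != b"\x00\x00\x00":
        raise NotWireGuard("reserved bytes must be zero")
    n = len(pkt)
    if mtype == HANDSHAKE_INITIATION:
        if n != LEN_INITIATION:
            raise NotWireGuard(f"initiation must be {LEN_INITIATION} bytes, got {n}")
        (sender,) = struct.unpack_from("<I", pkt, 4)        # indices are little-endian
        return {"type": "handshake_initiation", "sender_index": sender,
                "ephemeral": pkt[8:40], "encrypted_static": pkt[40:88],
                "encrypted_timestamp": pkt[88:116],
                "mac1": pkt[116:132], "mac2": pkt[132:148],
                # mac2 is all zeros unless the sender is answering a cookie reply
                "under_load": any(pkt[132:148])}
    if mtype == HANDSHAKE_RESPONSE:
        if n != LEN_RESPONSE:
            raise NotWireGuard(f"response must be {LEN_RESPONSE} bytes, got {n}")
        sender, receiver = struct.unpack_from("<II", pkt, 4)
        return {"type": "handshake_response", "sender_index": sender,
                "receiver_index": receiver, "ephemeral": pkt[12:44],
                "encrypted_nothing": pkt[44:60],
                "mac1": pkt[60:76], "mac2": pkt[76:92]}
    if mtype == COOKIE_REPLY:
        if n != LEN_COOKIE:
            raise NotWireGuard(f"cookie reply must be {LEN_COOKIE} bytes, got {n}")
        (receiver,) = struct.unpack_from("<I", pkt, 4)
        return {"type": "cookie_reply", "receiver_index": receiver,
                "nonce": pkt[8:32], "encrypted_cookie": pkt[32:64]}
    if mtype == TRANSPORT_DATA:
        # 16-byte header + plaintext padded to a multiple of 16 + 16-byte tag
        if n < MIN_DATA or n % 16 != 0:
            raise NotWireGuard(f"transport message has invalid length {n}")
        receiver, counter = struct.unpack_from("<IQ", pkt, 4)
        return {"type": "transport_data", "receiver_index": receiver,
                "counter": counter, "encrypted_packet": pkt[16:],
                "keepalive": n == MIN_DATA}
    raise NotWireGuard(f"unknown message type {mtype}")


def looks_like_wireguard(pkt: bytes) -> bool:
    """Cheap on-the-wire heuristic, e.g. for a detection rule or a dissector."""
    try:
        parse_message(pkt)
        return True
    except NotWireGuard:
        return False


def build_handshake_initiation(sender_index: int) -> bytes:
    """Constructed 148-byte initiation with all-zero placeholder crypto fields."""
    return struct.pack("<BxxxI", HANDSHAKE_INITIATION, sender_index) + bytes(140)


def build_keepalive(receiver_index: int, counter: int) -> bytes:
    """Constructed 32-byte transport message: empty payload plus a placeholder tag."""
    return struct.pack("<BxxxIQ", TRANSPORT_DATA, receiver_index, counter) + bytes(16)


if __name__ == "__main__":
    print(parse_message(build_handshake_initiation(0x11223344))["sender_index"])
    print(parse_message(build_keepalive(7, 42)))
```

The fixed 148/92/64-byte lengths and the zero reserved bytes are what make WireGuard handshakes easy to spot on the wire; the transport counter is a plain little-endian nonce, so a capture also reveals how many packets a session has sent.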

WireGuard performance

WireGuard claims better performance than most VPN protocols, but this is contested, since the ciphers used by some other protocols benefit from hardware acceleration.

WireGuard handles routing directly in the kernel and encrypts with the kernel's own cryptographic code (the primitives WireGuard contributed as the Zinc library), coexisting with Linux's built-in crypto subsystem. It transmits data over UDP and, by default, sends no UDP packets at all when idle, so it uses less power than a conventional VPN and can be left up permanently, while also being faster than other VPNs.

More information about performance comparisons can be found in the following documents:

  • wireguard.com/performance
  • reddit.com/r/linux/com…
  • restoreprivacy.com/openvpn-ips…

WireGuard security model

WireGuard secures data with the following cryptographic primitives:

  • ChaCha20 for symmetric encryption, authenticated with Poly1305 (the ChaCha20-Poly1305 AEAD).
  • Curve25519 for key exchange (ECDH).
  • BLAKE2s as the hash function.
  • HKDF for key derivation.

WireGuard's cryptography is essentially an instantiation of Trevor Perrin's Noise framework. It is simple and efficient, whereas other VPN protocols are a tangle of negotiation, handshakes and complex state machines. WireGuard is the qmail of VPN protocols, with several orders of magnitude less code than the others.

For more information about WireGuard encryption, see the link below:

  • wireguard.com/papers/wire…
  • eprint.iacr.org/2018/080.pd…
  • courses.csail.mit.edu/6.857/2018/…
  • wireguard.com/talks/black…
  • arstechnica.com/gadgets/201…

WireGuard key management

WireGuard achieves mutual authentication by giving each peer a simple public/private key pair. Each peer generates its key pair during setup and shares only the public key with the other peers. Beyond this key pair, no certificates or pre-shared keys are required for a node.

In larger deployments, you can use separate services such as Ansible or Kubernetes Secrets to handle key generation, distribution, and destruction.

Here are some tools that help with key distribution and deployment:

  • pypi.org/project/wir…
  • trailofbits/algo
  • StreisandEffect/streisand
  • its0x08/wg-install
  • brittson/wireguard_config_maker
  • wireguardconfig.com

If you do not want to hardcode the private key in the wg0.conf file, you can have it read from a file or command in PostUp instead, which makes it easier to manage keys through a third-party service:

[Interface]
...
# PrivateKey is deliberately absent from this file; wg-quick runs PostUp under bash,
# so the process substitution below works and the key never sits in wg0.conf
PostUp = wg set %i private-key <(cat /some/path/%i/privkey)

Technically, the same private key can be shared between several servers, as long as no client uses the same key to connect to both servers at the same time. Sometimes, however, clients do need to connect to several servers simultaneously, for example when DNS round-robin balances connections across two identically configured servers. In most cases each peer must use its own public/private key pair; that way no peer can read another peer's traffic.

The next article will give a step-by-step guide to configuring WireGuard from scratch, covering advanced setups such as dynamic IPs, NAT to NAT, IPv6 and more.

