Build a VPN Tunnel with WireGuard
Uncomplicated
A recent addition to the Linux kernel, WireGuard lets you build a VPN tunnel that relies on encryption to reduce potential security issues.
As a result of the COVID-19 pandemic, many employees have exchanged the office for their home to accommodate social distancing guidelines. In addition to getting used to working from home, many telecommuters must also deal with security issues when contacting colleagues or accessing company servers. While large corporations may take care of these issues for their employees, self-employed telecommuters and small businesses need to find their own solution.
WireGuard [1], the modern virtual private network (VPN) tunnel software developed by security researcher Jason Donenfeld, offers an easy-to-implement solution that relies on encryption to secure the connection between two endpoints. WireGuard found its way into the Linux kernel 5.6 at the end of March at the same time WireGuard v1.0.0 was released. The VPN program is now available for all common operating systems such as Linux, macOS, Windows, Android, and iOS.
Competition
Before WireGuard conquered the market in 2015, IPsec and OpenVPN were the top two contenders under a free license. Compared to WireGuard, however, both IPsec and OpenVPN are more difficult to set up, which is why WireGuard was already in use before becoming a kernel module.
Linus Torvalds had hoped WireGuard would be merged into the kernel in 2018. In comparison to OpenVPN and IPsec, Torvalds has called WireGuard "a work of art" [2]. If you have followed Torvalds' statements over the years, you know that he is generally very sparing with praise.
WireGuard gets by with only about 4,000 lines of source code. In comparison, OpenVPN together with the required OpenSSL weighs in at around 600,000 lines of code, while IPsec and strongSwan use more than 400,000 lines. With so much less code, WireGuard offers a far smaller attack surface than its competitors. The software also relies on modern algorithms: ChaCha20 [3] is used for encryption, while Curve25519 handles the key exchange [4].
Fast and Frugal
WireGuard shows its advantages over the established solutions in terms of speed and resource consumption. This manifests itself in far faster and more stable connections, especially when roaming. While OpenVPN often consumes 30 percent of battery power on Android, WireGuard keeps this in the lower single-digit range.
We tested WireGuard with Ubuntu 20.04 LTS, which comes with the backported module for WireGuard in kernel 5.4. Ubuntu users were already interested in WireGuard before its inclusion in the kernel, as evidenced by over 20,000 installations from the WireGuard PPA. There is also a backport for Debian 10 Buster.
Not Just for Linux
WireGuard can also be used with OpenBSD, FreeBSD, NetBSD, macOS, and Microsoft Windows (a stable version is imminent for Windows). For road warriors, there are apps for Android and iOS. You will want to use the original apps rather than third-party apps [5].
You can use WireGuard with modest hardware resources. In terms of the server, you don't need anything faster than an older laptop, a single board computer like the Raspberry Pi, or a rented V-Server on the web. In our test, we used a ThinkPad X220, a device that has been out of service for quite some time (see the box "DynDNS and Port Forwarding"). WireGuard supports constellations with two clients or with one server and multiple clients.
DynDNS and Port Forwarding
A local VPN network on your own LAN only makes sense in very rare cases. The typical application scenario involves dialing into the company network or your home LAN from somewhere outside. In this scenario, you need a DynDNS address, provided by something like the free DynDNS Service [6]. You also need to forward the port used by WireGuard (in our example port 51820/UDP) from the WLAN router to the computer used as a server. Details of the required configuration are usually provided in your device's operating manual. In the case of a FRITZ!Box, call the device's administration interface by typing the FRITZ!Box URL in your browser and then open the wizard in Internet | Shares | Port Shares by clicking on Add Device for Shares, which helps you set up port forwarding.
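How the DynDNS name and the forwarded port from this box end up in a one-server, one-client setup, as an added example that is not taken from the original article: a pair of wg-quick configuration files. The tunnel subnet 10.8.0.0/24, the hostname vpn.example.org, and the key placeholders in angle brackets are assumptions.

```ini
# --- Server: /etc/wireguard/wg0.conf (the machine behind the router) ---
[Interface]
# Tunnel address of the server (assumed subnet 10.8.0.0/24)
Address = 10.8.0.1/24
# Must match the UDP port forwarded on the router
ListenPort = 51820
# Placeholder; generate with `wg genkey` and keep this file at mode 600
PrivateKey = <server-private-key>

[Peer]
# One [Peer] section per client
PublicKey = <client-public-key>
# Accept only this client's tunnel address from this key
AllowedIPs = 10.8.0.2/32

# --- Client: /etc/wireguard/wg0.conf (the roaming laptop) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
# DynDNS name of the router plus the forwarded port (placeholder hostname)
Endpoint = vpn.example.org:51820
# Route only the tunnel subnet through the VPN; widen this deliberately
AllowedIPs = 10.8.0.0/24
# Keeps the NAT mapping open when the client sits behind a router itself
PersistentKeepalive = 25
```

WireGuard resolves the Endpoint hostname only when the configuration is loaded, so the client has to reload its configuration after the DynDNS address changes. Forward only 51820/UDP to the server; no other port is needed for the tunnel.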