tags: VPN, Networking, Security
Random Internet comments (unverified)
- WireGuard is a free and open-source software application and communication protocol.
- It's stealthy and has mitigation for DoS attacks.
- WireGuard doesn't answer scans and offers better latency.
- It implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations.
- If you have a router that allows it, put WireGuard on port 53. That's one of the most common "always open" ports in any network.
- Allowing any :53 is a common error in a captive portal/hotspot setup and is usually exploited to have free internet. People can exploit public Wi-Fi and pass gigs over UDP:53.
- Lots of places actually block random UDP ports and you can't establish a connection.
- OpenVPN can have that same problem, and the solution in WireGuard is the same as OpenVPN: run it on a well-known service port, such as 443 or 53.
- It’s peer to peer, so you don’t have to give any particular node power over the whole network.
Flavors
- WireGuard: userspace or kernel implementation?
- WireGuard over TCP: not obfuscated, hence it can be easily censored.
- WireGuard over TLS.
- UDP only. Does not do TCP by default, but there are implementations.
- WireGuard benefits greatly from DNS-over-QUIC on hardware-accelerated devices. Even without hardware acceleration, DNS-over-QUIC further improves its base security/privacy/efficiency/performance. Using WireGuard with DNS-over-HTTPS or DNS-over-TLS will slightly reduce its effectiveness in the privacy area, to the level of OpenVPN TCP/UDP.
Cryptography
- Encryption: ChaCha20
- Authentication: Poly1305 (combined with ChaCha20 as the ChaCha20-Poly1305 AEAD)
- Key exchange: Curve25519
Resources
- wg-access-server: WireGuard with a web UI to add devices via QR code or config files
- blog.ipfire.org - Why Not WireGuard
- https://github.com/WeeJeWel/wg-easy
- https://github.com/pirate/wireguard-docs
- vlax + wg