Does the server get a separate wg interface for every client that connects? Or does it do something like multipoint GRE interfaces with next hop addresses in the arp table?
Does this do a DH key agreement to guarantee forward secrecy or does it literally encrypt the packet with the peers public key?
Also is it in the scope of this project for peers to discover each other for direct communication, like a Phase3 DMVPN?
> Does the server get a separate wg interface for every client that connects?
No. Each wg interface has a public/private key. It then has a list of peers' public keys and associated allowed IPs. By tying each public key to the allowed IPs of that public key, you can be sure that if a packet comes from wg0 and comes from a particular src IP, it comes from who you want. So no need for a new wg0 for each peer.
> Does this do a DH key agreement to guarantee forward secrecy or does it literally encrypt the packet with the peers public key?
It uses a 1-RTT ECDH key agreement based on the Noise Protocol Framework, with identity hiding, perfect forward secrecy, and so forth. So, it does what you hoped it does. :)
> Phase3 DMVPN
I'm not familiar with this, but I'll read up on it. Just found a large cisco document describing it. I suspect that "automatic discovery" wouldn't be very much to my taste, but I'll read up on it before dismissing it wholesale.
The idea of Phase3 is that you have multiple node routers connected to a VPN hub. Think branch offices. When one node starts to talk to another node, the Hub initially facilitates the traffic, but it sends a NHRP(Next Hop Resolution Protocol) packet to the nodes telling them the public IPs of eachother, the nodes then negotiate their own VPN tunnel and start communicating directly without passing all traffic through the hub.
If I understand wireguard correctly it seems NHRP could be run using wiregard for transport, but it would cool if a separate NHRP daemon wasn't required, especially since wiregard is already tracking the mapping of internal to public IPs.
DMVPN capability would be outstanding and would make WireGuard much more useful in a AWS VPN situation. This video from the 2015 AWS re:Invent [0] conference has an overview of DMVPN and how it could be used in a AWS VPC.
>> Does the server get a separate wg interface for every client that connects?
> No. Each wg interface has a public/private key. It then has a list of peers' public keys and associated allowed IPs. By tying each public key to the allowed IPs of that public key, you can be sure that if a packet comes from wg0 and comes from a particular src IP, it comes from who you want. So no need for a new wg0 for each peer.
Does this mean that it is impossible for two clients to connect to the same VPN server from behind router doing NAT? Or does each client choose a random source port for their traffic and then the combination of source port and source IP identifies the client?
Oh cool you came to the kernel recipes talk. Much has progressed since then.
I wrote an email on LKML and netdev today to David Miller, the network subsystem maintainer. It's not ready for a [PATCH] set now, but it is ready to get initial feedback from them, so that I can start to get things ready for upstreaming. So: that's on the roadmap and a primary objective!
Would you mind dual-licensing under a more permissive license (BSD or MIT) so the work can be included in the BSD family of operating systems as well as Linux?
I answered this question elsewhere. The answer is that - probably, why not? I need to think about it for more than a few seconds. But the only reason I chose GPLv2 is because that's what Linux uses. I'll quit being lazy and think more carefully about licenses, and hopefully we'll wind up with something good for the BSDs.
I am not a lawyer but in my eyes having a BSD/MIT license will also save you from a corporation "adopting" your technology and sue you afterwards for infringing a super vague patent of theirs... or something along the lines.
If your work is in the public domain, then at least the corporations would have much harder time hijacking and wall-garden it, and the chances of them simply giving up are higher. Or so I hope.
I've read a good chunk of your website. GREAT WORK! Do not give up, you're doing next-level work. =)
The corporations haven't really left us with good impressions in the last 15 years though, did they?
If I learned anything from those last 15 years is that they'll sue you if you don't agree the Moon is made of cheese if it suits their agenda.
So I remain cynical towards them. If they can hijack a good technology for their own profit, they will do it. I think we all knew that much at this point?
As I pointed out, I am not a lawyer. I have however read news vaguely similar to what I described, many times through the years. It really makes me fearful that in the end you're vulnerable just for publishing your work...
I do hope I am very naively wrong. But history hasn't given us much comfort in this area so far.
Thanks for considering it! For what it's worth, there is dual BSD/GPL precedent in various places in Linux (e.g., most of the drm GPU drivers, NTB, etc).
Can I bind it to external ip addresses and give a certain user an outgoing (or even private ips that I can then forward) address I chose? Don't know if my question makes sense but I'm interested in routing a certain user to a certain ip every time he/she connects.
WireGuard as a simple associations between public keys and each public keys list of allowed IPs. Within this structure, it seems like you should be able to do what you want.
Hey! Knew I recognized that username. You also make pass which I've been using since you released that too. Definitely going to give this a run. Thanks for more useful tools!
Don't have time for a detailed review. However, I like that you're working to replace IPsec with something simpler, easier to use, and with flexible deployment. Crypto algorithms look better than most VPN's I see as well. Good work on all that. Just remember to aid others' verification efforts later on by keeping it modular, minimal shared state, simple constructions in code, and so on. Whatever passes through a decent static analysis tool.
Also, one of easiest, formal methods is Design by Contract which can be emulated with asserts for pre- and post-conditions plus main invariants. Quite useful to encode operating assumptions in there. Such can also be used for automating test-case generation, fuzzing, dynamic analysis, and covert channel analysis. Oh yeah, definitely do a covert channel analysis on anything that gets near the keys to plug any leaks.
> Just remember to aid others' verification efforts later on by keeping it modular, minimal shared state, simple constructions in code, and so on. Whatever passes through a decent static analysis tool.
Yes this absolutely is the goal. I'm trying to keep the codebase as small and clear as possible.
> Design by Contract
Working out the precise pre and post conditions of every state would indeed be worthwhile. For all state transitions of the protocol, I've worked out by hand every possible combination and accounted it for it. I should publicize this work (i.e. type up my handwritten notes), and then let others join building on top of it.
"Working out the precise pre and post conditions of every state would indeed be worthwhile. For all state transitions of the protocol, I've worked out by hand every possible combination and accounted it for it. I should publicize this work (i.e. type up my handwritten notes), and then let others join building on top of it."
That's actually... great. It's exactly what high-assurance security did in kernels and VPN's. I'm impressed. You should definitely write that up and share it for peer review. Also, since you've done it, the next step is to review each one to make sure security properties are maintained or it fails fast, safe, and loud. :)
This looks interesting and I will be sure to check it out when I get the chance. I see from the examples on the site that it's IPv4 everywhre. Is there IPv6 support ? If not, is it on the roadmap ?
IPv6 definitely is supported. I should add some examples. Every place you see an IPv4 address an IPv6 one can go. They can even be mixed and matched. There's full support and it works quite well.
Open source projects that are not GPL'd cannot adopt the code; it's meant to be linked into the kernel, and so distribution will trigger the viral licensing clause covering the entirety of the kernel.
For example, there are a myriad of products based on BSD; everything from pfSense at the low-end, the Juniper routers at the high-end.
If the goal is to make money by licensing the code for non-GPLv2 use, then the GPL might make sense, if you're unconcerned about limiting market adoption by precluding integration by non-GPL products.
I suspect it has to be in kernel for efficiency reasons. Because applications access network devices through kernel interfaces; the kernel has to context switch and copy data to and from the userspace VPN process; This can be quite slow.
On a microkernel system, the standard way of connecting to the network stack might be through direct shared memory; and on such a system you could manage to run the VPN in userspace at essentially no cost.
However, on Linux, most of the network stack is in the kernel; the ABI for interacting with network hardware is stable. So while in theory you could write an efficient userspace VPN, it would require you to modify or at very least recompile your applications.
I'm the author of this and would be happy to answer any questions you have.