This article is the first in a series on using WireGuard in the cloud. It starts by explaining what WireGuard is. Additional articles will demonstrate how to configure WireGuard for both Windows and Ubuntu for the following VPN types:
Additional articles will cover configuring WireGuard for Google Cloud including Google Cloud DNS.
What is WireGuard?
WireGuard is a new VPN released in 2020 by Jason A. Donenfeld. WireGuard is free and open-source and has the potential to shake up the VPN industry. The ease with which VPN connections can be created and established is a strong benefit. A point-to-point VPN can be created with an eight-line configuration file; point-to-site and site-to-site add only a few more configuration lines. However, do not throw caution to the wind: this is new software, and it may take several years to prove it is secure.
- Performance. WireGuard uses high-speed cryptographic primitives.
- Easy to configure. WireGuard even supports IP address roaming automatically.
- Platform Support. Windows, macOS, Linux, Android, iOS, and more are supported.
- Security. WireGuard uses cryptokey routing, which binds each peer's public key to the IP addresses that peer is allowed to use inside the tunnel.
- Stealth. Unless a packet is authenticated with the correct key, WireGuard silently ignores it.
- Simple virtual private network implementation. Approximately 4,000 lines of code compared to OpenVPN's 100,000+. This makes security audits easier.
- Each node is a peer. Point-to-point, star, and mesh configurations are very easy to create.
- Uses a very simple and secure private key/public key authentication model.
- Supports multiple simultaneous tunnels.
- UDP-based tunnels.
- Supports IPv4 and IPv6 and can encapsulate v4-in-v6.
- Does not support username/password authentication.
- Does not support MFA or two-factor authentication.
- Does not support local user database authentication.
- Does not support LDAP, Active Directory, or RADIUS integration.
- No easy way to manage user profiles.
- Painful to manage a lot of users and devices.
- Troubleshooting problems is difficult due to a lack of debug/logging information.
Example Configuration File
This example configuration for Windows 10 connects to an Ubuntu server running in Google Cloud. Full VPC connectivity is enabled, including a Google Cloud DNS policy for internal DNS resolution. When the WireGuard VPN is up, DNS traffic is sent to the Google Cloud DNS server to resolve private and public hostnames. This configuration also allows connectivity from Google Cloud to my internal network, which is behind a Comcast router using NAT for internal addresses. This is the entire configuration of WireGuard on Windows 10, in only 10 lines. The Ubuntu side is almost identical. I can fire up a new VPN in five minutes and add a peer in two minutes. Very impressive. This will work equally well from Google Cloud to AWS, Azure, or Oracle.
[Interface]
PrivateKey = uJB7aBUKh7nKpA9ofbRVemhdk1YgDaPjpittVi+rqUE=
ListenPort = 51820
Address = 192.168.9.2/24
DNS = 10.138.0.16
[Peer]
PublicKey = pngivCimLHSLNKdQ3GuW3MFnCa+bM4r3YZbBcS8inCU=
AllowedIPs = 192.168.9.1/32, 10.138.0.0/16
Endpoint = 184.108.40.206:51820
PersistentKeepalive = 30
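As an added illustration (not code from the article or the WireGuard project), this Python script parses the 10-line configuration above, applies WireGuard's cryptokey routing rule (the peer whose AllowedIPs has the longest prefix containing the destination gets the packet, otherwise the packet is dropped) and reports any DNS server in [Interface] that the tunnel would never carry. The sample text is the article's own configuration embedded as a string; the function names are my own.

```python
import ipaddress

# Constructed sample: the article's 10-line Windows peer configuration.
SAMPLE_CONF = """[Interface]
PrivateKey = uJB7aBUKh7nKpA9ofbRVemhdk1YgDaPjpittVi+rqUE=
ListenPort = 51820
Address = 192.168.9.2/24
DNS = 10.138.0.16
[Peer]
PublicKey = pngivCimLHSLNKdQ3GuW3MFnCa+bM4r3YZbBcS8inCU=
AllowedIPs = 192.168.9.1/32, 10.138.0.0/16
Endpoint = 184.108.40.206:51820
PersistentKeepalive = 30"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append({})
            current = peers[-1]
        elif line:                               # split on the first '=' only, so a
            key, _, value = line.partition("=")  # key's trailing '=' padding survives
            current[key.strip()] = value.strip()
    return interface, peers

def route_peer(peers, dst):
    """Send-side cryptokey routing: the peer whose AllowedIPs holds the longest
    prefix containing dst gets the packet; None means no peer, so it is dropped."""
    dst, best = ipaddress.ip_address(dst), None
    for idx, peer in enumerate(peers):
        for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (idx, net.prefixlen)
    return None if best is None else best[0]

def check_dns_routing(text):
    """Return the DNS servers from [Interface] that no peer's AllowedIPs covers.
    Such a resolver is never routed into the tunnel, so lookups bypass the VPN."""
    iface, peers = parse_wg_conf(text)
    entries = filter(None, map(str.strip, iface.get("DNS", "").split(",")))
    servers = [e for e in entries if e[:1].isdigit() or ":" in e]  # skip search domains
    return [dns for dns in servers if route_peer(peers, dns) is None]

if __name__ == "__main__":
    print("DNS servers not carried by the tunnel:", check_dns_routing(SAMPLE_CONF))  # []
```

With the article's AllowedIPs, 10.138.0.16 is inside 10.138.0.0/16, so resolver traffic is tunnelled, while a public address such as 8.8.8.8 matches no peer and would be dropped rather than leak: this is a split tunnel, not a full tunnel.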
WireGuard is a very interesting VPN that can easily replace OpenVPN and, in some cases, dedicated routers. Once the configuration is set up, connection management, routing, and DNS are automatic. For Windows, WireGuard provides a tray icon to quickly bring the VPN up or down and to add or edit peers. On reboot, the VPN is automatically brought back up. The biggest drawback that I see is peer public key management.
“WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.