There is currently some hype around a new VPN technology called WireGuard. Compared to OpenVPN and IPsec it is claimed to be much easier to set up while still being secure. After a long development as a standalone project, it was recently integrated into the Linux kernel.
As there is now no need to build the modules manually, I thought I could try it as well. I rarely actually need a VPN, and in most of those cases an SSH tunnel is sufficient (OpenSSH can provide a SOCKS proxy to tunnel traffic). But some nice features like roaming and Android support got me interested.
As I'm running Debian 10 on my router, I needed to install a newer kernel; the first version that includes WireGuard is 5.6. (There are also ways to use it on older kernels, but they take a bit more effort.) So I installed a newer kernel and the userspace tools from the backports repository:
# apt -t buster-backports install linux-image-amd64 wireguard
- creating a keypair on each device
- writing a short configuration file containing public keys of all peers and their allowed addresses
- creating a network interface and assigning an IP address
- applying the configuration file with the
The configuration on the clients connecting to the router is very similar. In addition, their configuration also contains the endpoint (hostname and port) of the peer they should automatically connect to.
After following these steps on the router and the first client, I was able to ping the router over the tunnel. The router immediately learned the client's endpoint address from its first authenticated packet, so it was then also possible to establish connections in the other direction.
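As an added example (not code from the post or from the WireGuard project), here is how the keypair and configuration steps fit together, in Python: `wg pubkey` is X25519 of the private key against base point 9 (RFC 7748), and the file handed to `wg setconf` carries only keys, the listen port and the per-peer AllowedIPs/Endpoint; tunnel addresses are assigned separately with `ip`, as in the post. The curve arithmetic is a direct transcription of the RFC ladder for illustration and is not constant-time, so real keys should still come from `wg genkey`. The endpoint `router.example.net:51820` and the `10.0.0.0/16` tunnel addresses are placeholders, not the post's values.

```python
"""Added example, not from the original post: derive a WireGuard public key
the way `wg pubkey` does and render `wg setconf`-style files for the router
and one client. Pure Python X25519 for illustration only (not constant-time)."""
import base64
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4, Montgomery ladder constant
BASE_POINT = (9).to_bytes(32, "little")


def clamp(private_key: bytes) -> bytes:
    """`wg genkey` stores keys already clamped; X25519 clamps again on use."""
    k = bytearray(private_key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(private_key: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (255 scalar bits)."""
    k = int.from_bytes(clamp(private_key), "little")
    u = bytearray(u_bytes)
    u[31] &= 127                     # mask the unused top bit of the u-coordinate
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                     # a real implementation swaps in constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> bytes:
    """Equivalent of `wg genkey`: 32 random bytes, clamped."""
    return clamp(os.urandom(32))


def public_key(private_key: bytes) -> bytes:
    """Equivalent of `wg pubkey`: X25519(private, 9)."""
    return x25519(private_key, BASE_POINT)


def b64(key: bytes) -> str:
    """WireGuard prints keys as standard base64 of the raw 32 bytes."""
    return base64.b64encode(key).decode()


def render_setconf(private_key: bytes, listen_port, peers) -> str:
    """`wg setconf` format: keys and cryptokey routing only. Address lines
    belong to wg-quick, not to this format; the post assigns them with `ip`."""
    lines = ["[Interface]", f"PrivateKey = {b64(private_key)}"]
    if listen_port is not None:
        lines.append(f"ListenPort = {listen_port}")
    for peer in peers:
        lines += ["", "[Peer]", f"PublicKey = {b64(peer['public_key'])}",
                  f"AllowedIPs = {', '.join(peer['allowed_ips'])}"]
        if peer.get("endpoint"):
            lines.append(f"Endpoint = {peer['endpoint']}")
        if peer.get("keepalive"):
            lines.append(f"PersistentKeepalive = {peer['keepalive']}")
    return "\n".join(lines) + "\n"


def build_configs(router_priv: bytes, client_priv: bytes,
                  router_endpoint: str = "router.example.net:51820"):
    """Router plus one client; 10.0.0.0/16 and the endpoint are placeholders.
    The router only needs the client's /32; the client gets the whole tunnel
    network so it can reach other peers through the router."""
    router_conf = render_setconf(router_priv, 51820, [
        {"public_key": public_key(client_priv), "allowed_ips": ["10.0.0.2/32"]}])
    client_conf = render_setconf(client_priv, None, [
        {"public_key": public_key(router_priv), "allowed_ips": ["10.0.0.0/16"],
         "endpoint": router_endpoint, "keepalive": 25}])
    return router_conf, client_conf


if __name__ == "__main__":
    router_conf, client_conf = build_configs(genkey(), genkey())
    print(router_conf)
    print(client_conf)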
For automatic startup after boot, I later migrated the network setup into
auto wg0
iface wg0 inet static
    address 10.x.x.x/16
    pre-up ip link add wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wireguard.conf
    post-down ip link del wg0
Only contacting the configured peers is boring; I want to be able to reach other devices in my network over the tunnel, or even the Internet. So I also had to make a few adjustments to the nftables configuration:
- allow the WireGuard port (UDP) in the input chain
- allow contacting the DNS server running on the router
- allow traffic from the WireGuard interface to LAN and WAN in the forward chain
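The forward-chain rule lets packets from the tunnel through the firewall, but WireGuard applies its own check before any packet reaches nftables, and the two have to agree. As an added example (not from the post), here is a small model of WireGuard's cryptokey routing in Python: AllowedIPs is both the routing table for outbound packets and an access list for inbound ones, so a decrypted packet whose source address does not route back to the peer it arrived from is dropped before the forward chain is ever consulted. The peer names and the 10.0.0.0/16 and 192.168.1.0/24 networks are constructed for the example.

```python
"""Added example, not from the original post: a model of WireGuard's
cryptokey routing (AllowedIPs). Peer names and addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional


class CryptokeyRouter:
    """AllowedIPs as WireGuard uses it: a routing table for outbound packets
    and, read in reverse, an access list for decrypted inbound packets."""

    def __init__(self) -> None:
        self._peers: Dict[str, List] = {}

    def add_peer(self, name: str, allowed_ips: List[str]) -> None:
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
        # A prefix belongs to exactly one peer; assigning it to a new peer
        # removes it from the previous owner, as `wg set ... allowed-ips` does.
        for other in self._peers:
            self._peers[other] = [n for n in self._peers[other] if n not in nets]
        self._peers[name] = nets

    def peer_for(self, address: str) -> Optional[str]:
        """Outbound: longest-prefix match decides which peer a packet is sent
        to. No match means the packet is dropped, not sent in the clear."""
        ip = ipaddress.ip_address(address)
        best, best_len = None, -1
        for name, nets in self._peers.items():
            for net in nets:
                if ip in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def accepts_inbound(self, peer: str, source: str) -> bool:
        """Inbound: after decryption the source address must route back to the
        same peer, otherwise WireGuard drops the packet before the firewall's
        forward chain sees it. This is what stops a client from injecting
        packets with another peer's or the LAN's source addresses."""
        return self.peer_for(source) == peer


def router_table() -> CryptokeyRouter:
    """Router side: one /32 per client inside the constructed 10.0.0.0/16."""
    table = CryptokeyRouter()
    table.add_peer("phone", ["10.0.0.2/32"])
    table.add_peer("laptop", ["10.0.0.3/32"])
    return table


def client_table(full_tunnel: bool) -> CryptokeyRouter:
    """Client side: either only the tunnel network and the LAN behind the
    router, or everything (0.0.0.0/0 and ::/0), which is what sending
    Internet traffic through the tunnel requires."""
    table = CryptokeyRouter()
    if full_tunnel:
        allowed = ["0.0.0.0/0", "::/0"]
    else:
        allowed = ["10.0.0.0/16", "192.168.1.0/24"]
    table.add_peer("router", allowed)
    return table


if __name__ == "__main__":
    router = router_table()
    print("router -> 10.0.0.2 via", router.peer_for("10.0.0.2"))
    print("phone claiming 10.0.0.3 accepted:",
          router.accepts_inbound("phone", "10.0.0.3"))
    print("LAN-only client sends 8.8.8.8 to",
          client_table(False).peer_for("8.8.8.8"))
    print("full-tunnel client sends 8.8.8.8 to",
          client_table(True).peer_for("8.8.8.8"))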
I then installed the WireGuard Android app on my phone via the F-Droid repository. The setup there was again very similar: generating a keypair, entering the public key of the other peer (the router), and setting addresses in the configuration dialog. (There are also ways to provision the device by importing existing config files, or even via a QR code.)
Unfortunately Android allows only one VPN connection at a time, so I had to disable Blokada (a DNS-based ad blocker) to allow the WireGuard connection (though it seems to be planned to support custom WireGuard connections from Blokada). But then the tunnel was quickly established from my phone too, and I could reach the other peers and even the Internet.
Setting up WireGuard was very easy and straightforward. Several years ago I used to run OpenVPN, and as far as I can remember there was more effort involved in getting it running.
The documentation is really good, and it can be used on many platforms (support is also available in OpenWrt).
In my opinion it is indeed a good alternative to other VPN solutions.