WireGuard

WireGuard is a modern, simple, and secure VPN that utilizes state-of-the-art cryptography. Considered an alternative to OpenVPN, it can be used to create secure connections. Its goals are to be fast, simple, lean, and easy to configure. WireGuard consists of two components: userspace tools and a kernel module.

Wireguard is written and maintained by, a Gentoo developer.

Official and potentially more up-to-date installation instructions can be found upstream.

Kernels less than 5.6
Linux kernels less than 5.6 (<=5.5) did not include WireGuard as a feature in the upstream kernel code. Adding WireGuard support to these (older) kernels is possible via the additional modules package emerged below.

Attempting to add WireGuard support without having a few specific kernel symbols enabled will cause the emerge to fail. A few of the symbols are dependencies and can only be set by setting other options. Perform the necessary work to have the following symbols enabled before moving on to the next section:


 * CONFIG_NET - For basic networking support.
 * CONFIG_INET - For basic IP support.
 * CONFIG_NET_UDP_TUNNEL - For sending and receiving UDP packets.
 * CONFIG_NF_CONNTRACK - For determining the source address when constructing ICMP packets.
 * CONFIG_NETFILTER_XT_MATCH_HASHLIMIT - For ratelimiting when under DoS attacks.
 * CONFIG_IP6_NF_IPTABLES - Only if using CONFIG_IPV6 for ratelimiting when under DoS attacks.
 * CONFIG_CRYPTO_BLKCIPHER - For doing scatter-gather I/O.
 * CONFIG_PADATA - For parallel crypto (only available on multi-core machines).
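The following script is an added example, not part of this wiki page: it checks a kernel configuration for the symbols listed above and reports the ones that are missing before an emerge is attempted. It reads the running kernel's /proc/config.gz or the source tree's .config when asked to; the SAMPLE_CONFIG embedded in it is a constructed input so that the check runs offline. The conditional rule for CONFIG_IP6_NF_IPTABLES (only needed when CONFIG_IPV6 is enabled) is handled explicitly.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki page: verify that a kernel .config
# enables the symbols the out-of-tree WireGuard module depends on.
# Input is either the running kernel's config or a config text passed as a string.

REQUIRED_SYMBOLS="CONFIG_NET CONFIG_INET CONFIG_NET_UDP_TUNNEL CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_HASHLIMIT CONFIG_CRYPTO_BLKCIPHER CONFIG_PADATA"

# symbol_enabled SYMBOL CONFIG_TEXT: true if SYMBOL is built in (=y) or a module (=m).
# Lines of the form "# CONFIG_X is not set" do not match.
symbol_enabled() {
    printf '%s\n' "$2" | grep -Eq "^$1=(y|m)\$"
}

# check_wireguard_symbols CONFIG_TEXT: prints each missing symbol on its own line;
# returns 0 when everything required is enabled, 1 otherwise.
check_wireguard_symbols() {
    cfg=$1
    missing=""
    for sym in $REQUIRED_SYMBOLS; do
        symbol_enabled "$sym" "$cfg" || missing="$missing $sym"
    done
    # CONFIG_IP6_NF_IPTABLES is only required when the kernel has IPv6 enabled
    if symbol_enabled CONFIG_IPV6 "$cfg" && ! symbol_enabled CONFIG_IP6_NF_IPTABLES "$cfg"; then
        missing="$missing CONFIG_IP6_NF_IPTABLES"
    fi
    [ -z "$missing" ] && return 0
    for sym in $missing; do printf '%s\n' "$sym"; done
    return 1
}

# load_kernel_config: print the running kernel's config, falling back to the
# source tree's .config; fails when neither is readable.
load_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# Constructed sample config: IPv6 enabled, hashlimit and ip6tables support left out
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_INET=y
CONFIG_IPV6=y
CONFIG_NET_UDP_TUNNEL=m
CONFIG_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_PADATA=y
# CONFIG_IP6_NF_IPTABLES is not set'

# Check the constructed sample. To check the real kernel instead, run:
#   check_wireguard_symbols "$(load_kernel_config)"
if ! check_wireguard_symbols "$SAMPLE_CONFIG"; then
    echo "the symbols above must be enabled before emerging the module" >&2
fi
```

Run against the running kernel, a non-zero exit status together with the printed symbol names tells you exactly which menuconfig options still need attention; a symbol that is listed as `# CONFIG_X is not set` is treated the same as one that is absent from the file.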

Kernel 5.6 and higher
Starting with kernel 5.6, Wireguard is included in the upstream kernel sources. It is enabled via the following menuconfig option:

Emerge
Install the wireguard-tools package to generate encryption keys and manage Wireguard interfaces:

Less than 5.6
For Linux kernels less than 5.6 also install the modules:

Kernel module loading
When Wireguard support has been added as a module, be sure to instruct the selected init system to load the WireGuard kernel modules when the system boots. This will be slightly different for each init system.

OpenRC
Be sure the modules service is set to run in the boot runlevel:

systemd
systemd users will need to create a new file in the directory in order to instruct the module loading service to get the module loaded on boot:

Generate a keypair
Before using WireGuard a keypair has to be generated. This can be accomplished using :

Usage
Various network management methods are available to supervise Wireguard tunnels.

wg-quick configuration
Configuration can be automated using the utility, which will create tunnels using configuration files in the  file.

For more information on consult.
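The script below is an added example, not code from this wiki page or from the WireGuard project. It ties together the keypair step from the section above and the wg-quick configuration described here: a keypair is produced with the wg genkey / wg pubkey tools from wireguard-tools under a restrictive umask, and a minimal wg-quick configuration is written so that only its owner can read it, since the file contains the private key. The interface address, peer public key, AllowedIPs and endpoint are constructed placeholders, and generate_keypair assumes the wg binary is installed.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki page: generate a WireGuard keypair
# and write a wg-quick style configuration that is readable by its owner only.
# Assumes wireguard-tools (the wg binary) is installed for generate_keypair.

# generate_keypair DIR: writes DIR/privatekey and DIR/publickey.
# The umask keeps the private key from being created world-readable;
# wg genkey itself warns when the umask would allow that.
generate_keypair() {
    dir=$1
    umask 077
    wg genkey | tee "$dir/privatekey" | wg pubkey > "$dir/publickey"
}

# write_wg_quick_config PATH PRIVKEY ADDRESS PEER_PUBKEY ALLOWED_IPS ENDPOINT
# Writes a minimal [Interface]/[Peer] configuration with mode 0600.
write_wg_quick_config() {
    path=$1; privkey=$2; address=$3; peerkey=$4; allowed=$5; endpoint=$6
    umask 077
    cat > "$path" <<EOF
[Interface]
PrivateKey = $privkey
Address = $address

[Peer]
PublicKey = $peerkey
AllowedIPs = $allowed
Endpoint = $endpoint
EOF
}

# file_mode PATH: prints the symbolic permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# config_is_private PATH: succeeds only when nobody but the owner can read the file
config_is_private() {
    [ "$(file_mode "$1")" = "-rw-------" ]
}

# Usage with constructed placeholder values (the keys below are not real keys):
#   generate_keypair /tmp/wgkeys
#   write_wg_quick_config /tmp/wgkeys/wg0.conf "$(cat /tmp/wgkeys/privatekey)" \
#       10.0.0.2/24 PEER_PUBLIC_KEY_PLACEHOLDER 10.0.0.0/24 vpn.example.com:51820
#   config_is_private /tmp/wgkeys/wg0.conf && echo "config permissions ok"
```

wg-quick looks for its configuration under /etc/wireguard as <interface>.conf, so the path passed to write_wg_quick_config would normally be /etc/wireguard/wg0.conf; config_is_private is the check worth running on any existing configuration that was copied from elsewhere, because a world-readable file leaks the tunnel's private key to every local user.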

netifrc
The scripts (typically used with OpenRC) can be used to quickly bring up WireGuard interfaces. Presuming a correctly defined file has been created:

To bring up the interface now:

Avoid using wg-quick
Using the wg-quick USE flag will add as a dependency. For systems that want to keep the file from being modified by external utilities this might be a deal breaker. now has native support for WireGuard and is no longer required. This assumes the WireGuard interface configuration is defined in :

Create the symlink and bring the interface up when the system boots:

Bring the wireguard interface up:

NetworkManager
WireGuard is officially supported by NetworkManager as of version 1.16. That said, as of version 1.26.6, managing WireGuard is only possible through the command.

After creating a Wireguard configuration file (such as ), the file can be imported into NetworkManager as a connection profile:

After the configuration has been imported, the connection can be activated via:

See the NetworkManager article for more details on managing connection profiles.

Unmerge
When removing Wireguard support be sure to each for all installed packages:

For example, to remove the userspace tools:

Rebuilding modules on kernel upgrades for kernels less than 5.6
When upgrading to a newer kernel that is less than version 5.6 (version 4.9.x LTS is a fitting example), it is important to re-emerge the Wireguard kernel modules. This is handled by default when using, but can be quickly performed using the following auto-generated Portage set:

External resources

 * http://lkml.iu.edu/hypermail/linux/kernel/1606.3/02833.html - The initial Request for Comments post to the Kernel Mailing List.
 * https://latacora.singles/there-will-be - A blog post complimenting WireGuard.