WireGuard is a modern, secure VPN that utilities start-of-the-art cryptography. Its goal is to be similar, faster, and easier to configure than other VPN software stacks.
Wireguard is written and maintained by Jason A. Donenfeld (zx2c4), a Gentoo developer.
Official and potentially more up-to-date installation instructions can be found upstream.
Currently the official packaged release for WireGuard is keyword protected. Instruct Portage to use it by appending the following line to package.accept_keywords:
Attempting to install WireGuard without having a few specific kernel options enabled will cause the merge to fail. A few of the symbols can only be set by setting other options. Perform the necessary work to have the following symbols enabled before moving on to the next section:
- CONFIG_NET - For basic networking support.
- CONFIG_INET - For basic IP support.
- CONFIG_NET_UDP_TUNNEL - For sending and receiving UDP packets.
- CONFIG_NF_CONNTRACK - For determining the source address when constructing ICMP packets.
- CONFIG_NETFILTER_XT_MATCH_HASHLIMIT - For ratelimiting when under DoS attacks.
- CONFIG_IP6_NF_IPTABLES - Only if using CONFIG_IPV6 for ratelimiting when under DoS attacks.
- CONFIG_CRYPTO_BLKCIPHER - For doing scatter-gather I/O.
- CONFIG_PADATA - For parallel crypto, only available on multi-core machines.
[*] Networking support --> Networking options --> [*] TCP/IP networking [*] IP: Foo (IP protocols) over UDP [*] Network packet filtering framework (Netfilter) --> [*] Advanced netfilter configuration Core Netfilter Configuration --> [*] Netfilter connection tracking support [*] Netfilter Xtables support [*] "hashlimit" match support [*] IPv6: Netfilter Configuration (only if using IPv6) [*] Cryptographic API --> [*] Cryptographic algorithm manager [*] Parallel crypto engine
Finally, emerge the package:
emerge --ask virtual/wireguard
WireGuard is in the process of being mainlined into the Linux kernel. Until it is included with the kernel sources, users will need to rebuild the module when upgrading or downgrading the Linux kernel on their systems. After building the new kernel sources, this can be done by using the
emerge --ask @module-rebuild
Kernel module loading
Be sure to instruct the init system to load the WireGuard kernel modules when the system boots.
Be sure the modules service is set to run in the boot runlevel:
rc-update add modules boot
systemd users will need to create a new file in the /etc/modules-load.d/ directory in order to instruct the module loading service to get the module loaded on boot:
It is necessary to generate keys before connecting to any networks. Following the conventional schema home directory layout, create a directory to hold WireGuard's keys:
Next, use the key generation to create a key pair:
wg genkey | tee privatekey | wg pubkey > publickey
emerge --ask --depclean --verbose net-misc/wireguard
- OpenVPN - Robust and highly flexible tunneling application.
- http://lkml.iu.edu/hypermail/linux/kernel/1606.3/02833.html - The initial Request for Comments post to the Kernel Mailing List.
- http://latacora.singles/2018/05/16/there-will-be.html - A blog post complementing WireGuard.