WireGuard

WireGuard is a modern, simple, and secure VPN that utilizes state-of-the-art cryptography. Considered an alternative to OpenVPN, it can be used to create secure connections. Its goals are to be fast, simple, lean, and easy to configure. Wireguard consists of two components: userspace tools and a kernel module.

Wireguard is written and maintained by Jason A. Donenfeld (zx2c4) , a Gentoo developer.

Official and potentially more up-to-date installation instructions can be found upstream.

Installation

Kernel

Kernels less than 5.6

Linux kernels less than 5.6 (<=5.5) did not include Wireguard as a feature in the upstream kernel code. Adding Wireguard support to these (older) kernels is possible via additional modules emerged below.

Attempting to add WireGuard support without having a few specific kernel symbols enabled will cause the emerge to fail. A few of the symbols are dependencies and can only be set by setting other options. Perform the necessary work to have the following symbols enabled before moving on to the next section:

• CONFIG_NET - For basic networking support.
• CONFIG_INET - For basic IP support.
• CONFIG_NET_UDP_TUNNEL - For sending and receiving UDP packets.
• CONFIG_NF_CONNTRACK - For determining the source address when constructing ICMP packets.
• CONFIG_NETFILTER_XT_MATCH_HASHLIMIT - For ratelimiting when under DoS attacks.
• CONFIG_IP6_NF_IPTABLES - Only if using CONFIG_IPV6 for ratelimiting when under DoS attacks.
• CONFIG_CRYPTO_BLKCIPHER - For doing scatter-gather I/O.
• CONFIG_PADATA - For parallel crypto (only available on multi-core machines).^[1]

[*] Networking support -->
    Networking options -->
        [*] TCP/IP networking
        [*]   IP: Foo (IP protocols) over UDP
        [*] Network packet filtering framework (Netfilter) -->
            [*] Advanced netfilter configuration
            Core Netfilter Configuration -->
                [*] Netfilter connection tracking support
                [*] Netfilter Xtables support
                [*]   "hashlimit" match support
            [*] IPv6: Netfilter Configuration (only if using IPv6)
[*] Cryptographic API -->
    [*] Cryptographic algorithm manager
    [*] Parallel crypto engine

Kernel 5.6 and higher

Starting with kernel 5.6, Wireguard is included in the upstream kernel sources. It is enabled via the following menuconfig option:

Device Drivers  --->
    [*] Network device support  --->
        [*] Network core driver support
        <*>   WireGuard secure network tunnel

Working kernel config.

USE flags

Emerge

Install the wireguard-tools package to generate encryption keys and manage Wireguard interfaces:

Less than 5.6

For Linux kernels less than 5.6 also install the modules:

Configuration

Kernel module loading

If WireGuard support has been added as a module, it may be necessary to instruct the selected init system to load the WireGuard kernel modules when the system boots.

Create a new file in the /etc/modules-load.d/ directory in order to instruct the module loading service to get the module loaded on boot:

wireguard

Or if VPN access is not needed very often, load kernel module manually:

Loaded modules can be reviewed with lsmod.

Files

wg.conf

A WireGuard configuration file (the first of which is normally named wg0.conf) can be written as outlined in the man page. Review the CONFIGURATION FILE FORMAT and CONFIGURATION FILE FORMAT EXAMPLE sections in man 8 wg:

As mentioned in the man page, WireGuard configuration files are defined in the INI format. A typical configuration file looks something like the following:

[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
Endpoint = [2607:5300:60:6b0::c05f:543]:2468
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
Endpoint = test.wireguard.com:18981
AllowedIPs = 10.10.10.230/32

Usage

Generate a keypair

Before using WireGuard a keypair has to be generated. This can be accomplished using wg(8):

Network management methods

Various network management methods are available to supervise Wireguard tunnels.

wg-quick

Configuration can be automated using the wg-quick utility, which will create tunnels using configuration files in the /etc/wireguard file:

For more information on wg-quick consult man 8 wg-quick.

netifrc

The net-misc/netifrc scripts (typically used with OpenRC) can be used to quickly bring Wireguard interfaces. Presuming a correctly defined /etc/wireguard/wg0.conf file has been created:

To bring up the interface now:

Avoid using wg-quick

Using the wg-quick USE flag will add virtual/resolvconf as dependency. For systems that want to keep the resolv.conf file from being modified by external utilities this might be a deal breaker. net-misc/netifrc now has native support for wireguard and wg-quick is no longer required. This assumes the wireguard interface configuration is defined in /etc/wireguard/wg0.conf:

wireguard_wg0="/etc/wireguard/wg0.conf"

Remove "Address" and "DNS" from wg0.conf, because they won't be recognized by net-misc/netifrc. Copy them and add to the config:

config_wg0="1.2.3.4/32"
dns_servers_wg0="5.6.7.8"

Replace the values above with personal wireguard addresses. Either get them from a provider or configure them on the personal wireguard setup.

Create the symlink and bring the interface up when the system boots:

Bring the wireguard interface up:

Example /etc/conf.d/net file for netifrc with Wireguard instead of using wg-quick:

# Make sure to change all values for your setup! These are just an example.
#
# Make sure that net-dns/openresolv, virtual/resolvconf, their
# dependencies and other resolv.conf managers aren't installed,
# to keep the setup simple and secure! This might require you to
# add -wg-quick to net-vpn/wireguard-tools and rebuild the package.

# Bring up hardware network interface!
# Change enp5s0, to your interface, shown when running: ip addr
config_enp5s0="dhcp"

# Setup a DNS server here if you're going to change to another DNS server
# when bringing up the Wireguard interface. Some providers give you an address.
# It's better to change the address for privacy reasons.
# Change enp5s0, to your interface, shown when running: ip addr
dns_servers_enp5s0="1.2.3.4 123.12.21.1"

# Bring up Wireguard virtual network interface!
# The IP here is from your VPN provider or custom Wireguard setup.
config_wg0="5.6.7.8/32"

# Connect to Wireguard endpoint using config!
# You need to create this config if it doesn't exist.
wireguard_wg0="/etc/wireguard/wg0.conf"

# Prevent DHCP from setting a DNS server gotten from your router.
dhcp="nodns"

postup() {
	# After the wg0 interface is up, we add routing and firewall rules,
	# which prevent packets from going through the normal routes, which are
	# for "plaintext" packets.
	# routing rules taken from: https://www.wireguard.com/netns/
	# firewall rules taken from: man wg-quick
	#
	# If the connection to the VPN goes down, the firewall rule makes sure
	# no other connections can be open, until you remove the interface
	# using: rc-service net.wg0 stop
	#
	# For the nftables firewall rule to work, make sure you set:
	# SAVE_ON_STOP="no"
	# in: /etc/conf.d/nftables
	if [ "${IFACE}" == "wg0" ];
	then
		# set a firewall mark for all wireguard packets
		wg set wg0 fwmark 334455 || exit 1
		
		# route all packets to the wg0 interface in table 2468
		ip route add default dev wg0 table 2468 || exit 1
		
		# if packet doesn't have the wireguard firewall mark,
		# send it to table 2468
		ip rule add not fwmark 334455 table 2468 || exit 1
		
		# if packet isn't going out the wg0 interface, doesn't have
		# the wireguard firewall mark and isn't broadcast or multicast
		# reject it (don't drop it like there's no connection)
		nft insert rule ip filter output oifname!="wg0" mark!=334455 fib daddr type!=local counter reject || exit 1
		
		# Make sure only DNS server is the one from your provider or
		# a custom one fitting your needs!
		# If there is one, otherwise you can remove this line.
		echo "nameserver 9.10.11.12" > /etc/resolv.conf || exit 1
	fi
	return 0
}

predown() {
	# Prevent bringing down interface in case there's a NFS root.
	# taken from: https://github.com/gentoo/netifrc/blob/4bd8be5f43d07a9e92b73174c7fbef8b989aaa55/doc/net.example.Linux.in
	if is_net_fs /; then
		eerror "root filesystem is network mounted -- can't stop ${IFACE}"
		return 1
	fi

	# When bringing down the interface using rc-service, make sure that all
	# rules specific to isolating the wireguard connections are gone, so
	# that normal connections can work again.
	# Change the DNS values for your setup!
	if [ "${IFACE}" == "wg0" ];
	then
		# Bringing back default nftables rules.
		rc-service nftables reload || exit 1

		# Removing wireguard specific routing rules.
		ip route del default dev wg0 table 2468 || exit 1
		ip rule del not fwmark 334455 table 2468 || exit 1

		# Bringing back your own DNS settings, in case they were
		# changed in postup()
		echo "nameserver 1.2.3.4" > /etc/resolv.conf || exit 1
		echo "nameserver 123.12.21.1" >> /etc/resolv.conf || exit 1
	fi
	return 0
}

NetworkManager

Wireguard is officially supported by NetworkManager as of version 1.16^[3]. That stated, as of version 1.26.6, managing WireGuard is only possible through the nmcli command. Review the latest documentation upstream for the extensive list of key-value properties.

After creating a WireGuard configuration file (such as wg0.conf), the file can be imported into NetworkManager as a connection profile:

After the configuration has been imported, the connection can be activated via:

See the NetworkManager article for more details on managing connection profiles.

Removal

Unmerge

When removing Wireguard support be sure to each for all installed packages:

For example, to remove the userspace tools:

Troubleshooting

Rebuilding modules on kernel upgrades for kernels less than 5.6

When upgrading to a newer kernel that is less than version 5.6 (version 4.9.x LTS is a fitting example), it is important to re-emerge the Wireguard kernel modules. This is handled by default when using genkernel, but can be quickly performed using the following auto-generated Portage set:

See also

• OpenVPN — software that enables the creation of secure point-to-point or site-to-site connections.
• vpnc — IPsec (Cisco/Juniper) VPN concentrator client

External resources

• https://github.com/trailofbits/algo - A project with scripts to help setup a personal VPN server.
• http://lkml.iu.edu/hypermail/linux/kernel/1606.3/02833.html - The initial Request for Comments post to the Kernel Mailing List.
• https://www.latacora.com/blog/2018/05/16/there-will-be/ - A blog post complementing WireGuard.

References