The following provides a beginner’s understanding of what VPN protocols are, how Wireguard works as a VPN protocol, plus a description of its features, advantages, and disadvantages. To best understand this article, the reader should ideally know basic network terminology, the ISO OSI model of network communication, and how basic network cryptography works.
Introduction to VPN protocols
VPN stands for Virtual Private Network. A virtual private network (VPN) is a technology that creates a safe and encrypted connection over a less secure network, such as the internet. A Virtual Private Network is a way to extend a private network using a public network. VPN is commonly used in business situations to provide secure communication channels over public infrastructure.
VPNs may be constructed in different ways to achieve the goal of secured communication. They can be between two end-systems, or between two or more networks. They can be built using tunnels or encryption at essentially any layer of the protocol stack, or networks connected to a service provider’s network by leased lines, Frame Relay, or ATM (Asynchronous transfer mode). A VPN can also consist of dial-up subscribers connecting to centralized services or other dial-up subscribers.
For the purposes of this article, we will focus on VPN protocols operating on the protocol stack as defined by the ISO OSI layer model.
VPNs use secure protocols to provide private communications over the internet. Organizations which decide to use VPNS as their means of secure communications choose between IPSec and SSL secure protocols.
Operates on the Network Layer of the OSI model, securing communications by authenticating and encrypting each Internet Protocol packet of a data stream. This also includes mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
A protocol developed by Netscape for securely transmitting documents over the Internet. It operates on the Application Layer of the OSI model. To establish a connection that is secure for communication between application tiers, the VPN uses the certificate-based authentication, data encryption, and message integrity verification mechanisms provided by the SSL protocol. Examples of SSL based VPNs include OpenVPN, Barracuda, Cloudflare, Cisco AnyConnect and many others.
Additional differences between IPSec and SSL based VPN protocols are given below:
Another major difference between IPSec and SSL VPNs lies in the endpoints for each protocol. While an IPSec VPN allows users to connect remotely to an entire network and all its applications, SSL VPNs give users remote tunnelling access to a specific system or application on the network.
The deciding factors between the two depend on the infrastructure of the corporate network, specific security requirements, costs and reliability.
What makes Wireguard different?
WireGuard is a secure network tunnel, operating at layer 3 (the network layer), implemented as a kernel virtual network interface for Linux, which aims to replace both IPsec as well as SSL-based VPN protocols like OpenVPN.
The WireGuard protocol provides a secure OSI Layer 3 network tunnel between two endpoints. It uses a cryptographic handshake protocol based on the Noise Protocol Framework to provide mutual authentication, key agreement, and forward secrecy. There is no single client or server role in the protocol.
WireGuard avoids storing any state (data that relates to sessions or network information) prior to authentication and does not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated, WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided by not allowing unauthenticated packets to influence any state.
A generic sequence of events in the protocol is as follows:
- The endpoint that starts the handshake is referred to as an initiator while the peer that it tries to communicate with is called the responder.
- During the course of the handshake, pairs of public cryptographic schemes called “ephemeral Curve25519 key pairs” are generated, which are to be used to encrypt/decrypt sent and received data.
- After completing the handshake, both peers can send data. The data is encrypted at one end and decrypted at the other end using the aforementioned key-pairs.
- After the initiator receives the data from the responder, if it has no data packets immediately queued up to send, it sends an empty packet to confirm the end of data packets being sent.
- All aforementioned private keys and symmetric session keys are erased after a certain time. Endpoints that approach the session expiration time or message limit must create new keys if they wish to continue communication and this can be accomplished by starting a new handshake.
There is periodic key rotation which ensures limited impact in the event of key compromise. Peers may change roles over time. For example, after some inactivity from both sides, a responder might become an initiator of a new session and its peer will subsequently assume the role of a responder. A single UDP source port is used for both the handshake protocol and while sending data, which simplifies Network Address Translation traversal.
Peers are able to send encrypted WireGuard packets to each other at particular Internet endpoints. To ensure that IP traffic is routed to exactly one of those endpoints, WireGuard uses “Cryptokey routing”.
In Cryptokey routing, an endpoint is associated with a set of allowed IP addresses, possibly covering all IPv4 or IPv6 addresses. Data sent to the WireGuard network interface will be sent to an endpoint only if the destination IP address is part of the set of allowed IP addresses. Inbound data is only accepted if the source IP address of the decrypted packet is within the set of allowed IP addresses from the authenticated peer.
Encryption in Wireguard
Wireguard’s cryptographic suite is derived from the Noise cryptographic framework. We have already mentioned the pair of cryptographic key-pairs called ephemeral Curve25519 key pairs, which help encrypt and decrypt data. WireGuard supports a mode in which any pair of peers might additionally pre-share a single 256-bit symmetric encryption key between themselves in order to add an additional layer of symmetric encryption.
Wireguard uses the following constructions and algorithms in its encryption/decryption capabilities:
- Noise protocol framework: A collection of cryptographic handshake patterns which provide building blocks to construct new secure protocols with authenticated key agreement.
- ChaCha20-Poly1305: The ChaCha20 stream cipher and Poly1305 authenticator, used in an Authenticated Encryption with Additional Data (AEAD) construction. It provides authenticity and confidentiality of transported data.
- X25519: An elliptic-curve-Diffie-Hellman (ECDH) function. It is used in the key agreement protocol.
- HKDF: The HMAC-based Key Derivation Function (HKDF) is a construction to derive one or more keys from an initial secret. It is used to link all pieces of the handshake state to each other, including keys and protocol messages. It also ensures that the original key material that is involved in calculations cannot be recovered.
- BLAKE2: A fast cryptographic hash function used by the HKDF and as a message authentication code (MAC).
The cryptographic capabilities in Wireguard have the following features:
- Avoids key-compromise impersonation: A key-compromise impersonation is a phenomenon in which an attacker installs a client certificate on your device, and then impersonates websites. The Wireguard protocol is secure against such attacks because if the key is compromised, the key cannot be used to impersonate any other party.
- Avoids replay attacks: A replay attack is an attack in which an attacker sniffs messages being sent on a channel to intercept them and resend them under the cloak of authentic messages. To protect against replay attacks, the responder may not send encrypted data messages until it has received an encrypted data message from the initiator that acknowledges receipt of the response handshake message.
- Perfect forward secrecy: Temporary and static key pairs are used in a series of Diffie-Hellman computations to ensure forward secrecy.
- Achieves "AKE security": Authenticated Key Exchange (AKE) is the exchange of session keys in a key exchange protocol which also authenticates the identities of parties involved in key exchange. Authenticated Key Exchange is achieved through the “IK” pattern from Noise.
- Identity hiding: Provides hiding of static public keys used in encryption.
Cross Platform Support in Wireguard
The software implementation of WireGuard was originally developed for Linux, but has support for other platforms, provided by a Go language implementation of Wireguard including Microsoft Windows and macOS (and even Android and iOS).
‘wg’ is the configuration utility for getting and setting the configuration of WireGuard tunnel interfaces. Interfaces themselves can be added and removed and their IP addresses and routing tables can be. The ’wg‘ utility provides a series of sub-commands for changing WireGuard-specific aspects of WireGuard interfaces. This utility is common to all cross-platform implementations of Wireguard
- Linux: A separate implementation can be run in an existing Linux installation. There also exists a kernel module for Wireguard which is faster and has better integrated features right into the OS.
- Windows: There is a fully-featured WireGuard client for Windows. It is the only official and recommended way of using WireGuard on Windows. WireGuard for Windows has been designed from the ground-up to make full use of standard Windows services, Access Control List and command line interface capabilities, making WireGuard deployable in enterprise scenarios or as part of Active Directory domains.
- macOS: The Go language implementation for macOS uses the ‘utun’ driver. The implementation is an application for iOS and for macOS, as well as many components shared between the two of them.
Also, Wireguard supports containers: a standard unit of software that packages code and all its dependencies so the application runs quickly and reliably from one computing environment to another. One famous example of containers is Docker. It is possible to create a WireGuard interface in a main network namespace which has access to the Internet, and then have it moved into a network namespace belonging to, say, a Docker container, as that container's only interface.
Benefits and Limitations of Wireguard
Wireguard provides the following benefits:
- A test performed on Wireguard shows that it performs better than other VPN protocols on multi-core machines, and can take full advantage of multithreading.
- Wireguard has a lean and light code-base by design, implemented in just over 4000 lines of code, which will ease auditing and vulnerability finding. It also helps to make the attack surface smaller in comparison to the 60,000 lines of the OpenVPN implementation.
- WireGuard focuses on simplicity and usability.
- Wireguard can deliver a scalable system.
- Wireguard can be deployed on the outer edges of networks, as a trustworthy and reliable access point, which does not readily reveal itself to attackers nor provide a viable attack target.
- The cryptokey routing table paradigm in Wireguard is easy to learn and will promote safe network designs.
- WireGuard was designed from a practical perspective, meant to solve real world secure networking problems.
Despite these advantages, there are also drawbacks. Due to the lack of authenticity for the IP address, there is scope for an attack. WireGuard performs no validation of the source IP address during connection migration. This weakness makes WireGuard VPN providers complicit in denial-of-service attacks against other hosts. Thus IP address authentication has to be performed externally.
Also, if each peer starts an initiation at the same time and subsequently receives a handshake initiation from the other party, it would overwrite its own original handshake state with a new state based on the received message and reply with a handshake response message. However, since each peer has overwritten its original handshake initiation, it would no longer be able to complete the handshake. Effectively, the peers are unable to communicate with each other until a new handshake is attempted. An attacker could potentially use this detail to prevent sessions from being established.
Using Wireguard and Syntropy Stack
We have looked into what VPN protocols are and how Wireguard compares to the traditional models of IPSec and SSL models. We have described its strengths in cryptographically securing and transmitting data as well as its weaknesses.
In totality, its strengths (staying silent before transactions and the Noise cryptographic suite among others) have caused it to grow in popularity and cross-platform support. Thus, Wireguard is a promising VPN protocol technology, as described by its feature description and its role in securing communication in the Syntropy Stack.
Syntropy Stack uses WireGuard to establish secure connections between internet-connected endpoints and devices. The Syntropy Agent, which is an easy-to-use dependency to automatically encrypt and connect endpoints within a network, uses the Wireguard tunnel to secure communications on the network.
Virtual endpoints act as the synthetic placeholders for any kind of end device to be placed into it. The primary goal of these is to maintain the consistency within Syntropy Stack and enable users to easily generate Wireguard configurations.
Syntropy Stack connects containers and services running in Docker, Kubernetes, or edge devices via secure WireGuard tunnels.
Links and Resources
- Wu, Peter. "Analysis of the WireGuard protocol." Master's Thesis, Analysis of the WireGuard protocol, Eindhoven University of Technology (2019). https://lekensteyn.nl/files/pwu-wireguard-thesis-final.pdf
- Donenfeld, Jason A. "WireGuard: Next Generation Kernel Network Tunnel." NDSS. 2017. https://www.wireguard.com/papers/wireguard.pdf
- Ferguson, Paul, and Geoff Huston. "What is a VPN?." (1998): 1-22. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.169.7689&rep=rep1&type=pdf
- Venkateswari, P., and Dr T. Purusothaman. "Comparative Study of Protocols Used for Establishing VPN." arXiv preprint arXiv:1001.4200 (2010). https://arxiv.org/pdf/1001.4200
- Zhipeng, Zhang, et al. "VPN: a boon or trap?: a comparative study of MPLs, IPSec, and SSL virtual private networks." 2018 Second International Conference on Computing Methodologies and Communication (ICCMC). IEEE, 2018. https://www.researchgate.net/profile/Sonali-Chandel/publication/329297988_VPN_a_Boon_or_Trap_A_Comparative_Study_of_MPLS_IPSec_and_SSL_Virtual_Private_Networks/links/5c1a697a92851c22a336d277/VPN-a-Boon-or-Trap-A-Comparative-Study-of-MPLS-IPSec-and-SSL-Virtual-Private-Networks.pdf
- Chawla, Baljot Kaur, O. P. Gupta, and B. K. Sawhney. "A Review on IPsec and SSL VPN." International Journal of Scientific & Engineering Research 5.11 (2014): 21-24. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.684.7182&rep=rep1&type=pdf
VPN: A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.
ISO-OSI Layer Model: The ISO open systems interconnection (OSI) layer model is a conceptual model created by the International Organization for Standardization which enables diverse communication systems to communicate using standard protocols. The OSI provides a standard for different computer systems to be able to communicate with each other.
Gateway: A computer that sits between different networks or applications. The gateway converts information, data or other communications from one protocol or format to another.
Handshake: Handshaking is the process that establishes communication between two networking devices.
Authenticated key agreement: Key agreement protocols are used to establish common keys between two or more entities. The established key can then be used to assure confidentiality of exchanged messages through encryption.
Elliptic-Curve-Diffie-Hellman (ECDH) function: The Elliptic Curve Diffie–Hellman function is an anonymous key agreement scheme, which allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel.
Cryptographic Hash Function: A cryptographic hash function (CHF) is an equation used to verify the validity of data. A CHF translates a message into a fixed size numerical string called the hash. A CHF is single directional, making it extraordinarily difficult to reverse in order to recreate the information used to make it. This means that if you’re hashing a single sentence, the resulting output should be the same size as one you’d get when hashing an entire book.
Authenticated encryption with associated data (AEAD): AEAD are encryption schemes which provide both confidentiality and integrity for their ciphertext.