WireGuard

WireGuard Overview

Warning

Work in progress. Proceed with caution. Content is volatile and subject to change as VPP/TNSR WireGuard behavior is tested and refined.

WireGuard is a modern VPN Layer 3 protocol designed for speed and simplicity. It is designed for high performance and has only a small number of options in its configuration.

WireGuard utilizes a private and public key pair for itself and each peer. Communication with a peer is encrypted using its public key, and a peer decrypts the messages using its private key. Peers never need to know the private key of other peers, they only need their own private key. This makes exchanging keys safe as the public keys are public knowledge and it wouldn’t matter if a third party knows these. An administrator can grant someone access to a VPN using the public key, but it’s useless without the corresponding private key.

WireGuard behaves unlike other traditional VPN types in several ways:

  • It has no concept of connections or sessions

  • It has no facilities for user authentication

  • It has no facilities for pushing settings or other control messages to peers

A WireGuard tunnel consists of an instance with one or more peer definitions and an interface associated with the WireGuard instance. The instance and its peers contain all of the keys and other configuration data necessary to communicate between each other. The interface defines the address TNSR uses to communicate inside the WireGuard tunnel to the peers.

WireGuard interfaces carry Layer 3 information and above.