Episode 36 – Protocol Shorts: WireGuard
In this Protocol Shorts episode of netstack.fm, we explore WireGuard, a modern and lightweight VPN protocol. Glen explains what makes it different from traditional VPNs and why its simplicity and security model are gaining attention among developers.
The episode also highlights real-world use cases and why VPNs like WireGuard remain essential for securely accessing private resources.
Rama
If you like this podcast you might also like our modular network framework in Rust: https://ramaproxy.org
00:00 Intro
00:18 Introduction to WireGuard
01:41 WireGuard Properties
03:24 Why WireGuard?
07:43 Current Use Cases and Adoption of WireGuard
11:42 Get started with WireGuard
14:37 Final Words
15:17 Outro
Music for this episode was composed by DJ Mailbox. Listen to his music at https://on.soundcloud.com/4MRyPSNj8FZoVGpytj.
Elizabeth (Plabayo)
0:18
Welcome to netstack.fm. This is our Protocol Shorts series. Today I am gonna be your host. Now and then I hear positive comments about WireGuard and even excitement. Why? To understand why, I have Glen here. Welcome, Glen. Hello, Elizabeth. So what is WireGuard? So WireGuard is a type of VPN,

Elizabeth (Plabayo)
0:43
and VPN stands for Virtual Private Network, where you're basically connecting a client, so a device, phone, computer, it doesn't really matter, and a VPN server using a tunnel. And when we hear tunnel, what we really mean is encryption. And depending on the type of VPN, you live either on layer four or layer three, sometimes even on layer seven.

Elizabeth (Plabayo)
0:53
But WireGuard is a lightweight, open source, and very fast implementation of

Elizabeth (Plabayo)
1:23
a VPN. And it's also a protocol. And it lives on layer 3, where traffic between the device and the VPN server and back to the device is encrypted by encrypting the IP packets.

Elizabeth (Plabayo)
1:42
In short, what are the main properties that make WireGuard different from older VPN technologies?

Elizabeth (Plabayo)
1:51
So first of all, it's pretty modern and new. It was initially released in 2015 or 2016. It is very lightweight in the sense that

Elizabeth (Plabayo)
2:04
A. You don't really maintain state. B.

Elizabeth (Plabayo)
2:11
The code bases of the reference implementations, such as the Linux version, are very small. I believe around 4000 to 6000 lines of code, which is very easy to audit.

Elizabeth (Plabayo)
2:25
The logic is relatively simple. The hardest part to understand is the cryptography and the mathematics behind it, but that's cryptography in general. But if you're an expert in that domain, such as a security analyst or

Elizabeth (Plabayo)
2:39
a developer working within that space, you will be used to that, so that's no issue. So for those people, it's very easy to audit, which, for example, if you compare it to something like OpenVPN, I think that's like a couple thousand lines of code.

Elizabeth (Plabayo)
2:54
And if you're not familiar with code, it would be like trying to ask you to find mistakes in this article of two pages versus finding a mistake in a book of 300 pages.

Elizabeth (Plabayo)
2:59
It will be, you know, you can see where it will be the easiest to find mistakes, especially if it's a book with a lot of concepts which tie into each other. And so you have to try to figure out where there is a logic flaw. It's a lot easier if there's a lot less content to look at.

Elizabeth (Plabayo)
3:25
I see, it makes it easy for security. My next question is, why does WireGuard matter today and who is actually using it in practice? Yeah, so those are two different questions and I would like to focus on the first one first.

Elizabeth (Plabayo)
3:42
Like why it matters is perhaps first asking what if we don't have VPN? And so I can think of two use cases. One is you have a little server in your home and it contains information such as your photos, maybe even your ID card, all kinds of personal information. Now sometimes you want this information also remotely available,

Elizabeth (Plabayo)
4:11
because maybe you have to show your ID card somewhere and you want to show it. Another use case is, let's say you have a little doctor practice and you have the files of your patients on the server in your home office or your doctor's practice, but you also go on house visits and so you need this information both for reading but also to add extra information as you are with the patient in their home. Indeed. And so in both cases you are remote.

Elizabeth (Plabayo)
4:42
If we don't have VPN, you are basically going to rely on authentication. So let's say you are connecting to your server over HTTPS and then you use some kind of username password or maybe use a passkey or use two-factor authentication. Probably several layers of these things. And you would think that's okay, but if you look at all the

Elizabeth (Plabayo)
5:08
vulnerabilities that people find, time and over, like every month you keep seeing new reports of bugs in stacks of software, databases, server software, routers, doesn't really matter. And attackers find these mistakes, they chain them together and they find a way to get around authentication. And the problem is

Elizabeth (Plabayo)
5:33
it's a lot worse than a physical attack. Let's say you have a house, you want to secure your house. You only have so many criminals in your neighborhood that will target your house. In the IT world, however, this server of this doctor, if it is not with the VPN, will be publicly available. It's not just publicly to its city, it's publicly to the entire world.

Elizabeth (Plabayo)
5:58
Of course, the doctor could do simple things like saying I only allow IP connections from within my own country. Sure. But even then you have stuff like proxies, so the attackers can get around that. If it's publicly available, it is by definition publicly available somehow to the entire world. Meaning anybody can hammer into your server and try to find these mistakes. They are not your mistake. They're just because of dependencies you use or because of the software stack you have. And if you're a doctor, it's not like you're going to be the one developing that.

Elizabeth (Plabayo)
6:28
So you use something that you found either open source or you pay for it.

Elizabeth (Plabayo)
6:33
And so you're allowing authentication, and authentication by definition doesn't work, as history shows over and over again. So that's why you want the VPN. But like I also mentioned something like OpenVPN, and there are some other ones like IPsec and a couple of other ones. They are either closed source or they might still be open source, but they are like pretty complex.

Elizabeth (Plabayo)
6:59
And so it's very hard to know if there's a mistake in there or not that can be abused. Especially now with LLM technology, which is pretty good in finding patterns, sometimes a lot better than like humans,

Elizabeth (Plabayo)
7:12
because it is a lot of data and computers were always good at finding data. And now LLM technology also allows us to do that on code and find those mistakes at scale.

Elizabeth (Plabayo)
7:24
And so you want something very small, because then you can go back to a very pure form of auditing where you almost mathematically can prove, and also where you can prove completely, is this secure or not. It will never be 100% but it's as close as you can get. It seems like it is an important tool and it seems like widespread. So where do usually people encounter WireGuard nowadays? Yeah, so that's a bit of a thing. It is not used frequently enough. So I was mentioning authentication doesn't really work, yet it's often the biggest form of authentication. Even worse

Elizabeth (Plabayo)
8:11
is that some resources are publicly available and they have no authentication at all. So sometimes you read about this database and then they find a mistake in it and suddenly attackers can abuse it. Or sometimes you have these things like home routers and they get installed in someone's house

Elizabeth (Plabayo)
8:32
and by default they have some kind of default password which you can just find in the manual.

Elizabeth (Plabayo)
8:37
Yeah, that's a big issue. Yeah. So it's not widespread enough. So it's very niche, in a sense like the minority will be using it today. And if they will be using it, it's often as part of other products. So maybe some people heard of Tailscale, and they are a company which implements technology on top of WireGuard. And sometimes they might be developers or companies using some kind of

Elizabeth (Plabayo)
9:03
cloud infrastructure which they can access through a VPN, and those things might be driven by WireGuard, either by an official implementation of WireGuard or by someone implementing the protocol which is WireGuard, because you can also just, of course, read the white paper, you can also implement the protocol yourself and then also use it. So...

Elizabeth (Plabayo)
9:27
Most people don't use something like this, and for those that do use WireGuard or a derivative of it, they might not even realize. But if we go back to our example of our doctor or to our example of the person that wants to have personal data access from a remote point, with something like WireGuard or with WireGuard specifically, what they can do is they can ensure that this remote resource, this server, is not even accessible. So no one in the world can even access it. The only way to access it is through a WireGuard tunnel. And the only way to do that is by having a private key which is attached to a public key known to that server.

Elizabeth (Plabayo)
10:17
And that's pretty powerful. That means by definition it's completely sealed off, and only if you have access to this private key you can access the server. And so then at that point the security relies on how securely can you store this private key.

Elizabeth (Plabayo)
10:38
So those will be the main reason why...

Elizabeth (Plabayo)
10:41
From the implementation point of view, it makes sense and it's very attractive for many developers and engineers, right? To adopt this WireGuard. Yeah, it's interesting because it means you can have...

Elizabeth (Plabayo)
11:00
Things like developer infrastructure, you can have servers, you can have all kinds of things, not just for developers, but yeah, certainly also for developers. You can have them remotely accessible without the insecurity of having to rely on authentication. And so that's...

Elizabeth (Plabayo)
11:16
And not just that, but as we mentioned at the start of the episode, WireGuard is a very simple implementation. So it's a lot harder to make mistakes. And the longer it will be used, the easier it will be. Like, let's say there was a mistake in it, you fix it once and it's also fixed for everybody. But I don't know so far of any mistake that was found in it. And it allows you to securely have these resources accessible.

Elizabeth (Plabayo)
11:43
Since it's an accessible resource, which one would you recommend to access for WireGuard, the official website? Yeah, if you want to learn more about it, then you can also head to the show notes. Like I would start with the official website. They also gave some great talks about it on conferences like BlackHat. They also have reference implementations in several other languages,

Elizabeth (Plabayo)
12:10
including Rust, for example, and you can look at that. They have the white paper online, they have all kinds of resources online to learn more about how it works. It also comes with little tutorials like how to set it up yourself. If you're familiar with the command line you can just set it up pretty quickly. We use it for example

Elizabeth (Plabayo)
12:32
to secure some of our private servers so we can access them from our developer machines

Elizabeth (Plabayo)
12:38
without having them publicly exposed to the internet. So we were talking about having some server only accessible from specific machines that you trust. But another use case of it is it could be your personal VPN. So let's say for specific use cases you need something like a static IP address. Because sometimes you might work with clients or companies or organizations that can only allow you into their resources while you do consultancy for them or work with them

Elizabeth (Plabayo)
13:21
for an IP address that they can whitelist or put on an allow list. And so what you can also do is you can set up

Elizabeth (Plabayo)
13:31
a little server for very cheap in some cloud, like let's say Hetzner or one of these providers, and you connect to it using WireGuard.

Elizabeth (Plabayo)
13:41
That server forwards your traffic then to any destination. And at that point, your IP address for the public becomes the IP address of that server, which is by definition static. So at that point it doesn't matter if you're at home or in an internet cafe or remotely at some client, you will always have the same IP address, allowing you,

Elizabeth (Plabayo)
14:00
because it is added to the allow list of IP addresses, to access those resources. So that's another use case of something like WireGuard: to get yourself some kind of

Elizabeth (Plabayo)
14:11
static IP address if you ever need those. Because in the end that's another use case why some people use VPNs. Like most people come into contact because they want to have some IP address from another company or something. So that's another use case, but it's something you totally own. Like you don't rely on some trust of some other company,

Elizabeth (Plabayo)
14:30
you just rely on the thing you own yourself, for basically no money at all.

Elizabeth (Plabayo)
14:37
Yeah, that's awesome. And it's so good that it's open source. So thank you very much, Glen.

Elizabeth (Plabayo)
14:44
And thank you to our listeners for being with us and giving us your feedback. And also, I would like to ask you, if you know someone or if you are someone with expertise on this theme, please reach out to us. We will be so happy to hear from you to keep unpacking this theme.

Elizabeth (Plabayo)
15:11
Thank you very much. Until the next Protocol Shorts. Bye.
15:18 | 🔗
Netstack.fm is brought to you by Rama, an open source framework for moving and transforming network packets. Rama is built and maintained by Plabayo, a company focused on secure, open, and resilient infrastructure with Rust, protocols, and purpose. The theme music of this podcast was composed by DJ Mailbox. For more conversations like this, subscribe so you don't miss what's coming next. And if you know someone who could benefit from this episode, share it with them. They might appreciate it. If you have experience in protocols, networking, or infrastructure, and want to share your work, your ideas, or experience, we would love to hear from you. Reach out at hello@netstack.fm. Thank you for being here. See you next time for the next handshake.