1-1: What is Wireguard?

Wireguard is an encrypted networking protocol designed for secure peer-to-peer networking, and as an alternative to more “traditional” private networking technologies. It uses strong, modern cryptography to secure tunneled data and plaintext configuration files to govern its operation.

Wireguard is baked into the Linux kernel, making it extremely fast and simple to deploy on servers. But Wireguard also has implementations for just about any platform you can imagine.

Differences from Other VPNs

In the past, you may have used VPN technologies like OpenVPN or built-in IPSec tunnels through enterprise firewalls. Wireguard differs from these in its simplicity and flexibility. You do not need a firewall to run a Wireguard network (although many firewalls can host one).

Additionally, Wireguard networks can take many different shapes. In a traditional VPN, one or more “external” clients gain access to an internal network via a tunneling service hosted by a firewall or edge device, granting the external device a presence on the internal network. While Wireguard can function this way, it operates on the principle of connecting peers together. What the peers do with the Wireguard traffic after the connection is established is up to them. This subtle difference significantly alters how we approach Wireguard and what we can do with it.

For a much deeper dive on how Wireguard works, I recommend reading their protocol explainer and their whitepaper.

What Can You Do with Wireguard?

Wireguard excels at building trusted networks across and independent of existing networking layers. Here are some use cases:

The Self-Hoster

Suppose you have a well-appointed homelab (perhaps with some guidance from a high-quality resource?). You want to publish your blog and a few other applications to the internet, but you don’t want to open any ports on your home router. With Wireguard, you can use a cloud-based server as a simple reverse proxy, with a point-to-point Wireguard tunnel between your in-home assets (properly isolated, of course) and the public reverse proxy. The result: internet availability of your apps without inviting a flood of attack traffic to your home router.
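As an added example (not from the original chapter), here is what the point-to-point tunnel in that self-hoster scenario looks like in Wireguard’s plaintext configuration format: one file for the cloud reverse proxy and one for the home host. Key material, the tunnel addresses and the cloud hostname are placeholders; the important part is the narrow AllowedIPs on each side, which keeps the tunnel from becoming a route into the rest of the home network.

```ini
# --- /etc/wireguard/wg0.conf on the cloud reverse proxy (placeholder values) ---
[Interface]
PrivateKey = <CLOUD_PRIVATE_KEY>        # placeholder; generate with `wg genkey`
Address = 10.44.0.1/24                  # tunnel-only address (constructed example)
ListenPort = 51820                      # the only inbound port, and it is on the cloud side

[Peer]
# The home host. A single /32 in AllowedIPs means the proxy will only send
# (and accept) traffic for that one tunnel address; nothing else behind the
# home router is reachable from the cloud side.
PublicKey = <HOME_PUBLIC_KEY>           # placeholder
AllowedIPs = 10.44.0.2/32

# --- /etc/wireguard/wg0.conf on the home host (placeholder values) ---
[Interface]
PrivateKey = <HOME_PRIVATE_KEY>         # placeholder
Address = 10.44.0.2/24
# No ListenPort: the home host only initiates the connection,
# so no port is opened or forwarded on the home router.

[Peer]
PublicKey = <CLOUD_PUBLIC_KEY>          # placeholder
Endpoint = cloud.example.net:51820      # placeholder hostname for the cloud server
AllowedIPs = 10.44.0.1/32               # only the proxy's tunnel address goes into the tunnel; not a full tunnel
PersistentKeepalive = 25                # keeps the NAT mapping alive so the proxy can reach back in
```

The reverse proxy then forwards public requests to 10.44.0.2 across the tunnel, and the home host’s own firewall should accept only the proxied service ports from 10.44.0.1.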

The Activist

Suppose you’re an activist who wants to coordinate with others in your organization, but you don’t want to advertise this activity to the prying eyes of an oppressive state. They may have visibility at the ISP level, meaning general traffic across the internet should be considered insecure. Commercial VPNs shift the risk to the VPN provider, but that is little improvement. With Wireguard, you can create a network of peers through which all sensitive traffic (shared resources, communications) is routed, wholly unreadable by any service provider in between.

The Archivist

Suppose you’re a collector of media. You have built an impressive collection of movies, TV shows, and music over the years. With streaming costs skyrocketing and crackdowns on sharing of account credentials, you want your extended family to be able to access your media library with a minimum of fuss.

By creating a Wireguard connection between your media server and your family’s home networks, the server becomes available without setting up a full-tunnel VPN between your home and theirs.

Built on Wireguard

Several professional tools have been built on Wireguard’s core technology. The most well-known is Tailscale, which is sort of Wireguard-as-a-service. It takes the basic tunneling technology, adds some light coordination and host configuration, and produces a highly resilient and flexible mesh network. The “open core” Netmaker provides a similar service, as does the actually open source Netbird.

Check For Understanding

  • How does Wireguard differ from other VPNs?