1-2: How Wireguard Works

Before diving in to running Wireguard commands, it’s worth a moment to explore Wireguard’s design. It’s fairly simple!

Like all private networking, Wireguard encrypts packets of data between a sender and a receiver. Wireguard’s elegance is in how that encryption and transmission take place.

Asymmetric Cryptography

Every member of a Wireguard network, also known as a Peer, is associated with a cryptographic keypair. You may have encountered public/private keys before, such as with SSH or HTTPS certificates. This is not a cryptography course, so we won’t go too far into the weeds on this, but remember that the public key is shared with the world, and the private key is kept secret.

In Wireguard, every Peer is identified on the network by their public key, not their IP address! IP addresses change, but keys should remain the same no matter what.

If you’re curious, the keys are 256-bit Curve25519 points.

Key Exchange

When two Peers want to communicate, a shared key for the session is established via Wireguard’s handshake protocol. The keypairs from each party are used to derive a shared encryption key for the session. Optionally, a preshared key is also mixed into the handshake, which adds an extra layer of symmetric-key strength and a measure of quantum resistance to the session secrets.

Sending Data

When sending data to a Peer, the destination address is looked up in a cryptokey routing table that maps known public keys to the IP addresses allowed for each key. If the destination address matches one of a Peer’s allowed IPs, the session for that Peer is used to encrypt the data. If no such session exists yet, a new one is created via the handshake using the respective keypairs.

The packet is encrypted with the ChaCha20-Poly1305 authenticated encryption algorithm.
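To make the cryptokey routing step concrete, here is an added toy model (not the book’s code, and not WireGuard’s implementation): peers are keyed by public key, outbound packets pick a peer by longest-prefix match on the destination address, a session is created on first use and reused afterwards, and inbound packets are only accepted when their inner source address belongs to the peer that authenticated them. The public keys and networks are constructed sample values.

```python
import ipaddress
from typing import Optional

class CryptokeyRoutingTable:
    """Toy cryptokey routing table: allowed IP prefix -> peer public key."""

    def __init__(self) -> None:
        # (network, public_key) pairs, kept sorted so more specific prefixes win
        self._routes = []
        # public_key -> session label; stands in for the real session keys
        self._sessions = {}

    def add_peer(self, public_key: str, allowed_ips: list) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self._routes.append((net, public_key))
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def peer_for_destination(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, key in self._routes:
            if addr in net:          # version mismatch is simply not a match
                return key
        return None                  # no peer claims this address: drop it

    def session_for_destination(self, dst: str) -> Optional[str]:
        key = self.peer_for_destination(dst)
        if key is None:
            return None
        if key not in self._sessions:
            # the handshake would run here; we only record that a session exists
            self._sessions[key] = f"session-{len(self._sessions) + 1}"
        return self._sessions[key]

    def accept_inbound(self, public_key: str, inner_src: str) -> bool:
        # Reverse check on decrypted traffic: the authenticated peer must be
        # the one allowed to originate the inner source address, else drop.
        return self.peer_for_destination(inner_src) == public_key

if __name__ == "__main__":
    table = CryptokeyRoutingTable()
    table.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32", "192.168.10.0/24"])
    table.add_peer("PEER_B_PUBKEY", ["0.0.0.0/0"])          # catch-all peer
    print(table.session_for_destination("192.168.10.7"))    # PEER_A's session
    print(table.session_for_destination("8.8.8.8"))         # PEER_B's session
    print(table.accept_inbound("PEER_B_PUBKEY", "10.0.0.2"))  # False: spoofed
```

The last call shows why the reverse check matters: a packet authenticated by the catch-all peer but claiming the source address assigned to PEER_A is dropped rather than forwarded.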

UDP

Any type of network data may be sent over a Wireguard connection, but the connection itself uses User Datagram Protocol (UDP) for transmission. This keeps the tunnel extremely lightweight.

Okay, enough theory. Let’s walk through a simple Wireguard connection to see how this all works in practice.

Check For Understanding

  • How are Peers identified in a Wireguard network?
  • How does Wireguard decide where to send data?