wireguard-linux
Mirror only. Official repository is at https://git.zx2c4.com/wireguard-linux
Top Related Projects
An open source, self-hosted implementation of the Tailscale control server
Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
The easiest, most secure way to use WireGuard and 2FA.
Userspace WireGuard® Implementation in Rust
Set up a personal VPN in the cloud
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
Quick Overview
WireGuard-linux is the official Linux kernel implementation of WireGuard, a modern, fast, and secure VPN protocol. It provides a simple and efficient way to create secure point-to-point connections in routed or bridged configurations, offering high-speed performance and low attack surface.
Pros
- High performance and low latency compared to other VPN protocols
- Simple configuration and ease of use
- Strong, modern cryptography with a focus on security
- Lightweight codebase, making it easier to audit and maintain
Cons
- Relatively new compared to established VPN protocols like OpenVPN or IPsec
- Limited support for older Linux kernel versions
- Fewer advanced features compared to some other VPN solutions
- May require manual firewall configuration in some cases
Code Examples
As WireGuard-linux is a kernel module and not a typical code library, we'll provide configuration examples instead of code snippets.
- Basic WireGuard interface configuration:
[Interface]
PrivateKey = your_private_key_here
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = peer_public_key_here
AllowedIPs = 10.0.0.2/32
Endpoint = peer.example.com:51820
- Enabling IP forwarding for WireGuard:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
- Firewall configuration example (using iptables):
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Getting Started
To get started with WireGuard-linux:
-
Install WireGuard:
sudo apt update sudo apt install wireguard
-
Generate private and public keys:
wg genkey | tee privatekey | wg pubkey > publickey
-
Create a configuration file (e.g.,
/etc/wireguard/wg0.conf
) using the example provided in the "Code Examples" section. -
Start the WireGuard interface:
sudo wg-quick up wg0
-
To enable the interface at boot:
sudo systemctl enable wg-quick@wg0
Remember to configure your firewall and IP forwarding as needed for your specific use case.
Competitor Comparisons
An open source, self-hosted implementation of the Tailscale control server
Pros of headscale
- Implements a control server for Tailscale, providing a self-hosted alternative
- Offers a user-friendly interface for managing network connections
- Supports multi-user environments and access control features
Cons of headscale
- Less mature and potentially less stable than WireGuard
- May have a steeper learning curve for users unfamiliar with Tailscale
- Limited to Tailscale-compatible clients, whereas WireGuard is more versatile
Code Comparison
headscale:
func (ns *Namespace) GetUsers() ([]*User, error) {
users := []*User{}
err := ns.db.Where("namespace = ?", ns.Name).Find(&users).Error
return users, err
}
wireguard-linux:
static int wg_peer_remove(struct wg_device *wg, struct wg_peer *peer)
{
if (peer->is_dead)
return 0;
peer->is_dead = true;
/* ... */
}
The headscale code snippet demonstrates user management within namespaces, while the wireguard-linux code focuses on low-level peer management. This reflects the different abstraction levels and purposes of the two projects.
Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
Pros of Netmaker
- Provides a user-friendly web interface for network management
- Offers automated peer discovery and configuration
- Supports multi-cloud and hybrid network setups
Cons of Netmaker
- Requires additional infrastructure for management
- May have a steeper learning curve for users new to network management
- Potentially higher resource overhead compared to bare WireGuard
Code Comparison
Netmaker (Go):
func (network *Network) GetNetworkNodes() ([]models.Node, error) {
var nodes []models.Node
collection := database.FetchRecords(database.NODES_TABLE_NAME)
err := collection.Find(bson.M{"network": network.NetID}).All(&nodes)
return nodes, err
}
WireGuard-linux (C):
static int wg_peer_create(struct wg_device *wg, struct wg_peer *peer)
{
int ret;
ret = noise_handshake_init(&peer->handshake, &wg->static_identity,
peer->public_key, peer);
if (ret)
return ret;
ret = cookie_checker_init(&peer->cookie_checker, peer->public_key);
return ret;
}
The code snippets demonstrate different approaches: Netmaker focuses on high-level network management in Go, while WireGuard-linux implements low-level networking protocols in C.
The easiest, most secure way to use WireGuard and 2FA.
Pros of Tailscale
- User-friendly and easier to set up for non-technical users
- Built-in features like access controls, DNS, and automatic key rotation
- Cross-platform support with clients for various operating systems
Cons of Tailscale
- Closed-source core components and reliance on centralized coordination servers
- Less flexibility for advanced networking configurations
- Potential privacy concerns due to the centralized nature of the service
Code Comparison
Tailscale (Go):
func (c *Conn) Close() error {
c.mu.Lock()
defer c.mu.Unlock()
if c.closed {
return nil
}
c.closed = true
return c.pconn.Close()
}
WireGuard (C):
static void wg_socket_reinit(struct wg_device *wg)
{
struct socket *new4, *new6;
struct udp_tunnel_sock_cfg cfg = {
.sk_user_data = wg,
.encap_type = UDP_ENCAP_XFRM,
.encap_rcv = wg_receive
};
}
The code snippets demonstrate different approaches: Tailscale uses Go and focuses on connection management, while WireGuard uses C and deals with low-level socket operations. This reflects their design philosophies, with Tailscale providing a higher-level abstraction and WireGuard offering more direct control over networking components.
Userspace WireGuard® Implementation in Rust
Pros of boringtun
- Written in Rust, offering memory safety and performance benefits
- Cross-platform compatibility, including Windows support
- User-space implementation, allowing easier deployment in various environments
Cons of boringtun
- May have slightly higher overhead compared to kernel-space implementation
- Potentially less integrated with the Linux kernel's networking stack
- Newer project with a smaller community and less extensive testing
Code Comparison
wireguard-linux (C):
static inline void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
const u8 *ad, const size_t ad_len,
const u64 nonce, const u8 key[CHACHA20POLY1305_KEY_SIZE])
{
chacha20_encrypt(dst, src, src_len, key, nonce);
poly1305_mac(dst + src_len, dst, src_len, ad, ad_len, key);
}
boringtun (Rust):
pub fn encrypt_packet_with_counter(
src: &[u8],
dst: &mut [u8],
nonce: u64,
key: &[u8; 32],
) -> Result<usize, WireGuardError> {
ChaCha20Poly1305::new(key.into())
.encrypt_in_place_detached(&nonce.to_le_bytes().into(), &[], dst)?;
Ok(src.len() + AEAD_TAG_SIZE)
}
Set up a personal VPN in the cloud
Pros of algo
- Easier to set up and manage for non-technical users
- Includes additional security features like DNS-based ad blocking
- Supports multiple cloud providers out of the box
Cons of algo
- Less flexible and customizable than wireguard-linux
- May have higher resource usage due to additional features
- Limited to specific deployment scenarios
Code comparison
algo:
def deploy(server, config, args):
algo_server = AlgoServer(server, config, args)
algo_server.install()
algo_server.config()
wireguard-linux:
static int wg_set_device(struct net_device *dev, struct nlattr *tb[])
{
struct wg_device *wg = netdev_priv(dev);
int ret;
ret = wg_set_device_keys(wg, tb);
if (ret)
return ret;
}
The algo project is written in Python and focuses on high-level deployment and configuration, while wireguard-linux is written in C and deals with low-level kernel interactions. This reflects their different purposes: algo aims for ease of use and quick deployment, while wireguard-linux provides the core VPN functionality with maximum performance and flexibility.
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
Pros of Streisand
- Offers a wider range of VPN protocols and services beyond just WireGuard
- Provides automated setup scripts for multiple cloud providers
- Includes additional privacy-enhancing tools like Tor and DNS encryption
Cons of Streisand
- More complex setup and maintenance due to multiple services
- Potentially higher resource usage and overhead
- Less focused on performance optimization compared to WireGuard
Code Comparison
Streisand (setup script excerpt):
#!/bin/bash
set -e
if [ ! -e ~/.ssh/id_rsa.pub ]; then
ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
fi
WireGuard (kernel module initialization):
static int __init mod_init(void)
{
int ret;
ret = device_init();
if (ret < 0)
return ret;
return 0;
}
While Streisand focuses on automating the deployment of various VPN services, WireGuard is a dedicated, high-performance VPN protocol implementation. Streisand offers more versatility and ease of setup across different platforms, but WireGuard provides a more streamlined and efficient VPN solution with a focus on simplicity and performance.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Linux kernel
There are several guides for kernel developers and users. These guides can be rendered in a number of formats, like HTML and PDF. Please read Documentation/admin-guide/README.rst first.
In order to build the documentation, use make htmldocs
or
make pdfdocs
. The formatted documentation can also be read online at:
https://www.kernel.org/doc/html/latest/
There are various text files in the Documentation/ subdirectory, several of them using the reStructuredText markup notation.
Please read the Documentation/process/changes.rst file, as it contains the requirements for building and running the kernel, and information about the problems which may result by upgrading your kernel.
Top Related Projects
An open source, self-hosted implementation of the Tailscale control server
Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
The easiest, most secure way to use WireGuard and 2FA.
Userspace WireGuard® Implementation in Rust
Set up a personal VPN in the cloud
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot