Convert Figma logo to code with AI

WireGuard logowireguard-linux

Mirror only. Official repository is at https://git.zx2c4.com/wireguard-linux

1,245
197
1,245
0

Top Related Projects

22,053

An open source, self-hosted implementation of the Tailscale control server

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.

18,532

The easiest, most secure way to use WireGuard and 2FA.

Userspace WireGuard® Implementation in Rust

28,868

Set up a personal VPN in the cloud

23,178

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Quick Overview

WireGuard-linux is the official Linux kernel implementation of WireGuard, a modern, fast, and secure VPN protocol. It provides a simple and efficient way to create secure point-to-point connections in routed or bridged configurations, offering high-speed performance and low attack surface.

Pros

  • High performance and low latency compared to other VPN protocols
  • Simple configuration and ease of use
  • Strong, modern cryptography with a focus on security
  • Lightweight codebase, making it easier to audit and maintain

Cons

  • Relatively new compared to established VPN protocols like OpenVPN or IPsec
  • Limited support for older Linux kernel versions
  • Fewer advanced features compared to some other VPN solutions
  • May require manual firewall configuration in some cases

Code Examples

As WireGuard-linux is a kernel module and not a typical code library, we'll provide configuration examples instead of code snippets.

  1. Basic WireGuard interface configuration:
[Interface]
PrivateKey = your_private_key_here
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = peer_public_key_here
AllowedIPs = 10.0.0.2/32
Endpoint = peer.example.com:51820
  1. Enabling IP forwarding for WireGuard:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
  1. Firewall configuration example (using iptables):
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Getting Started

To get started with WireGuard-linux:

  1. Install WireGuard:

    sudo apt update
    sudo apt install wireguard
    
  2. Generate private and public keys:

    wg genkey | tee privatekey | wg pubkey > publickey
    
  3. Create a configuration file (e.g., /etc/wireguard/wg0.conf) using the example provided in the "Code Examples" section.

  4. Start the WireGuard interface:

    sudo wg-quick up wg0
    
  5. To enable the interface at boot:

    sudo systemctl enable wg-quick@wg0
    

Remember to configure your firewall and IP forwarding as needed for your specific use case.

Competitor Comparisons

22,053

An open source, self-hosted implementation of the Tailscale control server

Pros of headscale

  • Implements a control server for Tailscale, providing a self-hosted alternative
  • Offers a user-friendly interface for managing network connections
  • Supports multi-user environments and access control features

Cons of headscale

  • Less mature and potentially less stable than WireGuard
  • May have a steeper learning curve for users unfamiliar with Tailscale
  • Limited to Tailscale-compatible clients, whereas WireGuard is more versatile

Code Comparison

headscale:

func (ns *Namespace) GetUsers() ([]*User, error) {
    users := []*User{}
    err := ns.db.Where("namespace = ?", ns.Name).Find(&users).Error
    return users, err
}

wireguard-linux:

static int wg_peer_remove(struct wg_device *wg, struct wg_peer *peer)
{
    if (peer->is_dead)
        return 0;
    peer->is_dead = true;
    /* ... */
}

The headscale code snippet demonstrates user management within namespaces, while the wireguard-linux code focuses on low-level peer management. This reflects the different abstraction levels and purposes of the two projects.

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.

Pros of Netmaker

  • Provides a user-friendly web interface for network management
  • Offers automated peer discovery and configuration
  • Supports multi-cloud and hybrid network setups

Cons of Netmaker

  • Requires additional infrastructure for management
  • May have a steeper learning curve for users new to network management
  • Potentially higher resource overhead compared to bare WireGuard

Code Comparison

Netmaker (Go):

func (network *Network) GetNetworkNodes() ([]models.Node, error) {
    var nodes []models.Node
    collection := database.FetchRecords(database.NODES_TABLE_NAME)
    err := collection.Find(bson.M{"network": network.NetID}).All(&nodes)
    return nodes, err
}

WireGuard-linux (C):

static int wg_peer_create(struct wg_device *wg, struct wg_peer *peer)
{
    int ret;
    ret = noise_handshake_init(&peer->handshake, &wg->static_identity,
                               peer->public_key, peer);
    if (ret)
        return ret;
    ret = cookie_checker_init(&peer->cookie_checker, peer->public_key);
    return ret;
}

The code snippets demonstrate different approaches: Netmaker focuses on high-level network management in Go, while WireGuard-linux implements low-level networking protocols in C.

18,532

The easiest, most secure way to use WireGuard and 2FA.

Pros of Tailscale

  • User-friendly and easier to set up for non-technical users
  • Built-in features like access controls, DNS, and automatic key rotation
  • Cross-platform support with clients for various operating systems

Cons of Tailscale

  • Closed-source core components and reliance on centralized coordination servers
  • Less flexibility for advanced networking configurations
  • Potential privacy concerns due to the centralized nature of the service

Code Comparison

Tailscale (Go):

func (c *Conn) Close() error {
    c.mu.Lock()
    defer c.mu.Unlock()
    if c.closed {
        return nil
    }
    c.closed = true
    return c.pconn.Close()
}

WireGuard (C):

static void wg_socket_reinit(struct wg_device *wg)
{
    struct socket *new4, *new6;
    struct udp_tunnel_sock_cfg cfg = {
        .sk_user_data = wg,
        .encap_type = UDP_ENCAP_XFRM,
        .encap_rcv = wg_receive
    };
}

The code snippets demonstrate different approaches: Tailscale uses Go and focuses on connection management, while WireGuard uses C and deals with low-level socket operations. This reflects their design philosophies, with Tailscale providing a higher-level abstraction and WireGuard offering more direct control over networking components.

Userspace WireGuard® Implementation in Rust

Pros of boringtun

  • Written in Rust, offering memory safety and performance benefits
  • Cross-platform compatibility, including Windows support
  • User-space implementation, allowing easier deployment in various environments

Cons of boringtun

  • May have slightly higher overhead compared to kernel-space implementation
  • Potentially less integrated with the Linux kernel's networking stack
  • Newer project with a smaller community and less extensive testing

Code Comparison

wireguard-linux (C):

static inline void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
                                            const u8 *ad, const size_t ad_len,
                                            const u64 nonce, const u8 key[CHACHA20POLY1305_KEY_SIZE])
{
    chacha20_encrypt(dst, src, src_len, key, nonce);
    poly1305_mac(dst + src_len, dst, src_len, ad, ad_len, key);
}

boringtun (Rust):

pub fn encrypt_packet_with_counter(
    src: &[u8],
    dst: &mut [u8],
    nonce: u64,
    key: &[u8; 32],
) -> Result<usize, WireGuardError> {
    ChaCha20Poly1305::new(key.into())
        .encrypt_in_place_detached(&nonce.to_le_bytes().into(), &[], dst)?;
    Ok(src.len() + AEAD_TAG_SIZE)
}
28,868

Set up a personal VPN in the cloud

Pros of algo

  • Easier to set up and manage for non-technical users
  • Includes additional security features like DNS-based ad blocking
  • Supports multiple cloud providers out of the box

Cons of algo

  • Less flexible and customizable than wireguard-linux
  • May have higher resource usage due to additional features
  • Limited to specific deployment scenarios

Code comparison

algo:

def deploy(server, config, args):
    algo_server = AlgoServer(server, config, args)
    algo_server.install()
    algo_server.config()

wireguard-linux:

static int wg_set_device(struct net_device *dev, struct nlattr *tb[])
{
    struct wg_device *wg = netdev_priv(dev);
    int ret;

    ret = wg_set_device_keys(wg, tb);
    if (ret)
        return ret;
}

The algo project is written in Python and focuses on high-level deployment and configuration, while wireguard-linux is written in C and deals with low-level kernel interactions. This reflects their different purposes: algo aims for ease of use and quick deployment, while wireguard-linux provides the core VPN functionality with maximum performance and flexibility.

23,178

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Pros of Streisand

  • Offers a wider range of VPN protocols and services beyond just WireGuard
  • Provides automated setup scripts for multiple cloud providers
  • Includes additional privacy-enhancing tools like Tor and DNS encryption

Cons of Streisand

  • More complex setup and maintenance due to multiple services
  • Potentially higher resource usage and overhead
  • Less focused on performance optimization compared to WireGuard

Code Comparison

Streisand (setup script excerpt):

#!/bin/bash
set -e

if [ ! -e ~/.ssh/id_rsa.pub ]; then
  ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
fi

WireGuard (kernel module initialization):

static int __init mod_init(void)
{
    int ret;

    ret = device_init();
    if (ret < 0)
        return ret;
    return 0;
}

While Streisand focuses on automating the deployment of various VPN services, WireGuard is a dedicated, high-performance VPN protocol implementation. Streisand offers more versatility and ease of setup across different platforms, but WireGuard provides a more streamlined and efficient VPN solution with a focus on simplicity and performance.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Linux kernel

There are several guides for kernel developers and users. These guides can be rendered in a number of formats, like HTML and PDF. Please read Documentation/admin-guide/README.rst first.

In order to build the documentation, use make htmldocs or make pdfdocs. The formatted documentation can also be read online at:

https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory, several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the requirements for building and running the kernel, and information about the problems which may result by upgrading your kernel.