Last updated: 2023-11-24
Introduction to WireGuard
WireGuard securely encapsulates IP packets over UDP.
Core concepts
WireGuard interface
It works by adding a network interface called wg0, wg1, etc., analogous to eth0 or wlan0.
Cryptokey Routing
Each network interface has a private key and a list of peers.
Each peer has a public key.
Each public key is associated with a list of tunnel IP addresses that are allowed inside the tunnel (AllowedIPs).
A public key must be unique among the peers on the same tunnel. Otherwise,
traffic to the conflicting networks will only be routed to the last peer in the list.
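To make the Cryptokey Routing rules above concrete, here is an added example (not code from the WireGuard project) that models the AllowedIPs table of one interface: outgoing packets are matched to a peer by longest prefix, incoming decrypted packets are accepted only if their inner source IP resolves to the peer that sent them, and a prefix assigned to a second peer moves to that later peer. Peer names and addresses are constructed sample values.

```python
# Added example: a minimal model of WireGuard's Cryptokey Routing table.
# Keys and addresses below are constructed sample values, not real ones.
import ipaddress
from typing import Optional


class CryptokeyRouter:
    """Maps AllowedIPs prefixes to peer public keys, as a wg interface does.

    Each prefix belongs to exactly one peer: assigning a prefix already held
    by another peer moves it to the peer configured last (the overlap caveat
    described above).
    """

    def __init__(self) -> None:
        self.table = {}  # ip_network -> peer public key (str)

    def add_peer(self, pubkey: str, allowed_ips: list) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = pubkey  # a later peer silently takes the prefix

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match of an IP against every AllowedIPs entry."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, pubkey in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, pubkey)
        return best[1] if best else None  # None: no route, packet is dropped

    def peer_for_outgoing(self, dst: str) -> Optional[str]:
        """Outgoing: the packet is encrypted to the peer owning the best prefix."""
        return self.lookup(dst)

    def accept_incoming(self, pubkey: str, src: str) -> bool:
        """Incoming: after decryption under a peer's key, the inner source IP
        must resolve to that same peer ("is it from this IP?"), else drop."""
        return self.lookup(src) == pubkey


def demo() -> dict:
    r = CryptokeyRouter()
    r.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32", "192.168.10.0/24"])
    r.add_peer("PEER_B_PUBKEY", ["10.0.0.3/32", "0.0.0.0/0"])  # default route
    r.add_peer("PEER_C_PUBKEY", ["192.168.10.0/24"])           # overlaps with A
    return {
        "to_10.0.0.2": r.peer_for_outgoing("10.0.0.2"),          # /32 beats /0: A
        "to_8.8.8.8": r.peer_for_outgoing("8.8.8.8"),            # default route: B
        "to_192.168.10.7": r.peer_for_outgoing("192.168.10.7"),  # prefix moved to C
        "spoof_from_B": r.accept_incoming("PEER_B_PUBKEY", "10.0.0.2"),  # dropped
        "valid_from_A": r.accept_incoming("PEER_A_PUBKEY", "10.0.0.2"),  # accepted
    }
```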
Advantages
Minimal Attack Surface
It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.
High Performance
WireGuard lives inside the Linux kernel
Simple & Easy-to-use
At the heart of WireGuard is a concept called Cryptokey Routing:
rules simply match on "is it from this IP? on this interface?"
Ready for Containers
Known Limitations
- WireGuard does not focus on obfuscation
- WireGuard explicitly does not support tunneling over TCP
- WireGuard uses ChaCha20Poly1305 (does not support hardware encryption devices)
Other Projects