WireGuard (2024)

Table of Contents

  • WireGuard (WG)
    • History
    • Protocol dependencies
    • Wireshark
    • Preference Settings
    • Example capture file
    • Display Filter
    • Capture Filter
    • Key Log Format
    • Live capture with decryption support
    • External links

WireGuard is a VPN protocol.

History

WireGuard was started by Jason A. Donenfeld in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Protocol dependencies

  • UDP: WireGuard uses UDP as its transport protocol. There is no standard port and typically WireGuard is detected through heuristics.

Wireshark

WireGuard dissection and decryption support was added in Wireshark 3.0 (Bug 15011).

As of Wireshark 3.2, decryption secrets can be embedded in a pcapng file (Bug 15571).

Preference Settings

  • WireGuard static keys (wg.keys): A table of long-term static keys to enable WireGuard peer identification or partial decryption.

  • Dissect transport data (wg.dissect_packet): Whether the IP dissector should dissect decrypted transport data.

  • Key log filename (wg.keylog_file): The path to the file which contains a list of secrets (see Key Log Format)

Example capture file

The test suite contains two capture samples:

Screenshot (with decryption keys configured): https://twitter.com/Lekensteyn/status/1027938328203669505

Display Filter

A complete list of WireGuard display filter fields can be found in the display filter reference.

The protocol name is wg.

Capture Filter

To filter WireGuard traffic while capturing, you can use:

udp[8:1] >= 1 and udp[8:1] <= 4 and udp[9:1] == 0 and udp[10:2] == 0

This filter works like the WireGuard heuristics. It tests the first byte for a valid message type (1, 2, 3, or 4) and checks that the next three reserved bytes are zero.

Alternatively, if you know the UDP port number, you can filter on it like this:

udp port 51820
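The same four-byte test applied to a UDP payload in Python, as an added example that is not part of the original wiki page. The optional length check goes beyond the capture filter: it uses the fixed message sizes from the WireGuard protocol specification, and the sample payloads are constructed.

```python
import struct

# Type byte values accepted by the capture filter, with their protocol names.
WG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
            3: "cookie_reply", 4: "transport_data"}
# Fixed message sizes from the WireGuard protocol specification; these are
# not part of the capture filter on this page.
FIXED_LEN = {1: 148, 2: 92, 3: 64}
MIN_TRANSPORT_LEN = 32  # 16-byte header plus the 16-byte tag of an empty packet


def wg_message_type(payload: bytes, check_length: bool = False):
    """Return the message type name if the UDP payload looks like WireGuard.

    udp[8:1], udp[9:1] and udp[10:2] in the filter index from the start of
    the 8-byte UDP header, so they are payload bytes 0, 1 and 2..3 here.
    """
    if len(payload) < 4:
        return None
    msg_type, reserved1, reserved2 = struct.unpack_from("!BBH", payload)
    if msg_type not in WG_TYPES or reserved1 != 0 or reserved2 != 0:
        return None
    if check_length:
        if msg_type in FIXED_LEN and len(payload) != FIXED_LEN[msg_type]:
            return None
        if msg_type == 4 and len(payload) < MIN_TRANSPORT_LEN:
            return None
    return WG_TYPES[msg_type]


# Constructed UDP payloads (not taken from a real capture).
SAMPLES = {
    "initiation": b"\x01\x00\x00\x00" + bytes(144),
    "keepalive": b"\x04\x00\x00\x00" + bytes(28),
    "lookalike": b"\x02\x00\x00\x00hello",  # passes the 4-byte test only
    "reserved_set": b"\x01\x00\x00\x01" + bytes(144),
    "dns_query": bytes.fromhex("1a2b01000001000000000000"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, wg_message_type(data), wg_message_type(data, True))
```

The "lookalike" payload shows why the four-byte test alone can match unrelated UDP traffic: it is accepted without the length check and rejected with it.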

Key Log Format

Decryption can be enabled by supplying a key log file. This text file must follow the following format:

Every line consists of the key type, equals sign ('='), and the base64-encoded 32-byte key with optional spaces before and in between. The key type is one of LOCAL_STATIC_PRIVATE_KEY, REMOTE_STATIC_PUBLIC_KEY, LOCAL_EPHEMERAL_PRIVATE_KEY, or PRESHARED_KEY. This matches the output of extract-handshakes.sh.

A PRESHARED_KEY line is linked to a session matched by a previous LOCAL_EPHEMERAL_PRIVATE_KEY line.

Warning: LOCAL_STATIC_PRIVATE_KEY and potentially PRESHARED_KEY are long-term secrets. Users SHOULD only store non-production keys, or ensure proper protection of the pcapng file.
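A small checker for the format and warning above, as an added example that is not Wireshark's own parser. It validates each line, checks that a PRESHARED_KEY follows a LOCAL_EPHEMERAL_PRIVATE_KEY, and flags long-term secrets before a key log is shared; skipping blank lines is an assumption of this example, and the sample keys are constructed.

```python
import base64
import re

KEY_TYPES = {"LOCAL_STATIC_PRIVATE_KEY", "REMOTE_STATIC_PUBLIC_KEY",
             "LOCAL_EPHEMERAL_PRIVATE_KEY", "PRESHARED_KEY"}
LONG_TERM = {"LOCAL_STATIC_PRIVATE_KEY", "PRESHARED_KEY"}
LINE_RE = re.compile(r"^\s*([A-Z_]+)\s*=\s*(\S+)\s*$")


def lint_keylog(text):
    """Return (entries, findings) without ever returning key material.

    entries:  [(line_no, key_type)] for well-formed lines
    findings: [(line_no, "error" | "warn", message)]
    """
    entries, findings, seen_ephemeral = [], [], False
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # assumption: blank lines are ignored
        m = LINE_RE.match(line)
        if not m or m.group(1) not in KEY_TYPES:
            findings.append((no, "error", "expected '<key type> = <base64 key>'"))
            continue
        ktype, b64 = m.groups()
        try:
            key_len = len(base64.b64decode(b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            key_len = -1
        if key_len != 32:
            findings.append((no, "error", "key is not base64 of 32 bytes"))
            continue
        if ktype == "LOCAL_EPHEMERAL_PRIVATE_KEY":
            seen_ephemeral = True
        elif ktype == "PRESHARED_KEY" and not seen_ephemeral:
            findings.append((no, "error", "no earlier LOCAL_EPHEMERAL_PRIVATE_KEY"))
        if ktype in LONG_TERM:
            findings.append((no, "warn", ktype + " is a long-term secret"))
        entries.append((no, ktype))
    return entries, findings


def sample_key(n):
    """Constructed 32-byte key (one repeated byte), base64-encoded."""
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed key log: four valid lines, a short key, an unknown key type.
SAMPLE = "\n".join([
    "LOCAL_STATIC_PRIVATE_KEY = " + sample_key(1),
    "REMOTE_STATIC_PUBLIC_KEY=" + sample_key(2),
    "  LOCAL_EPHEMERAL_PRIVATE_KEY = " + sample_key(3),
    "PRESHARED_KEY = " + sample_key(4),
    "PRESHARED_KEY = dG9vIHNob3J0",
    "SESSION_KEY = " + sample_key(5),
])
```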

Live capture with decryption support

Wireshark can decrypt WireGuard traffic when appropriate keys are configured.

On Linux, one can use kprobes to tap into the WireGuard kernel module and extract keys for new sessions from memory.

Assuming that your WireGuard traffic goes over the wlan0 interface using port 51820:

sudo /path/to/extract-handshakes.sh > wg.keys &
tshark -i wlan0 -o wg.keylog_file:wg.keys -f 'udp port 51820'

Note that the extract-handshakes.sh script requires a special offsets file which is specific to a kernel configuration.

Step-by-step instructions for these are not yet available for the version merged in Linux v5.6. What you basically have to do is to build offset-finder.c with the headers from drivers/net/wireguard/ and kernel headers and config matching your current kernel.

External links

Imported from https://wiki.wireshark.org/WireGuard on 2020-08-11 23:27:32 UTC

I've been immersed in the realm of networking and security for quite some time, especially in VPN technologies. I've closely followed the development and integration of WireGuard into various operating systems, witnessing its evolution from its inception by Jason A. Donenfeld in 2015 to its acceptance into the Linux kernel v5.6 in January 2020.

WireGuard, a VPN protocol known for its simplicity and efficiency, primarily utilizes UDP as its transport protocol. Unlike traditional VPNs, WireGuard doesn't have a standard port, making its detection reliant on heuristics rather than a predetermined port number. This characteristic often poses a challenge when trying to identify WireGuard traffic using conventional means.

The integration of WireGuard into Wireshark, starting from version 3.0 (with Bug 15011), has been a significant milestone. This update allowed for WireGuard dissection and decryption support within Wireshark. Additionally, Wireshark 3.2 introduced the capability to embed decryption secrets in a pcapng file, enhancing the ease of decryption.

For those diving into capturing WireGuard traffic, there are specific preference settings within Wireshark to consider. These settings include options to manage WireGuard static keys for peer identification and decryption, toggling the IP dissector to dissect decrypted transport data, and specifying the key log file's path.

WireGuard's display filters within Wireshark, designated under the protocol name 'wg,' offer a comprehensive list of filter fields. These filters enable users to precisely target WireGuard traffic for analysis, enhancing the efficiency of packet examination.

Moreover, the article provides insight into capture filters, key log formats necessary for decryption, and guidance for live capture with decryption support using Wireshark. This includes steps for configuration and usage, particularly for tapping into the WireGuard kernel module on Linux systems and extracting keys from memory.

The external links provided offer access to the official WireGuard website, serving as a valuable resource for additional information and updates regarding the protocol.

This amalgamation of information from the WireGuard integration into Wireshark, coupled with the protocol's characteristics and its practical application in live capture scenarios, forms a comprehensive guide for enthusiasts and professionals navigating WireGuard's implementation and analysis.

FAQs

Is there anything better than WireGuard?

There are no known security flaws in either protocol. If security is your topmost priority, the conservative option is OpenVPN. It has simply been around much longer than WireGuard, gone through more third-party security audits, and has a far longer track record than WireGuard.

Can WireGuard be trusted?

Is WireGuard secure? WireGuard is considered by many to be one of the safest, most secure VPN protocol options available today. Simplified design using less code equals fewer bugs and security vulnerabilities, while WireGuard's faster state-of-the-art cryptography employs superior default security settings.

Does WireGuard mask your IP?

The main drawback of the WireGuard protocol is that it was not built for anonymity and privacy. Its privacy is primarily questioned because it requires users to log their data. Instead of assigning a different IP address to the user, it gives the same IP address each time.

Is WireGuard vulnerable?

One of the key advantages of WireGuard is its minimal attack surface. The protocol's codebase is remarkably small, consisting of only a few thousand lines of code. This lean design reduces the potential for vulnerabilities and makes it easier to audit and maintain the codebase.

Is Tailscale better than WireGuard?

Performance. Using WireGuard directly offers better performance than using Tailscale. Tailscale does more than WireGuard, so that will always be true. We aim to minimize that gap, and Tailscale generally offers good bandwidth and excellent latency, particularly compared to non-WireGuard VPNs.

Is IKEv2 faster than WireGuard?

Based on these findings, if you're looking for the fastest secure tunneling protocol, you should go with NordLynx (or WireGuard). The second fastest will be IKEv2, which can confidently hold its own even when connecting to the other side of the world.

Can WireGuard VPN be tracked?

WireGuard does not provide obfuscation, meaning that internet service providers (ISPs) can see when you are using it — although, of course, they can't see what you're using it for.

Can WireGuard VPN be detected?

Yes, WireGuard can be detected. It doesn't do VPN obfuscation, mostly because of the insistence on UDP transmission mode.

Who is behind WireGuard?

Jason A. Donenfeld

Can police track IP VPN?

The good news is that there is almost no way to track live, encrypted VPN traffic. Law enforcement can only obtain data, if available, about websites visited and so on. Otherwise, hackers and snooping government agencies are generally blocked by the fact that the data is encrypted.

Is WireGuard not secure?

WireGuard has forward secrecy of data packets, thanks to its handshake, but the handshake itself encrypts the sender's public key using the static public key of the responder, which means that a compromise of the responder's private key and a traffic log of previous handshakes would enable an attacker to figure out who ...

How often does WireGuard handshake?

Internally WireGuard stores the time of the latest handshake so that it knows what to do when exchanging data with a peer: When fewer than 120 seconds have elapsed, just send data as the session is still active. 120 to 179 seconds have elapsed, send data and interleave a handshake to renew the session.

Is WireGuard a stealth?

Deep packet inspection techniques, though, can easily spot the difference between HTTPS and VPN packets. Stealth is our custom WireGuard-based VPN protocol that uses several technologies to make it much harder to detect and block, including running over an obfuscated TLS tunnel over TCP.

Does WireGuard tunnel all traffic?

0.0/0 means all traffic gets routed through your WireGuard VPN. But you could also only send specific IPs through the VPN. For example, with: 192.168.1.100/32, 192.168.

Is WireGuard as secure as OpenVPN?

The biggest notable differences between WireGuard and OpenVPN are speed and security. While WireGuard is generally faster, OpenVPN provides heavier security. The differences between these two protocols are also what make up their defining features.

What is the alternative to WireGuard?

The best overall WireGuard alternative is SoftEther VPN. Other similar apps like WireGuard are Twingate, Netgate pfSense, Absolute Secure Access, and OpenVPN Access Server. WireGuard alternatives can be found in Business VPN Software but may also be in Zero Trust Networking Software or Firewall Software.

Which protocol is better OpenVPN or WireGuard?

The biggest notable differences between WireGuard and OpenVPN are speed and security. While WireGuard is generally faster, OpenVPN provides heavier security. The differences between these two protocols are also what make up their defining features.

Which protocol is better WireGuard or IPSec?

Compared to IPsec, the WireGuard connection has a 20% lower latency and a 15% higher throughput. When it comes to performance, WireGuard usually performs better than IPSec and even quicker than other VPN protocols like OpenVPN.

Is SSH tunnel better than WireGuard tunnel?

For those of you who don't want to read it all: Raw WAN connections are slower than connections on the LAN by only about 13%. Tunneling through ssh and wireguard is slower by about another 30-40%, and wireguard beats ssh head to head by about 35% in both transmit and receive.

Article information

Author: Greg Kuvalis
