COVID-19 Meeting Notes!


Aaron Johnson

Apr 14, 2020, 9:59:52 PM
to QCLUG

This was our first fully remote meeting!


We were sure to use the most secure video conference solution on the market (hint it starts with z and ends with oom)


Topic: Wireguard primer from Chris Cooper

- Linux kernel module

- avoids copying data between kernel space and userspace

- lightweight crypto (even fast on mobile!)

- ChaCha20, Google-designed crypto algorithm

- minimal overhead

- UDP only

- key exchange on time not data


Wireguard is faster in terms of bandwidth and latency than traditional alternatives such as

- IPSec

- OpenVPN


Wireguard security

- only 4000 lines of code currently

- open source and auditable

- modern crypto, Curve25519, ChaCha20 (similar to AES), Poly1305


Single suite of crypto rather than maintaining multiple levels of crypto algorithms (e.g. TLSv1, TLSv1.1, TLSv1.2)

This means that keeping with latest will be crucial to maintain functionality since backwards compat is not avail.


Simplicity

- Interface based, shows up like another network adapter

- Roaming made easy and automatic (eg switching between active Internet connections)

- Native split-tunnel (eg only transfer what you need)


Simple configurations as well, interface (client/self side), and peer (server/remote side)

Uses elliptic curve based hash key which gives you shorter key lengths...?


Compatibility, many of these include userspace clients but the goal is to get things in kernelspace cross platform

- Linux Kernel 5.6+ (mainline in trunk)

- Packages available for earlier kernels

- FreeBSD/OpenBSD

- Android and iOS

- macOS

- Windows


Config management

- one keypair per interface

- static IP allocation

- helper scripts available

- no usernames

- no passwords

- supports split client (routes only tunnel traffic through wireguard)


IP addressing isn't native currently

You can either statically configure your clients or build a dynamic configuration service that would give a unique IP address for each client

There are 3rd parties that are doing something like this already with more advanced features such as tailscale.com


Encrypted container traffic is a feature that is currently being worked on and implemented


Finally we got a live demo which mostly consisted of using a wrapper script (wg_config) that generates a config with an IP address and spits out a QR code that you can scan with the Android app


He showed a simplistic script that shows how to set up wireguard interfaces inside of network namespaces as well as using iptables


The end of the meeting was mostly a bunch of back and forth about things such as filesystems (ext vs xfs vs zfs) and hard drives as well as SSD complaints
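One way to build the per-client config that the demo's wrapper script produced, as an added example written for these notes (not the wg_config script shown at the meeting): it shows the [Interface] (client/self) and [Peer] (server/remote) split, static tunnel IP allocation, and how AllowedIPs selects split tunnel versus full tunnel. The keys, the 10.7.0.0/24 subnet and the endpoint vpn.example.net are constructed placeholders.

```shell
#!/bin/sh
# Added example for these notes, not the wg_config wrapper shown at the meeting.
# Builds a WireGuard client config with a statically allocated tunnel address.
# All keys, the 10.7.0.0/24 subnet and vpn.example.net are constructed placeholders.

# Static allocation: client N gets 10.7.0.N/32; .1 is reserved for the server.
client_address() {
  n=$1
  if [ "$n" -lt 2 ] || [ "$n" -gt 254 ]; then
    echo "client index $n out of range (2-254)" >&2
    return 1
  fi
  echo "10.7.0.$n/32"
}

# Emit a client config: [Interface] is the client itself, [Peer] is the server.
# Args: client private key, client address, server public key, endpoint, AllowedIPs.
wg_client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' "$3" "$4" "$5"
  # Keepalive keeps the NAT mapping open so the server can reach a roaming client.
  printf 'PersistentKeepalive = 25\n'
}

# AllowedIPs doubles as the routing policy: split tunnel sends only the tunnel
# subnet through WireGuard, full tunnel routes everything through it.
SPLIT_TUNNEL="10.7.0.0/24"
FULL_TUNNEL="0.0.0.0/0, ::/0"

if [ "${1:-}" = "demo" ]; then
  # Real keys would come from: wg genkey | tee client.key | wg pubkey
  CLIENT_PRIV="CLIENT_PRIVATE_KEY_PLACEHOLDER"
  SERVER_PUB="SERVER_PUBLIC_KEY_PLACEHOLDER"
  conf=$(wg_client_conf "$CLIENT_PRIV" "$(client_address 2)" "$SERVER_PUB" \
                        "vpn.example.net:51820" "$SPLIT_TUNNEL")
  printf '%s\n' "$conf"
  # For the Android app, the demo turned the config into a QR code:
  #   printf '%s\n' "$conf" | qrencode -t ansiutf8
fi
```

Run with `sh script.sh demo` to print a split-tunnel client config; swap `$SPLIT_TUNNEL` for `$FULL_TUNNEL` to route all traffic through the tunnel.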
