WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Installation

To install WireGuard for your client platform, please go to the following page:

view WireGuard Installation

Configuration Request

After the client is installed, the next step is to request a client configuration QR code image. Please submit the following form and the QR code will be generated and sent to your email address. You must agree to the VPN policy below.

VPN Policy

  1. PURPOSE
    The purpose of this policy is to define the rules for Remote Access Virtual Private Network (VPN) connections to the ARES of Delaware County organizational network.

  2. SCOPE
    This policy applies to all ARES of Delaware County organization volunteers, employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the ARES of Delaware County organization network. This policy applies to implementations of VPN that are directed through a VPN Gateway.

  3. POLICY
    Approved ARES of Delaware County organization volunteers, employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.

    1. It is the responsibility of authorized personnel with VPN privileges to ensure that unauthorized users are not allowed access to ARES of Delaware County organization internal networks.
    2. VPN use is to be controlled using a public/private key system with a strong pass phrase. These keys will be generated and contained in a QR code to be scanned into your WireGuard VPN Client software.
    3. VPN gateways will be set up and managed by ARES of Delaware County organization network operational groups or other authorized parties.
    4. All computers connected to ARES of Delaware County organization internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is considered standard; this includes personal computers. 
    5. Users of computers that are not ARES of Delaware County organization owned equipment must configure the equipment to comply with ARES of Delaware County organization's VPN and Network policies.
    6. Only WireGuard VPN clients may be used.
    7. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of ARES of Delaware County organization's network, and as such are subject to the same rules and regulations that apply to ARES of Delaware County organization owned equipment, i.e., their machines must be configured to comply with ARES of Delaware County organization’s security policies. 

  4. ENFORCEMENT

    1. All staff are required to comply with this security policy and its appendices. Disciplinary actions including termination may be taken against any ARES of Delaware County organization staff who fail to comply with the ARES of Delaware County organization’s security policies or circumvent/violate any security systems and/or protection mechanisms.
    2. Staff having knowledge of personal misuse or malpractice of IT Systems must report it immediately to management and IT Security.
    3. ARES of Delaware County organization's staff must ensure that ARES of Delaware County organization's contractors and other parties authorized by the ARES of Delaware County organization using its internal computer systems comply with this policy.
    4. Where the role of the service provider is outsourced to a vendor, the outsourced vendor should ensure compliance with this policy.

VPN Access Request Form

I agree with the terms of the VPN policy listed above.

Features

Simple & Easy-to-use

WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.

Cryptographically Sound

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.

Minimal Attack Surface

WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities. Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals.

High Performance

A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.

Well Defined & Thoroughly Considered

WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical whitepaper, an academic research paper which clearly defines the protocol and the intense considerations that went into each decision.

Conceptual Overview

If you'd like a general conceptual overview of what WireGuard is about, read onward here. You then may progress to installation and reading the quickstart instructions on how to use it.

If you're interested in the inner workings, you can start with the brief summary of the protocol, or go more in depth by reading the technical whitepaper, which goes into more detail on the protocol, cryptography, and fundamentals. If you intend to implement WireGuard for a new platform, please read the cross-platform notes.

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN. Instead, WireGuard mimics the model of SSH and Mosh: both parties have each other's public keys, and then they're simply able to begin exchanging packets through the interface.
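
The key model described above (one private key on the interface, only public keys for peers) can be checked mechanically before a client configuration is imported. The following Python sketch is an added example, not code from the WireGuard project or from this site; it assumes the INI-style layout used by `wg-quick`, and the name `lint_wg_config`, the sample addresses and the sample keys are made up for illustration.

```python
import base64, binascii, ipaddress

def is_key(value):
    """True if value is base64 for exactly 32 bytes, the size of a WireGuard key."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def lint_wg_config(text):
    """Return a list of findings for a wg-quick style config (empty list = OK)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    ifaces = [s for name, s in sections if name == "interface"]
    peers = [s for name, s in sections if name == "peer"]
    findings = []
    if len(ifaces) != 1 or not is_key(ifaces[0].get("privatekey", "")):
        findings.append("need exactly one [Interface] with a valid PrivateKey")
    if not peers:
        findings.append("no [Peer] section")
    for i, s in enumerate(peers, 1):
        if "privatekey" in s:
            findings.append(f"peer {i}: PrivateKey does not belong in [Peer]")
        if not is_key(s.get("publickey", "")):
            findings.append(f"peer {i}: PublicKey missing or malformed")
        for net in s.get("allowedips", "").split(","):
            try:
                ipaddress.ip_network(net.strip(), strict=False)
            except ValueError:
                findings.append(f"peer {i}: bad AllowedIPs entry {net.strip()!r}")
    return findings

# Constructed sample: fixed byte patterns stand in for keys (not real key material).
PRIV = base64.b64encode(bytes(range(32))).decode()
PUB = base64.b64encode(bytes(range(32, 64))).decode()
GOOD = f"""[Interface]
PrivateKey = {PRIV}
Address = 10.0.0.2/32
[Peer]
PublicKey = {PUB}
Endpoint = vpn.example.org:51820
AllowedIPs = 10.0.0.0/24, fd00::/64
"""
print(lint_wg_config(GOOD))
```

An empty list means the structure is sound; it does not prove that the peer's public key is the one the gateway operator actually issued, which still has to be confirmed out of band.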