Bug 52232 - Add support for Wireguard VPN
Status: NEW
Product: UCS
Classification: Unclassified
Component: Network
Version: UCS 5.0
Hardware/OS: All
Importance: P5 enhancement with 6 votes
Assigned To: UCS maintainers
URL: https://www.wireguard.com/
Reported: 2020-10-17 12:40 CEST by univention
Modified: 2023-02-02 16:07 CET
CC: 4 users
What kind of report is it?: Feature Request
Attachments
Wireguard Technical Whitepaper (537.28 KB, application/pdf), 2020-10-17 12:40 CEST, univention

Description univention 2020-10-17 12:40:06 CEST
Created attachment 10527 [details]
Wireguard Technical Whitepaper

Wireguard (https://www.wireguard.com/) is a state-of-the-art Virtual Private Network implementation. It is included as a kernel module starting with Linux kernel 5.6. Prior kernel versions can use DKMS.

1. Updated encryption
   - ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539’s AEAD construction
   - Curve25519 for ECDH
   - BLAKE2s for hashing and keyed hashing, described in RFC7693
   - SipHash24 for hashtable keys
   - HKDF for key derivation, as described in RFC5869

2. Simple and minimal code base
   - WireGuard 3,800 lines
   - OpenVPN and OpenSSL 600,000 lines
   - IPSec + XFRM + StrongSwan 400,000 lines
   - Wireguard is easier to audit
   - Smaller attack surface in comparison to OpenVPN and IPSec
   - Better performance

3. Performance improvements
   - Layer-3-only VPN
   - Much less header overhead compared with existing VPN Solutions
   - Mesh, point-2-point and/or star infrastructure possible
   - No client/server infrastructure limitation
   - Integrated roaming support for switching public IP addresses
     (NAT, WLAN, cellular networks, etc.)
   - IPv6-in-IPv4 tunneling and vice-versa

4. Cross-platform ease of use
   Authentication: Public key bound to internal VPN-IP-address
   Authorization:  internal VPN-IP-address-based firewall rules
   Linux:   Kernel module
              Integrated since upstream kernel version 5.6
              DKMS packages for kernel versions < 5.6
            Configuration with "ip" command
            Systemd init-scripts available
            Container namespace-support
   UCS:     Subspace configuration web-frontend can be integrated into
            UCS-Self-Service with SAML-SSO
            (see https://github.com/subspacecloud/subspace)
   MacOS:   App
   Android: App
              Multiple Wireguard-VPN connections possible per device
              (IPSec/OpenVPN/L2TP, etc. are limited to 1 connection per device)
   iOS:     App
   Windows: App
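The authentication and authorization model listed under point 4 (a public key bound to an internal VPN address, with address-based rules on top) is WireGuard's cryptokey routing: each peer's public key carries a set of AllowedIPs prefixes that is consulted both when accepting decrypted packets and when choosing the peer to encrypt for. The following Python model is an added illustration written for this page, not WireGuard's, UCS's or netbird's code; the peer keys (PEER_A_PUBKEY and so on) and all addresses are constructed sample values.

```python
"""Toy model of WireGuard's cryptokey routing table.

Added illustration for this bug page, not WireGuard's or UCS's code.
Every peer is identified by its Curve25519 public key and bound to a
set of AllowedIPs prefixes. The binding is used in both directions:
  - inbound: a packet that authenticated (Poly1305 tag valid) under a
    peer's key is accepted only if its inner source address lies in
    that peer's AllowedIPs, so one peer cannot impersonate another
    peer's VPN address;
  - outbound: the destination is matched against all peers' AllowedIPs
    by longest prefix, and the packet is encrypted to the winning key.
Public keys and addresses below are constructed sample values.
"""
import ipaddress


class Peer:
    def __init__(self, public_key, allowed_ips):
        self.public_key = public_key
        self.allowed_ips = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]


class CryptokeyRoutingTable:
    def __init__(self):
        self._peers = {}

    def add_peer(self, public_key, allowed_ips):
        """Bind public_key to the given prefixes.

        A prefix can belong to only one peer at a time; binding it to a
        new key removes it from whichever peer held it before, which is
        how WireGuard itself treats AllowedIPs.
        """
        peer = Peer(public_key, allowed_ips)
        for other in self._peers.values():
            other.allowed_ips = [n for n in other.allowed_ips if n not in peer.allowed_ips]
        self._peers[public_key] = peer

    def accept_inbound(self, sender_public_key, inner_src):
        """Decide whether a decrypted packet from sender_public_key may be
        delivered. Returns False for unknown keys and for inner source
        addresses not bound to that key (WireGuard drops such packets)."""
        peer = self._peers.get(sender_public_key)
        if peer is None:
            return False
        src = ipaddress.ip_address(inner_src)
        return any(src in net for net in peer.allowed_ips)

    def route_outbound(self, dst):
        """Return the public key a packet to dst is encrypted for, chosen by
        longest-prefix match, or None if no peer claims the address."""
        d = ipaddress.ip_address(dst)
        best_key, best_len = None, -1
        for peer in self._peers.values():
            for net in peer.allowed_ips:
                # `d in net` is False when address families differ, so
                # IPv4 and IPv6 prefixes can coexist in one table.
                if d in net and net.prefixlen > best_len:
                    best_key, best_len = peer.public_key, net.prefixlen
        return best_key


def build_sample_table():
    """Constructed example: a single client, a site gateway and an exit
    node behind one WireGuard interface."""
    table = CryptokeyRoutingTable()
    table.add_peer("PEER_A_PUBKEY", ["10.8.0.2/32"])                     # one road-warrior client
    table.add_peer("PEER_B_PUBKEY", ["10.8.0.3/32", "192.168.50.0/24"])  # gateway to a LAN behind it
    table.add_peer("PEER_C_PUBKEY", ["0.0.0.0/0", "::/0"])               # default route / exit node
    return table


if __name__ == "__main__":
    t = build_sample_table()
    print(t.accept_inbound("PEER_A_PUBKEY", "10.8.0.2"))  # True
    print(t.accept_inbound("PEER_A_PUBKEY", "10.8.0.3"))  # False: A cannot claim B's address
    print(t.route_outbound("192.168.50.7"))              # PEER_B_PUBKEY (/24 beats /0)
    print(t.route_outbound("2001:db8::1"))               # PEER_C_PUBKEY
```

The point the model makes for a deployment on UCS is that the AllowedIPs line of each peer is the authorization boundary: a peer given only its own /32 can neither send as nor receive for any other address, while a gateway peer must be handed exactly the LAN prefix it is trusted to forward, and a default-route peer captures everything no more specific prefix claims.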
Comment 1 univention 2023-02-02 14:06:50 CET
netbird.io makes it easy to configure a mesh VPN based on Wireguard with an integrated distributed firewall.
It is an open-source clone of Tailscale.
See https://netbird.io/