About the project
The main goal of this project is to simplify deploying a WireGuard VPN server using self-hosted solutions. Those can be an on-premise server with a publicly routable address, or a third-party vendor hosted solution (AWS, DigitalOcean, Vultr, etc). Oftentimes spinning up a virtual private server instance and deploying a VPN tunnel are non-trivial tasks requiring a significant amount of time, effort, and concentration. WireGuard-Ligase is designed to change this.
If you are not familiar with WireGuard yet, here are some starting points to get yourself familiar with it:
- Official Website
- Whitepaper by the project's author Jason A. Donenfeld
- A formal research paper presenting the first mechanised cryptographic proof of the protocol underlying WireGuard
To sum up the above in a few words - WireGuard is a layer 3 network tunnel. It uses Curve25519 points as pre-shared static keys to achieve mutual authentication, drawing its inspiration from OpenSSH. The most attractive features of the protocol are:
- Simplicity
- Security
- Speed
Secure and speedy transport is accomplished by encapsulating packets sent over UDP using ChaCha20-Poly1305 authenticated encryption. To compare with OpenVPN - using Amazon EC2 to host an OpenVPN server, my clients were achieving a maximum of ~80 Mbps of down/uplink. A similar EC2 setup hosting a WireGuard server allows > 200 Mbps of down/uplink for clients. The performance increase is self-explanatory.
Since the protocol is fairly new and in active development - its purpose is not yet to replace other tunnelling solutions in an enterprise high-risk / high-stakes environment. IPsec remains the de facto gold standard for the enterprise. However, the simplicity of the setup combined with high default security / performance makes WireGuard an attractive solution for personal VPN servers.
The entire project consists of bash scripts designed to speed up and simplify the tedious manual tasks involved in bringing up a tunnel. Originally, Ansible was considered as an alternative to bash; however, it was decided to implement the scripts in bash only. The reasons for choosing bash are:
- Bash is the default shell in most Linux distributions. Unlike Ansible - which needs to be installed - bash is available out of the box.
- A lot of people are somewhat familiar with bash. The author hopes this will make it easier for more people to mod the scripts for their own needs.
- Finally - in a selfish way - this is a good platform for the author / anyone else to learn bash scripting while contributing to the community.