
For Everything Else, There's WireGuard!

BSides SLC · 2021 · 23:29 · 45 views · Published 2021-12
Style: Talk

Transcript [en]

All right, I'm going to go ahead and get started. So this is actually maybe a good talk to follow Colin's. In the last talk Colin was talking about privacy, and you mentioned VPNs; they fit really well under the privacy enthusiast model, so we'll talk a little bit about VPNs. Awesome. So I'm Kevin. I work at ServiceNow on the red team, and was at Adobe on the red team for five years, and I was in the intelligence community before that. Now I live in Utah and work remotely, and I like to be outside with the kids, so hooray for that. Who knows what a VPN is, like knows the denotation, knows what VPN means?

Yeah, I'll get to that in a minute, but yeah, VPNs are virtual private networks. Who uses a VPN for, like, tunneling their traffic through their ISP? Or who uses it so they can watch Netflix in another geo? Or who uses it for work, so that they can actually connect to a private network? So that's how VPNs got started. That was the original intention: you have this private network and you're physically separate from it, and so a VPN allows you to connect to a private network over a public network. So the typical use case is to connect one of your devices to a private network, and that's the case if you have your laptop and you're working at home and you need to be on the LAN at work; that's how you're going to use the VPN. Another use case is to connect two private networks together, so you sort of have two gateways that tunnel traffic between two geographically separated networks to make it look like they're on the same private LAN. So that's kind of a typical use case for a VPN.

As we talked about, they're becoming super popular for just tunneling traffic, and so for whatever reason, privacy, security, anonymity, you can fire up a VPN on your laptop, tunnel all your traffic through it, and then things are great. It also gives you a source IP somewhere else; you can watch a British comedy. This talk is sponsored by all of these VPNs. So that's what I was getting to: if you guys spend any time on YouTube or pay any attention to your favorite influencer, VPN providers get a lot of their user base from affiliate-driven marketing, so you see a lot of that. And there are countless options these days; there are VPN companies everywhere.

So this talk is kind of about VPNs, but more specifically about WireGuard. WireGuard is a specific implementation of VPN technology, and I'll talk a little bit more about the technical details. By the way, like half of this is going to be demos, so I'm going to kind of roll the dice here, so be patient with me, but I'm going to get through slides and we'll do some demos.

So WireGuard is an implementation of VPN technology. At this point, as of I think last year, it's integrated into the Linux kernel. It actually creates a network interface and does all the things magically behind the scenes there for you, so that's great, and there's a speed advantage over userland VPNs because you're not constantly copying data between the kernel and user space. Although there are userland implementations of WireGuard, and, you know, obviously Windows isn't running the Linux kernel, so there are implementations you can use on Windows and Darwin and your mobile phones and everything. So that's great. And the other thing that's cool about WireGuard is it has a really small code base; I'll talk a little bit more about that later. Oh, and one other thing: all those VPNs I put up there earlier use WireGuard. That's the technology behind all those brands.

So, some technology specifics. Those little bubbles on the right show kind of like the magnitude of the code base of other VPN options. So IPsec, specifically strongSwan, is about 420,000 lines of code, which is insane. Like, if any of you have ever done code audits or application pen testing, you would not want to land on that gig, right? So it's really hard to audit that; there's all kinds of risk there, right? And then OpenVPN, 120,000 lines of code, and that's just OpenVPN, but the crypto libraries OpenVPN uses are another 400-ish thousand lines of code, and as a lot of you know, it's also getting pretty aged and there's a lot of tech debt in there. So these, some buzzwords, cross that one off. So yeah, those are massive projects, right? And then that little dot in the bottom is WireGuard. It's like a measly four thousand lines of code, really easy to audit, and just clean and fresh, lemony fresh.

So another nice thing about WireGuard is it's cryptographically opinionated. A lot of these other technologies let you use whatever algorithms, and they negotiate, you know, a public key algorithm, and then they negotiate a symmetric key and hashing algorithm, and they have all these things built in; it's just this massive surface area. And so what WireGuard has done is they've said we're going to use these industry standards, these industry favorites: ChaCha20-Poly1305 for, like, the authenticated cipher; we use Curve25519 for any asymmetric stuff we need; and BLAKE2 for hashing and keyed hashing; and then HKDF for key derivation. So we're using these things, and if you don't like these, then you're not going to like us. And that's a really, really good way to keep the complexity low on the technology, so that's really cool.

They have this notion of cryptokey routing. So what you do when you set up your configuration, and you'll see this in the demo, is you take an IP address and you have a public key associated with that, and anything that goes to that IP address gets encrypted with that public key, and then anything that comes decryptable... anything that comes signed with that public key should have come from an IP address associated with it. So anyway, it uses this notion of pairing cryptographic primitives and tunnel IP addresses to sort of authenticate users as well as authenticate the data, which is cool. And then I didn't mention this earlier, but it's implemented as a network interface, so it's kind of cool.

And we're ready for our first demo, just like that. All right, so this is going to go really smooth, I can already tell. All right, so can you guys see this okay? This terminal, is that big enough? Yeah? Okay, thank you, vocal person in the middle of the room. One more bigger? Why not. Is that good? All right. I could never tell when someone's being a heckler or when they're just trying to be helpful, you know. All right, and then does that look good? I'm just kidding.

Okay, so what I'm going to do is, here I'm connected to this server in AWS. I'm going to set up WireGuard there as a WireGuard server; you can just see that process. I'm going to copy and paste, because I seem brave but I'm not. So first I'm going to be root for everything, American people are angry about that, and that's great. Let me use tmux, and then I'm going to install WireGuard. Have to install WireGuard. Hooray, Ubuntu. Now I have WireGuard, that's cool.

Okay, now some interesting things. Let's start configuring it. So what I've done is I've created this file. So there are two sections in this file: there's an interface section and a peer section, you see that? So the interface: this is my private key. You guys can have it; I'm just going to destroy all this very fast as soon as I'm done. So this is the private key associated with my WireGuard server. That has a public key, and we'll see that in a minute; the public key goes on the peer, so the peer can encrypt traffic to the server. I also tell it to listen on this port; that's the standard WireGuard port, so if you're a network person and you like looking at pcaps, use your photographic memory. And then I'm going to set up a peer. So this is going to be my laptop. Once I configure my laptop, I'll be 10.10.10.2, and the public key associated with my laptop is going to be this. So this is just 32 bytes, a 32-byte integer on that 25519 curve. So that's all that is; super simple, like a small key to move around, which is cool.

Okay, so we have a configuration file. Now we're going to do some system configuration. So I'm just going to tell the kernel, hey, anything that comes to you that's not for you, just go ahead and route that through. And then this NAT rule is just going to NAT traffic; in other words, it's going to act as a routing, NATting router. Okay, and now I'm going to add that WireGuard interface that we talked about, using iproute2, and add the 10.10.10.1 IP address to it. So remember, the client will be 10.10.10.2 and the server will be 10.10.10.1. And now I'm going to associate that config file with the interface and set the interface up. So if we do, like, ip link, ip link, here's that interface. Cool. And you can also use the WireGuard utility, wg show, and it'll say, yep, this interface is associated with this public key (I'm not going to show you that, even though I already did), and that's the port it's listening on, it's UDP, and then sure enough, the peer 10.10.10.2 with this public key is going to be my laptop. We'll configure that next.

I don't know if you guys picked up on this little Easter egg, but you can actually make these vanity public keys. So all you have to do is solve the discrete logarithm problem and then you can make any key you want. I'm just kidding. You just generate private keys and then generate the public key from that, and you just forward-generate those a million times until you get the keys you want. So yeah, if you solve the discrete logarithm problem, come find me; we'll do a talk.

Okay, then we're going to go to our client. I downloaded the WireGuard client on my laptop already, so it's just called WireGuard, and unfortunately I can't make this bigger, so if it's hard to see I apologize. But you do "add empty tunnel", and you say "bsides", and paste the configuration in. So this is the private key on my laptop, and that corresponds with the public key in the peer section on my server, if that makes sense. And then I set my address to 10.10.10.2, and you can set a DNS server, and then my peer is going to be the server in this case. So if I go back to that terminal, wg show: KL tdup matches the public key that's in my peer section. And then I'm going to say allowed IPs. So what the allowed IPs section tells you is, if traffic comes to this interface with this IP address, send it to that peer, if that makes sense. And so what this 0.0.0.0/0 tells you is that any traffic at all will go through the VPN tunnel. Great. And then endpoint is that server in AWS. I'm going to go ahead and save that, and I'm going to allow it to access my VPN configurations, and activate. And the first good sign is that that turned green, so I'm already a happy, happy man. And then if I go ahead and, on my laptop, ping 10.10.10.1, that should be the server. Sure enough, 60 milliseconds is pretty good. And check my public IP address, and that's not so good. So I'm not sure why that's not working. Hey, demo's over. All right. Yeah, that's not good. Did I turn off... yeah, I turned off Proton.

Trust me, it's easy.

I'm not sure, but I'm going to move on. So hopefully we fix it before the next one, because it builds on that. Oh wait, can't reach Google, because WireGuard. Okay, cool.

So, "this is interesting technology, Kevin." Thank you, I agree. But how interesting exactly is it? Well, there's this thing in Linux called network namespaces, and it's separation in the kernel of different network objects; that's the idea. And so when you create a socket in one namespace, it remains in that namespace even if you move whatever has handles to it around. So that's a really interesting property, because when you initialize your WireGuard interface, it creates your WireGuard interface in a specific namespace, which means it builds that UDP socket that it uses for the tunnel, and so if you move that interface into a new namespace, that tunnel socket stays behind. So that's really interesting. Some of you who deal with this technology probably already know where I'm going with this, but in Docker, one of the ways Docker does isolation is with these kernel namespaces. It does process, mount, IPC and user namespacing, but also network namespacing. And so what you can do is you can create a Docker container, and then you can create a WireGuard interface in the host, like the init namespace, and configure it there and everything, and then move it into the Docker container's namespace, and now that Docker container has a WireGuard interface that can talk to the internet, magically, without having any WireGuard software or anything specifically installed on the Docker container.

So that's my next demo. It's way more complex than that other one, so hopefully it goes okay. What we're going to do: I still have this laptop terminal on the left, and I have this server terminal on the right, and I'm going to create a new tmux session there. Okay, so the first thing I'm going to do is run a new Docker container. I'll explain this Docker command. So what this does is: docker run starts a new container; --rm says delete this container when I'm done, I don't... it can be ephemeral; -it says give me this interactive prompt, this interactive TTY; and then --network none says don't attach me to any networks, so all I want is a loopback interface. And then I just called it "secret", because, you know. And then I'm running it in just vanilla Alpine, so there's nothing special about this container. So if we do ip link, you see all we have is the loopback interface. So that's cool.

So what we're going to do is we're going to go ahead and build a new WireGuard interface and move it into this container. So to do that, I'm going to create a new config file, just like we did previously, and it looks very similar. So you have a private key; this time we don't have a listening port, but that's okay; and then public key, this is the server's public key, and I'm going to send all traffic to it, and that's the server's IP address. So pretty straightforward configuration. Now I'm going to do some setup that's going to make working with namespaces a little easier, so pay no attention to that; just creating some symlinks in the /var/run/netns directory. Okay, so here we go. We're going to create this new interface, wg1, and we're going to put it in the container's namespace. So the container is "secret", as I called it earlier. Okay, and then we're going to just paste all these, we're running short on time. In that namespace, I'm going to add 10.10.10.3 to this container's interface, and then I'm going to set the configuration file that we just created, we associate that, and then I'm going to put the interface up, and then I'm going to make wg1 the default route for that container's namespace.

So try not to freak out, but I'm going to show you something cool. So now if we go back in our container and we do ip addr, there's a magical interface in here, which is that WireGuard interface that we created in the init namespace and moved into the container's namespace. So that's pretty cool. And if we do ip route, all traffic except for 10.10.10 traffic is going to go through wg1; it just so happens that's the subnet associated with that interface, and so that's going to go through the tunnel also. So any traffic to or from this container can only traverse that tunnel. That's the implication. It's pretty cool.

All right, now back on the server. We have a new peer, which is this container, so we go ahead and add that to its configuration file. So now the server looks like this: you have two peers, my laptop and the container, and then its own interface configuration section, and we're just going to sync that configuration. Now do wg show on the server: two peers. This one is from the container, and it hasn't had a handshake yet; it hasn't been contacted by the container. And then I showed you this, but if we look in the namespace of the container, that's the configuration. And now I'm just going to run tcpdump, well, my demo hopefully doesn't fail. So we're in the container now, which is, again, this container is running in Docker on an Ubuntu server in the Amazon cloud; my laptop's here at BSides. So if I ping 10.10.10.2, which is my laptop, I can't reach it, which is fantastic. Oh wait, I disconnected from WireGuard. Okay, still can't. Dang it. All right, so on my laptop I can ping the server. Can I ping the container? I can't. I cannot. Let's see if we can diagnose that. So here's tcpdump, and we see .2 is pinging .3 and .3 is responding to .2, so I have no idea why it's not working, I'm going to be totally honest with you. But I am on the Wi-Fi here.

I think he might have saved me. Well, but it's weird, though, because I can ping the server, right?

Oh, that's interesting. I'm going to go with that. Yeah, it's the network, guys. Demo solid. It's the network, I don't know. All right, thank you, thank you for that brave audience member. Okay. Oh yeah, see, it's blocking my slides. Ah man, network guys, it's the worst.

Okay, so there are also some bonus tricks. I showed you the vanity public keys; my initials were at the beginning of all the public keys that you saw up there, so that's cool, hooray for that. And then another side note is, you know, that's just a 64-byte string... no, 64 bytes, no, I don't think that's right; it's just a string of bytes, right? So you can make that... it doesn't have to be, like, some ASCII; it could be binary data. So what you could do is, you could use that for good: you could make the first four bytes the same as your IPv4 address, which would actually be pretty cool. WireGuard wouldn't enforce that, like, that IP and public key are the same, match in that way, but it would be cool to put software on top of it that does that. The cryptokey routing is also similar to that, but anyway, this is a cool idea. That's it. You guys have questions? Is the network... the network's just...

I do, yeah. I could probably try that. We're out of time, though. [Laughter] Cool. Well, thank you, guys. [Applause]
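Editor's note: the three procedures the talk demonstrates (bringing up wg0 as a routing, NATting server; creating wg1 in the init namespace and moving it into the Docker container's network namespace; and grinding out a vanity public key) are collected below into one script. This is an added example written for this page, not the speaker's own commands or config files, and it was not shown in the talk. It assumes an Ubuntu host with wireguard-tools, iproute2, iptables and Docker installed, an uplink named eth0, and a container already started with `docker run --rm -it --network none --name secret alpine`. The interface names wg0/wg1, the 10.10.10.0/24 tunnel subnet and the container name follow the demo; every key in the examples is a placeholder to be replaced with `wg genkey` / `wg pubkey` output, and 203.0.113.10 is a documentation address standing in for the AWS server.

```shell
#!/bin/sh
# Added example (not the speaker's demo script). Assumes wireguard-tools, iproute2,
# iptables and Docker on an Ubuntu host whose uplink is eth0, and a container named
# "secret" started with --network none. All keys are placeholders.
set -eu

WAN_IF=${WAN_IF:-eth0}
TUNNEL_NET=10.10.10.0/24

# Render a file in the shape `wg setconf` accepts: only PrivateKey/ListenPort in
# [Interface] and PublicKey/AllowedIPs/Endpoint in [Peer]. Addresses and routes are
# applied separately with ip(8), as in the demo (Address/DNS lines belong to wg-quick).
# usage: render_config PRIVKEY LISTENPORT|- PUBKEY ALLOWEDIPS ENDPOINT|- [PUBKEY ALLOWEDIPS ENDPOINT|- ...]
render_config() {
  privkey=$1 port=$2; shift 2
  printf '[Interface]\nPrivateKey = %s\n' "$privkey"
  if [ "$port" != - ]; then printf 'ListenPort = %s\n' "$port"; fi
  while [ $# -ge 3 ]; do
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
    if [ "$3" != - ]; then printf 'Endpoint = %s\n' "$3"; fi
    shift 3
  done
}

# Server side (root on the AWS host): forward and NAT tunnel traffic out of the
# uplink, create wg0 in the init namespace, attach the config, bring it up.
setup_server() {
  sysctl -w net.ipv4.ip_forward=1
  iptables -t nat -A POSTROUTING -s "$TUNNEL_NET" -o "$WAN_IF" -j MASQUERADE
  # Caveat: Docker sets the FORWARD chain policy to DROP on hosts it runs on, so a
  # plain ip_forward=1 plus MASQUERADE is not enough once Docker is installed.
  iptables -A FORWARD -i wg0 -j ACCEPT
  iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ip link add wg0 type wireguard
  ip address add 10.10.10.1/24 dev wg0
  wg setconf wg0 /etc/wireguard/wg0.conf
  ip link set wg0 up
}

# After appending the container's [Peer] block to wg0.conf, apply it without
# tearing down the existing laptop session.
sync_server() { wg syncconf wg0 /etc/wireguard/wg0.conf; }

# The namespace trick: the interface (and therefore its UDP tunnel socket) is created
# in the init namespace, then the interface alone is moved into the container's netns.
# The container gets wg1 as its only route and needs no WireGuard software inside.
attach_to_container() {
  name=${1:-secret}
  pid=$(docker inspect -f '{{.State.Pid}}' "$name")
  mkdir -p /var/run/netns
  ln -sf "/proc/$pid/ns/net" "/var/run/netns/$name"   # so `ip -n "$name"` can find it
  ip link add wg1 type wireguard
  ip link set wg1 netns "$name"
  ip -n "$name" address add 10.10.10.3/24 dev wg1
  ip netns exec "$name" wg setconf wg1 /etc/wireguard/wg1.conf
  ip -n "$name" link set wg1 up
  ip -n "$name" route add default dev wg1
}

# Vanity key: no discrete log needed, just keep generating until the base64 public
# key starts with the wanted prefix (two characters take ~4096 tries on average).
vanity_key() {
  while :; do
    priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey)
    case $pub in "$1"*) printf '%s %s\n' "$priv" "$pub"; return 0 ;; esac
  done
}

case "${1-}" in
  server)    setup_server ;;
  sync)      sync_server ;;
  container) attach_to_container "${2:-secret}" ;;
  vanity)    vanity_key "${2:-KL}" ;;
esac
```

Typical use, as root on the server: write wg0.conf with `render_config "$SERVER_PRIV" 51820 "$LAPTOP_PUB" 10.10.10.2/32 - > /etc/wireguard/wg0.conf`, run `./wg-demo.sh server`, then for the second demo write wg1.conf with `render_config "$CONTAINER_PRIV" - "$SERVER_PUB" 0.0.0.0/0 203.0.113.10:51820`, run `./wg-demo.sh container secret`, append the container's peer block to wg0.conf and run `./wg-demo.sh sync`. Inside the container, `ip addr` and `ip route` then show wg1 and a default route through it, exactly as in the talk. The `AllowedIPs` values are the cryptokey routing table the talk describes: on the server each peer's key is bound to a single /32, so a packet arriving from the container's key with a source other than 10.10.10.3 is dropped, while the client side's 0.0.0.0/0 sends everything to the server.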