WireGuard - Wireshark Wiki (2024)

Table of contents:

  • WireGuard (WG)
    • History
    • Protocol dependencies
    • Wireshark
    • Preference Settings
    • Example capture file
    • Display Filter
    • Capture Filter
    • Key Log Format
    • Live capture with decryption support
    • External links

WireGuard is a VPN protocol.

History

WireGuard was initially started by Jason A. Donenfeld in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Protocol dependencies

  • UDP: WireGuard uses UDP as its transport protocol. There is no standard port and typically WireGuard is detected through heuristics.

Wireshark

WireGuard dissection and decryption support was added in Wireshark 3.0 (Bug 15011).

As of Wireshark 3.2, decryption secrets can be embedded in a pcapng file (Bug 15571).

Preference Settings

Example capture file

The test suite contains two capture samples:

Screenshot (with decryption keys configured): https://twitter.com/Lekensteyn/status/1027938328203669505

Display Filter

A complete list of WireGuard display filter fields can be found in the display filter reference.

The protocol name is wg.

Capture Filter

To filter WireGuard traffic while capturing, you can use:

udp[8:1] >= 1 and udp[8:1] <= 4 and udp[9:1] == 0 and udp[10:2] == 0

This filter works like the WireGuard heuristics. It tests the first byte for a valid message type (1, 2, 3, or 4) and checks that the next three reserved bytes are zero.
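As an added example (not from the Wireshark wiki), the same test written in Python over constructed UDP payloads, extended with the per-type length check that Wireshark's heuristic dissector also applies; the sizes (148, 92 and 64 bytes for the three handshake messages, at least 32 for transport data) come from the WireGuard protocol definition, not from this page.

```python
# WireGuard message types (first payload byte) and the fixed sizes of the
# handshake messages; transport data is a 16-byte header plus a ciphertext
# that carries at least the 16-byte Poly1305 tag.
WG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
            3: "cookie_reply", 4: "transport_data"}
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}
WG_TRANSPORT_MIN_LEN = 32


def bpf_heuristic(payload: bytes) -> bool:
    """The page's capture filter applied to a UDP payload:
    udp[8:1] in 1..4, udp[9:1] == 0, udp[10:2] == 0
    (udp[8] is the first byte after the 8-byte UDP header)."""
    return (len(payload) >= 4 and 1 <= payload[0] <= 4
            and payload[1:4] == b"\x00\x00\x00")


def classify(payload: bytes):
    """Return the WireGuard message name, or None if the payload does not
    look like WireGuard. Besides the 4-byte type/reserved check this also
    verifies the message length, so short packets that happen to start
    with 0x01 0x00 0x00 0x00 are rejected."""
    if not bpf_heuristic(payload):
        return None
    mtype = payload[0]
    if mtype == 4:
        return WG_TYPES[4] if len(payload) >= WG_TRANSPORT_MIN_LEN else None
    return WG_TYPES[mtype] if len(payload) == WG_FIXED_LEN[mtype] else None


# Constructed sample payloads (not real captures): type byte, three reserved
# zero bytes, then filler bytes up to the expected message length.
SAMPLES = {
    "init": b"\x01\x00\x00\x00" + b"\xaa" * 144,
    "resp": b"\x02\x00\x00\x00" + b"\xbb" * 88,
    "cookie": b"\x03\x00\x00\x00" + b"\xcc" * 60,
    "data": b"\x04\x00\x00\x00" + b"\xdd" * 28,
    "dns_like": b"\x12\x34\x01\x00" + b"\x00" * 40,    # reserved bytes not zero
    "short_init": b"\x01\x00\x00\x00" + b"\xaa" * 10,  # passes BPF, wrong length
}


def classify_all(samples=SAMPLES):
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:11s} bpf={bpf_heuristic(SAMPLES[name])!s:5s} -> {result}")
```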

Alternatively if you know the UDP port number, you can filter it like this:

udp port 51820

Key Log Format

Decryption can be enabled by supplying a key log file. This text file must follow the following format:

Every line consists of the key type, an equals sign ('='), and the base64-encoded 32-byte key, with optional spaces before the key type and around the equals sign. The key type is one of LOCAL_STATIC_PRIVATE_KEY, REMOTE_STATIC_PUBLIC_KEY, LOCAL_EPHEMERAL_PRIVATE_KEY, or PRESHARED_KEY. This matches the output of extract-handshakes.sh.

A PRESHARED_KEY line is linked to a session matched by a previous LOCAL_EPHEMERAL_PRIVATE_KEY line.

Warning: LOCAL_STATIC_PRIVATE_KEY and potentially PRESHARED_KEY are long-term secrets; users SHOULD only store non-production keys, or ensure proper protection of the pcapng file.
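An added example (not part of the wiki page or of Wireshark): a small Python parser for the key log format described above, which checks each line's type and key length and attaches a PRESHARED_KEY to the session opened by the preceding LOCAL_EPHEMERAL_PRIVATE_KEY line. The sample key log is constructed from dummy keys and is not real material.

```python
import base64
import re

KEY_TYPES = ("LOCAL_STATIC_PRIVATE_KEY", "REMOTE_STATIC_PUBLIC_KEY",
             "LOCAL_EPHEMERAL_PRIVATE_KEY", "PRESHARED_KEY")
# key type, '=', base64 key; spaces before the type and around '=' are optional
LINE_RE = re.compile(r"^\s*([A-Z_]+)\s*=\s*(\S+)\s*$")


def parse_keylog(text: str):
    """Return (static_keys, sessions). static_keys maps the two static key
    types to 32 raw bytes; sessions is a list of dicts, one per
    LOCAL_EPHEMERAL_PRIVATE_KEY line, each optionally carrying the
    PRESHARED_KEY that followed it. Malformed lines raise ValueError."""
    static, sessions = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) not in KEY_TYPES:
            raise ValueError(f"line {lineno}: not a WireGuard key log line")
        ktype, b64 = m.groups()
        key = base64.b64decode(b64, validate=True)
        if len(key) != 32:
            raise ValueError(f"line {lineno}: {ktype} is {len(key)} bytes, expected 32")
        if ktype == "LOCAL_EPHEMERAL_PRIVATE_KEY":
            sessions.append({ktype: key})          # a new session starts here
        elif ktype == "PRESHARED_KEY":
            if not sessions:
                raise ValueError(f"line {lineno}: PRESHARED_KEY before any ephemeral key")
            sessions[-1][ktype] = key              # linked to the previous session
        else:
            static[ktype] = key
    return static, sessions


def _b64(fill: int) -> str:
    """Constructed dummy 32-byte key (a repeated byte), base64-encoded."""
    return base64.b64encode(bytes([fill]) * 32).decode()


# Constructed sample key log: two sessions, only the first has a PSK.
SAMPLE_KEYLOG = "\n".join([
    f"LOCAL_STATIC_PRIVATE_KEY = {_b64(0x11)}",
    f"REMOTE_STATIC_PUBLIC_KEY={_b64(0x22)}",
    f"  LOCAL_EPHEMERAL_PRIVATE_KEY = {_b64(0x33)}",
    f"PRESHARED_KEY = {_b64(0x44)}",
    f"LOCAL_EPHEMERAL_PRIVATE_KEY={_b64(0x55)}",
])
```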

Live capture with decryption support

Wireshark can decrypt WireGuard traffic when appropriate keys are configured.

On Linux, one can use kprobes to tap into the WireGuard kernel module and extract keys for new sessions from memory.

Assuming that your WireGuard traffic goes over the wlan0 interface using port 51820:

sudo /path/to/extract-handshakes.sh > wg.keys &
tshark -i wlan0 -owg.keylog_file:wg.keys -f 'udp port 51820'

Note that extract-handshakes.sh requires a special offsets file which is specific to a kernel configuration.

Step-by-step instructions for these are not yet available for the version merged in Linux v5.6. What you basically have to do is to build offset-finder.c with the headers from drivers/net/wireguard/ and kernel headers and config matching your current kernel.

External links

Imported from https://wiki.wireshark.org/WireGuard on 2020-08-11 23:27:32 UTC


FAQs

What is WireGuard in Wireshark?

WireGuard is a VPN protocol.

Can WireGuard traffic be detected?

WireGuard has forward secrecy of data packets, thanks to its handshake, but the handshake itself encrypts the sender's public key using the static public key of the responder, which means that a compromise of the responder's private key and a traffic log of previous handshakes would enable an attacker to figure out who ...

Is WireGuard TCP or UDP?

WireGuard uses only UDP, due to the potential disadvantages of TCP-over-TCP. Tunneling TCP over a TCP-based connection is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown").

Can WireGuard be trusted?

WireGuard is considered by many to be one of the safest, most secure VPN protocol options available today. Simplified design using less code equals fewer bugs and security vulnerabilities, while WireGuard's faster state-of-the-art cryptography employs superior default security settings.

Does WireGuard hide IP?

As explained above WireGuard is a highly secure protocol, but it is not designed with privacy in mind. WireGuard's most serious privacy flaw is the way it assigns IP addresses. Instead of assigning a different IP address to the user, it gives the same IP address each time.

What is the point of WireGuard?

WireGuard is a new-generation VPN protocol that radically streamlines secure communication for its end users and network administrators.

Can ISP detect WireGuard?

Your ISP can see, or at least guess, that you are using a VPN based on the port number. Different VPN protocols like OpenVPN (UDP or TCP), IKEv2, or WireGuard® use specific port numbers.

Can police track VPN traffic?

Whether police can track VPN traffic is a common concern among users seeking online privacy. The truth is: the police can't monitor encrypted VPN traffic. However, they can ask your Internet Service Provider (ISP) to provide connection or usage logs through a court order, which can lead them to your VPN provider.

Can WireGuard be hacked?

Protocols such as OpenVPN, WireGuard, or IKEv2 have no known vulnerabilities and are considered secure.

How to obfuscate WireGuard traffic?

Option 1 – Windows Wireguard App
  1. Step1 – Register an account with StarVPN. ...
  2. Step 2 – Download Wireguard Configuration. ...
  3. Step 3 – Download the Windows Installer from the Wireguard Website. ...
  4. Step 4 – Input Configuration. ...
  5. Step 5 – Additional Configuration. ...
  6. Step 6 – Install Shadowsocks. ...
  7. Step 7 – Connect with Wireguard.
Jan 6, 2023

What OSI level is WireGuard?

The WireGuard protocol provides a secure OSI Layer 3 network tunnel between two endpoints. It uses a cryptographic handshake protocol based on the Noise Protocol Framework to provide mutual authentication, key agreement, and forward secrecy.

Does WireGuard route all traffic?

Like most other VPN systems, Wireguard doesn't make any such decisions on its own – it will route exactly those prefixes that you've configured to be routed through the connection, which may be anywhere from "all traffic" (/0 route) to "a single IP address" (/32 route).

Is WireGuard traffic encrypted?

The WireGuard protocol works by using encryption and network code in order to create an encrypted tunnel between your device and a VPN server. Most VPN protocols use AES-256 encryption but WireGuard uses ChaCha20 authenticated encryption by default.

Is anything better than WireGuard?

Verdict on Security

There are no known security flaws in either protocol. If security is your topmost priority, the conservative option is OpenVPN. It has simply been around much longer than WireGuard, gone through more third-party security audits, and has a far longer track record than WireGuard.

What are the security flaws of WireGuard?

Potential Risks of Using WireGuard

Despite its advantages, WireGuard has some downsides that you need to be aware of, including: Privacy trade-offs. By default, WireGuard stores user IP addresses on the VPN server, posing a risk to user anonymity and privacy.

What is the difference between VPN and WireGuard?

The biggest notable differences between WireGuard and OpenVPN are speed and security. While WireGuard is generally faster, OpenVPN provides heavier security. The differences between these two protocols are also what make up their defining features.

What is WireGuard on my computer?

WireGuard is a modern VPN Protocol used by many VPN companies because it provides a more secure and faster browsing experience.

What type of packet is the WireGuard?

All packets are sent over UDP.

How to decrypt WireGuard traffic?

Decoding WireGuard with WireShark
  1. setup WireGuard for a client-server system.
  2. configure and run nginx on the server.
  3. start tcpdump on the server.
  4. log the encryption keys on the server that is used in a wireguard session.
  5. send curl traffic from client->server.
  6. decrypt the WireGuard tcpdump session using WireShark.
Mar 20, 2022

Article information

Author: Ms. Lucile Johns
