Wireguard

Wireguard is the best VPN choice for most situations. It’s faster and simpler than its predecessors and what you should be using on the internet.

Key Concepts

  • Wireguard works at the IP level and is designed for the Internet/WAN. It doesn’t include DHCP, bridging, or other low-level features.
  • Participants authenticate using public-key cryptography, use UDP as a transport and do not respond to unauthenticated connection attempts.
  • Peer to Peer by default.

By the last point, we mean there is no central authority required. Each peer defines its own IP address, routing rules, and decides from whom it will accept traffic. Every peer must exchange public keys with every other peer. Traffic is sent directly between configured peers. You can build a centralized design on top of this, but it’s not baked in.

Design

The way you deploy depends on what you’re doing, but in general you’ll either connect directly point-to-point or create a central server for remote access or management.

  • Hub and Spoke
  • Point to Point

Hub and Spoke

This is the classic setup where clients initiate a connection. Configure a wireguard server and tell your clients about it. This is also useful for remote management when devices are behind NAT. Perform the steps in:

And then choose based on if your goal is to:

  • Provide Remote Access - i.e. allow clients to access your central network and/or the Internet.

or

  • Provide Remote Management - i.e. allow the server (or an admin console) to connect to the clients.
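The two hub-and-spoke goals above differ only in what each side lists under `AllowedIPs`, and that one setting also implements the Key Concepts point that each peer decides whose traffic it accepts: outbound packets are sent to the peer whose `AllowedIPs` contains the destination, and a decrypted inbound packet is dropped unless its source address is inside the sending peer's `AllowedIPs`. The following added example (not code from this page or from the WireGuard project) models that cryptokey-routing rule in Python over three constructed configs with placeholder keys and a made-up hub hostname: a hub, a remote-access laptop that tunnels everything, and a remote-management sensor behind NAT that tunnels only the VPN subnet and keeps the NAT mapping alive.

```python
"""Model WireGuard cryptokey routing: AllowedIPs is both a route table and an ACL.

Added illustration, not WireGuard's own code. Keys and hostnames are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Peer:
    public_key: str = ""
    allowed_ips: List[ipaddress.IPv4Network] = field(default_factory=list)
    endpoint: Optional[str] = None
    keepalive: Optional[int] = None


def parse_wg_conf(text):
    """Parse a wg-quick style [Interface]/[Peer] config. Returns (address, peers)."""
    address, peers, current = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # wg-quick allows '#' comments
        if not line:
            continue
        if line.lower() == "[interface]":
            current = None
            continue
        if line.lower() == "[peer]":
            current = Peer()
            peers.append(current)
            continue
        key, _, value = line.partition("=")          # split on the first '=' only
        key, value = key.strip().lower(), value.strip()
        if current is None:
            if key == "address":
                address = ipaddress.ip_interface(value)
        elif key == "publickey":
            current.public_key = value
        elif key == "allowedips":
            current.allowed_ips = [ipaddress.ip_network(v.strip()) for v in value.split(",")]
        elif key == "endpoint":
            current.endpoint = value
        elif key == "persistentkeepalive":
            current.keepalive = int(value)
    return address, peers


def outbound_peer(peers, dst):
    """Peer whose AllowedIPs has the longest prefix containing dst; None = not tunneled."""
    dst, best = ipaddress.ip_address(dst), None
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peer, src):
    """A decrypted packet from `peer` is accepted only if src is within that peer's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peer.allowed_ips)


# Constructed sample configs (placeholder keys, made-up hostname).
HUB_CONF = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER

[Peer]
# remote-access laptop
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# remote-managed sensor behind NAT
PublicKey = SENSOR_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32
"""

REMOTE_ACCESS_CLIENT = """
[Interface]
Address = 10.8.0.2/24
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = HUB_PUBKEY_PLACEHOLDER
Endpoint = hub.example.com:51820
AllowedIPs = 0.0.0.0/0        # send all traffic (central LAN and Internet) via the hub
"""

REMOTE_MGMT_CLIENT = """
[Interface]
Address = 10.8.0.3/24
PrivateKey = SENSOR_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = HUB_PUBKEY_PLACEHOLDER
Endpoint = hub.example.com:51820
AllowedIPs = 10.8.0.0/24      # only the VPN subnet; the hub/admin console reaches us
PersistentKeepalive = 25      # keep the NAT mapping open so inbound packets arrive
"""


def demo():
    """Return the routing/ACL decisions that distinguish the two deployments."""
    _, hub_peers = parse_wg_conf(HUB_CONF)
    _, access_peers = parse_wg_conf(REMOTE_ACCESS_CLIENT)
    _, mgmt_peers = parse_wg_conf(REMOTE_MGMT_CLIENT)
    internet_host = "198.51.100.7"                   # constructed public address
    return {
        "access_tunnels_internet": outbound_peer(access_peers, internet_host) is not None,
        "mgmt_tunnels_internet": outbound_peer(mgmt_peers, internet_host) is not None,
        "mgmt_tunnels_admin_console": outbound_peer(mgmt_peers, "10.8.0.2") is not None,
        # hub drops a packet from the sensor's tunnel that claims the laptop's address
        "hub_accepts_spoof_from_sensor": accept_inbound(hub_peers[1], "10.8.0.2"),
        "hub_accepts_sensor": accept_inbound(hub_peers[1], "10.8.0.3"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The management-only client never sends Internet traffic into the tunnel, and the hub refuses a packet arriving over the sensor's session that carries the laptop's address, so a compromised spoke cannot impersonate another spoke to the hub. The same mechanism is what a point-to-point router pair relies on: each side lists the other's LAN subnet in `AllowedIPs`.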

Point to Point

You can also have peers talk directly to each other. This is often used with routers to connect networks across the internet.


Last modified November 11, 2024: refactor (8e972a6)