Background story (skippable)
So I've been maintaining a set of OpenVPN tunnels into various NAT-routed networks for several years now, and every now and then a software update will declare some of the keys too old and insecure to be used. This means I have to dust off the TLS PKI files and remember how to use them so I can press out a new set of keys and distribute these to all the places they need to be. PKI is generally a drag, and I decided it was finally time to learn how to set up the new and hip WireGuard tunnelling solution.
Unfortunately it took me a couple of hours to set it up just the way I wanted, as there are a few large differences between the two systems:
- WireGuard does not use TLS/PKI; each peer has a static public/private key pair, and peers' public keys are configured ahead of time (exchanged out of band) rather than verified through a CA
- WireGuard uses a peer-to-peer setup, not client-server like OpenVPN
- WireGuard does nothing special for NAT by default and is fairly "quiet" (it sends nothing while idle), so you may need keep-alive messages to keep UDP port mappings open through NAT routers
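The three differences above in concrete form, as an added example that is not from the original post: two wg-quick configuration files (shown together in one block), one for a peer with a reachable UDP port and one for a peer behind a NAT router. Key material, the 10.200.0.0/24 tunnel subnet, the 192.168.50.0/24 LAN behind the NATed peer and the hostname vpn.example.net are placeholders I chose for illustration.

```ini
# ---- a.conf: peer A, has a public IP (or a forwarded UDP port) ----
# Placeholder keys; generate real ones with `wg genkey | tee a.key | wg pubkey`.
[Interface]
Address = 10.200.0.1/24             # assumed tunnel subnet
ListenPort = 51820                  # UDP port that must be reachable from B
PrivateKey = <A_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# B's static public key, configured here directly: no CA, no certificates.
PublicKey = <B_PUBLIC_KEY_PLACEHOLDER>
# B's tunnel address plus the LAN behind B (assumed) that should route via B.
AllowedIPs = 10.200.0.2/32, 192.168.50.0/24
# No Endpoint: B sits behind NAT, so A learns B's public address:port from
# B's first handshake and keeps using whatever the NAT last presented.

# ---- b.conf: peer B, behind a NAT router, initiates toward A ----
[Interface]
Address = 10.200.0.2/24
PrivateKey = <B_PRIVATE_KEY_PLACEHOLDER>
# No ListenPort needed: B always initiates, so a random source port is fine.

[Peer]
PublicKey = <A_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.net:51820    # assumed public hostname of A
AllowedIPs = 10.200.0.0/24
# Send an empty keepalive every 25 s so the NAT's UDP mapping does not expire
# while the tunnel is idle; without it, A cannot reach B (e.g. to ssh into the
# NATed network) until B happens to send traffic again.
PersistentKeepalive = 25
```

Only the NATed side needs PersistentKeepalive; setting it on both sides just adds traffic. A useful check after bringing both up is `wg show`, where each peer should list a recent "latest handshake" and the NATed peer's current endpoint should appear on A.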