- All packets are sent over UDP
- A connection starts with a handshake that generates ephemeral keys, which are then used to encrypt data packets
- These keys are rotated every few minutes to provide perfect forward secrecy
- Uses Noise handshake protocol
- WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:
  1. This packet is meant for 192.168.30.8. Which peer is that? Let me look… Okay, it’s for peer `ABCDEFGH`. (Or if it’s not for any configured peer, drop the packet.)
  2. Encrypt the entire IP packet using peer `ABCDEFGH`’s public key.
  3. What is the remote endpoint of peer `ABCDEFGH`? Let me look… Okay, the endpoint is UDP port 53133 on host 216.58.211.110.
  4. Send the encrypted bytes from step 2 over the Internet to 216.58.211.110:53133 using UDP.
- When the interface receives a packet, this happens:
  1. I just got a packet from UDP port 7361 on host 98.139.183.24. Let’s decrypt it!
  2. It decrypted and authenticated properly for peer `LMNOPQRS`. Okay, let’s remember that peer `LMNOPQRS`’s most recent Internet endpoint is 98.139.183.24:7361 using UDP.
  3. Once decrypted, the plain-text packet is from 192.168.43.89. Is peer `LMNOPQRS` allowed to be sending us packets as 192.168.43.89?
  4. If so, accept the packet on the interface. If not, drop it.
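The send-side lookup, the endpoint-roaming update and the receive-side source check above form one table (WireGuard's cryptokey routing). The following is an added illustration of that table in Python, not WireGuard's own code; the peer names, tunnel addresses and endpoints are the constructed values from the steps above, and decryption/authentication is assumed to have already succeeded before `inbound` is called.

```python
import ipaddress

# Added illustration of cryptokey routing (not WireGuard's implementation).
# Peer names, addresses and ports are the constructed values used in the notes.
class CryptokeyRoutingTable:
    def __init__(self):
        # public key -> {"allowed_ips": [ip_network...], "endpoint": (host, port) | None}
        self.peers = {}

    def add_peer(self, pubkey, allowed_ips, endpoint=None):
        self.peers[pubkey] = {
            "allowed_ips": [ipaddress.ip_network(n) for n in allowed_ips],
            "endpoint": endpoint,
        }

    def peer_for_ip(self, ip):
        """Longest-prefix match of ip over every peer's AllowedIPs; None if no peer owns it."""
        addr = ipaddress.ip_address(ip)
        best = None
        for pubkey, peer in self.peers.items():
            for net in peer["allowed_ips"]:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (pubkey, net)
        return best[0] if best else None

    def outbound(self, dst_ip):
        """Send side: which peer's key to encrypt with and which UDP endpoint to use.
        Returns None when the packet must be dropped."""
        pubkey = self.peer_for_ip(dst_ip)
        if pubkey is None:
            return None  # no configured peer owns this destination address
        endpoint = self.peers[pubkey]["endpoint"]
        if endpoint is None:
            return None  # peer is known but no endpoint has been learned yet
        return pubkey, endpoint

    def inbound(self, pubkey, src_endpoint, inner_src_ip):
        """Receive side, after the packet decrypted and authenticated as pubkey:
        remember the sender's endpoint (roaming), then enforce the source-address check."""
        self.peers[pubkey]["endpoint"] = src_endpoint
        return self.peer_for_ip(inner_src_ip) == pubkey


def build_example_table():
    table = CryptokeyRoutingTable()
    table.add_peer("ABCDEFGH", ["192.168.30.8/32"], ("216.58.211.110", 53133))
    table.add_peer("LMNOPQRS", ["192.168.43.0/24"])  # endpoint learned on first packet
    return table
```

A decrypted packet whose inner source address belongs to a different peer's AllowedIPs fails the `inbound` check and is dropped, which is what stops one authenticated peer from impersonating another inside the tunnel.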