Understanding WireGuard

Brian Yarbrough
Apr 15, 2020

Despite WireGuard® being an extremely simple VPN, it can be difficult to understand how it works, what it gives you, and how to use it. This post offers an intuitive explanation of how WireGuard functions and an example setup with two Docker containers.

WireGuard Interfaces

WireGuard facilitates communication between two peers. In order for you to communicate with a peer, you must have a virtual WireGuard interface. Your interface must be configured with your private key and your peer’s public key. The peer’s interface must be configured with your public key and their private key.

A WireGuard interface appears to your OS just like any other interface, as shown in this example:

# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.27.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid
    inet 172.17.0.2/16 brd 172.17.255.255…

Brian Yarbrough

A computer engineer exploring complexity, chaos, and how to manage it - typically with cloud pipelines and open source software.