WireGuard (WG) WireGuard is a VPN protocol. WireGuard was initially started by Jason A. Donenfield in 2015 as a Linux kernel module. As of January 2020, it has been accepted for Linux v5.6. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation. Protocol dependencies. Erst wenn man die Sophos neu startet kommt der Tunnel sofort hoch. In unserem Fall erfolgt die Zwangstrennung um 3:00 Uhr Nachts, um 5:30 wird die Sophos neu gestartet und sofort ist der Tunnel da. Hast Du mal versucht die Sophos neu zu starten, vielleicht bringt's ja was. Als Workaround wird die Sophos jetzt jeden Tag um 5:30 neu gestartet.
Sophos Sandstorm uses next-gen sandbox technology, giving your organization an essential layer of protection against ransomware and targeted attacks. It integrates seamlessly with your UTM and is cloud-delivered, so there’s no additional hardware required. Easy to try, deploy and manage Effective at blocking evasive threats. Fast forward a few days and for various reasons I checked out Sophos XG and I believe I'm here to stay, thereby removing pfSense from the picture entirely. I added PiVPN as a custom 'service' with the Wireguard port entered within Sophos XG. I then walked through the DNAT steps to complete the NAT setup for PiVPN to work.
There is a lot of misinformation surrounding WireGuard, so we are continuing to dispel those myths as best we can. In this entry, we are looking at the idea that WireGuard actually supports many different encryption and authentication methods. When in reality, it is a lot more limited than that.
Which encryption does WireGuard support
Whilst the vast majority of other VPN protocols have support for a wide range of cryptosystems, WireGuard is a bit simpler. It only supports one key agreement scheme (Curve25519), and only one AEAD (authenticated encryption with associated data), ChaCha20-Poly1305. In contrast to WireGuard IPSec supports RSA, DSA, ECDSA, Curve25519 and a plethora of other algorithms.
How WireGuard differs from other protocols
Before we start explaining what’s exactly beneath the hood we need to emphasize an important distinction between WireGuard and other well-known protocols. WireGuard is a peer-to-peer protocol. It does not distinguish between server nodes and client nodes nor is there any special functionality assigned to a peer as a consequence of a peer’s role.
Roles, such as a server or a client, are a deployment detail and WireGuard does not care about such details. But, for easier understanding, we’ll address the hide.me peer as a “server” and the customer’s device as a “client”.
WireGuard authentication explained
As with any other asymmetric cryptosystem peers need to authenticate each other before a symmetric session key gets established. The only possible authentication mechanism that WireGuard supports is public key authentication. Other protocols, such as IKEv2 or OpenVPN support username and password authentication, but WireGuard doesn’t. With WireGuard the public keys serve as an authentication material, as a base for key agreement and as a crypto-key routing foundation.
In general, if a peer Alice wishes to prove its identity to some other peer Bob she’ll use her private key to digitally sign some sort of a message. Such a digital signature can be verified by Bob to be authentic, but only if Bob already possesses Alice’s public key. So, Bob needs to get hold of Alice’s public key somehow and in advance.
WireGuard does not provide a facility for such a key exchange, it is stealthy, the public keys need to be set up in advance. If the public key of a peer is not known WireGuard keeps silent. In contrast to WireGuard, TLS, the dominant security protocol, during its handshake provides the server’s public key to the client in the form of a certificate.
How hide.me’s WireGuard authentication works
On hide.me we combined the two. We use HTTPS to establish a short-lived, authenticated and highly secure channel in order to exchange public keys. The customer’s public key will be used then for the WireGuard session which is about to start. Our apps generate fresh private and public key pair on each connection attempt.
Once the server’s and customer’s public keys are in place WireGuard has all the tools it needs to establish a session key over a Curve25519 key agreement scheme. Such a session key is then used by the symmetric ChaCha20-Poly1305 AEAD for the data transfer between the peers.
ChaCha20-Poly1305 explained
Wireguard Vpn Sophos
ChaCha20-Poly1305 is an AEAD (authenticated encryption with associated data), basically a good combination of a cipher (ChaCha20) and a message authentication code (Poly1305). An AEAD not only encrypts the sensitive data, it authenticates it too (AE part). In addition to the sensitive data other, non-sensitive, data may be included in the final message which gets authenticated as well (AD part). AEADs provide all the three pillars of security:
Confidentiality, integrity and authenticity of the data. Nowadays the dominant AEAD is AES-GCM. It is a construction which consists of the AES-CTR (AES in counter mode) and a GHASH MAC. It is highly secure and has no known vulnerabilities, but it is computationally expensive on platforms other than recent Intel processors.
What’s the verdict
AES is cryptographically stronger than ChaCha20, but it is a lot more taxing. So, it is thought that ChaCha20 is a good “bang-for-your-buck” option when compared to AES, especially on mobile platforms. Before the advent of ChaCha20-Poly1305 there was no alternative to AES-GCM.
Depending on a single AEAD was not an option for large enterprises. What would have happened if a critical vulnerability were to be discovered in AES-GCM? The industry has an alternative now, even if it is not as strong or as fast as AES-GCM it is still a viable option if the AES-GCM fails.
Hi There,
Wire Guard Sophos Security
With SSL VPN in Sophos UTM, user will require any additional log-in in the client software and it does require a profile to be downloaded from the User portal for once or after any changes in the SSL VPN profile configuration. You may look into the possibility of using Sophos Connect Client VPN which uses IPSec. Refer to this KBA: https://community.sophos.com/kb/en-us/134050
Sophos Xg Wireguard
Regarding publishing MS SSTP server, you can do it by configuring relevant DNAT rules on Sophos UTM to point it to internal MS SSTP server.
Wireguard Vpn
Regards,
^JG