Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What is WireGuard? UDP-based, Running on many and Lightweight

What is WireGuard? UDP-based, Running on many and Lightweight

2023年5月4日開催『M5 Japan Tour 2023 Spring 東京1』で、ソラコム松下(max)が発表した資料です。


May 04, 2023

More Decks by SORACOM

Other Decks in Technology


  1. What is WireGuard? The modern UDP-based VPN running on ESP32

    May 4, 2023 #M5JPTour2023 Tokyo Welcome (back) Jimmy-san!! Kohei MATSUSHITA “Max” / @ma2shita Tech. Evangelist at SORACOM, INC.
  2. Tech. Evangelist at SORACOM, INC. Kohei Matsushita "Max" Evangelizing IoT

    and SORACOM, with over 500 presentations. SORACOM provides the IoT platform. ➢ Global connectivity for IoT with SIM and Sigfox in 160+ countries and territories. ➢ Including IoT applications and device management.
  3. Conclusion What is WireGuard? ➢ The modern UDP-based VPN. ➢

    Running on many environment, including ESP32. ➢ Lightweight footprint and load than TLS.
  4. Oh! NOT enough flash memory? Raw MQTT MQTT + TLS

    A small code that just only MQTT Push (about 140 lines) including TLS. But… Only 402KB remains. Usage is 70%!! AWS IoT Core Modern SaaS/PaaS.
  5. We DON’T want to use TLS. But we need to

    encrypt with Internet access. What do we do? 🤔
  6. WireGuard in 3 steps! #include <WireGuard-ESP32.h> static WireGuard wg; char

    private_key[] = "{[Interface] PrivateKey from server}"; IPAddress local_ip(192, 168, 200, 254); // [Interface] Address from server char public_key[] = "{[Peer] PublicKey} from server"; char endpoint_address[] = "{[Peer] Endpoint from server}"; int endpoint_port = 11010; configTime(9 * 60 * 60, 0, "ntp.jst.mfeed.ad.jp", "ntp.nict.jp", "time.google.com"); delay(3000); // Wait for adjust wg.begin(local_ip, private_key, endpoint_address, public_key, endpoint_port); Connecting in setup() / 3 lines Configure in header / 7 lines Import 1 2 3 Listed in the official repository Don't forget to set the time. Set value retrieved from WireGuard server https://github.com/ciniml/WireGuard-ESP32-Arduino
  7. Reduce usage in Flash memory than TLS 0 100,000 200,000

    300,000 400,000 500,000 600,000 700,000 800,000 900,000 MQTT+TLS MQTT+WireGuard 【参考】MQTTのみ Flash memory usage MQTT+TLS MQTT+WireGuard 【参考】MQTTのみ It’s L3 VPN. So upper layer/protocol is free. ESP32(M5Stack Basic)上でWireGuardを使用したMQTT実装サンプル https://qiita.com/ma2shita/items/0f0dce8ff0e45cf9fbac Different angle: VPN can be added for only +30KB to Raw MQTT implementation -141KB +30KB +L3 VPN
  8. Excellent portability Prepare: • Connection is Wi-Fi. • WireGuard connection

    established. Start: • Ping. Next: • Connection is changed to cellular. (Means the IP address changes.) Finally: • Continued ping success. (Packet loss during changing.) IP address independent VPN It’s modern!
  9. How do we prepare the server? Build with Linux Box

    ➢ WireGuard merged on Linux kernel 5.6 ➢ Raspberry Pi is easy to set up with pivpn.io ➢ CM4Stack, too!! Full-managed WireGuard server “SORACOM Arc” ➢ Launched in 2021/6. It has free tier. ➢ Available via Wi-Fi access. ➢ Services for IoT on SORACOM are also available, too. ➢ e.g.) Remote access service for SSH, etc. on demand.
  10. Have any concerns? ➢ Security? Cipher strength? ➢ Throughput? Latency?

    Load on MCU? ➢ UDP? Let see my blog! Don't worry, I'm writing “日本語”. https://blog.soracom.com/ja-jp/2023/02/16/what-is-wireguard
  11. Conclusion What is WireGuard? ➢ The modern UDP-based VPN. ➢

    Running on many environment, including ESP32. ➢ Lightweight footprint and load than TLS. Let’s embed to your M5/ESP32, NOW!! And I looking for maintainers