
What is WireGuard? UDP-based, Running on many and Lightweight

Slides presented by Kohei Matsushita (max) of SORACOM at "M5 Japan Tour 2023 Spring Tokyo 1", held on May 4, 2023.


Transcript

  1. What is WireGuard? The modern UDP-based VPN running on ESP32

    May 4, 2023, #M5JPTour2023 Tokyo. Welcome (back) Jimmy-san!! Kohei MATSUSHITA "Max" / @ma2shita, Tech. Evangelist at SORACOM, INC.
  2. Kohei Matsushita "Max", Tech. Evangelist at SORACOM, INC.

    Evangelizing IoT and SORACOM, with over 500 presentations. SORACOM provides the IoT platform:
    ➢ Global connectivity for IoT with SIM and Sigfox in 160+ countries and territories.
    ➢ Including IoT applications and device management.
  3. Conclusion: What is WireGuard?

    ➢ The modern UDP-based VPN.
    ➢ Runs in many environments, including ESP32.
    ➢ Lighter footprint and load than TLS.
  4. Oh! NOT enough flash memory?

    Raw MQTT vs. MQTT + TLS, talking to AWS IoT Core (a modern SaaS/PaaS). A small sketch that does nothing but MQTT push (about 140 lines) including TLS. But... only 402KB remains: usage is 70%!!
  5. We DON'T want to use TLS, but we need encryption over the Internet. What do we do? 🤔
  6. WireGuard in 3 steps!

    Step 1: import (the library is listed in the official repository):

        #include <WireGuard-ESP32.h>

    Step 2: configure in the header (7 lines). Set each value retrieved from the WireGuard server:

        static WireGuard wg;
        char private_key[] = "{[Interface] PrivateKey from server}";
        IPAddress local_ip(192, 168, 200, 254);   // [Interface] Address from server
        char public_key[] = "{[Peer] PublicKey from server}";
        char endpoint_address[] = "{[Peer] Endpoint from server}";
        int endpoint_port = 11010;

    Step 3: connect in setup() (3 lines). Don't forget to set the time:

        void setup() {
          // Network (e.g. Wi-Fi) must already be connected before this point.
          configTime(9 * 60 * 60, 0, "ntp.jst.mfeed.ad.jp", "ntp.nict.jp", "time.google.com");
          delay(3000);  // Wait for the clock to adjust
          wg.begin(local_ip, private_key, endpoint_address, public_key, endpoint_port);
        }

    Library: https://github.com/ciniml/WireGuard-ESP32-Arduino
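The five header values in step 2 are copied by hand from the `[Interface]`/`[Peer]` config file that the WireGuard server hands to the client, which is an easy place to paste a truncated key or swap the peer and interface keys. The script below is an added example, not code from the talk or from the WireGuard-ESP32-Arduino library: it parses a wg-quick style client config, checks that each key is base64 of exactly 32 bytes (the size of a Curve25519 key), splits the endpoint into host and port, and emits the header lines in the same order as the sketch. The config text is constructed; the keys in it are base64 of dummy bytes, not a real key pair, and the hostname is a placeholder. The time-setting step matters for a related reason: a WireGuard handshake initiation carries a TAI64N timestamp and the responder rejects initiations whose timestamp is not newer than the last one it accepted from that peer, so a device whose clock is still at the 1970 epoch will be refused once the server has seen a later timestamp from it.

```python
"""Turn a wg-quick style client config into the WireGuard-ESP32 header values.

Added example (not from the talk or the library). Sample config and keys are
constructed: dummy bytes, not a real key pair; the endpoint host is a placeholder.
"""
import base64
import ipaddress

# Constructed sample of the file a WireGuard server (pivpn, SORACOM Arc, ...)
# gives a client. PrivateKey = 32 bytes of 0x01, PublicKey = 32 bytes of 0x02.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Address = 192.168.200.254/24
DNS = 192.168.200.1

[Peer]
PublicKey = AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:11010   # placeholder host
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Return {'interface': {...}, 'peers': [{...}, ...]} with keys kept as written."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return {"interface": interface, "peers": peers}


def validate_key(key):
    """A WireGuard key is 32 raw bytes, base64-encoded (44 chars, one '=' pad)."""
    try:
        raw = base64.b64decode(key, validate=True)  # rejects stray characters
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key is not valid base64: {key!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return key


def sketch_values(conf):
    """Extract the five values the sketch's header needs, validating each."""
    iface = conf["interface"]
    if len(conf["peers"]) != 1:
        raise ValueError("the sketch configures exactly one [Peer]")
    peer = conf["peers"][0]
    # Address may carry a prefix length and a comma-separated list; take the first.
    addr = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
    if addr.version != 4:
        raise ValueError("IPAddress(a, b, c, d) in the sketch expects an IPv4 address")
    host, port = peer["Endpoint"].rsplit(":", 1)
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"endpoint port out of range: {port}")
    return {
        "private_key": validate_key(iface["PrivateKey"]),
        "local_ip": tuple(int(o) for o in str(addr.ip).split(".")),
        "public_key": validate_key(peer["PublicKey"]),
        "endpoint_address": host.strip("[]"),
        "endpoint_port": port,
    }


def to_arduino_header(values):
    """Render the header lines in the same order as the slide's step 2."""
    a, b, c, d = values["local_ip"]
    return "\n".join([
        "#include <WireGuard-ESP32.h>",
        "static WireGuard wg;",
        f'char private_key[] = "{values["private_key"]}";',
        f"IPAddress local_ip({a}, {b}, {c}, {d});",
        f'char public_key[] = "{values["public_key"]}";',
        f'char endpoint_address[] = "{values["endpoint_address"]}";',
        f"int endpoint_port = {values['endpoint_port']};",
    ]) + "\n"


if __name__ == "__main__":
    print(to_arduino_header(sketch_values(parse_wg_conf(SAMPLE_CONF))))
```

Run it with a real client config in place of `SAMPLE_CONF` and paste the output over the header section of the sketch. Keep in mind that the private key is then stored in the firmware image, so anyone who can read the device's flash has the peer's identity; give each device its own key pair on the server side so that a single lost or compromised device can be removed as one peer without touching the others.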
  7. Less flash memory usage than TLS

    [Bar chart: flash memory usage (scale 0 to 900,000) for MQTT+TLS, MQTT+WireGuard and, for reference, MQTT only.]
    It's an L3 VPN, so the upper layer/protocol is free to choose.
    MQTT+WireGuard uses 141KB less than MQTT+TLS. From a different angle: an L3 VPN can be added to the raw MQTT implementation for only +30KB.
    Sample MQTT implementation using WireGuard on ESP32 (M5Stack Basic): https://qiita.com/ma2shita/items/0f0dce8ff0e45cf9fbac
  8. Excellent portability

    Prepare: • The connection is Wi-Fi. • The WireGuard connection is established.
    Start: • Ping.
    Next: • The connection is switched to cellular (meaning the IP address changes).
    Finally: • Ping keeps succeeding (with some packet loss during the switch).
    An IP-address-independent VPN. It's modern!
  9. How do we prepare the server?

    Build it on a Linux box:
    ➢ WireGuard has been merged into the Linux kernel since 5.6.
    ➢ A Raspberry Pi is easy to set up with pivpn.io
    ➢ CM4Stack, too!!
    Or use the fully managed WireGuard server "SORACOM Arc":
    ➢ Launched in June 2021. It has a free tier.
    ➢ Available via Wi-Fi access.
    ➢ SORACOM's services for IoT are available over it as well.
    ➢ e.g. an on-demand remote access service for SSH, etc.
  10. Have any concerns?

    ➢ Security? Cipher strength?
    ➢ Throughput? Latency? Load on the MCU?
    ➢ UDP?
    See my blog! Don't worry, I'm writing in "Japanese". https://blog.soracom.com/ja-jp/2023/02/16/what-is-wireguard
  11. Conclusion: What is WireGuard?

    ➢ The modern UDP-based VPN.
    ➢ Runs in many environments, including ESP32.
    ➢ Lighter footprint and load than TLS.
    Let's embed it in your M5/ESP32, NOW!! And I'm looking for maintainers.