$30 off During Our Annual Pro Sale. View Details »

What is WireGuard? UDP-based, Running on many a...

What is WireGuard? UDP-based, Running on many and Lightweight

2023年5月4日開催『M5 Japan Tour 2023 Spring 東京1』で、ソラコム松下(max)が発表した資料です。

SORACOM

May 04, 2023
Tweet

More Decks by SORACOM

Other Decks in Technology

Transcript

  1. What is WireGuard? The modern UDP-based VPN running on ESP32

    May 4, 2023 #M5JPTour2023 Tokyo Welcome (back) Jimmy-san!! Kohei MATSUSHITA “Max” / @ma2shita Tech. Evangelist at SORACOM, INC.
  2. Tech. Evangelist at SORACOM, INC. Kohei Matsushita "Max" Evangelizing IoT

    and SORACOM, with over 500 presentations. SORACOM provides the IoT platform. ➢ Global connectivity for IoT with SIM and Sigfox in 160+ countries and territories. ➢ Including IoT applications and device management.
  3. Conclusion What is WireGuard? ➢ The modern UDP-based VPN. ➢

    Running on many environment, including ESP32. ➢ Lightweight footprint and load than TLS.
  4. Oh! NOT enough flash memory? Raw MQTT MQTT + TLS

    A small code that just only MQTT Push (about 140 lines) including TLS. But… Only 402KB remains. Usage is 70%!! AWS IoT Core Modern SaaS/PaaS.
  5. We DON’T want to use TLS. But we need to

    encrypt with Internet access. What do we do? 🤔
  6. WireGuard in 3 steps! #include <WireGuard-ESP32.h> static WireGuard wg; char

    private_key[] = "{[Interface] PrivateKey from server}"; IPAddress local_ip(192, 168, 200, 254); // [Interface] Address from server char public_key[] = "{[Peer] PublicKey} from server"; char endpoint_address[] = "{[Peer] Endpoint from server}"; int endpoint_port = 11010; configTime(9 * 60 * 60, 0, "ntp.jst.mfeed.ad.jp", "ntp.nict.jp", "time.google.com"); delay(3000); // Wait for adjust wg.begin(local_ip, private_key, endpoint_address, public_key, endpoint_port); Connecting in setup() / 3 lines Configure in header / 7 lines Import 1 2 3 Listed in the official repository Don't forget to set the time. Set value retrieved from WireGuard server https://github.com/ciniml/WireGuard-ESP32-Arduino
  7. Reduce usage in Flash memory than TLS 0 100,000 200,000

    300,000 400,000 500,000 600,000 700,000 800,000 900,000 MQTT+TLS MQTT+WireGuard 【参考】MQTTのみ Flash memory usage MQTT+TLS MQTT+WireGuard 【参考】MQTTのみ It’s L3 VPN. So upper layer/protocol is free. ESP32(M5Stack Basic)上でWireGuardを使用したMQTT実装サンプル https://qiita.com/ma2shita/items/0f0dce8ff0e45cf9fbac Different angle: VPN can be added for only +30KB to Raw MQTT implementation -141KB +30KB +L3 VPN
  8. Excellent portability Prepare: • Connection is Wi-Fi. • WireGuard connection

    established. Start: • Ping. Next: • Connection is changed to cellular. (Means the IP address changes.) Finally: • Continued ping success. (Packet loss during changing.) IP address independent VPN It’s modern!
  9. How do we prepare the server? Build with Linux Box

    ➢ WireGuard merged on Linux kernel 5.6 ➢ Raspberry Pi is easy to set up with pivpn.io ➢ CM4Stack, too!! Full-managed WireGuard server “SORACOM Arc” ➢ Launched in 2021/6. It has free tier. ➢ Available via Wi-Fi access. ➢ Services for IoT on SORACOM are also available, too. ➢ e.g.) Remote access service for SSH, etc. on demand.
  10. Have any concerns? ➢ Security? Cipher strength? ➢ Throughput? Latency?

    Load on MCU? ➢ UDP? Let see my blog! Don't worry, I'm writing “日本語”. https://blog.soracom.com/ja-jp/2023/02/16/what-is-wireguard
  11. Conclusion What is WireGuard? ➢ The modern UDP-based VPN. ➢

    Running on many environment, including ESP32. ➢ Lightweight footprint and load than TLS. Let’s embed to your M5/ESP32, NOW!! And I looking for maintainers