My study on VPN, WireGuard and TUN device

While I was reading a tutorial on setting up a VPN to securely connect to my private server, a detail caught my attention: WireGuard uses UDP. Up until that time, I didn't know much about VPNs, let alone what it means to use UDP, or how an application that uses TCP would still work over such a VPN.

So I set sail to study VPNs…

Disclaimer: Please don't take any of these things as a source of truth, as I'm not an expert in computer networking.

Understanding the Virtual Private Network

Foremost, it's a network: a set of interconnected devices, like your LAN. There is not much to say about that part.

Then comes the "Private" part. A VPN achieves privacy by encrypting the traffic routed through it. So even when your VPN traffic has to go out across the wild Internet, "Trudy the intruder" still can't eavesdrop on what is going on in your network.

And last is the "Virtual" part, which is the one I want to understand the most. It's called virtual because it is built in software, so it can have a different topology from the physical network. For example, your company may have servers in multiple data centers, but the VPN makes them all appear as if they were in the same network.

How to build the Virtual Network

Keep in mind that this is a non-exhaustive write-up about the components that make up a virtual network.

I started by reading the WireGuard whitepaper. In short, WireGuard creates a virtual network interface. What's a network interface, anyway?

“A network interface is the point of interconnection between a computer and a private or public network. A network interface is generally a network interface card (NIC), but does not have to have a physical form. Instead, the network interface can be implemented in software. For example, the loopback interface (127.0.0.1 for IPv4 and ::1 for IPv6) is not a physical device but a piece of software simulating a network interface. The loopback interface is commonly used in test environments.”

That is still vague and doesn't get to the point of what its role is in the VPN puzzle. There is a pretty good blog post by Julia Evans about network interfaces that you can read. The takeaway is:

When you send a packet to an IP address, your route table decides which network interface that packet goes through. This is one of the first things that happens in the network stack. That means when you send something to an IP address in your private network, it will be forwarded to your VPN's network interface. In the case of WireGuard, that is the default wg0 interface. Of course, not every VPN uses this approach.
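To make the route-table step concrete, here is a small added example (mine, not from the post or from WireGuard) of the longest-prefix-match lookup the kernel performs before a packet reaches any interface. The interface names eth0 and wg0 and the prefixes 192.168.1.0/24 and 10.8.0.0/24 are assumptions chosen for the example. It also goes one step beyond the text with a second table in which the default route itself points at wg0, the "send everything through the VPN" setup.

```python
import ipaddress

# Constructed routing table modelled on what `ip route` shows once a
# WireGuard tunnel is up: one LAN route, one tunnel route for the VPN's
# private range, and a default route out of the physical NIC.
# Interface names and prefixes are assumptions for this example.
ROUTE_TABLE = [
    ("192.168.1.0/24", "eth0"),   # the local LAN
    ("10.8.0.0/24",    "wg0"),    # the VPN's private address range
    ("0.0.0.0/0",      "eth0"),   # default route: everything else
]

# "Full tunnel" variant (also constructed): the default route points at wg0,
# so only the LAN stays in the clear and all other traffic enters the tunnel.
FULL_TUNNEL_TABLE = [
    ("192.168.1.0/24", "eth0"),
    ("0.0.0.0/0",      "wg0"),
]


def select_interface(dst_ip, routes=ROUTE_TABLE):
    """Return the interface the kernel would pick for dst_ip.

    The rule is longest-prefix match: among all routes whose prefix
    contains the destination, the most specific one (largest prefix
    length) wins. The default route 0.0.0.0/0 matches everything but
    has prefix length 0, so it only wins when nothing else matches.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


def classify(dst_ip, routes=ROUTE_TABLE, tunnel_iface="wg0"):
    """Say whether a packet to dst_ip enters the tunnel or leaves in the clear."""
    return "tunnel" if select_interface(dst_ip, routes) == tunnel_iface else "clear"


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address, i.e. "some Internet host".
    for ip in ("10.8.0.5", "192.168.1.20", "203.0.113.10"):
        print(f"{ip:>15} -> {select_interface(ip)} ({classify(ip)})"
              f"  / full tunnel: {select_interface(ip, FULL_TUNNEL_TABLE)}")
```

With the split table only packets for 10.8.0.0/24 are handed to wg0; with the full-tunnel table the LAN route still wins for 192.168.1.20 because /24 is more specific than /0, and everything else goes into the tunnel. That specificity rule is also why a more specific route added by something else on the host can silently pull traffic out of the tunnel.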

Reading this far, I believe you have enough background that I can start to briefly explain how WireGuard works.

  1. Application Level: An application (e.g., a web browser) generates data, and the operating system builds TCP packets from it.
  2. Networking Stack: The operating system's network stack processes these TCP packets. If the destination IP address belongs to the VPN, the route table says they should go through the WireGuard interface, so the networking stack hands these packets to the WireGuard virtual network interface.
  3. WireGuard Interface: WireGuard picks up the TCP packets from the networking stack and encrypts the entire packet (IP and TCP headers as well as the payload) using its cryptographic algorithms.
  4. Encapsulation: The encrypted packet is then encapsulated within a new UDP packet. This encapsulated packet includes a new UDP header and a WireGuard-specific header.
  5. Internet/Network: The UDP packets travel across the Internet or other networks, passing through various routers and switches. Intermediate network devices treat them as regular UDP packets.

At the receiving side the steps are just the reverse of what I described.
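The five steps above and their reverse on the receiving side, as an added example that is not part of the original post or of WireGuard's own code. The 16-byte header layout follows the whitepaper's transport data message (type 4, three reserved bytes, receiver index, counter, all little-endian); the cipher is a toy SHA-256 keystream with an HMAC tag standing in for WireGuard's ChaCha20-Poly1305, so it shows the shape of encrypt-then-encapsulate and verify-before-decrypt, not a secure implementation. The addresses, ports, session key and payload are constructed sample values, and the TCP checksum is left at zero to keep the block short.

```python
import hashlib
import hmac
import struct

# Layout of a WireGuard transport data message header (whitepaper, "Transport
# Data Messages"): 1-byte type (4), 3 reserved bytes, 4-byte receiver index,
# 8-byte nonce counter, all little-endian. Everything after it is ciphertext.
WG_TRANSPORT_DATA = 4
HEADER_FMT = "<B3sIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16


def ipv4_checksum(header):
    """One's-complement checksum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal IPv4+TCP packet: what the network stack hands to wg0.

    Constructed sample values throughout; the TCP checksum is left as zero.
    """
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def _subkey(key, label):
    return hashlib.sha256(key + label).digest()


def _keystream(enc_key, counter, length):
    """Toy counter-mode keystream: SHA-256(key || counter || block). Stands in
    for ChaCha20; a counter must never repeat under one key, as in WireGuard."""
    blocks = b"".join(hashlib.sha256(enc_key + struct.pack("<QQ", counter, i)).digest()
                      for i in range((length + 31) // 32))
    return blocks[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(key, receiver_index, counter, inner_packet):
    """Steps 3 and 4: encrypt the whole inner packet and prepend the WireGuard
    header. The result is the UDP payload; the kernel adds the outer UDP/IP
    headers when the datagram is sent (step 5)."""
    header = struct.pack(HEADER_FMT, WG_TRANSPORT_DATA, b"\x00" * 3, receiver_index, counter)
    ciphertext = _xor(inner_packet, _keystream(_subkey(key, b"enc"), counter, len(inner_packet)))
    tag = hmac.new(_subkey(key, b"mac"), header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def decapsulate(key, datagram):
    """Receiving side, the steps in reverse: verify the tag before touching the
    ciphertext, then decrypt and hand the inner packet back to the network stack.
    Returns None for anything that is not an intact message under this key."""
    if len(datagram) < HEADER_LEN + TAG_LEN:
        return None
    header = datagram[:HEADER_LEN]
    ciphertext, tag = datagram[HEADER_LEN:-TAG_LEN], datagram[-TAG_LEN:]
    msg_type, _, _, counter = struct.unpack(HEADER_FMT, header)
    if msg_type != WG_TRANSPORT_DATA:
        return None
    expected = hmac.new(_subkey(key, b"mac"), header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ciphertext, _keystream(_subkey(key, b"enc"), counter, len(ciphertext)))


def what_the_network_sees(datagram):
    """A router on the path sees a UDP payload: the plaintext header fields plus
    opaque bytes. Inner addresses, ports and data are not recoverable from it."""
    msg_type, _, receiver_index, counter = struct.unpack_from(HEADER_FMT, datagram)
    return {"type": msg_type, "receiver_index": receiver_index, "counter": counter,
            "opaque_bytes": len(datagram) - HEADER_LEN}


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample session key
    inner = build_inner_packet("10.8.0.2", "10.8.0.1", 51000, 443, b"GET / HTTP/1.1\r\n")
    wire = encapsulate(key, receiver_index=7, counter=1, inner_packet=inner)
    print("on the wire:", what_the_network_sees(wire))
    print("round trip ok:", decapsulate(key, wire) == inner)
    print("tampered rejected:", decapsulate(key, wire[:-1] + bytes([wire[-1] ^ 1])) is None)
```

Two things worth noticing from running it: what stays visible to the routers in step 5 is only the message type, the receiver index and the counter, while everything from the inner IP header onward is opaque; and the receiver checks the tag before decrypting, so a datagram that was modified in transit or produced under a different key is dropped rather than handed to the network stack.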

So now you have the answer to what it means to send a TCP request over UDP, and a small part of how to do it.

One more thing I learnt on this journey is TCP meltdown, which happens when you send TCP over TCP. That's why UDP is the best choice in the case of WireGuard: with a stateless UDP outer layer, only the inner TCP connection retransmits and backs off, instead of two TCP layers reacting to the same loss.

References

  1. https://nsl.cz/using-tun-tap-in-go-or-how-to-write-vpn/
  2. https://taoshu.in/go/simple-vpn.html
  3. https://www.gabriel.urdhr.fr/2021/05/08/tuntap/
  4. https://fzakaria.com/2020/09/20/vpns-from-first-principles.html