# WireGuard

[WireGuard](https://wireguard.io) is a modern VPN released for the Linux kernel that can replace IPsec. We can use WireGuard in Moby to better secure container networking.

WireGuard transparently encrypts *and* authenticates traffic between all peers, and uses state-of-the-art cryptography from the [Noise protocol](http://www.noiseprotocol.org/). It is implemented in under a few thousand lines of code, making it auditable for security. WireGuard also provides a `wg0` (`wg1`, `wg2`, etc.) network interface that can be passed directly to containers, so that all inter-container traffic benefits from encrypted and authenticated networking.

A full technical paper from NDSS 2017 is available [here](https://www.wireguard.io/papers/wireguard.pdf).

## Contents

### Kernel Patches

This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel. This kernel is built into the `mobylinux/kernel-wireguard` image, which is generated by `cd kernel-wireguard && make`. WireGuard can also be included as a kernel module.

### Userspace Tools

This project embeds the `wireguard-tools` package in the userspace image. This is built into the `mobylinux/init-wireguard` image, which is generated by `cd init-wireguard && make`.

## Quickstart

The quickest way to get started is to use the provided `examples/wireguard.yml` in this directory together with the prebuilt images.

To give WireGuard a spin, the [official quick start](https://www.wireguard.io/quickstart/) is a good way to get going. For containers, WireGuard has a [network namespace integration](https://www.wireguard.io/netns/) that we could use for Moby's containers.
## Roadmap

**Near-term:**

- move `wireguard-tools` out of the init image (along with any other tools)
- decide between carrying the WireGuard patches in our kernel tree or using a module

**Long-term:**

- We have yet to determine the best way to integrate WireGuard into Moby: at the node level or with service-level isolation.
  - Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
  - Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the WireGuard interface

*Service level*: one proposal is to use WireGuard between container network [`links`](https://docs.docker.com/compose/networking/#links). This is a natural fit because WireGuard associates public keys with IP addresses: a docker-compose link would simply need a reference to a key in addition to the existing IP address info for this to work. However, there are some open questions:

- `containerd` does not intend to support networks, according to its roadmap
- `links` are not currently supported on swarm stack deploys
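As an added illustration of the key-to-address association the service-level proposal relies on, and of the network namespace hand-off mentioned in the Quickstart (example code written here, not part of this project): the first function renders a `wg setconf` style config that pins one peer's public key to exactly one container address, the second checks that no peer was given a wider `AllowedIPs` range than its own `/32`, and the third moves the resulting interface into a container's network namespace. The key strings, addresses and namespace name are constructed placeholders; `attach_wg_to_netns` needs root, the WireGuard kernel module and `wireguard-tools`.

```shell
#!/bin/sh
# Added example for the Moby WireGuard README. Keys and addresses below are
# placeholders; real keys come from `wg genkey` / `wg pubkey`.

# render_wg_conf PRIVATE_KEY LISTEN_PORT PEER_PUBKEY PEER_IP PEER_ENDPOINT
# Emits a wg(8) setconf-style config. AllowedIPs is forced to a /32 so the
# peer's key may only send and receive traffic as exactly that container IP,
# which is the key <-> IP binding a link entry would have to carry.
render_wg_conf() {
    priv="$1"; port="$2"; peer_pub="$3"; peer_ip="$4"; endpoint="$5"
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\n\n' "$priv" "$port"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\nEndpoint = %s\n' \
        "$peer_pub" "$peer_ip" "$endpoint"
}

# check_conf_allowed_ips FILE
# Returns 0 only if the config has at least one peer and every AllowedIPs
# entry is a single /32 host. A wider range would let one peer key claim
# traffic for other containers' addresses.
check_conf_allowed_ips() {
    if grep -E '^AllowedIPs' "$1" | grep -vqE '= [0-9.]+/32$'; then
        return 1
    fi
    grep -qE '^AllowedIPs' "$1"
}

# attach_wg_to_netns NS CONF_FILE ADDRESS/PREFIX
# Creates wg0 in the host namespace, loads the config, then moves the
# interface into network namespace NS (the container's). The encrypted UDP
# socket stays in the namespace where wg0 was created, so the container only
# ever sees plaintext on wg0 and has no path to the underlay. Not run by the
# test below: requires root, the kernel module and wireguard-tools.
attach_wg_to_netns() {
    ns="$1"; conf="$2"; addr="$3"
    ip link add wg0 type wireguard
    wg setconf wg0 "$conf"
    ip link set wg0 netns "$ns"
    ip -n "$ns" addr add "$addr" dev wg0
    ip -n "$ns" link set wg0 up
}

# Stand-alone demo: print a config for one peer (placeholder values).
render_wg_conf 'HOST_PRIVATE_KEY_PLACEHOLDER' 51820 \
    'PEER_PUBLIC_KEY_PLACEHOLDER' 10.0.0.2 '192.0.2.10:51820'
```

To use it for real, generate keys with `wg genkey | tee host.key | wg pubkey`, write the rendered config to a file, and pass that file plus the container's netns name to `attach_wg_to_netns`.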