What Is Cryptokey Routing in Wireguard?

published
August 17, 2024
TABLE OF CONTENTS
Build Your Dream Network Architecture
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.

Cryptokey routing is a unique approach to managing network traffic that works by associating public keys with a list of tunnel IP addresses allowed inside the tunnel. A core concept of the WireGuard VPN framework, it is a way to define who can send and receive data in an encrypted network. 

How cryptokey routing works

With cryptokey routing, each network interface has a private key and a list of peers. Each peer has a public key. The public keys are short, simple, and used to authenticate each other. You can pass them around in configuration files like you would with SSH keys.

For instance, on a server computer, the configuration might look like this:

‍

And a client computer might have this simpler configuration:

‍

In the server configuration, each peer (a client) can send packets to the network interface with a source IP matching their allowed IPs. 

For example, when a packet is received by the server from peer `gN65BkIK...`, it is decrypted and authenticated. If its source IP is `10.10.10.230`, it's allowed onto the interface; otherwise, it's dropped.

On the other hand, when the server wants to send a packet to a peer, it looks at the destination IP and compares it to each peer's list of allowed IPs. 

For instance, if the interface wants to send a packet with a destination IP of `10.10.10.230`, it encrypts it using the public key of peer `gN65BkIK...` and sends it to that peer's most recent Internet endpoint.

In the client configuration, its single peer (the server) can send packets to the network interface with any source IP since `0.0.0.0/0` is a wildcard. 

So, when a packet is received from peer `HIgo9xNz...`, it decrypts and authenticates it correctly with any source IP, then it's allowed onto the interface; otherwise, it's dropped.

Similarly, when the client wants to send a packet to its single peer (the server), it encrypts packets with any destination IP address using the public key of `HIgo9xNz...` and then sends it to the peer's most recent Internet endpoint.

In essence, when sending packets, the list of allowed IPs behaves like a routing table. When receiving packets, the list of allowed IPs acts as an access control list. This is what we call a cryptokey routing table - the simple association of public keys and allowed IPs.

Because all packets sent on the WireGuard interface are encrypted and authenticated, and because there's a tight coupling between the identity of a peer and the allowed IP address of the peer, system administrators don't need complicated firewall extensions. 

Administrators can match on "is it from this IP? on this interface?" and be assured it's a secure and authentic packet. This simplifies network management and access control, ensuring that your iptables rules do what you intend them to do.

What are the main benefits of cryptokey routing?

Cryptokey routing simplifies traffic management by embedding keys directly into the routing process. For instance, let's consider a scenario where you have several departments in a company, each needing different levels of access to resources. 

With cryptokey routing, you can assign unique cryptographic keys to each department. When a data packet is sent, it includes the appropriate key, which the receiving router checks before granting access. This way, only those with the correct key can access specific network segments.

Another example involves secure communication between remote offices. Traditional VPN solutions can be complex and slow. With cryptokey routing, the encryption keys become part of the routing protocol, streamlining the connection setup. 

If an office in New York needs to communicate with one in San Francisco, they can use keys that ensure their traffic routes securely over the internet without the cumbersome setup of a conventional VPN.

What's particularly appealing about cryptokey routing is its adaptability. Whether you're scaling up your network or integrating new technologies, this method adjusts without significant overhauls. 

For example, if a new department is added or a satellite office comes online, you just issue new cryptographic keys corresponding to their access needs. The network adapts without requiring fundamental changes to its infrastructure.

In practical applications, companies like Google have employed similar strategies in their BeyondCorp initiative, where access is based on user and device credentials rather than the traditional network perimeter.

This approach echoes the principles of cryptokey routing by ensuring that only authenticated devices with the correct keys can access resources.

Overall, cryptokey routing offers a robust, flexible solution for managing secure network access. It integrates encryption with routing, providing a seamless way to safeguard data and control access across complex networks.

Cryptokey generation and management

Each device, also known as a peer, in a WireGuard network has a pair of keys: a private key and a public key. You can think of these like a lock and key combination, but way more sophisticated. 

The private key is your secret. It's something that you keep to yourself and never share. The public key, on the other hand, is something you give out to other peers you want to communicate with.

Here’s a simple example. Imagine you have a server and a client. The server generates its own private key and public key. The same thing happens on the client side. 

Now, the server takes its public key and shares it with the client. Similarly, the client shares its public key with the server. This exchange is crucial because it sets up the foundation for an encrypted and secure communication channel.

But how do we generate these keys? It’s super easy with WireGuard. For instance, on a Linux machine you can generate a key pair with a simple command:

‍

Run that, and you’ve got yourself a private key and a public key. The private key is stored in the file `private key` and the public key in the file `public key`. It’s straightforward but powerful.

Once you have these keys, you configure your WireGuard interface. Here’s where the magic of cryptokey routing shows. Let’s use the server and client example again. On the server, you’d configure your WireGuard interface with something like:

‍

This snippet defines the server's interface and lays out rules for accepting traffic from a specific client. It specifies that only traffic from the IP `10.0.0.2`—which is associated with the client’s public key—will be accepted.

And on the client side, it would look like this:

‍

This defines the client's interface and its permissions for connecting to the server. It ensures that the client knows where to send its encrypted data, targeting only the specified server’s IP and port.

So, with these keypairs and the allowed IP configurations, WireGuard sets up secure, encrypted tunnels between peers. It’s like constructing a secret highway that only you and your trusted contacts can use.

Managing these keys is crucial to ensuring secure and seamless communication. Each peer holds onto its private key tightly while freely sharing the public key only with trusted peers. 

This system of cryptokey routing ensures that any data transmitted over the network can only be decrypted by the intended recipient, keeping your communications safe and private.

Types of cryptographic keys

Cryptographic keys can be divided into several categories, each serving a unique purpose. Let’s look at them individually:

Encryption keys

When you encrypt data, you’re essentially scrambling it so that it can’t be read without a special key. For symmetric encryption, this key is the same for both encrypting and decrypting. Common symmetric algorithms include 3DES and AES. These keys are typically shorter-lived and must be kept secret.

Asymmetric encryption keys

This one uses a pair of keys: one public and one private. The public key can be shared with anyone, but the private key must remain confidential. 

This is akin to a mailbox where anyone can drop a letter (using the public key), but only you can open it (with your private key). RSA is a well-known asymmetric encryption algorithm, using key lengths ranging from 1024 to 4096 bits.

Digital signature keys

These are used to sign data, ensuring its authenticity and integrity. Think of it as sealing a letter with a unique wax seal that only you possess. 

If someone opens the letter, they can see the seal and know it came from you. The signing process uses a private key, while verification uses a public key. Here too, RSA is commonly employed, alongside ECDSA.

Key Encryption Key (KEK)

Sometimes called a Key Wrapping Key or Key Transport Key, this key's job is to securely transfer other keys from one place to another. It’s like securely packing a smaller key in a lockbox, which you then send through the mail. 

Only the recipient with the right lockbox key can access the smaller key inside. KEKs usually have a long lifetime and are vital for updating keys without exposing them to threats.

Master keys

Used for encrypting multiple subordinate keys, master keys usually reside within a hardware security module (HSM) to offer added protection. 

Picture master keys as a secure vault that holds several smaller keys. These master keys need to be extremely secure because they grant access to many other keys.

Root key

This key sits at the very top of a Public Key Infrastructure (PKI) hierarchy. It’s like the head key for authenticating and signing digital certificates, ensuring the authenticity of other keys in the system. 

Root keys are usually highly protected and have a long lifespan, often secured by an HSM.

Cryptokey routing ensures that each key is used appropriately, whether it’s encrypting data, signing documents, or transporting other keys. This organized approach helps maintain security and efficiency in a cryptographic system.

How the encryption and decryption processes work with cryptokey routing

To better understand how cryptokey routing works, we need to start with encryption and decryption. Encryption is the process of converting a readable message into an unreadable format. 

This unreadable format, called ciphertext, ensures that unauthorized parties can't read the information. Conversely, decryption converts this ciphertext back into its original readable format, known as plaintext.

In the context of cryptokey routing, both encryption and decryption are achieved by using keys. Think of these keys as secret codes that only the sender and receiver know. 

The sender uses a public key to encrypt the data, which then travels securely over the network. The receiver, using a corresponding private key, decrypts this data to read the original message. 

For example, if you are sending someone a secure file, you would use your public key to encrypt it. When you receive the file, you'd use your private key to decrypt it and read its contents.

WireGuard employs both shared key and public key encryption to secure network traffic. Shared key encryption uses a single key for both encryption and decryption. 

If you have a secret key, which you share with someone, you use it to encode your messages. You also use the same key to decode the messages. However, this method requires you to keep the key secret from everyone else.

Public key encryption adds a layer of complexity and security by using two keys: a public key that anyone can know and a private key that remains secret. When you want to send someone a message, you use your public key to encrypt it. Only your private key can decrypt this message, ensuring that only you can read it.

WireGuard uses a technique called cryptokey routing to manage these keys and routes. Each device in the network has a private key and a list of public keys of other trusted devices. 

This setup ensures that data packets are encrypted and can only be decrypted by the intended recipient. For instance, if a packet arrives from a specific peer, WireGuard checks the source IP against a list of allowed IPs linked to that peer's public key. If there's a match, the packet is accepted; if not, it's dropped.

This system acts like a combination of a routing table and an access control list. It directs traffic securely between peers and blocks unauthorized access.

One of the standout features of cryptokey routing is its simplicity and efficiency. Traditional VPN technologies often require complex setups and numerous firewall rules. 

In contrast, WireGuard simplifies these tasks, making it easier to manage network security policies. This approach is not only secure but also user-friendly, making it suitable for both small and large networks.

In essence, cryptokey routing in WireGuard ensures that only authorized devices can communicate over encrypted channels. Each device authenticates the identity of others using cryptographic keys, maintaining the confidentiality and integrity of the data transmitted across the network. Using this method, WireGuard offers a straightforward yet robust solution for managing encrypted network traffic.

Data packet encryption

In the cryptokey routing approach, each data packet is encrypted using a cryptographic key that corresponds to a specific route or path within the network. The routing information, embedded within the packet, is also encrypted. 

As the packet travels through the network, only nodes or routers that possess the appropriate cryptographic key can decrypt the routing information and forward the packet to the next hop. This ensures that the packet is securely routed and protected from unauthorized access.

By using cryptokey routing, data packets are protected from eavesdropping and tampering at multiple levels. Even if an attacker intercepts the packet, they cannot access the routing information or the data without the correct cryptographic keys. 

This method also enhances network security by ensuring that only authorized devices can participate in the routing process, reducing the risk of malicious routing attacks. 

Additionally, cryptokey routing supports secure, end-to-end communication, making it an effective solution for sensitive or mission-critical data transmissions.

Decryption at the destination node

When data reaches the destination node in a WireGuard setup, decryption is straightforward but essential. Here’s how it works: 

Picture two devices, A and B. Device A sends an encrypted packet to Device B. Device B recognizes the packet because it's addressed to an IP in its “allowed IPs” list. This list is like a guest list for a party; only those on the list get in.

Device B uses its private key to decrypt the packet. For instance, if Device A's public key and the associated IP address match an entry in Device B's configuration, the packet is accepted. 

Device B then uses its private key to decrypt the packet and read the data. It’s like B opening that locked box with its private key to read the message inside.

If Device B tries to open a packet not meant for it, the decryption fails. The packet is discarded, much like a bouncer turning away someone not on the guest list.

Let’s say you have a server acting as Device B. It receives a packet from Device A. Before forwarding this packet to its final destination within the network, it checks the packet’s source against its list of allowed IP addresses. This list is paired with the public keys of trusted peers. If there’s a match, Device B decrypts the packet and sends it along.

Each packet in WireGuard is a securely locked box, and decoding it is like opening that box with a specific key. This ensures that only the intended recipient can access the data, maintaining the confidentiality and integrity of the communication.

Maintaining and updating routing tables

Maintaining and updating routing tables with cryptokey routing is like maintaining a really good to-do list—only the tasks (or data packets) that are on the list (or allowed IPs) get checked off (or routed).

Firstly, each peer in the WireGuard setup has a private key paired with a list of trusted public keys from other peers. These public keys are associated with specific IP addresses or networks. 

Picture it like a keychain where each key only opens specific doors. When a data packet is sent, it's encrypted with the recipient's public key. Only the corresponding private key can decrypt it, ensuring the right person accesses the data.

For instance, imagine you have a server that needs to communicate with several clients. Each client is identified by its unique public key, and you have a list of these keys along with their allowed IP ranges. 

When a packet arrives at your server, WireGuard checks the source IP against this list. If the source IP matches one linked to a known public key, the packet is accepted. If not, it's dropped.

Now, let's talk about updating this "VIP list" of routing tables. Whenever a new peer joins the network or an existing peer's IP range changes, we update the routing table. This ensures that only authorized peers can communicate through the tunnel, maintaining the network’s confidentiality and integrity.

To give a concrete example, suppose a new client needs access to the network. You'll obtain its public key and assign it an IP range. This key and IP range are then added to the routing tables of all relevant peers. This way, when the new client sends data, the pre-existing peers recognize it as legitimate and allow the packets to pass through.

Maintaining the routing tables frequently is key. For instance, if an IP range associated with a public key changes, updating the table ensures the peer can still communicate without interruption. Without updating, the old keys wouldn’t work, and essential communication could be cut off.

So, keeping these tables up-to-date means you regularly review and adjust the allowed IPs for each public key. This constant vigilance ensures that your network remains secure, and only trusted peers have access to your encrypted tunnels. This effortless yet robust security management is what makes cryptokey routing in WireGuard both practical and powerful.

The role of cryptographic keys in routing decisions

Imagine you and a colleague are both part of a network. Each of you has a unique pair of keys: a public key and a private key. Whenever you send a data packet to your colleague, you encrypt it using your public key. 

Only your private key can decrypt the data packet. This ensures that the packet remains confidential and its integrity is maintained during transit.

WireGuard takes this a step further. Each device in the network holds a list of public keys belonging to the peers it trusts. Alongside these keys, it has a predefined list of IP addresses associated with each key. This setup determines which traffic can travel through the encrypted tunnel.

One application of this is in remote access scenarios. If you're connecting to your office network from home, your device will have the office server's public key and vice versa. This ensures that only your authorized device can communicate with the office network securely.

The simplicity of this approach is a major advantage. Unlike traditional VPNs that rely on complex configurations and multiple firewall rules, WireGuard's use of cryptographic keys makes everything straightforward. You’re either on the list with the right key, or you’re not. This not only enhances security but also eases the management of network policies.

Build Your Dream Network Architecture
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.
More posts

GET STARTED

A WireGuard® VPN that connects machines securely, wherever they are.
Star us on GitHub
Can we use Cookies?  (see  Privacy Policy).