WireGuard Listeners

WireGuard Listeners are specialized Listeners that implement the WireGuard encryption protocol, providing secure, authenticated communication channels between your clients and AWS resources. Unlike standard UDP Listeners that forward raw packets, WireGuard Listeners handle the WireGuard handshake and transport encryption, then deliver the unencapsulated payload data to your configured destinations.

Background: What is WireGuard?

WireGuard is a modern, high-performance encryption protocol that uses state-of-the-art cryptography. Originally developed for the Linux kernel and commonly used for VPN implementations, WireGuard is now available across all major platforms including Windows, macOS, iOS, and Android. It's designed to be simpler, faster, and more secure than traditional protocols like OpenVPN or IPSec.

Key advantages of WireGuard include:

Simplicity - Minimal codebase with fewer attack vectors
Performance - Significantly faster than other encryption protocols
Modern cryptography - Uses ChaCha20, Poly1305, Curve25519, and BLAKE2s
Battery efficiency - Optimal for mobile and IoT devices
Stateless design - Resilient to network changes and interruptions

How WireGuard Listeners Work

When you create a WireGuard Listener, Proxylity provides the same infrastructure benefits as standard Listeners while adding WireGuard protocol support:

A domain name - One of Proxylity's ingress domains for your WireGuard endpoint
A port number - A dedicated UDP port for WireGuard traffic (typically UDP/51820)
Static anycast IP addresses - Global distribution for optimal connectivity
Public key - The Listener's WireGuard public key for client configuration
Private key management - Secure handling of cryptographic keys in AWS

WireGuard Listeners establish encrypted connections with authenticated clients and forward the decrypted payload data to your configured Destinations. This allows you to process the actual application data rather than encrypted WireGuard packets. Whether that payload is raw application data from custom clients or encapsulated IP packets from WireGuard VPN clients is entirely up to your implementation.

WireGuard vs UDP Listeners

Feature	UDP Listeners	WireGuard Listeners
Security	Transport-level (client must implement encryption)	End-to-end encrypted with authentication
Client Setup	Simple socket connection	WireGuard client configuration required
Protocol Support	UDP packets only	Any payload data (encrypted via WireGuard)
NAT Traversal	Client responsibility	Built-in NAT traversal and roaming
Use Cases	IoT telemetry, gaming, real-time data	Secure custom protocols, encrypted data channels

WireGuard Listener Configuration

WireGuard listeners in Proxylity UDP Gateway provide encrypted communication channels using the WireGuard protocol. The system automatically generates WireGuard keys and handles peer authentication.

Basic Configuration

WireGuardListener:
  Type: Custom::ProxylityUdpGatewayListener
  Properties:
    Name: my-wireguard-listener
    Description: "WireGuard encrypted endpoint"
    ...
    Protocols:
      - "wg"
    Peers:
      - PublicKey: "client1_base64_public_key_here"
        AllowedIPs: 
          - "10.0.0.2/32"
          - "10.0.1.0/24"
      - PublicKey: "client2_base64_public_key_here"
        AllowedIPs:
          - "10.0.0.3/32"
        SharedSecret: "optional_base64_shared_secret"
    ClientRestrictions:
      Networks:
        - "203.0.113.0/24"
        - "198.51.100.0/24"
    Destinations:
      - Name: wireguard-handler
        DestinationArn: !GetAtt WireGuardLambda.Arn
        Role:
          Arn: !GetAtt ProxylityRole.Arn
        Batching:
          Count: 10
          TimeoutInSeconds: 0.5

Key Properties

Protocol - Must be set to "wg" for WireGuard listeners
Peers - Array of WireGuard peer configurations
- PublicKey - Base64-encoded 32-byte WireGuard public key (required)
- AllowedIPs - Array of CIDR blocks allowed for this peer (optional)
- SharedSecret - Base64-encoded 32-byte pre-shared key for additional security (optional)

Retrieving the Server Public Key

The listener automatically generates a WireGuard key pair. Access the public key using CloudFormation attributes:

Outputs:
  WireGuardServerPublicKey:
    Description: "WireGuard server public key for client configuration"
    Value: !GetAtt WireGuardListener.WireGuardPublicKey
    Export:
      Name: !Sub "${AWS::StackName}-WireGuardPublicKey"

Client Configuration Options

WireGuard Listeners can work with different types of clients:

Custom Applications

You can build custom applications that use the WireGuard encryption protocol to send arbitrary payload data securely. These applications would handle the WireGuard handshake and encryption, then send your custom data format through the encrypted channel.

WireGuard VPN Clients

Standard WireGuard VPN clients can also connect to WireGuard Listeners. In this case, the clients send encapsulated IP packets, and your destinations receive the inner IP packet data. You can then process these packets according to your application's needs - you might extract HTTP requests, DNS queries, or any other IP-based protocol.

Once your WireGuard Listener is configured, here's how to set up various types of clients:

WireGuard VPN Client Configuration File Format

If you're using standard WireGuard VPN clients, they use a simple INI-style configuration format:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.0.0.2/32

[Peer]
PublicKey = LISTENER_PUBLIC_KEY_HERE
Endpoint = your-listener.proxylity.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Configuration Parameters Explained

PrivateKey - The client's private key (generate with wg genkey)
Address - The client's IP address for peer identification
PublicKey - Your WireGuard Listener's public key
Endpoint - Your Listener's domain name and port
AllowedIPs - Which traffic to send through WireGuard (0.0.0.0/0 for all traffic)
PersistentKeepalive - Keepalive interval for NAT traversal

Platform-Specific VPN Client Setup

Linux

# Install WireGuard
sudo apt update && sudo apt install wireguard

# Save configuration to /etc/wireguard/proxylity.conf
sudo wg-quick up proxylity

# Auto-start on boot
sudo systemctl enable wg-quick@proxylity

Windows/macOS/Mobile

Use the official WireGuard VPN applications:

Windows - WireGuard for Windows
macOS - WireGuard app from the Mac App Store
iOS - WireGuard app from the App Store
Android - WireGuard app from Google Play Store

Traffic Flow and Destinations

When a client sends data through a WireGuard connection:

Client encrypts and sends data to the WireGuard Listener
Listener authenticates and decrypts the traffic
Raw payload data is extracted and forwarded to your configured Destinations
Response traffic flows back through the encrypted connection to the client

WireGuard Listeners support the same Destinations as UDP Listeners, but with additional context:

Peer identification - Which WireGuard peer sent the data
Authentication status - Confirmation that data came from an authorized peer
Payload format - Raw application data or encapsulated IP packets, depending on your client

If you're using WireGuard VPN clients, your destinations will receive the inner IP packet data. You can then parse and process these packets according to your application's needs - extracting HTTP requests, DNS queries, or any other protocol data you need.

Security Considerations

WireGuard Listeners provide robust security, but proper configuration is essential:

Key Management

Generate strong private keys using wg genkey
Never share private keys between clients
Rotate keys periodically for maximum security
Store client private keys securely

Network Isolation

Use unique IP ranges for different environments
Configure AllowedIPs restrictively when possible
Implement proper routing controls in your AWS resources
Monitor traffic patterns for anomalies

Client Restrictions

WireGuard Listeners support the same Client Restrictions as other Listeners, applying to the outer WireGuard protocol traffic. Additional security is provided by:

Cryptographic authentication of all peers
Automatic rejection of unknown public keys
Perfect forward secrecy for all communications

Use Cases for WireGuard Listeners

Secure Custom Protocols

Build applications that need encrypted, authenticated communication:

Custom IoT protocols with built-in security
Proprietary data exchange formats
Secure API communication channels

Encrypted Data Channels

Leverage WireGuard's encryption for secure data transmission:

Financial data with compliance requirements
Healthcare information requiring HIPAA protection
Sensitive business intelligence data

VPN-like Functionality (When Needed)

If you do need VPN capabilities, you can implement them selectively:

Process only the IP protocols you need (HTTP, DNS, etc.)
Implement custom routing logic in your destinations
Apply fine-grained security policies per protocol
Log and analyze traffic patterns for specific use cases

Performance and Monitoring

WireGuard Listeners provide excellent performance characteristics:

Low latency - Minimal encryption overhead
High throughput - Efficient kernel-space implementation
Battery friendly - Optimized for mobile devices
Roaming support - Seamless handoffs between networks

Monitor your WireGuard Listeners through:

Connection metrics and peer statistics
Bandwidth utilization per peer
Authentication success/failure rates
Standard Destination metrics

Managing WireGuard Listeners

Like all Listeners, WireGuard Listeners can be managed through:

Infrastructure as Code (Recommended)

Use AWS CloudFormation with Proxylity's custom resource types. WireGuard-specific parameters include:

Network CIDR and IP assignments
Peer public key configurations
Routing and AllowedIPs settings
DNS and keepalive parameters

Dashboard

The Proxylity Dashboard provides WireGuard-specific management features:

Peer status and connection history
Configuration file generation for VPN clients
QR codes for mobile device setup (when using VPN clients)
Real-time traffic monitoring
Payload analysis tools

WireGuard vs Traditional VPN Solutions

WireGuard Listeners offer a different approach compared to traditional VPN solutions:

Advantages of WireGuard Listeners

Flexibility - Process only the data you need, not full network routing
Security granularity - Apply AWS security policies at the application level
Scalability - Leverage AWS's scalable infrastructure
Integration - Native integration with other AWS services
Custom processing - Build exactly the functionality you need

When to Use Each Approach

WireGuard Listeners - When you need encrypted data transport with custom processing
Traditional VPN - When you need full network-level routing and transparent client access
Hybrid - Use both: VPN clients sending data through WireGuard Listeners for the best of both worlds

Migration from UDP to WireGuard

If you're considering migrating from UDP Listeners to WireGuard Listeners:

Benefits of Migration

Enhanced security with encryption and authentication
Better NAT traversal and roaming capabilities
Authenticated peer identification
Protection against replay attacks and tampering

Migration Considerations

Client applications need modification to implement WireGuard protocol
Additional configuration complexity for peer management
Key management and distribution requirements
Potential performance differences (usually improved, but test for your use case)

Both approaches can coexist, allowing gradual migration or hybrid deployments. You might use UDP Listeners for high-frequency, low-latency data where encryption isn't critical, and WireGuard Listeners for sensitive or authenticated communication channels.