# WireGuard

[**WireGuard**](https://www.wireguard.com/) connections have the same features as an [**OpenVPN**](https://openvpn.net/) connection. This includes:

* Client automatic failover (approximately 13 seconds after server failure)
* Replicated servers
* Client to client traffic across replicated servers
* Static client IP addresses
* NAT and non-NAT routing configurations
* All secondary authentication methods
* Client port forwarding
* Client DNS mapping
* Automatic client DNS configuration
* Routed client network links, also known as an iroute
* IPv6 support
* Client access to linked servers (site-to-site link connections will continue to use [**OpenVPN**](https://openvpn.net/))

### Authentication

[**WireGuard**](https://www.wireguard.com/) authentication in Pritunl utilizes keys already in the client profile. This allows transitioning to [**WireGuard**](https://www.wireguard.com/) without requiring users to re-import their profile. Many administrators do not configure a valid HTTPS certificate and HTTPS is not relied on or required to provide secure authentication. Authentication is done with three keys providing multiple layers of encryption and authorization.

* **Client SHA512-HMAC Key (Authorization)**\
  The client will use a SHA512-HMAC secret to sign each connection request. The server will also use this secret to sign the response allowing the client to verify the connection response. This is the same authentication system used to authorize the client configuration sync which syncs profile configuration changes such as host addresses and server port changes (private keys are never synced).
* **Client/Server NaCl Asymmetric Key (Authorization + Encryption)**\
  The client utilizes a [**NaCl**](https://en.wikipedia.org/wiki/NaCl_\(software\)) public key for the server that is included in the client profile. This provides asymmetric encryption of the connection request from the client to the server. The server will encrypt the response with the client's [**NaCl**](https://en.wikipedia.org/wiki/NaCl_\(software\)) public key, providing encryption of the response. The client will also verify the server response using the server's [**NaCl**](https://en.wikipedia.org/wiki/NaCl_\(software\)) public key. This is the same authentication system used to provide the additional layer of encryption and authorization available in [**OpenVPN**](https://openvpn.net/) connections with passwords and two-factor codes.
* **Client RSA-4096 Asymmetric Key (Authorization)**\
  The client's RSA certificate and key are used to sign each connection request. The server will use this to verify the client connection request. This is the same certificate used to verify [**OpenVPN**](https://openvpn.net/) connections.

Each [**WireGuard**](https://www.wireguard.com/) connection uses a new [**WireGuard**](https://www.wireguard.com/) key. This is done to provide the highest level of security but it will delay network connectivity when the user returns to a computer that has been asleep. The [**WireGuard**](https://www.wireguard.com/) private key is stored in the memory of the Pritunl client background service and also in the [**WireGuard**](https://www.wireguard.com/) configuration file. [**WireGuard**](https://www.wireguard.com/) uses a connection-less design and this private key could be used by an attacker to hijack the connection even if multi-factor authentication is used. In high security environments it is important to consider that [**OpenVPN**](https://openvpn.net/) connections with multi-factor authentication will not have these weaknesses. For this reason the server will quickly revoke [**WireGuard**](https://www.wireguard.com/) keys of inactive clients to limit the possibility of this occurring. The server will also validate that keys are not reused.
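The following is an added illustration, not Pritunl's own code or wire format, of the two server-side checks described above for the first key layer: a SHA512-HMAC signature over each connection request that the server verifies and then reuses to sign its response, and rejection of a WireGuard public key that has already been presented. The nonce, the timestamp window (`REQUEST_MAX_AGE`), the JSON field names and the demo key strings are all assumptions made for the example; the NaCl and RSA layers are not shown.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret: a real profile carries its own per-client HMAC secret.
DEMO_HMAC_SECRET = secrets.token_bytes(32)
# Constructed stand-ins for WireGuard public keys (real ones are 32-byte Curve25519 keys).
DEMO_WG_KEY_A = "demo-wg-key-A"
DEMO_WG_KEY_B = "demo-wg-key-B"

REQUEST_MAX_AGE = 60  # seconds; an assumed freshness window, not a documented Pritunl value


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so client and server sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, payload: dict) -> str:
    """SHA512-HMAC over the canonical payload, hex-encoded."""
    return hmac.new(secret, canonical(payload), hashlib.sha512).hexdigest()


def build_request(secret: bytes, wg_public_key: str, now: float) -> tuple:
    """Client side: the request carries a fresh nonce, a timestamp and the new WireGuard key."""
    payload = {
        "nonce": secrets.token_hex(16),
        "timestamp": now,
        "wg_public_key": wg_public_key,
    }
    return payload, sign(secret, payload)


class AuthServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces = set()     # rejects a replayed request
        self.issued_wg_keys = set()  # enforces one-time WireGuard keys

    def handle_request(self, payload: dict, signature: str, now: float):
        """Returns (response, response_signature) on success, or (None, reason)."""
        # Constant-time comparison so the MAC check does not leak timing information.
        if not hmac.compare_digest(sign(self.secret, payload), signature):
            return None, "bad signature"
        if abs(now - payload["timestamp"]) > REQUEST_MAX_AGE:
            return None, "stale request"
        if payload["nonce"] in self.seen_nonces:
            return None, "replayed nonce"
        if payload["wg_public_key"] in self.issued_wg_keys:
            return None, "wireguard key reuse"
        self.seen_nonces.add(payload["nonce"])
        self.issued_wg_keys.add(payload["wg_public_key"])
        # Echo the nonce so the client can bind this response to its own request.
        response = {"status": "ok", "nonce": payload["nonce"]}
        return response, sign(self.secret, response)


def verify_response(secret: bytes, request: dict, response, signature: str) -> bool:
    """Client side: the response must carry a valid MAC under the shared secret
    and echo the nonce of the request it answers."""
    if response is None:
        return False
    if not hmac.compare_digest(sign(secret, response), signature):
        return False
    return response.get("nonce") == request["nonce"]


if __name__ == "__main__":
    server = AuthServer(DEMO_HMAC_SECRET)
    req, sig = build_request(DEMO_HMAC_SECRET, DEMO_WG_KEY_A, now=1000.0)
    resp, rsig = server.handle_request(req, sig, now=1000.0)
    print("first request:", resp, "client verified:",
          verify_response(DEMO_HMAC_SECRET, req, resp, rsig))
    print("replayed request:", server.handle_request(req, sig, now=1001.0))
```

The same secret signs in both directions, so verifying the response with `compare_digest` plus the echoed nonce is what lets the client distinguish a genuine server reply from one produced by an unauthenticated host on the path, which is why a valid HTTPS certificate is not needed for this layer.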

Once the client has connected it will send a ping request to the server every 10 seconds. This request allows the client to quickly detect a down link and failover in approximately 13 seconds. If the server does not receive a ping request in 6 minutes it will disconnect the user and revoke the public key.

### Configuration

To allow [**WireGuard**](https://www.wireguard.com/install/) connections the WireGuard packages must be installed on the server. The [**WireGuard installation documentation**](https://www.wireguard.com/install/) has information on how to install the packages for each Linux distribution.

In the server settings enable [**WireGuard**](https://www.wireguard.com/). Configure the *Virtual WG Network* with a network that has the same CIDR as the *Virtual Network*. Then configure the *WG Port* to select the UDP port for [**WireGuard**](https://www.wireguard.com/) connections.

Clients will have the same static address from the *Virtual Network* on the *Virtual WG Network*.
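As an added example, not part of this documentation or of Pritunl's code, the helper below checks the constraint stated above (the *Virtual WG Network* must carry the same CIDR prefix length as the *Virtual Network*) and derives the client's WireGuard address. It assumes that "the same static address" means the same host offset within the network, and the requirement that the two networks not overlap is an added assumption rather than something the page states.

```python
import ipaddress


def wg_address_for(virtual_network: str, virtual_wg_network: str, client_address: str) -> str:
    """Map a client's static Virtual Network address onto the Virtual WG Network.

    Raises ValueError when the two networks do not satisfy the configuration rule.
    """
    vnet = ipaddress.ip_network(virtual_network, strict=True)
    wgnet = ipaddress.ip_network(virtual_wg_network, strict=True)

    # Same CIDR: identical address family and prefix length.
    if vnet.version != wgnet.version:
        raise ValueError("Virtual Network and Virtual WG Network must be the same IP version")
    if vnet.prefixlen != wgnet.prefixlen:
        raise ValueError(
            f"Virtual WG Network /{wgnet.prefixlen} must use the same CIDR as "
            f"Virtual Network /{vnet.prefixlen}"
        )
    # Assumption for this example: the WG network is a distinct range, not the same one.
    if vnet.overlaps(wgnet):
        raise ValueError("Virtual WG Network must not overlap the Virtual Network")

    addr = ipaddress.ip_address(client_address)
    if addr not in vnet:
        raise ValueError(f"{client_address} is not inside Virtual Network {virtual_network}")

    # Same host offset on the WG network gives the client its matching static address.
    offset = int(addr) - int(vnet.network_address)
    return str(wgnet.network_address + offset)


if __name__ == "__main__":
    # Constructed sample values, not addresses from any real deployment.
    print(wg_address_for("10.10.0.0/24", "10.20.0.0/24", "10.10.0.5"))
    try:
        wg_address_for("10.10.0.0/24", "10.20.0.0/25", "10.10.0.5")
    except ValueError as exc:
        print("rejected:", exc)
```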

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FEflk9kd7pBuTKwgElSH8%2Fwg_server.png?alt=media\&token=39232a05-3dc0-4939-b4cf-03858ac2bb80)

The clients must also be configured using the [**WireGuard Client**](https://docs.pritunl.com/kb/vpn/client/wireguard) documentation.
