Issue
I have followed a lot of tutorials and blogs these days to create a VPN service with WireGuard on my raspi. Everything works fine but I am unsure if my connection is encrypted correctly.
I have followed this link https://nickb.dev/blog/viewing-wireguard-traffic-with-tcpdump to check if everything works.
In the last step, to check if the connection is encrypted
I have done tcpdump -n -X -i eth0 host 100.100.100.100
and in the link above you can see that the first row should start with 0400 0000.
This should be the correct output.
But this is my output and I don't know if this is correct. I mean it seems to be encrypted, right?
Any help is appreciated, thank you.
Solution
Unlike some other VPN technologies, you can't misconfigure WireGuard such that you have a working VPN connection, but the connection is not encrypted. So unless you're a security researcher, inspecting the raw content of WireGuard packets is not interesting or necessary.
Rather than checking to see if your VPN connection is properly encrypted, I think what you actually want to check is whether or not you're using it? If so, try running the following tcpdump command (change eth0 to the name of your ethernet interface, and 51820 to the port number of the WireGuard endpoint to which you're connected):
sudo tcpdump -ni eth0 'udp port 51820'
This will show you a list of all the packets that are being sent or received over your VPN connection, something like this:
20:45:15.830338 IP 192.168.178.65.48428 > 203.0.113.2.51820: UDP, length 148
20:45:15.831375 IP 203.0.113.2.48428 > 192.168.178.65.51820: UDP, length 92
20:45:15.831457 IP 192.168.178.65.48428 > 203.0.113.2.51820: UDP, length 96
In the above example, 192.168.178.65 would be the IP address of your computer on its local network, and 203.0.113.2 would be the IP address of the remote WireGuard endpoint. You should see a spurt of entries printed out every time you do something that generates network traffic (like open a web page or send a chat message, etc).
If you want to see the list of all packets not being sent over your VPN connection, try this instead:
sudo tcpdump -ni eth0 'not udp port 51820'
This will list all the packets using your ethernet interface without going through your VPN connection. If everything is going through the VPN, you'll only see some occasional ARP packets (or ICMPv6 packets if you're using IPv6 on your local network), like this:
20:46:05.942423 ARP, Request who-has 192.168.178.65 tell 192.168.178.32, length 46
20:46:05.942454 ARP, Reply 192.168.178.65 is-at 02:e1:b9:53:31:94, length 28
But frequently you don't want to send absolutely everything over a VPN connection -- often you want to avoid sending traffic directed to other hosts on your local network through the VPN. Most WireGuard clients, in fact, will set up your VPN connection so that local network traffic is not routed through it by default. If that's the case, you'll still see local network traffic in tcpdump, like this:
20:47:16.549206 IP 192.168.178.65.54716 > 192.168.178.32.80: Flags [S], seq 2123353395, win 65495, options [mss 65495,sackOK,TS val 2779840495 ecr 0,nop,wscale 7], length 0
20:47:16.549241 IP 192.168.178.32.80 > 192.168.178.65.54716: Flags [S.], seq 3323484409, ack 2123353396, win 65483, options [mss 65495,sackOK,TS val 2779840495 ecr 2779840495,nop,wscale 7], length 0
20:47:16.549282 IP 192.168.178.65.54716 > 192.168.178.32.80: Flags [.], ack 1, win 512, options [nop,nop,TS val 2779840495 ecr 2779840495], length 0
Many WireGuard clients, however, also have a "kill switch" option that will force even local traffic through your VPN, for cases where that's what you do want.
Answered By - Justin Ludwig
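As an added example (not part of the question or the answer above), the following script applies the answer's check to tcpdump text output: every line is classified as tunnel traffic (UDP to or from the WireGuard port), local-network traffic, link-layer chatter (ARP), or a potential leak (Internet-bound traffic that did not go through the tunnel). The WireGuard port 51820, the local prefix 192.168.178. and the sample lines are assumptions; the sample is constructed to match the answer's tcpdump format, not a real capture.

```python
import re
from collections import Counter

# Constructed sample lines in "tcpdump -ni eth0" format (not a real capture).
# The last line is a deliberate example of traffic bypassing the tunnel.
SAMPLE = """\
20:45:15.830338 IP 192.168.178.65.48428 > 203.0.113.2.51820: UDP, length 148
20:45:15.831375 IP 203.0.113.2.51820 > 192.168.178.65.48428: UDP, length 92
20:46:05.942423 ARP, Request who-has 192.168.178.65 tell 192.168.178.32, length 46
20:47:16.549206 IP 192.168.178.65.54716 > 192.168.178.32.80: Flags [S], seq 2123353395, win 65495, length 0
20:48:01.000000 IP 192.168.178.65.40000 > 198.51.100.7.443: Flags [S], seq 1, win 65495, length 0
"""

WG_PORT = 51820               # assumed WireGuard endpoint port (as in the answer)
LOCAL_NET = "192.168.178."    # assumed local network prefix

# "<time> IP <src>.<sport> > <dst>.<dport>: <UDP|Flags|...>"
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\w+)")


def classify(line):
    """Return 'tunnel', 'local', 'link' or 'leak' for one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        return "link"          # ARP and other non-IPv4 chatter
    src, sport, dst, dport, proto = m.groups()
    if proto == "UDP" and WG_PORT in (int(sport), int(dport)):
        return "tunnel"        # encrypted WireGuard packet to/from the endpoint
    if src.startswith(LOCAL_NET) and dst.startswith(LOCAL_NET):
        return "local"         # LAN traffic, normally excluded from the tunnel
    return "leak"              # Internet-bound traffic outside the tunnel


def summarize(text):
    """Count lines per class, e.g. {'tunnel': 2, 'local': 1, ...}."""
    return dict(Counter(classify(l) for l in text.splitlines() if l.strip()))


def leaks(text):
    """Return the lines that left the interface without using the tunnel."""
    return [l for l in text.splitlines() if l.strip() and classify(l) == "leak"]


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for line in leaks(SAMPLE):
        print("not via VPN:", line)
```

To check a live capture, pipe tcpdump into the script's stdin instead of using SAMPLE (for example, `sudo tcpdump -nli eth0 | python3 script.py` with a small loop over `sys.stdin`).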