Home / Definitions / Cryptokey Routing

Cryptokey Routing

Abby Braden
Last Updated May 24, 2021 8:02 am

Cryptokey routing is a process that associates public keys with a list of tunnel IP addresses that are allowed inside the tunnel. A unique private key and a list of peers is associated with each network interface. Each peer has a short and simple public key to authenticate it with other peers. The public keys can be distributed for use in configuration files by any out-of-band method and is similar to key-based authentication in OpenSSH.

WireGuard cryptokey routing

The cryptokey routing process is used by WireGuard, a free and open source Virtual Private Network (VPN) software application and communication protocol that uses VPN techniques to create secure point-to-point connections in routed or bridged configurations.

With cryptokey routing, administrators can rely on simple firewall rules. Any packet arriving on a WireGuard interface will have a reliably authentic source IP. This is possible because the VPN is 3-layer based, meaning that authenticating identification of peers enforces a much cleaner network design.

While cryptokey routing has many advantages, it does come with drawbacks. No two peers may have overlapping IP ranges, meaning that routing through two different peers to another peer on a single connection cannot be accomplished using WireGuard.