
WireGuard for iOS - bonyt
https://lists.zx2c4.com/pipermail/wireguard/2018-December/003694.html
======
graystevens
I’ve been using the TestFlight beta for a while now - since it was first
announced - and it’s been a great experience so far. The recently added option
to activate on-demand is great, as it means I can now force VPN for any WiFi
and/or mobile data connections.

The primary niggle I came across was transferring the keys between my host and
the client, however after a bit of tweaking I found it far easier to just
utilise the QR codes option. For those interested, I wrote about my
experiences on my blog[0]

[0] [https://grh.am/2018/wireguard-setup-guide-for-ios/](https://grh.am/2018/wireguard-setup-guide-for-ios/)

~~~
kortilla
Is your threat model that you trust your ISP for your wireguard server more
than the mobile ISPs? WiFi I completely understand but 4g providers seem to be
on par if not better than cable companies in the us when it comes to molesting
your traffic.

~~~
graystevens
Depends on the country I am in as to whether or not I want to VPN whilst on a
mobile connection (whether that is for just having an IP in my home country or
don’t fancy my traffic going over their wires).

It is primarily for public and/or untrusted WiFi connections, or so that I can
take packet captures of iOS applications easily without a jailbreak or
connecting the phone via USB to a Mac.

------
zx2c4
It might still take some time to show up in search, but if you visit
[https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&...](https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&mt=8)
on iOS, it should take you to the right place in the App Store.

~~~
yardstick
Any plans for 2FA/MFA? A lot of businesses these days prefer or even require
it for remote access. That would then make WireGuard a good alternative to
OpenVPN in those environments.

~~~
cyphar
That is something that would be built on top of WireGuard. I think some people
are working on such projects, but the whole point of WireGuard "core" is that
it's incredibly minimal in what it does.

~~~
mbreese
I could see the server side effectively operating like a public wifi hotspot
and force all routing to a disclaimer type page.

Then you could implement the 2FA there (or even proper username/password
logins, which seems weird for WireGuard). If you enter the correct 2FA code,
then your IP is no longer blocked.

I know phones (and computers) can handle this when connecting to a new WiFi
SSID, but do they also run their check when connecting over VPN? I might have
to try that.

~~~
ownagefool
You could write a web portal that generates the wireguard configs on the server
and offers the user the client config as a download.

The portal can then hook up to a SAML / OIDC endpoint, use claims / groups /
roles to offer specific profile configurations, and treat the keys in the
configs as temporary tokens by attaching an expiry time to the profile, such
as 8 hours, so your devs need to download a new configuration every day.

I have a portal that does this for openvpn:

[https://github.com/secureweb/openvpn-portal](https://github.com/secureweb/openvpn-portal)

The code quality isn't great as it's my hello world golang project, but I
think the idea is fairly sound.
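
The portal design above, sketched as added Python (not ownagefool's project code): it renders the client config, records the profile's expiry, and produces the server-side `wg set` commands that register and later revoke the peer. The server key, endpoint, DNS address and tunnel addresses are constructed placeholders.

```python
import time

# Constructed placeholder values, not real keys or hosts. A real portal would
# read the server public key from `wg show wg0 public-key` and generate each
# client key pair with `wg genkey | tee private | wg pubkey`.
SERVER_PUBLIC_KEY = "SERVER_PUBLIC_KEY_PLACEHOLDER"
SERVER_ENDPOINT = "vpn.example.com:51820"
PROFILE_TTL_SECONDS = 8 * 3600   # the "8 hours" from the post

# Server-side registry of issued profiles: client public key -> expiry (epoch).
ISSUED_PEERS = {}


def render_client_config(client_private_key, client_public_key, tunnel_ip,
                         issued_at, ttl=PROFILE_TTL_SECONDS):
    """Build a WireGuard client config and record when the peer expires.

    The key pair is treated as a short-lived token: the portal hands out the
    config, and the peer is removed from the server once issued_at + ttl has
    passed, so the user must log in to the portal again for a fresh profile.
    """
    expires = issued_at + ttl
    ISSUED_PEERS[client_public_key] = expires
    expiry_text = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(expires))
    return "\n".join([
        f"# profile expires {expiry_text}",
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {tunnel_ip}/32",
        "DNS = 10.0.0.1",   # set explicitly: without it the tunnel is up but nothing resolves
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"Endpoint = {SERVER_ENDPOINT}",
        "AllowedIPs = 0.0.0.0/0, ::/0",
        "PersistentKeepalive = 25",
        "",
    ])


def issue_peer_command(client_public_key, tunnel_ip):
    """Server-side counterpart of issuing a profile: register the peer."""
    return f"wg set wg0 peer {client_public_key} allowed-ips {tunnel_ip}/32"


def expired_peer_commands(now):
    """Return the `wg set` revocation commands for every profile past expiry.

    Returned as strings rather than executed so a cron job can log and run
    them; this is what makes the 8-hour validity enforceable server-side.
    """
    return [f"wg set wg0 peer {pub} remove"
            for pub, expires in ISSUED_PEERS.items() if expires <= now]
```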

------
0xADEADBEE
I set up Wireguard with this script [0] and made the jump from OpenVPN earlier
this week (using Testflight). Has worked wonderfully throughout (once I added
a DNS server to my client config - that one bit me!) and I'm now a convert.

[0] - [https://github.com/l-n-s/wireguard-install](https://github.com/l-n-s/wireguard-install)

~~~
singularity2001
just a reminder that for Linux you can use SSH connections to any server as
VPN via SSHuttle.

100% simple and easy

~~~
cyphar
Sure, but WireGuard has several other benefits (security-wise and
operation-wise) over sshuttle. sshuttle is a "poor man's VPN", WireGuard is a
next generation VPN.

~~~
kortilla
That’s a nice sound bite but it isn’t really convincing for people that don’t
know what wireguard brings. Is there a short comparison article you could
point to that highlights the differences?

~~~
cyphar
[https://www.wireguard.com/](https://www.wireguard.com/) lists several of the
features, and
[https://lwn.net/Articles/748582/](https://lwn.net/Articles/748582/) is an LWN
article on WireGuard which lists some of the features.

One of the most obvious features is that you get roaming with WireGuard (like
Mosh) which I don't think you can get from sshuttle (it might be technically
possible to add, but I don't think it supported it last time I used it). It
also allows for management of the VPN interface like a regular interface (so
you can set iptables rules and other complicated network setups using it),
rather than relying purely on proxying. And you don't need to give people SSH
access in order to use it.

~~~
e12e
One major point over ssh is that: "WireGuard securely encapsulates IP packets
over UDP." - so you avoid all the issues of tcp-over-tcp; wireguard is a
"real" VPN.

~~~
cyphar
sshuttle doesn't pass TCP over TCP, it does some work on the "local" side
before sending it over TCP so it's actually just "data-over-TCP"[1].

[1]: [https://sshuttle.readthedocs.io/en/stable/how-it-works.html](https://sshuttle.readthedocs.io/en/stable/how-it-works.html)

~~~
beagle3
But still doesn't do udp or ip, only lets you connect out (not in, which is
often desirable but still a limitation).

Also, you lose information about where connections originate - to the
recipient, it all looks like it came from the sshuttle host.

------
Aissen
People using WireGuard: how well does it work in public networks that only
have a few select open ports (http/https/openvpn…) ? Does anyone have a
workaround (e.g a reverse tcp (+tls/sni?) proxy on port 443?)

~~~
vinay_ys
Wireguard packets on port 443 look like malformed QUIC packets. Any firewall
that is doing protocol inspection (for L7 policy enforcement) would typically
be configured to drop malformed packets. Wireguard would get blocked by such
firewalls.
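
As an added example (not from the thread), a classifier for WireGuard's UDP framing placed next to the QUIC fixed-bit rule from RFC 9000 (which postdates this thread): it shows what a protocol-inspecting firewall on port 443 actually has to go on, and why a WireGuard packet fails the QUIC check. All sample payloads are constructed.

```python
# WireGuard frames every UDP payload with a one-byte message type followed by
# three reserved bytes that must be zero; three of the four message types also
# have fixed total lengths. The classifier below applies those framing rules.
WG_MESSAGE_SIZES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
WG_TRANSPORT_TYPE = 4       # 16-byte header, then ciphertext in 16-byte multiples
WG_TRANSPORT_MIN_LEN = 32   # a keepalive: header plus the 16-byte tag of an empty payload


def classify_wireguard(payload):
    """Return the WireGuard message name if the payload matches WireGuard
    framing, otherwise None."""
    if len(payload) < WG_TRANSPORT_MIN_LEN or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in WG_MESSAGE_SIZES:
        name, size = WG_MESSAGE_SIZES[msg_type]
        return name if len(payload) == size else None
    if msg_type == WG_TRANSPORT_TYPE and (len(payload) - 16) % 16 == 0:
        return "transport_data"
    return None


def has_quic_fixed_bit(payload):
    """RFC 9000 requires bit 0x40 of the first byte to be set in every QUIC
    packet and tells receivers to discard packets without it. WireGuard's
    first byte is 1..4, so the bit is always clear: to a QUIC-aware inspector
    the packet is malformed."""
    return bool(payload) and bool(payload[0] & 0x40)


def inspect_udp_payload(payload):
    """Combine both checks into the verdict an inspecting firewall would log."""
    wg = classify_wireguard(payload)
    if wg:
        return f"wireguard:{wg}"
    if has_quic_fixed_bit(payload):
        return "quic_candidate"
    return "malformed"
```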

~~~
dcbadacd
Time to make the suggestion to either actually use QUIC or simulate QUIC?

------
tjoff
Apologies for being slightly OT, but I'm curious.

The windows version has been "coming soon" for what feels like a very long
time. Is progress being made on the windows version or has it stalled?

~~~
zx2c4
We're now working on that basically full time, sprinting ahead to the finish
line. The EV code signing certificate arrived a few days ago, even:
[https://twitter.com/EdgeSecurity/status/1073599888158535680](https://twitter.com/EdgeSecurity/status/1073599888158535680)

~~~
tjoff
Thank you, good to hear and that makes me happy :)

------
regecks
Been using it for some weeks via TestFlight, it's really solid and works
without a hitch. Great to see it on the actual store. It now has "on-demand
mode" and transitions seamlessly between Wi-Fi and cellular.

When setting up, use the QR method, makes it a breeze to set up a phone:

[https://wiki.debian.org/Wireguard#A3._Import_by_reading_a_QR...](https://wiki.debian.org/Wireguard#A3._Import_by_reading_a_QR_code_.28most_secure_method.29)

------
8fingerlouie
I've been meaning to try it out, but the lack of an iOS client has held me
back. Perhaps now is a good time to start :)

I wish there had been some progress with the EdgeOS port, specifically with
hardware offload. A Ubnt employee was looking into it a year ago, and then
nothing. The current (major release) beta of it doesn't mention anything about
it either.

~~~
JustSomeNobody
This (EdgeOS w/ hw offload) is what I'm waiting for before trying it.

------
y0ghur7_xxx
I hope pfSense implements this soon:
[https://redmine.pfsense.org/issues/8786](https://redmine.pfsense.org/issues/8786)

~~~
zamadatix
pfSense probably won't implement it natively until it's part of the FreeBSD
kernel. If you want to run it on pfSense now you could bundle the userspace Go
implementation as a pfSense package though.

------
Havoc
Nice. Recently tried setting up both openvpn and wireguard and was struck by
how much easier wireguard was.

------
dbcooper
Anyone used wireguard in China?

~~~
swordfeng
I know someone who uses wireguard to bypass the GFW. It's not blocked at the
moment. However, a concern is that the UDP-based protocol is not hard to
detect.

~~~
0xADEADBEE
This HN comment might be worth a look: [0]

It details the steps to set up udptunnel to tunnel Wireguard traffic over TCP.
Hope it helps someone!

[0] - [https://news.ycombinator.com/item?id=17847008](https://news.ycombinator.com/item?id=17847008)

~~~
daakus
Anyone have experience with making this work? I tried starting it on the
server I have WireGuard running on and it fails to start because it also wants
to bind to the UDP port WireGuard uses (even in server mode).

Additionally
[http://www.cs.columbia.edu/~lennox/udptunnel/](http://www.cs.columbia.edu/~lennox/udptunnel/)
has a note saying:

_UDPTunnel is designed to tunnel RTP-style traffic, in which applications
send and receive UDP packets to and from the same port (or pair of ports). It
does not support request/response-style traffic, in which a client request is
sent from a transient port X to a well-known port Y, and the server's response
is returned from port Y to port X._

Which from what I understand is exactly what WireGuard does.

------
abc-xyz
You're doing God's work.. literally saving lives. I hope history books will
acknowledge your work and achievements.

~~~
kgraves
This. I don't know why this is receiving downvotes, but wireguard truly is a
life saver. Just needs a desktop GUI interface and it would make a difference
to thousands.

~~~
a012
HN will downvote comments that didn't contribute anything to the topic;
specifically, their comment looked very much like it came from a spambot.

~~~
abc-xyz
I don't mind the downvotes, I just wanted to encourage the author (since I
know he'd be reading it) and everybody else who are fighting for people's
privacy. I realize this kind of encouragement is usually more welcome at Show
HN, but well, WireGuard is already so big and has achieved so much that this
is basically a Show HN for them.

Edit: hopefully it goes without saying that the downvotes are/were aimed at me
for stating the obvious (with little relevance to the topic), rather than
people actually disagreeing with what I said.

------
bogomipz
Does anyone know if there are any commercial VPN providers that support
WireGuard yet? If so any recommendations?

~~~
easel
Mullvad does. I can say it works, but haven't compared to others enough to
"recommend" it, per se.

------
ulzeraj
Thank you and keep up the good work. WireGuard is so good that it made me drop
FreeBSD and go back to Linux!

------
vbezhenar
Is there any estimate of how much battery it would cost on a modern phone?

~~~
moviuro
Nokia 7 Plus, starting 7am, now 4pm, tells me wireguard ate 27% (1026mAh,
using 4G most of the time: 9am - 4pm).

Though I'm not sure how much data I actually used. My phone does persistent
keepalive so that I can use
[https://messages.android.com/](https://messages.android.com/) . Usage should
go down quite a bit if you don't need remote connection to the phone.

------
dcbadacd
Is there a way to get Wireguard on Android 4.4?

~~~
tatersolid
Umm... if you’re _still_ running Android 4.4, you have many _far_ more
significant security issues to address than your choice of VPN protocol.

~~~
dcbadacd
That doesn't mean I shouldn't be able to choose a VPN protocol.

------
hnauz
I want to try this out but... Why is WireGuard a module in the kernel??

~~~
pstch
The developers intend to merge it in the mainline kernel.

There are multiple advantages for having a VPN module be in-kernel, such as
closer access to network/crypto APIs and better performance.

~~~
hnauz
But that means that if there's a security bug in the module, the whole
computer is compromised, no?

~~~
xena
How is this better than a VPN software that runs as root?

~~~
hnauz
It isn't, but I don't see why you should run your VPN software as root at all.

~~~
cyphar
In order to listen (and forward) all network traffic you need privileges over
the network namespace that you want to forward packets for. In most cases this
ends up with you running as root. You can use proxies but that defeats the
point of a VPN -- that all traffic is forwarded.

But as I mentioned, WireGuard should really be the least of your problems (not
to mention that there are userspace WireGuard implementations).

