
Linus Torvalds on Wireguard - rishabhd
http://lists.openwall.net/netdev/2018/08/02/124
======
viraptor
> compared to the horrors that are OpenVPN and IPSec, it's a work of art.

Not exactly the same thing as the title suggests. (FTR: the original title was
something like "Linus Torvalds: Wireguard is a work of art")

~~~
dang
We replaced the title with something more neutral.

This category of submissions is not very good for HN, unfortunately. There
isn't enough information there to slow down the gears, which is what allows
for reflective reactions. In fact, there almost isn't any information, just
'celebrity name' and 'thing mentioned'. That produces the instant reflexive
reactions that are associated with low-quality threads, and the celebrity
aspect is a fuel supplement.

~~~
dingo_bat
Agree. This barely fits the definition of "news".

~~~
mido22
But what if it sparks a discussion about issues with OpenVPN and educates plebs
like me about what WireGuard is?

~~~
pvg
What if you stepped on dog poop before crossing the street and it kept you
from getting run over by a car? Dog poop on the sidewalk is still bad.

------
Someone1234
So I know nothing at all about Wireguard; I was curious:

Impressive performance:
[https://www.wireguard.com/performance/](https://www.wireguard.com/performance/)

But can it traverse a NAT? IPSec, for all of its benefits, is a huge PITA to
get through a NAT, often requiring either the NAT to have native support or for
IPSec to be configured to use UDP encapsulation. Seems like the WireGuard
people thought of this:

[https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence](https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence)

Reading their web site in general has made me nothing but impressed, they seem
to be building a VPN tunneling protocol designed for the real world but with
several improvements over existing solutions. It is incomplete, but definitely
something I'm going to check in on.

~~~
pvg
[https://news.ycombinator.com/item?id=17659983](https://news.ycombinator.com/item?id=17659983)
is a decent thread from a couple of days ago which should tell you a bit more
about its current state, the experiences of people installing it and running
it and has a bunch of comments from the author.

------
quinthar
At Expensify we have been astonished by how easy it was to set up -- as simple
as ssh -- and its incredible performance relative to OpenVPN. It's night and
day due to its multi-threaded design, meaning it doesn't have the same single
CPU bottleneck as OpenVPN. It's clearly the future.

------
Slavius
Well, it seems FreeBSD/pfSense people are not very happy with it. At least the
benchmark results seem questionable. Read jwt's comment at the bottom:
[https://forum.netgate.com/topic/132375/installing-wireguard-vpn/9](https://forum.netgate.com/topic/132375/installing-wireguard-vpn/9)

~~~
nasalgoat
The comment in question only talks about theoretical top speeds and he doesn't
actually do any benchmarking. I'd like to see some actual tests before they
write it off.

~~~
Slavius
He does the math to show that when you subtract all the mandatory protocol
and frame headers you end up with a practical maximum of 949.28 Mbps on a 1 Gbps
line. Providing charts with 1011 Mbps in favor of WireGuard makes the whole
comparison at least dubious. Another thing he mentioned is that the test compares
the ChaCha20 cipher with AES256-GCM, which is totally unfair. Why would you invest
so much in perfect code and then fake the benchmarks?

~~~
jlbribeiro
Regarding the 1011 Mbps figure: the graph _suggests_ the measurements are
compared to powers of two (the axis is in powers of two and the line right
next to the bar _suggests_ the maximum would be 1024), so I would be more
inclined to believe there may have been a mix-up between mebibits/sec and
megabits/sec, or something IEC/SI-unit related somewhere in the measurements.
IMHO I don't think that the author would have any reason to fake the
benchmarks (because it actually is an amazing piece of software), but I admit
I like to err on the side of "assume good intentions".

(edit: rephrased for clarity)
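
The two comments above (jwt's 949.28 Mbps ceiling and the mebibit/megabit
question) can both be checked with a few lines of arithmetic. The following is
an added example written for this thread, not code from WireGuard or from any
commenter. It assumes standard Ethernet framing (8-byte preamble/SFD, 14-byte
header, 4-byte FCS, 12-byte inter-packet gap), a 1500-byte MTU, and 20-byte
IPv4 and TCP headers; the WireGuard per-packet overhead (IPv4 + UDP + 16-byte
data header + 16-byte Poly1305 tag = 60 bytes) is likewise my assumption for
the tunnel case, not a figure from the page.

```python
# Goodput ceiling for a TCP stream on a 1 Gbps Ethernet link, plus
# SI/IEC unit conversion to sanity-check a reported benchmark figure.
# Assumed framing constants (bytes), standard Ethernet / IPv4 / TCP:
PREAMBLE_SFD = 8
ETH_HEADER = 14
FCS = 4
IPG = 12              # inter-packet gap, counted as wire time
IPV4_HEADER = 20
TCP_HEADER = 20
# Assumed WireGuard encapsulation cost per inner packet over IPv4:
# outer IPv4 (20) + UDP (8) + WG data header (16) + Poly1305 tag (16).
WG_IPV4_OVERHEAD = 20 + 8 + 16 + 16   # 60 bytes

MEGABIT = 10**6       # SI, what "Mbps" normally means
MEBIBIT = 2**20       # IEC, what a tool dividing by 1024*1024 reports


def goodput_mbps(line_rate_mbps, mtu=1500, l3_l4_overhead=IPV4_HEADER + TCP_HEADER):
    """TCP payload throughput achievable on a link of the given line rate.

    Every MTU-sized IP packet costs the full frame on the wire, including
    preamble, FCS and inter-packet gap, but only carries mtu - headers bytes
    of application data.
    """
    wire_bytes = PREAMBLE_SFD + ETH_HEADER + mtu + FCS + IPG     # 1538 for MTU 1500
    payload_bytes = mtu - l3_l4_overhead                          # 1460 for TCP/IPv4
    return line_rate_mbps * payload_bytes / wire_bytes


def tunnel_goodput_mbps(line_rate_mbps, outer_mtu=1500, tunnel_overhead=WG_IPV4_OVERHEAD):
    """Same ceiling when the TCP stream is carried inside an encrypting tunnel.

    The tunnel headers eat into the outer MTU, so the inner TCP payload per
    wire frame shrinks by tunnel_overhead bytes.
    """
    return goodput_mbps(line_rate_mbps, outer_mtu,
                        tunnel_overhead + IPV4_HEADER + TCP_HEADER)


def mbps_to_mibps(value):
    """Convert SI megabits/s to IEC mebibits/s."""
    return value * MEGABIT / MEBIBIT


def mibps_to_mbps(value):
    """Convert IEC mebibits/s to SI megabits/s."""
    return value * MEBIBIT / MEGABIT


def fits_under_ceiling(reported_mbps, line_rate_mbps=1000, **kwargs):
    """True if a reported throughput is at or below the theoretical goodput."""
    return reported_mbps <= goodput_mbps(line_rate_mbps, **kwargs)


if __name__ == "__main__":
    print(f"TCP/IPv4 goodput on 1 Gbps:        {goodput_mbps(1000):.2f} Mbps")
    print(f"Ethernet-only goodput on 1 Gbps:   {goodput_mbps(1000, l3_l4_overhead=0):.2f} Mbps")
    print(f"TCP inside WireGuard over IPv4:    {tunnel_goodput_mbps(1000):.2f} Mbps")
    print(f"1011 Mbps expressed in Mibps:      {mbps_to_mibps(1011):.2f}")
    print(f"1011 Mibps expressed in Mbps:      {mibps_to_mbps(1011):.2f}")
    print(f"1011 Mbps under the TCP ceiling?   {fits_under_ceiling(1011)}")
```

With the default constants `goodput_mbps(1000)` reproduces the 949.28 Mbps
figure quoted from jwt's comment, which is simply 1460 payload bytes per
1538 wire bytes; passing `l3_l4_overhead=0` gives the raw Ethernet-payload
ceiling of about 975 Mbps, and the two conversion helpers let you restate a
reported number under either unit interpretation before deciding whether a
chart's bar is even physically possible.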

------
rurban
Wonder why they still keep IPsec, considering it has been insecure for a long
time:
[https://www.forbes.com/sites/thomasbrewster/2016/08/19/cisco-nsa-vpn-hack-shadow-brokers-leak/amp/](https://www.forbes.com/sites/thomasbrewster/2016/08/19/cisco-nsa-vpn-hack-shadow-brokers-leak/amp/)

~~~
rstuart4133
Geez, a box made by Cisco that happens to implement IPSec has security flaws,
and that gets translated into "IPSec is considered insecure".

The box in question implemented AES, RSA and DH. Does that mean AES, RSA and
DH should be considered insecure too?

------
aritmo
No drama this time.

~~~
imron
No-one pushing rubbish code this time.

