
Download WireGuard for Windows pre-alpha for testing - dtamhk
https://lists.zx2c4.com/pipermail/wireguard/2019-May/004126.html
======
zx2c4
Work is progressing steadily by the day on WireGuard for Windows and Wintun,
the TUN driver we're writing that this uses. Hopefully this won't be "pre-alpha"
for much longer.

You can get the former at
[https://www.wireguard.com/install/](https://www.wireguard.com/install/) and
learn about the latter at [https://www.wintun.net/](https://www.wintun.net/)

~~~
tialaramex
In the previous discussion thread linked below, somebody claims WireGuard is
subject to DPI. An examination of the White Paper and of real packet captures
does not reveal any obvious opportunity to "inspect" WireGuard if you aren't
in possession of the keys.

Most likely that poster uses DPI sloppily to include simple blocking
strategies, like hey, if we see two packets in a row between two (ip,port)
pairs starting 01 00 00 00 going one way and then 02 00 00 00 going the other
way, that could be WireGuard, let's block the rest of the data on that
(ip,port) pair for a while.

However, am I missing something and actually there is something meaningful to
inspect without having the keys?

If I'm not, what's your preferred way for people to sidestep that sort of
blocking? Tweaking WireGuard to use different values would obviously work but
it destroys the point of having a single specification.
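
The blocking heuristic described in this comment, as an added example (not code from the thread or from the WireGuard project): a flow monitor that flags a UDP endpoint pair only when a 148-byte type-1 message one way is followed by a 92-byte type-2 message back the other way, so a port number alone never triggers it. The fixed message lengths come from the WireGuard protocol; the packet records are constructed samples.

```python
"""Flow-level heuristic for spotting WireGuard handshakes in UDP traffic.

Added example, not from the original thread. It implements the
'01 00 00 00 one way, 02 00 00 00 back' heuristic, tightened with the
fixed message lengths of the protocol (initiation 148 bytes, response
92 bytes). All packet records below are constructed samples.
"""

MSG_INITIATION = 1   # handshake initiation, always 148 bytes on the wire
MSG_RESPONSE = 2     # handshake response, always 92 bytes on the wire
INIT_LEN, RESP_LEN = 148, 92


def msg_type(payload: bytes):
    """Return the message type byte if the 4-byte header shape matches, else None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    return payload[0]


def find_wireguard_handshakes(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Returns a set of frozenset({(ip, port), (ip, port)}) endpoint pairs that
    completed a plausible handshake: a correctly sized initiation in one
    direction followed by a correctly sized response in the reverse direction.
    """
    pending = set()   # (initiator_endpoint, responder_endpoint) seen so far
    matched = set()
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        a, b = (src_ip, src_port), (dst_ip, dst_port)
        t = msg_type(payload)
        if t == MSG_INITIATION and len(payload) == INIT_LEN:
            pending.add((a, b))
        elif t == MSG_RESPONSE and len(payload) == RESP_LEN and (b, a) in pending:
            matched.add(frozenset((a, b)))
    return matched


def _wg(msg: int, length: int) -> bytes:
    # constructed sample: real header, opaque filler standing in for ciphertext
    return bytes([msg, 0, 0, 0]) + b"\x5a" * (length - 4)


SAMPLE_PACKETS = [
    ("10.0.0.5", 51820, "203.0.113.7", 51820, _wg(1, 148)),   # initiation
    ("203.0.113.7", 51820, "10.0.0.5", 51820, _wg(2, 92)),    # response
    ("10.0.0.5", 51820, "203.0.113.7", 51820, _wg(4, 128)),   # transport data
    # same port, wrong shape: matches by port alone, not by packet contents
    ("10.0.0.9", 51820, "198.51.100.2", 51820, b"\x01\x00\x00\x00" + b"x" * 20),
    ("198.51.100.2", 51820, "10.0.0.9", 51820, b"\x02\x00\x00\x00" + b"y" * 20),
]

if __name__ == "__main__":
    for pair in find_wireguard_handshakes(SAMPLE_PACKETS):
        print("likely WireGuard handshake between", sorted(pair))
```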

~~~
akerl_
DPI doesn’t imply any ability to decrypt the traffic. It refers to networking
equipment fingerprinting the traffic to detect application/protocol
information (basically anything in the OSI model lower than layer3/4)

That aligns with the DPI-related comments in the linked prior comment thread,
which reference use of DPI for internet firewalling by various governments.

Also, as noted in that same comment thread, bypassing DPI is an un-goal of
Wireguard.

~~~
tialaramex
> It refers to networking equipment fingerprinting the traffic to detect
> application/protocol information (basically anything in the OSI model lower
> than layer3/4)

Right, so then is your claim that there _is_ such information revealed in
WireGuard? Because I don't see any.

If you do DPI for - say - TLS you get a strong fingerprint (JA3 is a popular
thing for this) that lets you distinguish Google from Twitter, Firefox from
Safari, or curl from Python's Requests, again without decrypting the traffic.

But where is the fingerprint in WireGuard? If I give you a tcpdump for 5
minutes of UDP traffic the most you can say is that some of it looks like
WireGuard traffic. You might remember when we used to get this sort of useless
diagnostic, "Over 4000 of these packets use port 80! This is web traffic". We
did not call that "Deep Packet Inspection" because it wasn't deep and didn't
in fact inspect the packets, just some metadata.

~~~
akerl_
I’m not sure what case you’re trying to make. Yes, network equipment can do
pattern-matching on Wireguard traffic and have reasonable confidence based on
the packet contents and flow patterns that the traffic is a Wireguard VPN.

For example: [https://ipoque.com/news-media/press-releases/2019/rohde-schwarz-adds-emerging-wireguard-vpn-protocol-its-deep-packet](https://ipoque.com/news-media/press-releases/2019/rohde-schwarz-adds-emerging-wireguard-vpn-protocol-its-deep-packet)

Edit: also, to clarify the note you had about port 80, that’s why I pointed
out that DPI refers to layers beyond 3/4. “Hey these are TCP packets to port
80” is not DPI. “Hey, the contents of these packets match my signature for
Wireguard traffic” is DPI.

------
trulyrandom
Previous discussion:
[https://news.ycombinator.com/item?id=20208169](https://news.ycombinator.com/item?id=20208169)

------
Copenjin
Doesn't add much to the discussion, I know, but let me just chime in to thank
the people of WireGuard for releasing this wonderful piece of software for
free.

------
hitchhiker999
We've needed a solution like this for almost a decade. Thank you, thank you.
Love the minimalist vibe to it, gets the job done, transparent + reduction in
complexity for user = safety.

Would you ever consider creating a mesh network manager (to replace horrors
like Hamachi)? It could allow people to generate the keys conveniently/safely
and connect servers/clients in a distributed, non-centralized manner easily.

------
rmm
Pre alpha my arse it works great! Been running it for over a week or so and no
issues. Saved me at least twice now whilst in incredibly remote locations.

Awesome work by the wireguard team

------
wiredfool
What I'd really like to see, and didn't as of a few months ago, is a userspace
docker/linux wireguard that doesn't require any special kernel privs or
capabilities.

~~~
tptacek
There's a Go WireGuard. It's the basis for macOS WireGuard.

~~~
wiredfool
Yes, and it's pretty adamant that it's not to be run on linux. (like, you have
to edit some source to add something like "yes I really mean to do this")

Once you blow past the warnings about compiling it on linux, it still failed
to actually work in my testing. Fair enough.

It doesn't seem like it should be an insurmountable problem, but I'm a level
or two from being able to make it work by sheer force of code.

~~~
tptacek
I'm pretty sure he's just trying to get you to run the more performant kernel
version on Linux, especially since the goal is to mainline it into the Linux
kernel. I can't see a substantive reason for it to be a bad idea there.

------
ape4
I know Wireguard is faster but I found OpenVPN much easier to set up.

~~~
tptacek
You are the first person I have ever seen say that. WireGuard setup is
approximately the same as SSH; the only thing it adds over SSH is IP
addresses. I've set up OpenVPN multiple times and I'd reserve a couple hours
of my time if a client demanded it, because that's how long it'd take me.
WireGuard would take me a couple minutes and I'd be doing it from memory.

~~~
tialaramex
As a sibling suggests, it's very easy to set up OpenVPN _badly_.

I have a config right now on my other PC labelled "Old staging KEEP" which is
this type of setup for OpenVPN, it's relying on a crappy out-of-box private CA
setup, no passwords, shared private keys, it's likely vulnerable to key
compromise attacks and a dozen other problems as configured.

Edited to add: Also, the reason I kept it, this config relies on hijacking
public addresses. Some... person... took an OpenVPN config example with
172.16.0.0/16 addresses and it conflicted with the stupid WiFi NAT in their
office, so they just changed the IP addresses to a public range nearby,
apparently not realising (certainly not caring) that this means it's now
randomly breaking other things too.

But for the typical end user this looks like it worked. Random drive-bys can't
get in, spinning it up for the new frontend dev is easy, what's not to like?
If it takes them five minutes to install & configure OpenVPN wrong, and an
hour to install & configure WireGuard right, they will conclude WireGuard is
harder, even if it might have taken them a week to get OpenVPN done right.

------
kuroguro
Finally! Have TunSafe on some 20+ windows machines. Time to see how this
compares :)

Overall TunSafe has been awesome apart from some minor annoyances - like
laptops not auto-reconnecting sometimes after hibernating.

------
antx
Question. Why the cute-bunnies-reminiscent-of-80s-cartoon "mascots" for
WinTun?

