
WireGuard 1.0 for Linux 5.6 - zx2c4
https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html
======
newscracker
For anyone wanting to try it, WireGuard with Algo VPN [1] to set it up on a
server is a great combination. I found it quite easy to set up and use.

Algo has built-in support for various cloud providers, where, when you run it
from, say, your desktop, it can set up the VPN server for you based on answers
to some questions (with sensible defaults) and some information on connecting
to the provider (like an API key, for example). You also get QR code images
that you can use to install a VPN profile on your phone.

You can also run Algo from within a server and have it set up the VPN for you.

[1]: [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
rubenbe
Does the VPS have unencrypted access to the VPN? It's something I would want
to avoid. (A VPS is a prime candidate to be compromised)

~~~
tw04
If you're subject to state level actors attacking you, a VPS is probably the
least of your worries. If you're just trying to make sure some kiddiot in a
coffee shop isn't doing mass collections, a VPS is perfectly secure.

~~~
somehnguy
Linode has been compromised how many times now?

I don't think considering a VPS insecure is really that far fetched.

~~~
bawolff
That's kind of a tautology. If you assume the system is insecure, then yes, it's
going to be insecure with that assumption. This is going to be true of any VPN
system, so I think it's an unfair criticism to level against this particular
VPN setup.

If you want to be secure against local adversaries, use TOR.

~~~
zeveb
> That's kind of a tautology.

More specifically, it's begging the question. The actual definition of begging
the question, not the mistaken usage.

To beg the question is to assume the thing which is to be proven.

~~~
kryogen1c
this is my favorite extremely annoying but massively useful "acktually..."

begging the question as a logical fallacy is prevalent in politics and media
representations, and is a differentiator between reasoned debate and talking
head nonsense.

Politician 1: UBI! P2: free market competition! P1: why do you want poor
people to suffer, P2?!

P2: 2nd amendment! P1: Ban firearms! P2: why do you want Americans to be put
in danger, P1?!

both of these are begging the question

------
kaylynb
WireGuard is great, but I think it's really undersold when it's described as
being just a vpn. It's really an encrypted tunnel that is configured like a
network adapter in the Linux network stack.

This lets you configure it with stuff like systemd-networkd and unit files, or
easily spin up a tunnel with a few `ip` commands, and set up some simple
nftables rules to do all sorts of stuff.

I do use it as a vpn as well, but it's so much easier to set up than, say,
OpenVPN, where you need to create tun/br interfaces and then tie them together
with a service, etc. That said, OpenVPN and other actual VPN software does
more than just a tunnel (like pushing routes, config settings, etc), so
WireGuard cannot replace everything by itself.

The documentation is rather sparse, but there isn't much to it either. The
manpages have what you need to know and the rest is just general Linux network
stack knowledge.

~~~
DaniloDias
Is there an application for containers? E.g. a way to set up an encrypted
tunneling interface between containers that would allow you to avoid using TLS
between the containers?

~~~
nielsole
There is a WireGuard network plugin for Kubernetes.

~~~
terrywang
Gravitational has built something called wormhole (clashes with magic
wormhole, bad naming, isn't it? Some other hold can be better)
[https://github.com/gravitational/wormhole](https://github.com/gravitational/wormhole)

It can be used to replace flannel if encryption in transit is required.

------
exabrial
One thing I wish for wireguard: the ability to look up keys/ips in an external
system like LDAP. I moved an entire call center [50+ people] fully remote last
week. We're using wireguard. Key management stinks, and that is my only
complaint! It is an incredible piece of software and I'm very thankful for it.

~~~
dfcarney
(Tailscale co-founder here.)

Building on what katnegermis said, this is what we're trying to help with. We
integrate with identity management systems and handle the key management (and
NAT traversal) on top of WireGuard, making it easier to deploy and manage.

If you're interested, a colleague of mine wrote up a blog post on how things
work: [https://tailscale.com/blog/how-tailscale-works/](https://tailscale.com/blog/how-tailscale-works/)

~~~
kalaracey
Tailscale looks awesome but I would love a tier between “free single user with
gmail” and “$10/user/month + GSuite/etc” (GSuite itself is $5/user/month I
think?). Something like 1Password’s family plan, with the ability to use gmail
accounts.

Then I would use it for my family, e.g. I could replace DynDNS + port
forwarding I set up so my dad can control his home automation software
(Hass.io) from his iPhone app, even off the WiFi. I’m unfortunately just not
willing to set up/shell out for GSuite/Active Directory/Office365 for my
family.

What really hooked me was your story about the medical practice a little while
back.

~~~
jbverschoor
Zerotier has a free plan

------
twic
I'm a bit baffled by WireGuard. From 10 000 feet, the protocol is similar to
IPSec - encrypt packets, and send them over the internet using a
connectionless protocol.

So why is it so much better?

Is it because it's a new and simpler _implementation_ than what we have for
IPSec?

Is it because the protocol, being newer, is simpler and cleaner than IPSec?

Is it because, being newer, it can use a modern ciphersuite?

Are there fundamental advances in the design?

One of the nice things about IPSec is that it's a standard. There's a
reasonable chance that two endpoints written by separate parties will be able
to communicate. Introducing a whole new protocol whose main implementation is
its definition seems like a step backwards.

~~~
benjojo12
> One of the nice things about IPSec is that it's a standard. There's a
> reasonable chance that two endpoints written by separate parties will be
> able to communicate.

Having deployed IPSec between vendors, this is only "sorta" true. IPSec can be
an immense fiddle to actually get running between two vendors for the first
time.

One of the other issues when using IPSec between vendors (or even just by
default) is that the actual overlapping ciphers/hashes that are supported or
even just work are normally the lowest possible.

> Are there fundamental advances in the design?

First party roaming makes dealing with mobile and CGNAT much nicer; anyone
behind an IPSec VPN on a home CGNAT network will have a bad time (often it
won't connect at all).

Finally, its code base is actually pretty small, allowing sane audits to take
place. In my eyes that's a huge win. People who have seen the sheer size of
strongswan or openvpn might appreciate wireguard in comparison.

------
xal
Given the occasion, could someone write a paragraph about what downstream
effects are expected by wireguard existing? So far I’ve seen mostly technical
arguments for it. VPNs have become a more important piece of infrastructure
now. The most significant approachability increase really came from mobile
based solutions and auto pilot systems like Google’s Outline.

Will WG make a marked difference in stability, speed, approachability for
normal users, or what can we expect?

~~~
myu701
Someone else can give a much better comparison than me, this is just to get
you started.

Compared to the 80% use case of OpenVPN, Wireguard is:

1. Much less code. A few thousand lines of code vs lots more for OpenVPN

2. Speedier. WG does UDP traffic so there is less overhead on the protocol
level for SYNs, ACKs, etc.

3. Easier on mobile battery life due to decreased complexity

For one example use case comparing them side by side, see PiVPN, which I use
to set up a Raspberry Pi Zero W on my home network, create a client key for my
phone, open a single port forward to the pivpn server, download the wireguard
app, scan the QR code the pivpn key generated, and poof, I can check a box and
'be' on my home network, behind my pihole, and with access to my LAN
resources.

OpenVPN can do that use case with pivpn as well but it's more processor
intensive and a little more setup vs wireguard.

~~~
middleclick
On that note, I wish and hope Wireguard did TCP as well. Some countries block
UDP traffic or at least throttle it.

~~~
kertis
As far as I know, the WireGuard team has no plans or desire for that.

~~~
djsumdog
huh .. OpenVPN is UDP by default but you can force it to TCP (we had to do
that at one University site that would only open limited tcp ports for us).

I also discovered Wireguard cannot bind to a specific adapter or IP address if
you have multiple addresses on a server. That might not seem like as big a
deal since it only responds to fully authenticated packets, but it does mean
that outgoing packets could be leaving from a different IP address than
incoming packets.

It's weird that something that's now making it into mainline can't do this
very simple kind of bind that almost every other user-level service, and
OpenVPN, can do.

~~~
RcrdBrt
[https://github.com/wangyu-/udp2raw-tunnel](https://github.com/wangyu-/udp2raw-tunnel)

------
lifty
I really hope WireGuard becomes a standard and gets included in the macOS/iOS
and Windows kernels as well. Key management and other fancy features could
be left to userspace applications but having the basic wg capability in the
kernel would be great.

~~~
kitotik
Seems like a very long shot to make it into Apple products both because of the
license and the fact it wasn’t invented in Cupertino.

FWIW the userspace implementations are quite good, and still outperform
IPSec.

~~~
felipelemos
I don't think the license would be a problem, as it's GPLv2, not v3.

But the 'not invented here' syndrome is very real.

~~~
stock_toaster
Boringtun is BSD licensed. Clean-room implementations and all that...

[https://github.com/cloudflare/boringtun](https://github.com/cloudflare/boringtun)

~~~
kitotik
Good point, but that’s still a userspace implementation.

Apple would need to do the XNU work since their open source model is so
broken, and they seemed to have deprioritized Unix nerds awhile back so…

------
place1
I'm a big fan of Wireguard. I wrote wg-access-server [1] as an all-in-one
wireguard VPN solution. I recently added some docs [2] and support for
deploying with Helm. I'd love some feedback on here or on github. Give it a
try.

[1] [https://github.com/place1/wg-access-server](https://github.com/place1/wg-access-server)
[2] [https://place1.github.io/wg-access-server/](https://place1.github.io/wg-access-server/)

~~~
terrywang
Thank you place1.

I was looking for something like wg-access-server web UI when moving away from
strongSwan. Found Subspace but it didn't work the way I wanted, settled pretty
well with some shell scripting for my own use cases and happy lol

I think wg-access-server makes a lot of sense to people who want to self-host
VPN on cheap VPS like Vultr or DigitalOcean, Lightsail, etc., it is simple,
easy to deploy and use, flexible and scalable (if deployed to k8s).

------
djsumdog
I recently set up WireGuard on my new dedicated server and it is amazingly
easier compared to OpenVPN. I've set up several site-to-site and client-to-site
VPNs on OpenVPN so maybe I'm just used to all the iptables/route gotchas, but
not needing to do the whole CA/easyrsa stuff is a huge bonus.

I like how their official tutorial video shows all the raw ip commands and
then shows their wg-quick configuration script. That way you understand what
the script is doing and what commands it's running.

One big limitation is that it cannot bind to a specific IP address. The author
states it shouldn't matter because it won't respond without the right auth key
(and it doesn't support TCP so people can't tell if it's sitting there
listening) but I found I did get into weird routing loops where packets will
come in on one IP and go out on another one. The primary outgoing IP is what
shows up when you run `wg show`.

It is super weird to implement a brand new service and have a config option
for the port, but not the IP address(es) to listen on.

~~~
Florin_Andrei
> _not needing to do the whole CA /easyrsa stuff is a huge bonus_

That's good to hear, but how does it handle authentication / authorization?

~~~
PureParadigm
Before connecting each client needs to be set up with (1) its own private key
and (2) the server's public key. The server also needs to have each client's
public key. Once you have securely shared this information out-of-band, there
cannot be a man-in-the-middle attack because both sides know the expected
public key of the other side, and can prove ownership of their own public key.
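
The peer model PureParadigm describes above is what WireGuard calls cryptokey routing: every peer is identified by its public key, and the AllowedIPs attached to that key decide both which peer an outbound packet is encrypted to and which inner source addresses an authenticated peer may use. The Python below is an added illustrative model, not WireGuard's own code; the config text and the three public keys in it are constructed placeholders, and the parser only reads the PublicKey, AllowedIPs and Endpoint lines of [Peer] sections.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed wg-quick style config; the keys are placeholders, not real keys.
SAMPLE_CONF = """
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# laptop: may only appear as 10.0.0.2 inside the tunnel
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
# branch router: its tunnel address plus the LAN it routes for
PublicKey = BRANCH_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
Endpoint = branch.example.com:51820

[Peer]
# exit node: catch-all for everything no more specific prefix claims
PublicKey = EXIT_PUBKEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""

@dataclass
class Peer:
    public_key: str = ""
    allowed_ips: list = field(default_factory=list)
    endpoint: str = ""

def parse_peers(conf):
    """Return the [Peer] sections of a wg config as Peer objects."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if line.startswith("["):                 # section header
            current = Peer() if line == "[Peer]" else None
            if current is not None:
                peers.append(current)
        elif "=" in line and current is not None:  # key = value inside a [Peer]
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "PublicKey":
                current.public_key = value
            elif key == "AllowedIPs":
                current.allowed_ips = [ip_network(v.strip(), strict=False)
                                       for v in value.split(",")]
            elif key == "Endpoint":
                current.endpoint = value
    return peers

class CryptokeyRouter:
    """Interface-wide AllowedIPs table: each prefix belongs to exactly one
    peer, and the last peer configured with a prefix owns it."""

    def __init__(self, peers):
        self.by_key = {p.public_key: p for p in peers}
        self.table = {net: p for p in peers for net in p.allowed_ips}

    def peer_for_outbound(self, dst):
        """Outbound: longest-prefix match on the destination selects the peer
        whose key the packet is encrypted to; no match means the packet drops."""
        addr = ip_address(dst)
        matches = [net for net in self.table if addr in net]
        if not matches:
            return None
        return self.table[max(matches, key=lambda n: n.prefixlen)]

    def accept_inbound(self, sender_key, inner_src):
        """Inbound: the packet already authenticated as sender_key; deliver it
        only if its inner source address routes back to that same peer."""
        peer = self.by_key.get(sender_key)
        return peer is not None and self.peer_for_outbound(inner_src) is peer

# Router built from the constructed config above.
ROUTER = CryptokeyRouter(parse_peers(SAMPLE_CONF))
```

The inbound check is the part that matters for security: even though the exit node's 0.0.0.0/0 covers 10.0.0.2, a packet authenticated as the exit node but carrying 10.0.0.2 as its inner source is dropped, because that address routes to the laptop's key.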

~~~
Godel_unicode
And no, out of the box there's no equivalent to "trust any cert issued by this
CA and look up the username in ldap based off of the cn". Enterprisey auth is
left as an exercise for the reader.

------
peterwwillis
I like the idea of WireGuard as a simple tunnel, but I wish people would stop
comparing it with VPNs. VPNs have lots of extra functionality that is
necessary to support a variety of use cases, both functionally (like pushing
routes or scripts to clients) and security-wise (like real key management and
SSO).

I literally can't replace any VPN I currently use with Wireguard because I
would lose needed functionality. I could maybe replace the tunnel to a bastion
host, but even then I would actually be worse off security wise, because I'd
be losing cert-based key management. (ex. [https://smallstep.com/blog/use-ssh-certificates/](https://smallstep.com/blog/use-ssh-certificates/))

~~~
yencabulator
As an ex-OpenVPN user, I consider the ability of the server to push arbitrary
scripts to the client an antifeature and a security problem that needs to be
carefully mitigated every time.

------
rasengan
We have all been waiting for this. Congratulations to Jason and the whole
WireGuard team and community! And, thank you Linus!

------
willis936
Now I really want to know when raspbian will get linux kernel 5.6. The most
recent version of raspbian came out in February 2020 and uses linux kernel
4.19, which came out in late 2018.

[https://en.wikipedia.org/wiki/Linux_kernel_version_history](https://en.wikipedia.org/wiki/Linux_kernel_version_history)

~~~
nick2k3
It can actually work with 4.19 and the unstable repo. I'm using 4.19.105-v7+
(to solve a macvlan bug in the default .97) and it works. It's a pain to
install the headers on Raspbian though.

~~~
willis936
That's what I've been doing, but I would like more official support for
something as critical as VPN. I don't forward many ports across my NAT, so I
really rely on the VPN to be rock solid. I am considering getting a second
raspberry pi and running wireguard on two ports on two pis for redundancy (the
ability to fix stuff after a bad update or me breaking something).

------
terrywang
Very exciting news, indeed! Finally WireGuard is in the Linux kernel 5.6
onwards (will arrive soon in the next few days for those who are on rolling
releases).

I've been using WireGuard to replace IPsec (strongSwan - the whole stack is
way too complex, plus client configuration issues, outweighs the benefits) and
OpenVPN (latency, bandwidth / performance is the biggest complaint) for remote
access and mainly encrypting traffic from/to terminal devices when accessing
the Internet via unknown hops/routes/path.

On the other hand, WireGuard is simple (cryptokey routing), modern, elegant,
easy to configure & use, fast, and most importantly, reliable over the past
2.5 years, now even better without DKMS headaches ;-)

WireGuard clients for iOS (works as well as strongSwan for Android - which I
missed a while ago) in terms of 1. on-demand 2. roaming between networks 3.
power consumption / overhead. macOS and Windows ones also work very well.

Problems: WireGuard does not scale well when used for global overlay network
use cases (nebula does a much better job for this purpose). Another issue for
VPN providers: each client has a static IP configuration, which contradicts
with privacy and surveillance, curious to see how Cloudflare's 1.1.1.1 solves
the problem.

Last but not least: WireGuard protocol is easy to block. Therefore, I look
forward to seeing obfuscation plugins / extensions for WireGuard, it will
serve a much bigger purpose for people who live under censorship/surveillance
(e.g. inside GFW) so as to protect privacy and get back their rights to access
the `real` Internet.

Many thanks to Jason and the WireGuard team behind the scene!

~~~
zx2c4
Your first point: There's no part of WireGuard that inherently demands the use
of a static IP address. You can run whatever dynamic IP protocol you want
inside of it or outside of it. The entire interface configuration is
dynamically configurable at runtime. We're working on one called wg-dynamic,
but others have done others.

Your second point: Obfuscation protocols can encapsulate WireGuard just fine.

~~~
terrywang
Really appreciate your input (and congrats!), Jason ;-)

I have been running 2 simple standalone WireGuard VPN servers for remote
access and encrypting traffic (2 EC2 instances inside a VPC, scripted
configuration). Admittedly I didn't dig deep enough to think about or leverage
VPC's DHCP and/or DHCP servers running on other EC2 instances in the same VPC
over the last 2+ years (facepalm), which also means, WireGuard has been set &
forget (reliably working ;-)

Will dive into obfuscation and compare with (known to work) solution V2Ray
(WebSocket + TLS + Web) / Trojan for next battle with the GFW.

BTW: Gravitational has built a WireGuard based overlay network CNI for k8s
called wormhole [1] which can be used to replace flannel when encryption is
required for in-cluster traffic across the overlay.

[1]: [https://github.com/gravitational/wormhole](https://github.com/gravitational/wormhole)

------
GolDDranks
Any ideas how to get a client-server style VPN setup with WireGuard working
with IPv6 so that it keeps working even if the public IP address of your VPN
server changes? The configurations I've seen assign a statically configured IP
address to a client. This works fine with NATted IPv4, but with IPv6,
addresses are "public", so the client must basically know the prefix of the
server to be able to configure a sane address, and if that changes, the
configuration must be changed by hand.

~~~
Znafon
You could use a domain name with an appropriate TTL.

------
kertis
My congratulations to Jason and team! I am very happy that your 6-year effort
led to merging in mainline.

------
tjoff
Does anyone know of a decent bash-script (or even self-hosted page) that one
could use to administer wireguard?

Could go very far with trivial functionality, such as listing, adding and
removing users, and downloading a config file/QR code.

~~~
BrandoElFollito
Please have a look at [https://github.com/vx3r/wg-gen-web](https://github.com/vx3r/wg-gen-web).
It is great and the dev is very responsive.

It was featured on Show HN but did not get enough traction.

------
laktak
I use WireGuard and it works perfectly fine as it is.

Can someone explain why we need/want to put it into the Linux kernel?

~~~
cyphar
WireGuard on Linux has always been implemented as a kernel module (a very
small one at that). If you've used it on Linux, you've used the code that has
been included in Linux 5.6.

This is about the code being merged upstream into the main kernel repository
which means that it'll likely be built-in to lots of distribution kernels and
will no longer have the second-class status that most out-of-tree kernel
modules have.

~~~
yjftsjthsd-h
Well, strictly you _could_ use the userspace implementations on Linux (which I
looked at because I wanted to try running it in a Docker container, which
_does_ work with openconnect).

~~~
cyphar
You could, and that's how the Android version works (at least, until Android
has wireguard.ko built-in -- the WireGuard app supports both versions). But if
you're using it on Linux you're almost certainly using the kernel module.

------
borplk
Could WireGuard be a good choice for server-to-server encryption instead of
TLS? (for example between a TLS terminating load balancer to the application
servers)

~~~
jblwps
What net benefits would you see that having? If I'm allowed to assume that you
wouldn't use TLS because of PKI management concerns, I have a hard time seeing
how using WireGuard in the large wouldn't have the same problems--you still
have to build some kind of management platform on top that verifies host
authenticity (ultimately including revocations and more). That is to say,
WireGuard in the large will surely (right?) need supporting PKI.

~~~
borplk
Yes mainly because of proper PKI management overhead.

Wouldn't Wireguard work with a simple shared secret on both ends?

------
pkrumins
Very exciting! Does anyone know a good howto or a tutorial about it?

~~~
hectormalot
I used the Stavros one: [https://www.stavros.io/posts/how-to-configure-wireguard/](https://www.stavros.io/posts/how-to-configure-wireguard/)

Great to see 1.0.0 released. I’ve been using it for a VPN to my home network
and have been really impressed with how fast it is (and how fast it
connects!). The corporate VPNs I’ve used in the past were so much slower that
it feels like a completely different league, although they support many more
features of course.

------
ur-whale
This is _really_ good news.

I've used a ton of VPNs over the years, even some I wrote myself, and I've
never seen anything that comes close to wireguard in terms of: ease of use,
speed, cleanliness of code.

The world just got a whole lot more secure and flexible.

------
samgranieri
Congratulations Jason! Wireguard is a joy to use.

------
huijzer
For anyone wanting to set up WireGuard with the Pi-hole DNS blocker: I would
advise [https://github.com/racbart/wireguard-pihole](https://github.com/racbart/wireguard-pihole). Just a simple shell
script. No Docker or Kubernetes required. I installed it on the cheapest
DigitalOcean VPS, and it has been running without issues for over a month now.
(About 6 phones of me and my friends, and a few desktops are using it.)

------
dang
[https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-...](https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/) is a related article.

(Via
[https://news.ycombinator.com/item?id=22731279](https://news.ycombinator.com/item?id=22731279),
but no comments there.)

------
tomcooks
Should you want to try it on a cheap VPS and fail at it, make sure that your
shared host has tun-tap and wireguard modules installed (open a ticket)

~~~
jeltz
Yeah, I noticed that it failed on Hetzner when I tried it about a year ago.
What I did instead was use boringtun from Cloudflare. Did not open any ticket
though. I might want to try again and see if it works.

------
sirtoffski
Congratulations and big thanks to all of the project developers and
contributors!

------
2OEH8eoCRo0
This is good to hear. There is a lot of trendy junk that people seem to want
in the linux kernel. I've been waiting for WireGuard to prove itself before I
give it a shot.

------
jannes
Unfortunately not in time for Ubuntu 20.04 which will be shipping with a 5.4
kernel. Can't wait for Ubuntu to have this built in!

~~~
jabl
Ubuntu 20.04 will have wireguard backported to their version of 5.4.

------
tandav
still no good tutorial for complete beginners

~~~
ac29
Yeah, the documentation on the webpage isn't great - there isn't actually an
example that you can follow step by step to get a usable tunnel. That's
unfortunate, because it isn't actually that hard.

Much better documentation is here: [https://github.com/pirate/wireguard-docs](https://github.com/pirate/wireguard-docs)

------
pierreprinetti
Congratulations!

------
Hamuko
Has the codebase been audited now?

~~~
tptacek
Multiple organizations have done both formal and semi-formal WireGuard audits.

------
Glosster
Do I understand correctly? You use WireGuard to set up your own VPN servers?
Doing this is a lot more expensive than buying a VPN subscription, but it can
be more secure if you know what you're doing, right?

~~~
outworlder
'Buying a VPN subscription' is just one use-case. Usually, those VPN services
are intended to be used to circumvent geo restrictions.

WireGuard is not only about that. Sure you could do it. But it is applicable
for any use-case where you have two or more machines that need to talk over a
secure tunnel, over an otherwise not proven to be secure network (which is
usually, but not always, the Internet). This ranges from connecting to a
machine you have at home, to exchanging data between two office branches, and
so on.

