
WireGuard: Next Generation Secure Kernel Network Tunnel - psiconaut
https://fosdem.org/2017/schedule/event/wireguard/
======
AlyssaRowan
One comment I'll make because it's kind of buried in the first paragraph and
not really called out: this project is one of the very early adopters of
Trevor Perrin's state-of-the-art Noise protocol framework design
[https://noiseprotocol.org/](https://noiseprotocol.org/), so you're looking at
something _dramatically_ more modern, auditable and (potentially) secure than
older, hairier protocols like IPsec, TLSv1.2, OpenVPN, etc.

Best of luck, Jason!

------
dguido
If you want a reliable VPN you can use today on nearly every platform, try
Algo VPN. It uses simplifies using IPSEC so that anyone who can run a few
command line scripts can use it.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

It's great that someone is working on what comes next after IPSEC, but the
platform support for everyone won't come any time soon. If you need a VPN
today, Algo is your best answer.

~~~
tptacek
I like Algo a lot, but find it approximately as hard to recommend an IPSEC
head-end to a sensitive network as I do recommending OpenVPN, and OpenVPN has
better clients. Algo makes sense to me as the kind of VPN I set up to run
traffic through when I travel, but not for protecting networks.

I'm not convinced that the problem of replacing VPN protocols is so difficult
that we should get comfortable with IPSEC. We're really just an OSX client
away from WireGuard in the mainstream. And unlike IPSEC vs. OpenVPN, WG is
clearly better than the alternative.

~~~
dguido
I'll add WireGuard when it gets better client support. I'm not tied to IPSEC.

The core values of Algo are making self-hosting and initial setup easy and
reliable.

------
XorNot
It's not clear to me that this really solves any of the UI and management
problems associated with VPNs. I'm sure the new crypto-design is interesting,
but exchanging SSH public keys is actually a huge logistical hassle which
scales very poorly.

The other thing is "container-ready" ... well it just isn't. I can use OpenVPN
to do the same interface migration trick with a container today. That's not
the challenge - the challenge is things like managing what happens when the
VPN interface goes down and I need to recycle and reconfigure that interface
(at which point you end up back at "allocate a private address space, stick
the VPN container in a new address space, play with IPTables there to make
sure losing the VPN routes doesn't mean you start routing over the regular
NIC".

~~~
baby
> but exchanging SSH public keys is actually a huge logistical hassle which
> scales very poorly.

How do current solutions tackle this? It seems that at some point, if you want
something to be two-way authenticated then you need to exchange some public
keys.

~~~
XorNot
Well that's the thing: SSH has recently gained support for signed public keys
- i.e. x.509 style certificate authorities. Outside of that you have things
like monkeysphere doing the same with GPG, or simpler things like LDAP scripts
which just check the key against LDAP (Hashicorp Vault does something
similar).

But it's why I'm skeptical the UI is substantially improved: the _simplest_ UI
for VPN tends to be pre-shared keys - because everything more complicated
simplifies to that interface "somehow everyone needs to agree who's allowed
in" \- and differs to SSH because SSH has more of a one-way contract "let this
connection in, but I can't make the same connection back".

~~~
baby
> the simplest UI for VPN tends to be pre-shared keys

that's what wireguard is doing.

~~~
aseipp
I believe they meant to say "symmetric key without any public key exchange
protocol", e.g. like spiped, more than SSH. ("Pre-shared" is a bit more
confusing in this particular context, admittedly.)

~~~
baby
Oh ok. Yeah sure it makes the protocol simpler. You lose a bunch of security
properties though (forward secrecy on the top of my head).

------
nl
Speaking of VPNs....

Is there a guide somewhere on how to partition applications on Linux so
different apps use different VPNs?

Obviously the easier way is SSH SOCKS tunnels if the app supports it, but I'd
like a more general method.

I believe it is possible by namespacing the apps (or I guess going all the way
and containerizing them) and then setting the routing on a per-namespace
basis.

Is there anywhere this is written down so I don't have to spent 6 hours trying
to work out how to do it?

~~~
kijiki
Namespacing would work, but it might be simpler to use multiple routing tables
and "ip rule" to match each app and direct it to the right routing table. You
can use iptables to match on the process and set a mark on the packet that "ip
rule" will match on.

~~~
nl
Nice..

So:

 _> Is there anywhere this is written down so I don't have to spent 6 hours
trying to work out how to do it?_

Edit, I found [https://freeaqingme.tweakblogs.net/blog/9340/netflix-
using-a...](https://freeaqingme.tweakblogs.net/blog/9340/netflix-using-a-vpn-
for-just-one-application.html) which seems to cover at least some. It is done
on a per-user basis though.

------
dohqu8Zi
I hope to see a mainline submission for public review of this soon.

------
sargun
It seems worrying to me to put something so complicated in the kernel.
Perhaps, not even that, but it feels to me as though the fact that this
requires in tree changes seems wrong, given the way that networking is going
is to enable these network functions via mechanisms such as BPF.

~~~
lgierth
I'm less worried about that because it's so small. WireGuard is ~4k LOC --
thus measurably less complicated than OpenVPN (~100k LOC + OpenSSL),
StrongSwan (~410k), or SoftEther (~330k).

Numbers taken from slide 5 of
[https://www.wireguard.io/talks/codeblue2016-slides-
en.pdf](https://www.wireguard.io/talks/codeblue2016-slides-en.pdf)

Moving to kernelspace brings it up to par with plain IP networking, minus a
bit of overhead for the cryptographic operations. Userspace networking has
overhead which is hard to overcome: context switching and CPU cache
invalidation, copying packets between kernelspace and userspace, etc.

~~~
sargun
Yeah, but BPF can operate in kernel space directly on SKBs. If you look at the
XDP work, there's a lot of promise. In fact I've implemented ECC in BPF --
other than the state, and negotiation components, I don't see why this can't
adapt BPF.

~~~
tptacek
You implemented an elliptic curve scalar multiplication in BPF bytecode? Why?
Which curve?

~~~
sargun
So, for one of the implementations, yes, we implemented Curve25519 inside of
the Kernel. Basically, every node was pushed into a map with the association
of IP/Port to key data.

At the reception of a packet, if we didn't have a key, we'd punt the packet to
userspace, asking it to do an exchange.

For some reason -- That I forget, we ended up putting the entire key into each
packet. I think that when the "exchange" happened in userspace, we didn't
actually store the entire box and key, instead we just generated an
association specific key, and we wanted to be able to rotate this quickly. I
think we just came up with the fact that doing the derivation was cheap enough
that it'd be better to do it on every message.

What would then happen is that if we didn't have a box cached, we would
calculate it, and this code was implemented as a helper function outside of
the BPF itself. Then we did Poly1305 + XSalsa20 with a random nonce.

Why? Because IPSec is fucking complicated, and because I can?

~~~
wolf550e
Has a cryptographer ever looked at the protocol you invented? Maybe doing the
asymmetric crypto on every packet is just a harmless performance problem that,
but maybe you invented something insecure. Or is the protocol strictly from
the spec (NaCl?) and just the implementation strange?

~~~
sargun
No, the project never got that far. I did discuss with a security researcher
though, and it was secure, but it lacked features like PFS, and the handshake
protocol could leak information.

In addition, using "pure" random nonces has all sorts of interesting problems.

------
nul_byte
Can anyone open the slides or video? Using firefox on Fedora and its saying
both file types are corrupt.

~~~
kreetx
Same here (both Firefox and Chrome download a 0 byte pdf; on Firefox the video
errors, on Chrome it plays).

