
WireGuard Gives Linux a Faster, More Secure VPN - axiomdata316
https://www.wired.com/story/wireguard-gives-linux-faster-secure-vpn/
======
lapinot
I really like wireguard, but one thing that bugs me is the fact that it's
layer 3 (an ip tunnel) and has no code to support layer 2 (ethernet MAC
tunnel). The downside for me is that you have to manage static ips in the
configurations (specifically it's not compatible with ipv6 slaac and NDP).
There is [https://git.zx2c4.com/wg-dynamic](https://git.zx2c4.com/wg-dynamic)
but it's very experimental at the moment.

The level 3-only tunnel is motivated as "the cleanest approach for ensuring
authenticity and attributability of the packets" (in the whitepaper), but in
fact every claim and routing algorithm described (needed since the tunnel is
many-to-one) would work equally well substituting "ip address" with "mac
address" (I may be missing something, but for sure it's not explicit
anywhere). And indeed imho it would be less surprising to have an "allowed mac
address" option in the configuration than an "allowed ip address": it's
already common practice to white-list mac address of physical endpoints (in
office). I'm toying with the idea of forking the driver code to adapt it to
ethernet frames as I don't think it would need any big rewrite but I'm
realizing my inexperience in writing kernel code.
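
The "allowed ip" routing the comment above refers to is WireGuard's cryptokey routing: a table of IP prefixes, each owned by exactly one peer's public key, consulted in both directions. The following Python model is an added example (not code from the thread or from WireGuard itself); the peers, their placeholder keys and the addresses are constructed, and a plain scan stands in for the kernel's trie.

```python
import ipaddress


class Peer:
    """One WireGuard peer: its public key and the AllowedIPs entries it owns."""

    def __init__(self, name, public_key, allowed_ips):
        self.name = name
        self.public_key = public_key  # base64 key; placeholders below, not real keys
        self.allowed_ips = [ipaddress.ip_network(n) for n in allowed_ips]


class CryptokeyRouter:
    """Model of the cryptokey routing table: IP prefix -> owning peer, longest
    prefix wins. The kernel keeps this in a trie; a scan is enough to show the rules."""

    def __init__(self, peers):
        self.peers = list(peers)
        owner = {}
        for p in self.peers:
            for net in p.allowed_ips:
                # An exact entry belongs to one peer at a time (assigning it again
                # moves it in the kernel); treat a duplicate here as a config error.
                if net in owner:
                    raise ValueError(f"{net} already owned by {owner[net]}")
                owner[net] = p.name

    def peer_for_destination(self, dst):
        """Outbound: the plaintext destination selects the peer (and so the key)
        the packet is encrypted to. None means no peer owns the address: drop."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for p in self.peers:
            for net in p.allowed_ips:
                if net.version == addr.version and addr in net and net.prefixlen > best_len:
                    best, best_len = p, net.prefixlen
        return best

    def accept_inbound(self, peer, src):
        """Inbound: a packet that decrypted under `peer`'s session is delivered only
        if its inner source address is in that peer's AllowedIPs. This is the
        attributability check: a peer cannot originate traffic from addresses it
        does not own, whatever it writes into the IP header."""
        addr = ipaddress.ip_address(src)
        return any(net.version == addr.version and addr in net for net in peer.allowed_ips)


# Constructed example peers; the keys are placeholders, not real WireGuard keys.
PEERS = [
    Peer("laptop", "LAPTOP_PUBKEY_PLACEHOLDER=", ["10.0.0.2/32"]),
    Peer("office-router", "ROUTER_PUBKEY_PLACEHOLDER=", ["10.0.1.0/24"]),
    Peer("exit-node", "EXIT_PUBKEY_PLACEHOLDER=", ["0.0.0.0/0"]),
]
ROUTER = CryptokeyRouter(PEERS)


def route_outbound(dst):
    """Name of the peer a packet to dst would be encrypted to, or None (dropped)."""
    peer = ROUTER.peer_for_destination(dst)
    return peer.name if peer else None


def check_inbound(peer_name, src):
    """True if a decrypted packet from peer_name claiming source src is accepted."""
    peer = next(p for p in PEERS if p.name == peer_name)
    return ROUTER.accept_inbound(peer, src)


if __name__ == "__main__":
    for dst in ("10.0.0.2", "10.0.1.7", "8.8.8.8", "2001:db8::1"):
        print(dst, "->", route_outbound(dst))
    print("laptop claiming 10.0.1.7 accepted:", check_inbound("laptop", "10.0.1.7"))
```

The inbound check is what ties a decrypted packet to a key rather than to whatever the header claims; the outbound lookup is what makes the interface many-to-one. An IPv6 destination with no IPv6 entry in any peer simply has no route, which is the same condition the comment describes for SLAAC-assigned addresses that were never listed.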

~~~
cpach
Out of curiosity, what is the use case for doing VPN at layer 2?

~~~
linsomniac
Pretty much every time I do a migration from one data center or office
migration I set up an OpenVPN that bridges the network segments at the two
locations. It makes the move so much easier.

Once set up, I can shut down a machine at one location, move it, bring it back
up, and it's back in business. There are situations where we might want to
migrate to new machines during the move, which this makes no harder. But for
many things it makes them easier.

For example, the last move went something like this: Set up the VPN+bridge.
Move half the application servers. Set up new firewall/load balancer since we
were replacing the old ones. Test the new fw/lb. Physically move the primary
database server during a maintenance window and switch over to the new fw/lb.
If there were problems, just switch back to the old one via DNS record changes
(TTL was lowered weeks earlier). Move the remaining app servers. During the
bridging setup, the LBs preferred the local app servers.

~~~
Rapzid
It's been a while since I've worked with linux networking. I would have
thought it would give you a VIF in some form or fashion that you could attach
to a bridge. Is that not the case?

EDIT: *and proxy arp requests through

~~~
linsomniac
By "it" do you mean Wireguard? I haven't used it, but you need a special type
of virtual interface for bridging, a tap device can do it, a tun cannot. From
some searches, Wireguard doesn't support operating on a bridge. OpenVPN, which
is what I've used in the past, supports both tun and tap interfaces.

------
twentyloops
Check out Algo [0] if you're interested in setting up a personal WireGuard VPN
server. It's simple and hassle-free, especially if you are not familiar with
server administration and don't want to be bogged down by details.

I have one deployed on Digital Ocean ($5/mo droplet). All you need to do is
run the setup script, answer a few yes/no questions (optional features), paste
in your API key, and update the firewall setting on Digital Ocean's dashboard.

If anything goes wrong, deploying a new one only takes minutes.

[0] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
cpach
I honestly had no idea that DigitalOcean has a "built-in" firewall. That's
awesome. Thank you!

~~~
wuunderbar
Don't all cloud providers have these for their compute VMs? (e.g,. AWS
security groups)

------
hectorm
In the case that someone has any trouble configuring WireGuard, I would like
to share my automatic deployment of WireGuard and Unbound with full IPv4 and
IPv6 support with Packer and Terraform in Hetzner Cloud (although it can be
easily adapted to other providers) [1].

In the case that no automatic deployment is necessary, it may also be useful
to look directly at the WireGuard configuration [2]. Since WireGuard supports
scripts in "PostUp" and "PostDown", I have automated the configuration of
iptables, including some useful rules to redirect 53/UDP port traffic from the
public interface to WireGuard, which helps in some cases to bypass some
firewalls.

[1]: [https://github.com/hectorm/wireguard-setup](https://github.com/hectorm/wireguard-setup)

[2]: [https://github.com/hectorm/wireguard-setup/blob/master/packer/rootfs/etc/wireguard/wg0.conf](https://github.com/hectorm/wireguard-setup/blob/master/packer/rootfs/etc/wireguard/wg0.conf)

~~~
LilBytes
This is awesome, I'll be giving it a go this week. Thanks!

------
fivesixzero
Increasingly it seems like heavily opinionated foundational tools and
frameworks are overtaking more highly configurable alternatives, at least in
terms of breadth of usage or popularity.

Could this be a positive change? Does this represent a healthy response
cognitive fatigue in a world with configuration options at every possible
layer?

Or does this shift to less readily configurable tools represent an overall
negative? Are we losing diversity in favor of a more vulnerable monoculture
crop?

Or both?

Asking for real, not sarcastically. As a developer I’m a huge proponent of
simpler, more opinionated frameworks for most projects but I’m also aware my
perspective is more limited than many HN commenters.

~~~
trey-jones
I think Opinionated can be good. I think configurable can be good too. I think
the best case is nearly always "Configurable, with smart defaults" meaning
defaults that work out of the box for most uses.

Definitely programming languages are on the periphery of this conversation,
but I think provide some good examples of why I like opinionated tools in
general.

My language of choice right now is Go, and has been for a while. One of the
things I like about it is that it's a bit opinionated. For example:

Braces around `if` statements aren't optional. I prefer this to other C-Like
languages that allow you to leave out braces for one-liners.

Also the document "Effective Go" exists, which lays out the canonical "best"
ways of doing a lot of things. The language doesn't force you to do these
things, but there is an authoritative source that makes good suggestions.

The Antithesis of opinionated languages in my opinion is Ruby. I personally
hate Ruby, but I know there are a lot of people that love it. I hate it
because there are too many ways of accomplishing the same task, and to me
this makes it harder to read. Go, on the other hand, is the easiest language
for me to read, largely because of `gofmt`, another thing that doesn't force
you to do it a certain way, but strongly encourages a standard end result.

~~~
jerf
"My language of choice right now is Go, and has been for a while. One of the
things I like about it is that it's a bit opinionated."

I've frequently described Go as a very, very good 1990s language. Going
through the process of maturity takes time. You can't have a "very, very good"
2020s language right now, because at the frontier we're still feeling our way
through the issues.

(Remember, whatever you're about to hit reply with and try to contradict me
about it being a totally smooth and polished 2020s language that's already
here is _also_ an assertion that your example basically has no room for
improvement and will not improve in the next 10-20 years. Consider your
options carefully before you go too "language partisan" here.)

I believe probably >75% of the hatred Go engenders is from people afraid that
Go's success will erase or invalidate the 2010s/2020s languages they prefer,
because otherwise, the solution to most of these people's hate/anxiety would
be to just ignore Go. To which I can say to those people, you can stop
worrying. It won't. And if you stay in the industry long enough, maybe someday
you'll get to use the really good and polished 2010s or 2020s language. No
idea what it'll be called. And you can similarly assuage the fears of the day
that this new language will erase all the benefits of the 2040s languages in
development at the time.

But for "opinionated" to really work, I think you _intrinsically_ need to have
years of experience to make the right calls. There's no realistic chance that
we could have gone straight to the "correct" VPN choice in one shot. Too many
variables, too many dimensions, too much to learn and know about the security.
It's just not possible. We collectively need the decades.

------
dragonsh
I hope WireGuard can come to feature parity with TincVPN; that will be nice.
Especially automatic routing and mesh VPN formation, it can really help our
multi-cloud container clusters connected using TincVPN to be a bit more
performant.

The difference is WireGuard is part of Linux kernel so speed of processing
packets is faster than TincVPN.

Still experimenting with WireGuard and manually creating peer to peer mesh.

~~~
ahnick
Tailscale looks promising. ([https://tailscale.com/](https://tailscale.com/))

~~~
nif2ee
I am sick of people shilling this thing here. Stop exploiting HN for free
advertising. Every Wireguard post here has become a free ad for this company.

EDIT: Stop supporting parasites repackaging and rebranding open source and
selling it while leaving the author who single-handedly made this entire thing
possible begging for donations on Patreon

~~~
dang
You've been breaking the site guidelines repeatedly, both in this thread and
unfortunately in others (and we've had to ask you about this before). We ban
accounts that do that. Would you mind reviewing
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)
and sticking to the rules when posting here? The intended spirit is curious
conversation.

~~~
nif2ee
Again, please do your job and delete astroturfing comments and ban these
users. This company has been exploiting HN for so long to promote itself
whenever a post about Wireguard goes to the front page. They don't even have a
ready product. This website encourages really sneaky types of marketing if you
don't take action.

~~~
dang
I appreciate your concern for the integrity of this site, but if you really
care about that you should follow its rules, which say clearly what to do with
these insinuations, and it isn't posting them here.

I haven't seen any evidence of astroturfing in this case. The user you were
accusing above seems entirely legit.

You've posted such accusations to HN several times before. Given how little
data we have about each other online, it's easy to connect the dots in a way
that jumps to nefarious conclusions about others. If you come here and post
those, the odds get pretty high that you're accusing innocent people of bad
things. That's not cool, which is one reason the site guidelines ask everyone
not to do that. We'd be grateful if you'd stop doing that.

~~~
nif2ee
I will stop doing that. But HN should give the priority to FOSS projects and
commercial projects made by single developers and small companies that have no
money or other way of reaching out to users instead of helping big companies
and startups made by millionaires. As for the Wireguard case, if you've been
following all popular threads about it throughout the last 2 months you will
know what I am talking about.

Don't let HN become another ProductHunt.

------
tosh
I think Tailscale [1] can be to WireGuard what Github and Gitlab are to git.

If you haven’t checked them out yet: worth taking a look!

[1] [https://tailscale.com](https://tailscale.com)

~~~
cprecioso
What is the difference between this and ZeroTier?
[https://www.zerotier.com/](https://www.zerotier.com/)

~~~
perryh2
[https://twitter.com/perry_huang/status/1223393351845548032](https://twitter.com/perry_huang/status/1223393351845548032)

------
jhurliman
Is there a version of Ubuntu that has GUI NetworkManager support for
WireGuard? I’m missing the convenience of toggling the VPN on and off from the
system menu.

~~~
lbeltrame
Versions >= 1.20 have support for all the bits and pieces (including routing
all traffic). Initial support landed in 1.18.

~~~
zoonosis
If that is the case, it looks like Ubuntu 19.10 and later have support.

[https://packages.ubuntu.com/search?keywords=network-manager&searchon=names](https://packages.ubuntu.com/search?keywords=network-manager&searchon=names)

~~~
kova12
if it does, I don't see "how"

~~~
tsukurimashou
I don't know, try to type "Wireguard NetworkManager Ubuntu" in your favorite
search engine?

[https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/](https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/)

~~~
tsar9x
I don't know, try to read parent's comment again and see it's about GUI?

~~~
kova12
this doesn't even work for me in CLI. I'm able to create a connection from a
wg0.conf file, but it's not coming up, while regular wireguard tools work just
fine

------
nikisweeting
In case anyone wants some user-facing Wireguard docs with examples and further
reading, I've compiled some here:

[https://github.com/pirate/wireguard-docs](https://github.com/pirate/wireguard-docs)

------
danielneri
Been using this thru Streisand
[[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)]
and can honestly say it is an excellent experience. Would highly recommend
deploying through Streisand / Ubuntu 16 if you'd like to experiment (and run a
production setup!)

------
closeparen
What are the options right now for open source user/access management around
WireGuard? I don’t love the idea of manually writing down keys in a config
file.

I’m thinking of writing something to template out configs for short term keys
(and automatically reload) based on an OIDC authentication, but seems
inelegant.

~~~
Hikikomori
Could create something where you authenticate to vpn.yourdomain.com in your
browser using your preferred method that creates a temporary key and starts
your wg client for you.

~~~
closeparen
Yeah that’s what I’m thinking, creating the temporary key by manipulating the
config feels inelegant though.

------
sbradford26
While I don't believe WireGuard is a drop in replacement for IPsec tunnels or
OpenVPN I think it is a great solution to add a VPN tunnel back to your home
network. I am running a WireGuard server on an Unraid server and it was
trivial to set up and I can easily hit near gigabit speeds through it.

~~~
deepersprout
> While I don't believe WireGuard is a drop in replacement for IPsec tunnels
> or OpenVPN

Why?

~~~
Sesse__
There's no predefined way of setting up and sharing keypairs, for one. As a
company end user logging into a VPN, what you want is a place to input your
username and password (and potentially 2FA credentials), not “create a keypair
and give the public key to an admin”.

~~~
tptacek
It's true that the WireGuard ecosystem needs these features. But it's also
true that people believe VPN software needs lots of features because other
VPNs are complex; people do not generally believe these things about SSH, and
WireGuard makes VPN tunnels as easy to manage as SSH.

Another thing people might not realize if they haven't had to deal with lots
of different VPN configurations is that most of the "user management" and
"2FA" features of legacy VPNs are, as the kids say, janky "AF".

Ultimately, organizations should be tying their VPNs, like everything else,
into an IdP of some sort, and most of the "user management" and "MFA" stuff
belongs to the IdP, not the VPN. People will clearly get WireGuard integrated
into Okta.

~~~
rcxdude
> Ultimately, organizations should be tying their VPNs, like everything else,
> into an IdP of some sort, and most of the "user management" and "MFA" stuff
> belongs to the IdP, not the VPN. People will clearly get WireGuard
> integrated into Okta.

Right, but at the moment this integration does not exist.

~~~
tptacek
I'm not disputing that.

------
Vysero
So when they say it will be embedded into the Linux Kernel, what does that
mean exactly? Does that mean I will be able to open a terminal and type:
WireGuard and from then on my connection to the internet will be secure so
long as I don't close the terminal or what?

~~~
e12e
> Does that mean I will be able to open a terminal and type: WireGuard and from
> then on my connection to the internet will be secure

It's more like how iptables/nftables is part of the kernel. You need a recent
kernel along with user space tooling. But it will become part of virtually
every Linux distribution.

As for "my connection to the internet will be secure" - that's possible, but
the main use case right now is "my connection to my vpn/server will be
secure".

Additional configuration is required to route all traffic through the
wireguard tunnel, and make sure all other traffic is dropped - and to make
sure all traffic is dropped, rather than sent in plaintext when the tunnel
goes down (a "kill switch").

I'm sure we'll see many tools and scripts that will help automate such setups.

But if you _just_ want a udp routed VPN - you might want to look at zerotier
or tinc.

~~~
Vysero
This may sound like a newb question but.. is my connection to my vpn/server
not already secure on Linux?

~~~
e12e
Wireguard is one way to secure your connection to another machine. That
machine could be a "VPN server" - which typically mean one of two things:

1) By connecting to that server, you get access to private resources as if you
were on the same network. Say, access to a printer, a web camera or a file
server that aren't exposed to the Internet.

2) You gain access to the Internet through that server, so that your
publicly visible IP changes. This prevents anyone between you and the server
from seeing the content of your traffic (eg: your ISP, the hotel IT staff that
runs your free wifi). It can also grant you access to resources that _are_ exposed
to the internet - but filter access based on IP. Such as a CRM system, or
webmail system.

If you are connecting to a VPN server, then, by definition (virtual _private_
network) - your connection should be secure. Wireguard is one way in which
that access can be secured - and it's new/modern, simple and widely regarded
as following best practices. Alternatives are ipsec via eg strongswan, OpenVPN
and a bunch of nasty proprietary solutions constructed out of mixes of libssl
and obscure hedge magic.

------
293984j29384
What makes Wireguard more secure? The article appears to make some weak claims
about a smaller codebase and less configuration options but I don't think that
translates directly into it being more secure?

~~~
Sesse__
The main idea (which has a fair amount of merit!) seems to be: If you give
people too many knobs, they will invariably get confused and turn them the
wrong way, creating an insecure configuration.

E.g., IPsec has a “none” cipher!

~~~
Hello71
the "none" cipher isn't even that bad... if you do a packet capture, you can
clearly see that the data is unencrypted. the worst part about IPsec is that
there are many modes which _look_ secure, but actually aren't secure at all.
examples: encrypted but unauthenticated packets, encrypted but unauthenticated
channel negotiation, encrypted by default but downgradable cipher
negotiation...

~~~
Avamander
This is why I abandoned using it, knowing the average quality of an online
article I couldn't trust that the configuration was secure and there were no
official very secure templates.

~~~
wahern
This is a problem with the IKE implementation. A secure IPSec configuration on
OpenBSD is a single line, and you can copy+paste it from the excellent man
page.

Part of what makes WireGuard "simple" is that it doesn't support any kind of
key management--i.e. PKI. Instead you're expected to copy keys around
manually. IKE is the most complex part of the IPSec software stack but in many
ways the most important part.

Ironically but entirely predictably, people are using homegrown scripts and
proprietary third-party services to replace the missing key management aspect
of WireGuard. When these turn out to be insecure, or at least the weakest link
in the chain, nobody will ever blame WireGuard, even though it will be a
predictable consequence of using WireGuard.

~~~
Avamander
> on OpenBSD is a single line

Nice, but it would be nice to know if that is the default or not on Linux as
well.

I don't agree with the claim that IPSec somehow automates PKI, it's still very
disgusting compared to things like (LetsEncrypt's) ACME. I really hated the
PKI on Linux, especially when trying to revoke old keys than on Wireguard. The
fact that clients also differed heavily in what they supported was also very
annoying.

~~~
wahern
> Nice, but it would be nice to know if that is the default or not on Linux as
> well.

It's because OpenBSD uses a much nicer, more declarative configuration file
syntax, whereas the options on Linux, like Openswan, use a less expressive
key-value syntax. To be fair, AFAIU Openswan supports more IKE extensions, and
is an older project with more baggage than OpenIKEd or OpenBSD's ipsecctl
configuration compiler front-end for isakmpd. But that only highlights the
fact that much of the complexity of IPSec is due to history, not because IPSec
is intrinsically too complex to make it usable. The SLoC of IPSec kernel code
are comparable to the SLoC for WireGuard kernel code. There are smarter ways
to implement IPSec and IKE, especially when you have the benefit of hindsight.

> I don't agree with the claim that IPSec somehow automates PKI, it's still
> very disgusting compared to things like (LetsEncrypt's) ACME

It doesn't automate CA renewal, but you can't even do any kind of PKI using
WireGuard as WireGuard doesn't support key signing or key authorities.

FWIW, OpenBSD provides a utility for generating and manipulating X.509
certificates for use with IKE.[1] I've never used it as I'm unfortunately
quite familiar with PKIX infrastructure and have my own tools, but AFAIU it's
what most people use.

None of this is to say that, when comparing apples to apples, WireGuard isn't
a better protocol than IPSec. But SSH also has warts and it would be trivial
to come up with a better replacement protocol. We don't need to because we
have OpenSSH, a smart implementation that continually discards as much baggage
as it can, while still interoperating with a wider ecosystem of alternative
implementations.

The fundamental problem is that 1) key management is hard, 2) key management
is critical to overall safety and usability. WireGuard sidesteps all of this.
It looks great on paper because it's only solving the easiest problem. And it
seems great in practice because the ugliness of the ancillary infrastructure
isn't counted against it, even though from a holistic standpoint it should.

[1] [https://man.openbsd.org/ikectl.8#PKI_AND_CERTIFICATE_AUTHORITY_COMMANDS](https://man.openbsd.org/ikectl.8#PKI_AND_CERTIFICATE_AUTHORITY_COMMANDS)

~~~
Hello71
> The SLoC of IPSec kernel code are comparable to the SLoC for WireGuard
> kernel code.

I haven't checked whether this is true, but even if it is, that's a damning
indictment of IPsec, because on Linux, the entire connection establishment is
in userspace, and the kernel only handles per-packet encryption and
authentication. WireGuard has the entire negotiation sequence, authentication,
routing, timeouts, rekeying, etc in the kernel. With IPsec, you need to have a
userspace daemon to manage all of that, with _significantly_ more LoC than the
bare per-packet essentials. With WireGuard, you just load the keys into the
kernel and you're done. I bet that you're also counting Zinc against
WireGuard, but not counting the entire crypto API against IPsec (which, unlike
with WireGuard, you might end up actually using).

I suspect that it's not actually true though in the first place, once you add
in all of the other stuff like iptables -m policy that only exists to support
IPsec.

------
jandeboevrie
Freedombox makes wireguard so incredibly easy to deploy:
[https://raymii.org/s/tutorials/Wireguard_VPN_on_Freedombox.h...](https://raymii.org/s/tutorials/Wireguard_VPN_on_Freedombox.html)

------
CountVonGuetzli
Can't wait to not have to faff about with configuring strongswan/ipsec for
roadwarrior configurations anymore. Setting up WireGuard server and clients on
notebooks and phones was a breeze. Really a huge leap for me in terms of
usability.

------
smush
TL;DR: Should I keep fussing with PiVPN or try something like TincVPN?

Semi-OT: So I just installed PiVPN to use with this protocol to try and do a
small vpn at home (all I want is to go to my domain, auth, and be on my LAN so
I can RDP / VNC) and the wireguard bits worked great, and the install process
was buttery smooth, even on a Raspberry Pi Zero W.

But - my lack of network knowledge is probably hamstringing me. I opened the
WG port on my router and confirmed the dns hostname I'm using corresponds to
the public IP, but I'm not able to get the wireguard clients to connect. The
tcpdump doesn't show any incoming traffic on the port at all.

Should I keep fussing with PiVPN or try something like TincVPN or Tailscale? I
have not been able to get a VNC or RDP session going over tailscale even
though all my machines are able to connect to the Tailscale network.

I want to use wireguard, everyone says it is so good, and OpenVPN does seem a
bit boring, but ultimately I'm just hitting a wall when it comes to the use
case of 'auth, you are on your home lan, connect as if you are at home
connected to wifi'

~~~
bubersson
Make sure that the port is correct and it is UDP (not TCP).

(I just did the same setup with PiVPN. Somehow I got a wrong port number
first, but then it worked)

~~~
smush
OK it defaulted to UDP, got nothing, changed to TCP, got nothing. Will change
it back and try again.

I will also double check the port number.

~~~
Multicomp
While you're at it, check and double check your port forwarding settings. I
got bit by this recently.

My owned router had the right ports opened, but the AT&T bridged router did
not. Be sure you open ports on both sets of routers, otherwise your owned
router will never have a chance to allow the traffic in the first place.

------
sccxy
pivpn is easiest way to set it up.

Great tool for newbies like me.

QR setup for mobile also available.

[https://github.com/pivpn/pivpn](https://github.com/pivpn/pivpn)

------
Havoc
Will be great when this becomes mainstream & hopefully common place.

A ton of links are conceptually point to point but not encrypted as such
because existing means are a pain in the ass

------
josteink
WireGuard is nice and fast indeed, but unusable for me at work, because pretty
much all outbound UDP-traffic is filtered.

Having a TCP-based option sure would be nice.

~~~
xxpor
I'd be fairly confident your work doesn't want people making random VPN
tunnels from their work laptops.

~~~
zamadatix
Probably not but nobody said it was the work laptop just at work. It'd be
pretty hard to get WG installed on a work laptop in the first place.

My work does the same kind of thing on the guest SSID, drives me nuts.

------
aeyes
Are there any official plans for 2FA in Wireguard?

~~~
slim
there is no authentication that would need a second factor in wireguard. in
wireguard you authenticate the host, not a user

~~~
slim
actually there is no authentication in wireguard. only identification

~~~
megous
Each node has a list of public keys of nodes that it authorizes to communicate
with it. Those nodes authenticate (provide proof of their identity) themselves
via the exclusive ownership of their private keys.

So I don't see your point.

------
z3t4
I reviewed vpn solutions on Linux a few weeks ago and Wireguard was the
easiest to setup among the secure protocols.

------
holmberd
I've used IVPN for years and it works flawlessly.

------
nif2ee
Don't forget to support Jason, WireGuard's author, on Patreon.
[https://www.patreon.com/zx2c4](https://www.patreon.com/zx2c4)

~~~
GekkePrutser
Wow, 10k$/month is a lot more than a 'sustainable full-time job' would pay :)
At least here in Europe.

But of course what he's getting now ($1212) is nowhere near that.

~~~
autarch
That's quite a bit less than someone with his skillset could earn in the US.
He could easily earn 2-3x that amount in Silicon Valley, and possibly quite a
bit more.

~~~
GekkePrutser
Ok I didn't know that. I heard IT wages in the US were good but I didn't think
they were _that_ good. Here in Spain you're doing well with $2200 and that's a
senior position at a big multinational.

------
app4soft

       $ systemd
       $ wired

------
upofadown
Recentish negative article about Wireguard:

* [https://blog.ipfire.org/post/why-not-wireguard](https://blog.ipfire.org/post/why-not-wireguard)

~~~
labawi
> Is WireGuard faster than other VPN solutions?

> ChaCha20 is a stream cipher which are easier to implement in software. They
> encrypt one bit at a time. Block ciphers like AES encrypt a block of 128
> bits at a time. ..

Wow. I'm avoiding wireguard for other reasons, but there is a lot of FUD in
that article.

------
Dirlewanger
They quote Mullvad in the article...aren't they now basically fucked with that
new invasive Swedish law that was passed recently? Sorry, don't have a source
but saw it the other day.

------
niczem
Not so sure, as long as you can not disable logging:

[https://www.perfect-privacy.com/en/blog/wireguard-vpn-pros-and-cons](https://www.perfect-privacy.com/en/blog/wireguard-vpn-pros-and-cons)

~~~
Hikikomori
Their use case may require it, not true for others.

~~~
blattimwind
What they want to do, cannot be done by Wireguard, because Wireguard does not
have the concept of "VPN sessions / connections". What they probably need to
do is to assign each customer a fixed private IP for use within their VPN,
e.g. from 10.0.0.0/8.

When those are not enough any more, they need to segment their VPN, so they
can re-use the private IP space in each segment.

w.r.t. to "NeuroRouting and TrackStop not possible", they could route their
stuff through a TUN interface to do whatever they want to do in user space.
With a performance cost.

~~~
Znafon
This is a common criticism of WireGuard, but it looks like those services are
looking for excuses to explain why they don't propose WireGuard yet. As far as
I understand it:

> What they probably need to do is to assign each customer a fixed private IP
> for use within their VPN, e.g. from 10.0.0.0/8.

Actually, they can set a different IP for each session and rotate them by
giving it to the client out of band, for example when it authenticates to the
service.

> When those are not enough any more, they need to segment their VPN

Like with all other VPNs right? They could also distribute IPv6 for the tunnel
and this would not be an issue.

~~~
blattimwind
> Actually, they can set a different IP for each session and rotate them by
> giving it to the client out of band, for example when it authenticates to the
> service.

Like I said, Wireguard does not have the concept of sessions. You could add
your own proprietary "stuff" around Wireguard to add that concept, but then
you don't need anything extra from Wireguard. You add the keys of the users as
part of the session setup and remove them when the session is destroyed. Of
course, this means that clients have to use a client tool provided by you.

~~~
Znafon
There is a handshake at most every two minutes. Is it not possible to say e.g.
fetch a new key if the last handshake was an hour ago?

------
peterwwillis
What I don't like about WireGuard:

- Basically no real user or admin-oriented docs. There's some example configs
and some getting started guides, and then some crypto-nerd look-how-secure-
our-algorithms-are docs, but no real guidance on how to set up a reasonably
simple network of hosts.

- Authentication/authorization is just IP addresses and public keys? What
about users and service accounts that you want to rotate the credentials of?
What about SSO? What about fine-grained access control? What about <insert all
of the enterprise things>?

Big static keys and open-ended authorization by default are really not where
we should be going with modern security practices. If I just want a layer 3/4
tunnel with public keys, SSH already does that. Sure, WireGuard is basically
"SSH plus some easier routing", but I don't need an iteration on SSH, I need
an iteration on OpenVPN, which can actually support most enterprise needs. The
SSH (and WireGuard) model doesn't scale, due to a lack of functionality.

~~~
ecnahc515
If you want SSO, or fine grained access control, the idea is you would do that
at a level above wireguard. For example, I'm prototyping a small CLI that
talks to hashicorp vault via OIDC/OAuth2, and then creates a wireguard key
pair + configuration locally, submits the public key to vault, and then the
wireguard "server" is configured with a simple daemon that pulls all the
public keys from vault and generates a wireguard configuration allowing access
from those public keys.

This is a simple example, but much of what you need to do can be done with
layers on top. This is similar to iptables, in that you can use `firewalld`,
or `UFW` which all use iptables under the hood.
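
Both the session-based key lifecycle blattimwind describes above (add a user's key when the session starts, remove it when the session ends) and the enrol-then-generate-config flow ecnahc515 describes come down to the same few operations. The following Python is an added example, not code from either commenter, from the prototype mentioned, or from WireGuard; it replaces Vault and the OIDC login with an in-memory registry and assumes the user has already been authenticated out of band. X25519 is implemented in pure Python purely so the example runs offline (it is not constant-time); `wg genkey`/`wg pubkey` or a vetted library is what a real tool would use. The `wg set ... peer ... allowed-ips` and `peer ... remove` forms are wg(8) subcommands; the rendered config follows the `[Interface]`/`[Peer]` layout wg-quick reads.

```python
import base64
import os

# X25519 from RFC 7748 section 5, in pure Python so the example runs offline.
P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder; returns the 32-byte little-endian u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64           # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def public_key_b64(private_b64: str) -> str:
    """Same derivation as `wg pubkey`: scalar-multiply the base point."""
    return b64(x25519(base64.b64decode(private_b64), BASEPOINT))


def generate_keypair():
    """Client side: a fresh keypair, base64 like `wg genkey` / `wg pubkey`."""
    priv = b64(os.urandom(32))
    return priv, public_key_b64(priv)


def public_key_hex(private_hex: str) -> str:
    return x25519(bytes.fromhex(private_hex), BASEPOINT).hex()


def shared_secret_hex(private_hex: str, peer_public_hex: str) -> str:
    """Both sides reach the same value only if each holds its own private key."""
    return x25519(bytes.fromhex(private_hex), bytes.fromhex(peer_public_hex)).hex()


class PeerRegistry:
    """Stand-in for the key store the server daemon pulls from (Vault in the
    comment above; a dict here). A session is (public key, assigned tunnel /32)."""

    def __init__(self, interface="wg0"):
        self.interface = interface
        self.sessions = {}

    def start_session(self, user: str, public_key_b64: str, tunnel_ip: str) -> str:
        # Assumption: `user` already authenticated (OIDC/OAuth2) before reaching here.
        if len(base64.b64decode(public_key_b64, validate=True)) != 32:
            raise ValueError("WireGuard public keys are 32 bytes")
        if any(ip == tunnel_ip for _, ip in self.sessions.values()):
            raise ValueError(f"{tunnel_ip} already assigned to another session")
        self.sessions[user] = (public_key_b64, tunnel_ip)
        return f"wg set {self.interface} peer {public_key_b64} allowed-ips {tunnel_ip}/32"

    def end_session(self, user: str) -> str:
        pub, _ = self.sessions.pop(user)  # KeyError if there is no such session
        return f"wg set {self.interface} peer {pub} remove"

    def render_config(self, server_private_b64: str, listen_port: int = 51820) -> str:
        lines = ["[Interface]", f"PrivateKey = {server_private_b64}", f"ListenPort = {listen_port}"]
        for user, (pub, ip) in sorted(self.sessions.items()):
            lines += ["", f"# {user}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
        return "\n".join(lines) + "\n"


def demo_session_flow():
    """Constructed walk-through: two clients enrol, one leaves. Returns the rendered
    server config and the incremental `wg set` commands the daemon would run."""
    server_priv, _ = generate_keypair()
    reg, cmds = PeerRegistry(), []
    _, alice_pub = generate_keypair()   # generated on the client, only the public half is submitted
    _, bob_pub = generate_keypair()
    cmds.append(reg.start_session("alice", alice_pub, "10.0.0.2"))
    cmds.append(reg.start_session("bob", bob_pub, "10.0.0.3"))
    cmds.append(reg.end_session("bob"))
    return reg.render_config(server_priv), cmds


if __name__ == "__main__":
    config, cmds = demo_session_flow()
    print("\n".join(cmds))
    print(config)
```

The private key never leaves the client; the registry only ever sees public keys, which is the property that makes this layering safe to put above WireGuard. Removing a peer with `wg set ... remove` also drops its AllowedIPs entry, so an expired session loses both its key and its address in one step.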

~~~
peterwwillis
It sounds cool, but it also extends the amount of components that have to be
made resilient to failure and attack. Your HA vault+consul clusters, HTTPS &
OAuth2, key generation, and automation pieces (inc. message passing & load
balancing) all need to be working correctly. Compare that to a single
stateless server which spits out an OAuth2 login url to a client, receives a
token once the client is authed, and opens a connection with that user's
specific network authorization.

~~~
ecnahc515
Agreed, but as OpenVPN has shown us, it's not a guarantee that security will
be any better if everything is contained within a single process.

It's also possible to use something other than Vault, you could use LDAP for
example, but Vault lets you use multiple authentication mechanisms, and can be
used for other purposes, so it's kinda a multi-tool. Additionally, I'm not
using consul, just Postgres on the same host as Vault.

