
WireGuard is submitted for Linux kernel inclusion - dochtman
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
======
StavrosK
I started using Wireguard two days ago to access my home LAN and love it, I
can access everything with one command, as if I'm home. The only problem I
have with it is the complete lack of documentation. The tutorial refers to a
configuration file, but nowhere on the site does it tell you how to write one.

It also took me days to set up what I think is a common use case, logging in
to a server/router at home and accessing the rest of the computers in the LAN.
I couldn't find how to forward/masquerade traffic, and it took some help
from the good people at #linux to get it set up. I think it would be a great
help if they had a configuration file on their site detailing how to set that
up.

Lacking that, I'll write an article with my config so the info is at least out
there, but I believe Wireguard is held back by its lack of documentation.

~~~
alias_neo
I agree. I've been using Wireguard for about 6 months now. The quick start is
great for getting a quick overview but it doesn't really document properly how
a configuration file should be made.

There is no real detail about how a wg-quick config differs from a wg one, and
they're not compatible; it'll complain about unknown keys/values or something
if you use a wg-quick config with extra firewall rules and the like with plain
wg.

I also saw nothing anywhere about how if you modify your config file and
down/up with wg-quick it'll delete anything you entered in your config as the
'down' will write back the current state of the interface. It's not a big
deal, but it messes with the usual workflow of editing the config file of a
service (you don't want to down it while updating your config, which could
take time).

Otherwise, wg has been great; it is generally quite reliable on Android, but
I'd like to see an easier way of doing the exclusions; inverse CIDRs are not
my forte.
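
An added worked example for the exclusion problem above (not code from the WireGuard project or from this commenter): it computes the AllowedIPs list that sends everything through a peer except the given networks, and carries the wg-quick caveat about excluding the peer's own endpoint. Function names and the 203.0.113.10 sample endpoint are this example's own.

```python
"""Compute WireGuard AllowedIPs that cover everything EXCEPT some networks.

WireGuard has no exclusion syntax: AllowedIPs is both the route list that
wg-quick installs and the cryptokey routing table (which source addresses the
peer may send). Excluding a prefix therefore means listing every prefix of
0.0.0.0/0 (and ::/0) that lies outside the hole.
"""
import ipaddress
from typing import Iterable, List


def _exclude(nets, hole):
    """Remove `hole` from each network in `nets`, splitting as needed."""
    out = []
    for net in nets:
        if net.version != hole.version:
            out.append(net)                         # other family: untouched
        elif net.subnet_of(hole):
            continue                                # swallowed whole (or equal)
        elif hole.subnet_of(net):
            out.extend(net.address_exclude(hole))   # split around the hole
        else:
            out.append(net)                         # disjoint
    return out


def allowed_ips_excluding(excluded: Iterable[str], include_ipv6: bool = True) -> List[str]:
    """Return the shortest CIDR list covering all addresses not in `excluded`.

    Caveat from wg-quick's behaviour: only a /0 entry (0.0.0.0/0 or ::/0)
    gets the special fwmark/policy-routing setup. Any other list is installed
    as plain routes, so the peer's own Endpoint address must be excluded too,
    or packets to the endpoint would be routed back into the tunnel.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    if include_ipv6:
        remaining.append(ipaddress.ip_network("::/0"))
    for text in excluded:
        remaining = _exclude(remaining, ipaddress.ip_network(text, strict=False))
    result = []
    for version in (4, 6):                  # collapse_addresses needs one family
        same = [n for n in remaining if n.version == version]
        if same:
            result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


def is_routed(allowed: List[str], address: str) -> bool:
    """True if `address` falls inside any AllowedIPs prefix, i.e. goes to the peer."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(a) for a in allowed)


def allowed_ips_line(allowed: List[str]) -> str:
    """Format as the [Peer] line wg-quick expects."""
    return "AllowedIPs = " + ", ".join(allowed)


if __name__ == "__main__":
    # Constructed sample: everything via the peer except the home LAN, the
    # link-local range, and the peer's own endpoint (203.0.113.10 is a
    # documentation address standing in for a real server).
    holes = ["192.168.1.0/24", "169.254.0.0/16", "203.0.113.10/32"]
    allowed = allowed_ips_excluding(holes, include_ipv6=False)
    print(allowed_ips_line(allowed))
    print("routes 8.8.8.8:", is_routed(allowed, "8.8.8.8"))
    print("routes 192.168.1.7:", is_routed(allowed, "192.168.1.7"))
```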

~~~
StavrosK
> it'll complain about unknown keys/values or something if you use a wg-quick
> config with extra firewall rules and the like with plain wg.

Really? I didn't even know that, thanks.

> if you modify your config file and down/up with wg-quick it'll delete
> anything you entered in your config

Ouch. Yeah, these things definitely need to be documented, I had no idea about
this either. I would also like to see an easier way to configure
authentications, having them in the same file as the config means I can't
version control it, share it easily, etc.

~~~
Hello71
> I would also like to see an easier way to configure authentications, having
> them in the same file as the config means I can't version control it, share
> it easily, etc.

The config file is designed to be very straightforward and contain only the
bare minimum required configuration stanzas. If you want to separate the keys,
or use a higher level key negotiation protocol (e.g. TLS), you can write your
own script that calls the lower level "wg" command instead of "wg-quick".
Alternatively, you can write a script that generates a wg-quick configuration
file.
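
An added example of the last suggestion above, generating a wg-quick config from keys kept in separate files (example code, not WireGuard's own), which also includes the forward/masquerade hooks StavrosK asked about earlier in the thread. The file layout, function names and placeholder keys are this example's assumptions; the hooks use iptables and rely on net.ipv4.ip_forward being enabled separately.

```python
"""Build a wg-quick config from keys stored outside the config file.

Assumed layout (this example's own convention):
  keydir/privatekey            this host's key (`wg genkey`), mode 0600
  keydir/peers/<name>.pub      a peer's public key (`wg pubkey`)
  keydir/peers/<name>.allowed  that peer's AllowedIPs, one CIDR per line
Peer files can be versioned and shared; the private key stays in its own
0600 file, and only the generated output (not for committing) contains it.
"""
import base64
import os
import stat
import tempfile
from pathlib import Path

KEY_LEN = 32  # Curve25519 keys: 32 bytes, 44 base64 characters


def key_file_is_private(path: Path) -> bool:
    """True unless group or others have any access to the file."""
    return not stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def read_key(path: Path, private: bool = False) -> str:
    """Return the base64 key after checking its length and, if private, its mode."""
    if private and not key_file_is_private(path):
        raise PermissionError(f"{path}: private key must be mode 0600")
    text = path.read_text().strip()
    raw = base64.b64decode(text, validate=True)  # ValueError on bad base64
    if len(raw) != KEY_LEN:
        raise ValueError(f"{path}: expected a {KEY_LEN}-byte key, got {len(raw)}")
    return text


def masquerade_hooks(wan_if: str) -> list:
    """PostUp/PostDown lines letting tunnel peers reach the LAN via wan_if.
    wg-quick expands %i to the interface name and accepts repeated hook lines;
    forwarding also needs net.ipv4.ip_forward=1, set via sysctl, not here."""
    lines = []
    for hook, verb in (("PostUp", "-A"), ("PostDown", "-D")):
        lines.append(f"{hook} = iptables {verb} FORWARD -i %i -j ACCEPT")
        lines.append(f"{hook} = iptables {verb} FORWARD -o %i -j ACCEPT")
        lines.append(f"{hook} = iptables -t nat {verb} POSTROUTING -o {wan_if} -j MASQUERADE")
    return lines


def build_config(keydir, address: str, listen_port: int, wan_if: str) -> str:
    """Assemble the wg-quick configuration text."""
    keydir = Path(keydir)
    out = ["[Interface]", f"Address = {address}", f"ListenPort = {listen_port}",
           f"PrivateKey = {read_key(keydir / 'privatekey', private=True)}"]
    out += masquerade_hooks(wan_if)
    peers = keydir / "peers"
    for pub in (sorted(peers.glob("*.pub")) if peers.is_dir() else []):
        cidrs = [c.strip() for c in pub.with_suffix(".allowed").read_text().splitlines()
                 if c.strip()]
        if not cidrs:
            raise ValueError(f"{pub.stem}: AllowedIPs is empty, nothing would reach this peer")
        out += ["", "[Peer]", f"# {pub.stem}", f"PublicKey = {read_key(pub)}",
                f"AllowedIPs = {', '.join(cidrs)}"]
    return "\n".join(out) + "\n"


def make_demo_keydir() -> Path:
    """Create a throwaway keydir holding CONSTRUCTED placeholder keys, not real ones."""
    keydir = Path(tempfile.mkdtemp(prefix="wgdemo-"))
    (keydir / "peers").mkdir()
    fd = os.open(keydir / "privatekey", os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:  # created 0600 from the start, no chmod race
        f.write(base64.b64encode(b"\x01" * KEY_LEN).decode() + "\n")
    for n, (name, cidr) in enumerate((("laptop", "10.0.0.2/32"), ("phone", "10.0.0.3/32")), 2):
        (keydir / "peers" / f"{name}.pub").write_text(base64.b64encode(bytes([n]) * KEY_LEN).decode())
        (keydir / "peers" / f"{name}.allowed").write_text(cidr + "\n")
    return keydir


if __name__ == "__main__":
    print(build_config(make_demo_keydir(), "10.0.0.1/24", 51820, "eth0"), end="")
```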

~~~
chasil
What I am wondering is why they chose 25519.

It would seem to me that offering NTRU Prime or one of the other NIST
finalists would be a prudent future protection.

[https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Rou...](https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions)

~~~
tialaramex
Doing DH with Curve25519 is a broadly understood conventional public key based
key agreement scheme. We have good reason to think these are an excellent,
fast, secure way to do things, unless your adversary has a working large
Quantum Computer so that they can use Shor's algorithm.

NTRU Prime is for a post-quantum KEM. This does, yes, solve the same piece of
the puzzle in a sense. But it's essentially one enormous experiment. Huge
breakthroughs in cryptanalysis for this stuff happen all the time, by next
week you might believe NTRU Prime is a joke and nobody should ever have used
that, which makes requiring it at the core of a new "secure" service in Linux
seem like maybe a bad idea. Bernstein and co. caution, in their submission of
NTRU itself, that "the security of lattice-based cryptography is not well
understood. There are serious risks of further advances".

~~~
chasil
The docs do say: "Finally, WireGuard is cryptographically opinionated. It
intentionally lacks cipher and protocol agility. If holes are found in the
underlying primitives, all endpoints will be required to update."

ECDH 25519 will fall like a house of cards to a capable quantum computer.
Since Wireguard is already entirely DJB, the introduction of a tiny bit of
agility with one of Bernstein's submissions (Classic McEliece, NTRU Prime,
Post-quantum RSA-Encryption/Signature, and SPHINCS+) seems far from
unreasonable.

On the other hand, I'm on Oracle Linux, so I get a new kernel about once a
week anyway. Swapping out might not be that traumatic for me, since I can
ksplice it into critical systems.

Android, however, cannot do that.

p.s. ...after further reading, Wireguard does have optional, pre-shared
symmetric keys. This isn't an ideal solution, but it's something anyway.

"In order to mitigate any future advances in quantum computing, WireGuard also
supports a mode in which any pair of peers might additionally pre-share a
single 256-bit symmetric encryption key between themselves, in order to add an
additional layer of symmetric encryption."

~~~
zx2c4
You can use WireGuard with rather expensive but conservative PQ primitives
like Classic McEliece using the PSK feature of WireGuard, giving you hybrid PQ
secrecy. The PSK feature was explicitly designed for this. The idea is that
first you create a normal WireGuard tunnel. Then _through it_, so that it's
authenticated, maybe even over boring old TCP, you negotiate your potpourri of
experimental post quantum exchanges, maybe several of them if you don't want
to trust a first round NIST submission right off the bat. Then you put the
resultant key from this into WireGuard's PSK slot, and voila, now you have
post quantum forward secrecy.

The Noise protocol framework (on which WireGuard is based) is now looking into
doing PQ authentication, so that will be interesting. But until we actually
have a clue which PQ primitives to use and have spent some time working out PQ
handshakes, I think it's best to keep this all separate and ad-hoc, making it
possible with the simple PSK feature.
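
An added example of the combining step described above (not WireGuard's or the Noise framework's code): the outputs of several post-quantum exchanges run through the tunnel are folded into the single 32-byte value that goes into the PSK slot. The KEM outputs are placeholders from os.urandom, and the combiner (HKDF-SHA256 per RFC 5869, salted with both peers' WireGuard public keys) and its labels are this example's own design.

```python
"""Fold several hybrid key-exchange secrets into one WireGuard preshared key.

WireGuard's PSK slot takes any 32-byte value; how it is derived is up to you.
This combiner runs every secret through HKDF-SHA256, so an attacker has to
break all of the exchanges rather than just one, and binds the result to the
two peers' static public keys so a PSK cannot be reused between peer pairs.
"""
import base64
import hashlib
import hmac
import os
from typing import Sequence

PSK_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_psk(secrets: Sequence[bytes], pub_a: bytes, pub_b: bytes) -> bytes:
    """Derive the PSK from all exchange outputs, bound to the peer pair.

    Secrets are length-prefixed so (b"ab", b"c") and (b"a", b"bc") differ; the
    public keys are sorted so both peers compute the same salt whichever side
    is "local". The result is only as fresh as its inputs: re-run the
    exchanges and re-install the PSK whenever forward secrecy for this layer
    is wanted, since a PSK left in place indefinitely gives none.
    """
    if not secrets:
        raise ValueError("at least one exchange secret is required")
    salt = hashlib.sha256(b"wg-hybrid-psk-v1" + b"".join(sorted((pub_a, pub_b)))).digest()
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in secrets)
    return hkdf_expand(hkdf_extract(salt, ikm), b"wireguard preshared key", PSK_LEN)


def psk_to_wg_format(psk: bytes) -> str:
    """Base64 as accepted by `wg set <iface> peer <pubkey> preshared-key <file>`."""
    if len(psk) != PSK_LEN:
        raise ValueError("WireGuard PSKs are exactly 32 bytes")
    return base64.b64encode(psk).decode()


if __name__ == "__main__":
    # Constructed placeholders: in practice these would be the shared secrets
    # of e.g. a Classic McEliece and an NTRU Prime exchange carried over the tunnel.
    kem_outputs = [os.urandom(32), os.urandom(32)]
    pub_a, pub_b = os.urandom(32), os.urandom(32)  # the two peers' wg public keys
    print(psk_to_wg_format(combine_psk(kem_outputs, pub_a, pub_b)))
```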

~~~
tialaramex
Does this hold up though?

The PQ algorithms are only adding anything in scenarios where real adversaries
can run quantum algorithms to break public key crypto. In those scenarios you
don't have worthwhile authentication in WireGuard itself because your
adversary broke that with their quantum computer.

The claim of "forward secrecy" seems particularly dubious when resorting to
PSKs. Forward secrecy relies upon keys being ephemeral. The PSKs a TLS 1.3 web
server remembers for minutes or hours automatically to support fast session
resumption maybe count; some semi-detached manual PQ key agreement procedure
sounds like it'll get done once and then left in place, no forward secrecy
there.

------
arctux
I've been using Wireguard on both my laptop and my Android phone for about two
months. I've been using the wg-quick systemd units, and everything has worked
amazingly well. The only downside I've noticed is slightly increased battery
consumption on my phone, but that's to be expected (it uses approximately 5%
of the battery per day).

I use dnsmasq to resolve DNS queries on the server side. Dnsmasq's
configuration file includes entries to block connections to ad networks, based
on Steven Black's host file [0]. It's a great way to achieve ad blocking on
Android, since Google has banned ad blockers from the Play Store.

Jason Donenfeld, Wireguard's author, has a Patreon page:
[https://www.patreon.com/zx2c4](https://www.patreon.com/zx2c4)

[0]
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

~~~
moviuro
> it uses approximately 5% of the battery per day

OpenVPN uses about 20% of mine, so I guess it really is a step forward.

Also, for your DNS lying file, you might be interested in:
[https://gitlab.com/moviuro/moviuro.bin/blob/master/lie-to-me](https://gitlab.com/moviuro/moviuro.bin/blob/master/lie-to-me)
(which sources multiple domain lists)

~~~
move-on-by
Steven Black's list sources from multiple lists as well. Checking out your
lie-to-me project, there is actually a lot of overlap between what Steven is
already pulling in and what you are getting. Looks like one of your sources
'palevotracker.abuse.ch' is discontinued and responds with a 500.

------
zaarn
I can't wait until pfSense supports it. That'll be the moment I'll set the
OpenVPN config on fire, because honestly, OpenVPN configs are magic and if
it's not generated by some UI wizard, it's probably broken in some scenario.
And even if you do the wizard, it's probably broken.

Atm I have that funny bug where my laptop drops connection after 3 seconds but
my desktop does fine. With the same configuration! Thank OVPN for that
annoyance!

~~~
moviuro
> Thank OVPN for that annoyance!

Certainly, you reported that issue through proper channels, and attached
detailed information regarding your hardware, software, as well as packet
logs?

~~~
zaarn
It's a configuration error, not an OVPN bug itself. OVPN's configs are just so
obfuscated that it's difficult to find the error.

------
robotmay
I've been using WireGuard on my router for the last 6 months, and it's
fantastic. I get the full speed of my line through it, when OpenVPN was only
giving me 20%. Because of the great plugin they have for Vyatta I'm going to
be looking at using it for some stuff at work now too.

~~~
exhilaration
How did you install it on your router? I'm assuming this isn't a throwaway $30
consumer router?

~~~
rhblake
I use it on an EdgeRouter Lite 3 which is about $99. See:

[https://github.com/Lochnair/vyatta-wireguard](https://github.com/Lochnair/vyatta-wireguard)

[https://community.ubnt.com/t5/EdgeRouter/Release-WireGuard-f...](https://community.ubnt.com/t5/EdgeRouter/Release-WireGuard-for-EdgeRouter/td-p/1904764) (discussion)

~~~
poizan42
The EdgeRouter Lite 3 also happens to be one of the few generally available
Mips64 platforms (Cavium OCTEON CN5020). Actually I have just ordered its big
brother EdgeRouter Lite 4. It costs twice as much, but it also packs a
quad-core 1GHz OCTEON CN7130.

------
ofrzeta
Great news. I started using Wireguard instead of OpenVPN and won't look back.
Actually it was easy to set up even with DKMS kernel modules but having it in
mainline will be great.

~~~
simias
Can you explain what makes it better than venerable old OpenVPN?

~~~
phaer
Mostly speed, a more minimal configuration syntax, more modern crypto.

OpenVPN works fine, is quite portable and runs in user space. It's quite a lot
slower, but is well-tested and can be managed with a Certificate Authority in
organisations where that's desired.

~~~
cm2187
I presume speed on Linux? Otherwise doesn't WireGuard suffer from the same
performance drawback as OpenVPN on Windows (running in user mode)?

~~~
Hello71
OpenVPN is quite configurable, not as much as IPsec, but still a lot, and
(from what I hear) has quite a bit of code bloat. I believe that userspace
WireGuard has better performance than OpenVPN.

~~~
cm2187
My understanding (and experience) is that OpenVPN on Windows is structurally
capped at about 5-10 MB/s. I was curious how that compares to WireGuard.

~~~
neilalexander
Performance issues with OpenVPN on Windows arise out of the inefficiencies of
the TUN/TAP driver, not the OpenVPN software itself.

~~~
cm2187
I am sure that's true, but unless there is an alternative driver I am not sure
why that makes a difference.

------
nialv7
They are trying to get a completely new crypto interface into the kernel, and
they are posting the patches to linux-netdev mailing list.

This is not gonna fly.

~~~
porjo
> This is not gonna fly

This response on the 'linux-crypto' list seems to agree:
[https://marc.info/?l=linux-crypto-vger&m=153310819905231](https://marc.info/?l=linux-crypto-vger&m=153310819905231)

~~~
scott_s
"Not gonna fly" in the sense that this maintainer doesn't want the patch as-
is, but they lay out a clear set of steps the WireGuard authors can take to
get it in shape for an eventual commit.

------
xroche
You may want to check out the very nice presentation on WireGuard at Kernel
Recipes:
[https://www.youtube.com/watch?v=9Rk4doELmwM](https://www.youtube.com/watch?v=9Rk4doELmwM)

~~~
zx2c4
There are several other (and newer) presentations here as well:
[https://www.wireguard.com/presentations/](https://www.wireguard.com/presentations/)

~~~
lighttower
Is there a presentation explaining some of the networking setup you need to
understand in order to get wireguard working properly? For example, a common
OpenVPN complaint is that the default setup hijacks all your network traffic
-- and on Ubuntu since 16.04 the default config gives a DNS leak (they changed
to systemd-resolved).

------
foobarbazetc
The biggest issue we’ve encountered with WireGuard is that it doesn’t (yet?)
support GRO, which means the kernel doesn’t combine multiple sequential TCP
frames inside the tunnel into one before presenting it to a program. This
increases RTT by a significant amount.

~~~
zx2c4
Actually, I turned on inner-packet GRO a few weeks ago with this one-line
change, resulting in surprisingly massive performance boosts for TCP:

[https://git.zx2c4.com/WireGuard/commit/?id=95951af7249912a43...](https://git.zx2c4.com/WireGuard/commit/?id=95951af7249912a4356b9a03cf3addc7e3f8f724)

~~~
foobarbazetc
Woohoo!

Well, that’s amazing. We built a whole massively scalable CDN on top of
WireGuard then hit that issue and had to shelve like 3 months of work.

Thanks for that!

------
jwilk
There's no next message in this thread? Huh?

This mail archive works:

[https://www.spinics.net/lists/netdev/msg516566.html](https://www.spinics.net/lists/netdev/msg516566.html)

~~~
zx2c4
[0/3] [https://marc.info/?l=linux-netdev&m=153306429108040&w=2](https://marc.info/?l=linux-netdev&m=153306429108040&w=2)

[1/3] [https://marc.info/?l=linux-netdev&m=153306429908043&w=2](https://marc.info/?l=linux-netdev&m=153306429908043&w=2)

[2/3] [https://marc.info/?l=linux-netdev&m=153306437408074&w=2](https://marc.info/?l=linux-netdev&m=153306437408074&w=2)

[3/3] [https://marc.info/?l=linux-netdev&m=153306440208084&w=2](https://marc.info/?l=linux-netdev&m=153306440208084&w=2)

------
nopcode
I had the pleasure to meet Jason at 34C3 past winter, he's incredibly capable
and I really hope this goes through somehow.

After using WireGuard you really don't want to go back to the horrible
IPSec/OpenVPN solutions.

~~~
auslander
IPSec IKEv2 is actually pretty good.

~~~
neilalexander
It's pretty good if you have two devices that support the same proposed
ciphers and don't implement other non-standard behaviour (I'm looking at you,
Juniper). It's eye-bleed otherwise.

~~~
auslander
Why Juniper? I would not trust proprietary stuff over Strongswan, even if it
worked correctly :) And Apple IKEv2 native clients work fine too.

~~~
tptacek
strongSwan is literally 2 orders of magnitude more code than WireGuard, and
for all that you get 1990s cryptography. Why would you trust it at all?

~~~
auslander
Trust must be earned. In crypto it is mostly by time, since it takes quite a
few research papers to arrive at scientific consensus.

Codebase size is good argument, but consider how many optional components are
in Strongswan, tens of RFCs supported. You can build it smaller omitting it in
make.

And what is the size of OpenBSD iked?

~~~
tptacek
Try again. strongSwan _hasn't_ earned trust. It's had something like 30
vulnerabilities over the last 10 years, including 6 code execution
vulnerabilities. And strongSwan is considered one of the better IPSEC
implementations! What do I care whether it bought support for "tens of RFCs"
with those vulnerabilities? I don't want "tens of RFCs". I want a working VPN
and no vulnerabilities.

Bugs scale with C codebase size, full stop.

------
znpy
I can foresee a long, long and mostly pointless discussion/argument about code
line length.

~~~
zx2c4
Nah, if people freak out I'll just change it. I _prefer_ my insanely long
lines, and if Dave & co are alright with my preference, great, but if not,
Linux is a big project with many people, and I'm happy to accommodate for
different preferences.

~~~
gct
I'd kind of like to see a screen shot of this

------
1023bytes
Why does this need to be included in the kernel directly and not just as a
loadable module?

~~~
viraptor
When the API it relies on changes, the person doing the change will fix WG
rather than the WG maintainers. Also it enables you to update the kernel
without having to hunt for the matching release of WG separately.

~~~
tinus_hn
Like most device drivers it can be included in the mainline kernel but compile
as a module.

------
paulrd
How would this compare to ZeroTier? (zerotier.com)

~~~
emddudley
It seems that someone asks about ZeroTier on every thread about WireGuard.
According to tptacek:

[https://news.ycombinator.com/item?id=13601928](https://news.ycombinator.com/item?id=13601928)

_ZeroTier is cryptographically inferior to Wireguard, but also isn't really
a VPN: it has centralized configuration and rendezvous. If you're running VPNs
to get the US Netflix from your UK vacation, this is probably fine. If your
VPN is how remote employees access your prod network, it is way less fine._

_I think it's a bit unfair to judge ZeroTier in comparison to VPNs, because
that's not strictly speaking what it's trying to be. I like overlay networks!_

And here's some info from the ZeroTier developer:

[https://news.ycombinator.com/item?id=11996687](https://news.ycombinator.com/item?id=11996687)

_You can think of ZeroTier as a virtual smart switch built on a P2P network_

_..._

_WireGuard does have some things in common with ZeroTier, such as the use of
cryptography to identify endpoints and eliminate the hard-coding of endpoint
addresses. ... I really like the WireGuard design in general and I think it
has a somewhat different use case from ZeroTier, namely fast long-lived
provisioned links across WANs and insecure LANs. You could use ZT for that but
this being in-kernel makes it likely faster._

------
pferde
The only downside with WireGuard for me is that it only works over UDP. I am
in a situation where I only have two or three TCP ports available for a VPN,
so I won't be moving off OpenVPN anytime soon.

I was following WG development for a while now and I think it's a great
project, but sadly not for my particular use case.

~~~
arghwhat
You really need to get that fixed, as you are severely handicapped without
UDP. Apart from existing UDP usecases, the general progression is away from
TCP and onto UDP. QUIC is an example of such progression.

The reason Wireguard doesn't do TCP is that it is only a handicap for
tunneling, and impedes Wireguard's connectionless features. Maybe Wireguard
could add it as a compat option, but the experience will be worse than over
UDP.

In the meantime, making a hacky UDP<->TCP<->UDP proxy isn't very hard. Less
than 100 lines of Go. It'll handicap Wireguard quite a bit (even more than a
built-in TCP compat feature), but it'll probably still be faster than OpenVPN.

~~~
pferde
Well, this is a network where only SSH and one or two more TCP ports are open,
and it's not something I can "get fixed".

Still, I do not have any practical reason for switching to Wireguard, as I do
not really see any reduced speed - it is possible that the bandwidth
limitation of this network's internet connection is low enough for that to be
the bottleneck, instead of OpenVPN. :)

~~~
arghwhat
> Well, this is a network where only SSH and one or two more TCP ports are
> open, and it's not something I can "get fixed".

Are the other TCP ports, as well as UDP blocked by a force of nature? :)

> Still, I do not have any practical reason for switching to Wireguard, as I
> do not really see any reduced speed - it is possible that the bandwidth
> limitation of this network's internet connection is low enough for that to
> be the bottleneck, instead of OpenVPN. :)

At lower throughput networks, you don't _need_ wireguard. It'll still mean
fewer CPU resources used, much simpler configuration, and things OpenVPN and
the likes just cannot do (such as maintain the connection despite both ends
changing IP, as long as it doesn't happen simultaneously).

~~~
phs2501
> Are the other TCP ports, as well as UDP blocked by a force of nature? :)

Yes; the force in question is usually spelled out as "auditors." :(

~~~
arghwhat
Ah, _that_ force. Does this force allow VPNs, or are you just reusing existing
open ports for... alternative purposes? :)

In case of the former, then Wireguard will likely be permitted some day as the
status quo of VPNs. OpenVPN and IPSec appear as dead ends, so it's just a
matter of time. If Wireguard is successfully upstreamed soon, I wouldn't be
surprised if it rose to the throne of VPN monopoly sooner rather than later.

In case of the latter, you're out of luck without a compat mode or a bridge
tool... :/

~~~
pferde
Unfortunately, it's the latter. :)

------
swsieber
So, since lots of people here have experience with VPN, I'd like to ask
theoretical project question:

I have distant family members, and it'd be nice to have a simple way to get
devices on the same network easily.

My initial thought would be to set up a VPN server somewhere central and fast,
and then distribute wireless routers with custom firmware that they could
plug in to their network. Then anything they connect to that router would be
connected to the VPN (because the router is pre-setup to connect to the VPN).

Is that doable? Is it a good idea? I know just enough about networking to be
dangerous...

~~~
zzzcpan
Unless you are ok living with pwned routers, printers, you don't want devices
with javascript-enabled web browsers and other random 3rd party software, like
apps, to have access to anything on local network or at least not when they
have access to the internet.

~~~
ubercow13
Wait what? Are you saying for example at home you would not allow your PC
access to anything else on your LAN?

~~~
forapurpose
Home equipment often is relatively poorly secured. The reality is that
intra-LAN communication causes contagion to spread easily, that blocking
intra-LAN communication can be very inconvenient, and that often there is no
good solution.

At least restrict it as much as possible. For example, allow connections only
to the printer, if that is needed, and maybe only in one direction - and lock
down that printer. But consider walk-up printing via USB cable: People print
much less often these days and they have to walk over to the printer to pick up
the document anyway.

------
Osiris
I have a VPS I use for VPN, which means, unfortunately, no custom kernels or
kernel modules. So, I'm stuck with OpenVPN. It would be awesome to have
WireGuard included in the kernel by default.

~~~
brewrwe
Based on what you stated, I assume this VPS is running on OpenVZ? If so, I
doubt it will ever see newer kernel features, in part due to OpenVZ hosts
relying on ancient LTS kernel branches and also due to OpenVZ "optimizations",
whereby kernel features that use extra resources to enable just get disabled.
Or, if you're lucky they'll give you a button to re-enable them for your
container on an ad-hoc basis.

Heads up, $20 yearly and similar KVM deals are becoming more common, and you
can run any kernel you want in KVM :P

~~~
jwilk
Where do you get these $20/y deals?

~~~
esistgut
arubacloud.com has KVM based VPSes starting at 1€/month.

~~~
jwilk
[https://www.arubacloud.com/vps/virtual-private-server-range....](https://www.arubacloud.com/vps/virtual-private-server-range.aspx)
says "based on VMware technology". Doesn't sound like KVM.

------
newman314
I'd love to see this included as part of the next macOS / iOS.

~~~
jwandborg
I'm sorry.

~~~
yjftsjthsd-h
It probably won't happen for other reasons, but there is a userspace port, so
it should be usable from Darwin.

~~~
tptacek
It works well from macOS.

------
rurban
The only thing I don't like about current WireGuard is that the single config
file contains both the private key in clear, and all the public keys.

IMHO the private keys should be in a separate file.

~~~
wahern
Private keys should be in secure hardware. Short of that it's all hand-waving.

That's one benefit that IPSec+IKE has over Wireguard at the moment. With IPSec
authentication can occur in userspace and the private key never needs to be
exposed to the kernel or to userspace. By the time you implement this for
Wireguard, if ever, the Wireguard "stack" (inside the kernel and, hopefully,
outside the kernel) code size will have gotten considerably larger.

It's largely theoretical at the moment because few IPSec setups actually make
use of this capability. But it will become more common over time.

------
megous
It's super easy to configure overall. But I know how to configure networking
under Linux. The only thing I struggled with was the AllowedIPs concept, because
that was the most unfamiliar thing to me.

I use WireGuard to give my IPv4 only home computers fixed IPv6 addresses and
connectivity via my VPS. It also serves as a sort of overlay network, where my
devices despite not having a fixed IP address, are still reachable on a
WireGuard network via my VPS.

------
Hnewswg1
Great to hear that.

What's the status with the official Windows client?

------
gigatexal
So I can use this as a secure proxy to get around region restrictions? In the
same way I do ssh -D? And then configure the proxy on my browser?

~~~
AstralStorm
It is more low level than that and closer to OpenVPN in terms of setup. Which
means not bad.

The main gain is in efficiency. It is much less resource intensive and thus
sometimes faster.

------
amaccuish
Really recommend if your systemd is up to date, describing your wg interfaces
in .netdev files. Really clean, starting to really like systemd with things
like this...

------
lighttower
Is there a way for a Linux desktop to have some apps go through the wireguard
tunnel, and other apps to go through regular network interface?

------
akerro
Is there any paid VPN provider that supports it?

~~~
pedro2
AzireVPN. Another one was mentioned in the thread. Mullvad?

------
cleanyourroom
This is great News!

------
lighttower
Which of the popular VPN offer wireguard? Pia doesn't.

~~~
ktta
Mullvad

------
omakoma
This news is lit! I remember using WireGuard; it seems decent.

