
TunSafe WireGuard Client for OS X - ludde
https://tunsafe.com/osx
======
dminor
I've seen WireGuard recommended here pretty strongly, so I started looking
into it, but I couldn't see exactly how it could replace OpenVPN for us.

We have an OpenVPN bastion for access into our VPC, and each engineer has
their own key. When someone leaves, we can revoke their key.

But WireGuard seems to use a single key per network interface. Would we just
create an interface for every engineer (I have no idea what the limits are on
these - maybe they're cheap)? Or is this just not a good use case for
WireGuard?

~~~
dsacco
_> But WireGuard seems to use a single key per network interface._

Every interface is associated with a public/private key pair, but each
interface need not peer with a single client. That would be inefficient.
Instead, each peer (including clients and the server) generates a personal key
pair when they configure their local WireGuard (e.g. wg0) interface.
Afterwards they set up a local configuration file consisting of peers and
respective public keys.

Then in the context of a company VPN, one peer is a designated server, and
every other (client) peer lists the server’s remote IP as the only peer
interface in their local configuration. The server has the public key of every
client as respective entries in its local config file, which is used to
restrict access to whitelisted clients. Any client with the corresponding
private key locally can connect to the server’s interface using their local
interface.

To remove a client from the white list, you simply remove their peer entry
from the local config file on the server, much like how you remove an SSH
public key from authorized_keys. In fact, a decent mental model for WireGuard
is tunneling over SSH, but faster, leaner and with no option for a shell or
password login.
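
The server-side peer list and the "remove their entry from the config" revocation step described above, as an added example that is not part of this thread or of the WireGuard or TunSafe projects. It assumes the standard wg-quick INI layout (one `[Interface]` section followed by any number of `[Peer]` sections, each with a `PublicKey` line); the sample config, the `revoke_peer`/`list_peers` helper names and the `*_PLACEHOLDER` key strings are all constructed for the example and are not real keys.

```python
"""Minimal editor for a WireGuard server config: list peers and revoke one.

Added example (not from the thread or the TunSafe/WireGuard projects).
Assumes the wg-quick INI layout: one [Interface] section followed by any
number of [Peer] sections, each carrying a PublicKey line.
"""
from __future__ import annotations

# Constructed sample config. The key values are placeholders, not real
# base64-encoded 32-byte WireGuard keys.
SERVER_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# alice
PublicKey = ALICE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# bob
PublicKey = BOB_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32
"""


def parse_sections(text: str) -> list[tuple[str, list[str]]]:
    """Split config text into (section_name, lines) blocks.

    Comments and blank lines stay with the section they follow, so the file
    round-trips unchanged apart from the removed peer.
    """
    sections: list[tuple[str, list[str]]] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            sections.append((stripped[1:-1], []))
        elif sections:
            sections[-1][1].append(line)
        elif stripped:
            raise ValueError(f"line outside any section: {line!r}")
    return sections


def public_key_of(lines: list[str]) -> str | None:
    """Return the PublicKey value of a section, or None if it has none."""
    for line in lines:
        key, sep, value = line.partition("=")
        if sep and key.strip() == "PublicKey":
            return value.strip()
    return None


def list_peers(text: str) -> list[str]:
    """Public keys of every [Peer] section, in file order."""
    return [public_key_of(lines) for name, lines in parse_sections(text)
            if name == "Peer" and public_key_of(lines)]


def render(sections: list[tuple[str, list[str]]]) -> str:
    """Serialise sections back to wg-quick text."""
    out = []
    for name, lines in sections:
        out.append(f"[{name}]")
        out.extend(lines)
    return "\n".join(out).rstrip("\n") + "\n"


def revoke_peer(text: str, pubkey: str) -> str:
    """Return the config with the [Peer] whose PublicKey equals pubkey removed.

    Raises KeyError when no such peer exists, so a typo in the key being
    revoked fails loudly instead of silently leaving access in place.
    """
    sections = parse_sections(text)
    kept = [(name, lines) for name, lines in sections
            if not (name == "Peer" and public_key_of(lines) == pubkey)]
    if len(kept) == len(sections):
        raise KeyError(f"no peer with PublicKey {pubkey}")
    return render(kept)


if __name__ == "__main__":
    print(list_peers(SERVER_CONF))
    print(revoke_peer(SERVER_CONF, "BOB_PUBLIC_KEY_PLACEHOLDER"))
```

Editing the file only changes what is loaded on the next `wg-quick up`; the running interface keeps its in-kernel peer table until it is told otherwise, for example with `wg set wg0 peer <pubkey> remove` or by reloading the stripped config with `wg syncconf wg0 <(wg-quick strip wg0)`. The per-peer `AllowedIPs` line is also what scopes which tunnel addresses a given key may use, so keeping one `/32` per engineer is what makes the server-side list a real access control rather than just a routing table.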

------
rumpelsepp
Here is some discussion about tunsafe.

[https://lists.zx2c4.com/pipermail/wireguard/2018-March/00244...](https://lists.zx2c4.com/pipermail/wireguard/2018-March/002448.html)

~~~
eps
That's not a "discussion", but a nasty spiteful post full of extreme, but
baseless allegations.

~~~
marten-de-vries
That's not the whole story. There are further responses in that thread,
including the opposing viewpoint from the TunSafe author.

* [https://lists.zx2c4.com/pipermail/wireguard/2018-March/00246...](https://lists.zx2c4.com/pipermail/wireguard/2018-March/002460.html)

* [https://lists.zx2c4.com/pipermail/wireguard/2018-March/00246...](https://lists.zx2c4.com/pipermail/wireguard/2018-March/002461.html)

are the most relevant ones. (There are more, but they go slightly off-topic.)

~~~
eps
Do I read it correctly that they banned @ludde from the wireguard IRC channel
because his software wasn't open source? Damn.

~~~
ludde
Yes - that's what the WireGuard author did. I didn't even discuss TunSafe.

------
miles
Previous HN discussion on TunSafe from earlier this week:
[https://news.ycombinator.com/item?id=16515637](https://news.ycombinator.com/item?id=16515637)

~~~
ascorbic
I don't know how reasonable it is, but the attitude of the WireGuard
maintainer in that thread really puts me off using it. Call it the de Raadt
effect.

~~~
nirv
Did it put you off using openssh/openvpn/libressl/etc? Is there the Torvalds
effect? Let maintainers express their discontent in the form they prefer.

I see how @zx2c4 might be _concerned_ about possible reputation risks due to
the release of this closed-source implementation at the earliest WireGuard
stage. Given that the author of TunSafe is not a security expert. Especially
if (suddenly) TunSafe turns out to have security flaws, right before the
WireGuard team releases an official open-sourced implementation. However, WG
is an open protocol, and @ludde has the right to develop and sell whatever he
wants on its basis.

~~~
namelost
I'd say the author comes across as immature, which is kind of a bad look if
you are making security software.

~~~
lvh
How, specifically? Are they immature for suggesting against using a closed-
source implementation of the WireGuard protocol? Is your concern their tone
about said implementation?

------
vbezhenar
Is it possible with wireguard to provide public IPv6 address for clients? My
server has /64 subnet assigned, and clients have only IPv4, but I'd like to
provide white IPv6 address for clients.

~~~
jbg_
yes, I've done this

------
hultner
Is there by any chance a speed comparison against IPSec (IKEv2) i.e.
strongSwan with AES-NI?

I haven’t used OpenVPN in many years, so such a comparison would be much more
interesting.

~~~
chrisper
From experience I can tell you that IPSec is much faster than OpenVPN.

I have no issues getting Gbit over IPSec (Strongswan), but with OpenVPN I
always maxed out around ~400Mbit.

EDIT: Looks like I misunderstood your comment and it seems like you want a
comparison to Wireguard... oops

~~~
hultner
Yeah that’s my experience as well. That’s why I wanted a comparison. My router
at home easily handles gigabit over IPSec even though the CPU is at least 8
years old.

