
WireGuard is now in Linus' tree - axiomdata316
https://lists.zx2c4.com/pipermail/wireguard/2020-January/004906.html
======
numbsafari
As someone who regularly deals with IPSec in conservative network
environments, Wireguard can’t gain broad adoption soon enough, in my opinion.

Now that it’s merged into Linus’s tree, any word on it getting an official
release and the “this isn’t production ready, so no CVEs” disclaimer going
away?

EDIT:

Further back in the thread, Donenfeld says “Please note that until Linux 5.6
is released, this snapshot is a snapshot rather than a secure final release.”,
so perhaps real soon now?

[https://lists.zx2c4.com/pipermail/wireguard/2020-January/004...](https://lists.zx2c4.com/pipermail/wireguard/2020-January/004905.html)

This is definitely big news!

~~~
johnebgd
If you value WireGuard and can spare a few bucks the inventor/maintainer is
getting about 1/10th what they publicly ask for to maintain:

[https://www.patreon.com/zx2c4](https://www.patreon.com/zx2c4)

~~~
ZiiS
I do rely on Wireguard for some personal projects and I can spare a few bucks.
However the reality is I can't get to $15/month the minimum tier. I rely on
thousands of opensource projects. Upstreaming should help my arguments for
adoption at work; they wouldn't think twice.

~~~
Monory
You can support on Patreon for less than the minimum tier. It is just the cut-
off over which the rewards (such as stickers here) are given. Support for just
$1! He'll still get it!

~~~
ZiiS
Thank you, they could make this clearer.

~~~
sundarurfriend
I didn't know this either. I guess that's why many projects have a fake $1
tier with just "the pleasure of knowing you contributed" or something like
that as the "reward" for that tier. To let people know that that's still an
option.

~~~
lukevp
I agree, I would have signed up for a $1 tier or perhaps $2 but $15 is far too
high for the minimum tier. I support the Zig author for $1/mo and hope others
would do the same for my open source projects in the future.

------
jchw
I’m using WireGuard daily on Linux and iPhone. It’s hard to describe how much
better of an experience this is than OpenVPN. Connections are reliable and
durable, latency is pretty low, and you can actually understand the software.

~~~
Diederich
I've been using WireGuard on my Android phone for a good while now using a
free digital ocean droplet via
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

It's fast. It's easy. You never have to think about it. It just works.

~~~
TimTheTinker
> using a free digital ocean droplet

I can't seem to find any "free" option on their pricing page. Could you
elucidate?

~~~
dboreham
An engineering approximation to free?

~~~
nissarup
Assuming a spherical VPS in a vacuum...

------
adevx
Fantastic news. I deploy WireGuard to provide a private network (mesh) between
VPS servers. Each VPS instance has each other vps as peer. So no single source
of failure. I run PostgreSQL with Patroni and GlusterFS over this mesh with no
issues. When I add or destroy a VPS with Ansible all VPS nodes get an updated
config and reload. This way I don't rely on a single cloud provider because I
do not use their private network service.

~~~
ghthor
That's really interesting. So you essentially implemented a Virtual Private
Cloud(VPC) on top of the "PHY" network of your hosts?

Does that mean that all your nodes have to be accessible to the public
internet?

~~~
adevx
In my case yes and yes, but mostly because I spread out over two cloud
providers.

~~~
kevin_nisbet
But it only needs to be accessible on the port WireGuard uses for
communications, and WireGuard also has a nice property where it acts passively
for non-wireguard packets.

So someone on the internet doesn't necessarily know the node is reachable from
the internet if they try and scan it for example.

Edit: IIRC only one end of the connection needs a stable endpoint as well.
IIRC WireGuard supports mobility (changing IP addresses) for one end of the
connection.

~~~
monkeybutt
afaik, both ends can move, they just send packets to the latest IP they
received a valid packet from.

------
sdan
WireGuard is absolutely fabulous. I route all my traffic from a couple servers
at home to a small GCP instance (don’t want IP to be public) and I added my
laptop to this WireGuard network (although technically a peer) and I can ssh
into it remotely.

I’m serving a 1,000,000+ page views a month through WireGuard and can’t say
anything less about it it.

~~~
tcas
Do you set up nginx or haproxy as a reverse proxy to the wireguard network, or
something else? Been wondering if there's an easy way to expose an internal
service like that. TCP seems easy, but UDP seems much more problematic.

~~~
ignoramous
Check out [https://tailscale.com/](https://tailscale.com/) a mesh VPN built on
top of wireguard.

~~~
yash1th
I just learned about tailscale today on twitter. Here's the tweet from the
founder
[https://twitter.com/davidcrawshaw/status/1222203472461926401...](https://twitter.com/davidcrawshaw/status/1222203472461926401?s=20)

Looks really promising

~~~
oarsinsync
It does look very nice. It's a shame that it depends on third parties for
authentication, and that they have gems like this in their documentation:

> No app-level integration or reconfiguration is required, because security is
> built into the network itself. If you configure your network to require
> Tailscale, every one of your internal services will be subject to multi-
> factor authentication.

Which is simply not true. I've had 2FA for my Cisco AnyConnect VPN for years.
That does not mean my applications I access through the VPN are now magically
subject to MFA.

Maybe in time this may end up being viable for me, and maybe it already is for
other people. For now, I'd rather my VPN didn't depend on Google, Microsoft,
Okta, etc.

~~~
gowld
> That does not mean my applications I access through the VPN are now
> magically subject to MFA.

Why not? Doesn't the VPN authenticate you via VPN before you can access the
apps?

~~~
oarsinsync
Network authentication is not the same as application authentication.

If I plug a cable into your LAN, I am not subject to MFA to login to a server
on your LAN.

If you have a lock on the network port that requires me to type in a PIN code
and stick in a key to unlock, and expose the port, that then results in MFA to
connect to your network. Your applications behind your network remain without
MFA.

MFA VPN is essentially the same thing as the above, but for remote access to
the LAN. Applications should still be properly secured.

I suppose it could be argued that this provides a client-side agent to
authenticate the end user as well (mumble mumble 802.1x), and if so, then it's
arguable whether or not you need another layer of authentication on the
application, or if this qualifies as SSO to authenticate you to _everything_
you have access to in the network (so passwordless login to servers, desktops,
webapps, etc)

------
ronnier
I’ve been nothing but happy with WireGuard. Connecting from my iPhone to my
home and it works great, it’s fast and reliable. I’m never waiting to connect.
Switching between WiFi, mobile, and sleeping go unnoticed.

~~~
3xblah
Your home has publicly accessible^1 IP address

Or you are using a third party-controlled server with direct internet access
to make home IP accessible

1\. No ISP firewall blocking _unsolicited_ incoming traffic

Do you configure WG to use persistent keepalives

~~~
braindeath
In the US for home connections (cable, fiber, DSL) everybody gets an
accessible IP address pretty much -- the worst is that some ports are blocked
like port 80 or 25. Phones don't get a dedicated IPv4.

~~~
RL_Quine
For most people it's dynamic. Mine is dynamic with the PPPoE fibre session.

~~~
Polylactic_acid
I have a rpi set up with a minutely cron job to update my domain name to point
to home. Works pretty well. At the worst you lose connection for a minute but
usually the IP address only changes when the home connection fails which can
take more than a minute to reset anyway.

~~~
core-questions
Isn't this what the DynDNS protocol and various daemons are for? Why write
your own? :P

~~~
canofbars
Its not exactly "write your own" I have a single line in my crontab that just
uses curl to post to a url and the remote server takes the IP address it got
the request from and sets the dns to that.

~~~
cbzbc
Though usually on firmware like openwrt the request going out is tied to a
particular interface going up (and down) as it should be, so its somewhat more
robust and 'correct' than crontab would be.

------
ZoomZoomZoom
Does anyone know anything about Wireguard-p2p? It's a tool for automatic
management of endpoints and NAT-traversal for wireguard. It was announced on
FOSDEM 2018[0]. Main repo[1] is stale, unfortunately.

Some tool that would augment WG with more features a-la Tinc would be awesome.

[0]
[https://archive.fosdem.org/2018/schedule/event/bulletinboard...](https://archive.fosdem.org/2018/schedule/event/bulletinboard_dht/)
[1]
[https://github.com/manuels/wireguard-p2p](https://github.com/manuels/wireguard-p2p)

------
bitexploder
WireGuard is cool and we really like it at our company (a bunch of infosec
consultants). The management of it for an even small number (20) of users is a
no-go. OpenVPN is ultra reliable and provides legit 2FA options when set up
well. I look forward to legit management tools and improvements. For personal
use it has been great. Much simpler than OpenVPN for a few (3) users.

~~~
tptacek
The way you're managing WireGuard today is like directly configuring KAME
IPSEC. The Linux WireGuard implementation is low-level and, from a systems
perspective, unopinionated, which is as it should be.

Getting a secure transport integrated safely into the kernel shouldn't be
rocket surgery, but it is. That part is done. Getting IdP-managed WireGuard is
not rocket surgery, and lots of teams will presumably do it. Those teams, by
the way, stand to make a lot more money than Jason will off WireGuard, which
is a very good reason to donate.

Nobody who can reasonably avoid it should be using OpenVPN anymore. I get that
it's burrowed far into some organizations and am not OpenVPN-shaming anyone.
But WireGuard is leagues beyond OpenVPN in terms of nuts-and-bolts protocol
and implementation security.

~~~
pferde
I'm a big fan of Wireguard, and am using it in a few places, but OpenVPN still
has its place - namely if you need a VPN tunnel from behind a firewall that
only allows outgoing connections to small number of TCP ports, and no UDP
ports.

~~~
muldvarp
You're not wrong. OpenVPN can be useful in that case, but in general you
shouldn't use TCP as the underlying protocol for other TCP traffic, if you can
avoid it. The better solution in this case would be to open a UDP port in the
firewall.

~~~
pferde
My entire point was that in this case, I can not avoid it, it is my only
option. Beggars can't be choosers and all that.

------
kennu
If you're wondering what it is:

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-
of-the-art cryptography. It aims to be faster, simpler, leaner, and more
useful than IPsec, while avoiding the massive headache. It intends to be
considerably more performant than OpenVPN. WireGuard is designed as a general
purpose VPN for running on embedded interfaces and super computers alike, fit
for many different circumstances. Initially released for the Linux kernel, it
is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely
deployable.

[https://www.wireguard.com/](https://www.wireguard.com/)

~~~
Noumenon72
What does it mean to be "in Linus' tree" if it's already on Linux and
everywhere else? Like it will be built in somehow?

~~~
oarsinsync
Right now, it is not part of the Linux kernel. It is just some random external
software that you have you download and compile yourself against the source
headers of the kernel you're currently running.

It got merged into the net-next tree, which meant it has been approved by the
maintainer of the Linux kernel net branch to be included into the kernel.
Linus has now pulled it from net-next into his own tree, which means it'll be
included in the next release of the Linux kernel.

As far as that means as an end user, it means that you no longer need to
recompile your wireguard module every time there's a kernel update, as now it
will be handled by your distro.

That said, given that Wireguard is packaged nicely already for most distros,
the end effect for you is really pretty little, as you're probably unaware of
all of this complexity that's going on right now, as it mostly just works.

~~~
mekster
> As far as that means as an end user, it means that you no longer need to
> recompile your wireguard module every time there's a kernel update, as now
> it will be handled by your distro.

That's not the important point.

The point being, when merged as part of the kernel officially, you know it
will get more support and eyes for stability and development power as the
kernel wouldn't want to ship anything that's at some unstable state.

So you can expect long term usage and maybe RedHat might pick it up as its
official VPN solution instead of libreswan some day.

~~~
ryanlol
>you know it will get more support and eyes for stability and development
power as the kernel wouldn't want to ship anything that's at some unstable
state.

This is a rather idealistic view on kernel development.

But it is true that when wireguard is “ready” this could very well result in a
bit more support as larger orgs will be more willing to start using wireguard.

------
edoceo
Super cool. WG is a such a great tunnel tool. They've told me not to use in
production but I've been ignoring that advice for months. My first test was
using in as a replacement everywhere I still has stunnel. Then right after it
was proved I started using this hammer for everything.

AND! This part is critical: all of my interactions with the team and the
community around it have been positive.

Brilliant!

------
imiric
This is great news, and I'm looking forward to giving it a try once it's
released as part of the kernel.

I've been using tinc[1] for several years now, and it's been very simple to
configure and use. Similarly to WG, it can tunnel over UDP, but also over TCP,
supports router or switch modes, NAT traversal, etc. It's a great project, but
not very popular and I'm concerned about its maintenance and security issues
moving forward.

To someone who's used both projects: can WG today be a drop-in replacement for
tinc?

[1]: [https://tinc-vpn.org/](https://tinc-vpn.org/)

~~~
ZoomZoomZoom
As far as I understand, the killer feature of Tinc is automatic mesh routing.
You can add a node to one instance and the information spreads through the
network, wireguard doesn't do that.

Also, I heard maintainers were contemplating replacing the protocol with
Wireguard.

[https://www.tinc-
vpn.org/pipermail/tinc/2017-February/004755...](https://www.tinc-
vpn.org/pipermail/tinc/2017-February/004755.html)

~~~
fulafel
IPsec also supports this - give certs signed by a mutually tusted CA to all
nodes and they can all communicate host-to-host in a full mesh without needing
to reconfigure when adding a host etc.

~~~
hwh
Can you please elaborate? As far as I see it, IPsec is encrypting traffic. IKE
is for setup of security associations. What part of IPsec would do routing,
and in this case: potentially multi-hop mesh routing?

~~~
fulafel
IKE obviously does the key management part, it's part of IPsec in this
picture.

There is no separate mesh routing in this scenario, everyone just uses normal
internet routing and addressing.

------
Panino
I use WireGuard on OpenBSD and Linux and it is just simply beautiful.

THANK YOU Jason for writing it and to everyone else who has contributed code,
testing, money, whatever.

I believe WireGuard will become the most widely used VPN above IPsec and
OpenVPN. There will still be use cases for them (especially IPsec) but both
will lose marketshare dramatically.

~~~
yardstick
WireGuard is nice but needs 2FA support. Until then it can’t be used in
various corporate road warrior scenarios.

Also until Cisco, Juniper, etc add WireGuard support and enough devices are
deployed with it, IPsec will remain the corporate tool of choice when
connecting between different organisations. Within the same org, where you
have greater control of the equipment used, WireGuard is a bit more feasible.

~~~
treesknees
What you're describing (authentication/2FA) should be handled by a client
application. VPN client software should handle authentication/authorization
with the corporate VPN server. Once it's authenticated, it can
exchange/generate the public-private keys used for the WireGuard tunnel. The
VPN client then installs those keys and starts the tunnel. After that, it's up
to the client and server VPN software to handle session timeouts,
reconnections, host machine security policies, etc etc. None of that is the
job of WireGuard itself.

~~~
yardstick
That’s still just one factor on the tunnel itself, which is the problem. If
the keypair is discovered somehow, attackers could connect to your network
without 2FA. Or am I missing something?

So what software can I use now to make 2FA work with WireGuard that’s simple
to use - as simple as OpenVPN (cert+user/pass is trivial in OpenVPN and
supported in their clients).

------
place1
This is awesome news. I’ve been using my self written access server deployed
as a docker container at my home for ages now with no problems at all. Wg is a
pleasure to use and their apps for iOS and desktop are great. The QR code
feature in the mobile app is really good.

I can’t wait for better adoption amongst businesses for corporate VPNs.

[https://github.com/Place1/wg-access-server](https://github.com/Place1/wg-
access-server)

------
0xADEADBEE
Glad to see it finally officially accepted. I've been using it on all my
devices for over a year now and it's been rock solid. The ease of setup and
initial connection speed alone blow any of the alternatives (that I'm aware
of, at least) out of the water. Long may it continue!

~~~
m-p-3
The only place where it falls shorts is that it doesn't go through as easily
as SSL/IPSec on restrictive networks like corporate firewalls, but maybe that
will go away when it becomes more common (and hopefully adopted in
enterprises).

~~~
RL_Quine
I've honestly not had a lot of issues with that up until now. Real world it
doesn't seem to be blocked by a whole lot of things, except where you only
have port 80 and 443 anyway. I've actually seen it work in a lot of places I
wouldn't have expected it to, like hotel wifi.

~~~
big_chungus
I've seen the same, likely because the DPI boxes haven't yet caught up.

------
oxplot
Wrote a little post some time ago on how to set it up on linux and use it on
android. Super simple.

[https://blog.oxplot.com/wireguard-vpn-on-
android/](https://blog.oxplot.com/wireguard-vpn-on-android/)

~~~
wpietri
Nice! Any idea what the minimum system requirements are? I'm wondering how
cheaply I could run this.

~~~
RL_Quine
Basically nothing for wireguard itself. I've run it on some seriously
underpowered hardware and it seems to have basically no performance impact to
speak of. I probably have it set up on around 30 machines presently and have
used it in production environments.

------
DictumMortuum
Just yesterday I was looking at tinc [1] and wireguard was mentioned briefly.
I'd like a way to access my home computers via ssh to keep them updated via
ansible, even if they are on different networks (parents' laptops, my laptop,
my raspberry servers, etc).

Does anyone with more knowledge care to comment on security issues with tinc
vs wireguard?

Too bad that you need to use an external droplet for discovering the hosts
with this one :(

1 - [http://tinc-vpn.org/](http://tinc-vpn.org/)

~~~
QasimK
I cannot comment on tinc, but I use WireGuard to do the same thing as you, and
it works brilliantly. It was “easy” to set up and use.

I wrote up what I did for my Raspberry PI server that I have at home [0].

The only other component that may be necessary is Dynamic DNS if you have a
dynamic home IP address, or at the very least a way to find out your home IP
at any time.

[0]: [https://qasimk.gitbooks.io/piserver-book/content/personal-
vp...](https://qasimk.gitbooks.io/piserver-book/content/personal-vpn-
wireguard.html)

------
thrwaway69
That's good news.

I have been using wireguard via telegram and discord. Bot generates a config,
whip it up and send generated QR code/file/instructions. It changes the DNS to
the proxy pihole so whenever I connect to vpn, most ads stop bothering me.

It's been great because I can easily give access to others via the bot too.
They only need to scan the QR code or download the file, import it in the
official app and it works. :D

------
alibert
Is the Windows client offering better now? I'm still using the old alternative
Tunsafe client on Windows because it is more stable than the official client
on my laptop (got several bugs with sleep/resume/hibernation/long lived
session).

Well... I just tried to install the latest official Windows client and got an
error about Wintun missing when activating a tunnel :/

~~~
axiomdata316
I thought the Wintun driver was bundled with the WireGuard installation but if
you need to install it separately I believe you can do it from
[https://www.wintun.net/](https://www.wintun.net/)

Hope it helps. The Windows client is very stable now.

~~~
alibert
Thank you for your help. Unfortunately, the files available on wintun.net
can't be used.

------
badrabbit
So,curious here: I'v been reading about how the focus these days is to move
networking code to userspace because you can squeeze out more PPS
performance,does the fact that WC makes use of kernel code heavily give it a
performance disadvantage?

~~~
ahmedalsudani
I don’t know what PPS is, but that is an inaccurate sentiment. Running as a
kernel module allows you to achieve higher throughout and lower latency.

~~~
lern_too_spel
You're correct. I don't know why you're downvoted. Anything you can do to get
performance with kernel bypass techniques can be done inside the kernel as
well.

~~~
ahmedalsudani
¯\\_(ツ)_/¯ It’s alright. You sometimes get downvoted by the early two people
who are offended that I’d dare comment without knowing what PPS is (or
something equally offensive).

------
0ld
Since a couple of years I've been running iked [0] on my VPSed OpenBSD. It
took me around 5 minutes to setup and it "just works" since then with my
iPhone and MacOS clients out of the box, not requiring any additional
software.

But since WG is getting so high praise here, I'm now interested what are WG
advantages and what does WG have to justify the effort to move away from iked
and install/setup the client software everywhere?

I'm certainly going to find out and test it myself, but would really
appreciate just a quick answer/explanation

[0] [https://man.openbsd.org/iked.8](https://man.openbsd.org/iked.8)

~~~
hwh
For me it's just easier to get my head around having a new network interface
presented rather than this pile of security associations and transform
configurations. I can just re-use my firewalling and routing knowledge and do
not have to put my mind into IPsec mode to manage this. That aside, I think
it's still quite a lot easier to use IPsec tooling when you want something
that plays along with certificate based multi-level trust models.

------
zeveb
Wireguard is really, really awesome. I've been using it for a bit now and it
almost completely Just Works™. I've only had two issues, one of which is known
and the other of which I think is probably my fault somehow.

The first is that for some reason I sometimes need to ping machine B from A in
order to get to C via B (in my case B sits in a VPS, while A is a laptop and C
is a desktop).

The other is that I would love to be able to connect directly over the LAN
from A to C and vice versa, only going via B when A is mobile. I'm pretty sure
that I could fix this with more IPv6 addresses and routing tables, but so far
no joy.

------
jagger27
I just started looking into WireGuard and was disappointed to find out that
pfSense has no support for it. I don’t like messing around with packages
outside of the pfSense repo, even if it’s kinda supported in FreeBSD.

~~~
apearson
I run Wireguard on a freebsd server behind pfsense. Works well once you have a
nat setup. What is stopping you from going that route?

~~~
jagger27
That's the direction I was headed, yeah. I do like the convenience of managing
it all from the firewall web interface, however.

------
ss3000
Anyone aware of a VPN provider that offers WireGuard and supports more than 5
simultaneous connections? I've been using Mullvad but the 5 connections limit
is starting to feel really restrictive.

~~~
A_No_Name_Mouse
I set up a home router that I can connect to through Wireguard from all my
devices, and it forwards all traffic to Mullvad. Bonus: I use PiHole on the
same instance so all my devices get transparent ad- and tracker blocking

------
h4waii
Very glad to see WireGuard getting more adoption. I've been using it while
mobile and traveling and it's been absolutely rock solid.

OpenWrt router back at home, multiple Android devices and Fedora machines
connecting back that just work seamlessly between different networks. It's
been such a treat to use and watch and help it mature.

Just need more popular VPN providers to start supporting it -- NordVPN and PIA
have provided "support" for it, and Nord allows using it as "NordLynx" on
their Linux app.

~~~
rochacon
Mullvad supports WireGuard tunnels, been using it for a couple of months now,
pretty solid in any device, in all the regions I tried.

~~~
h4waii
I found the speeds to be lacking quite a bit and it was never completely
reliable with both the WireGuard app and the official Android app, which also
doesn't support split tunneling or allowing specific apps to bypass the
interface. I will revisit when my subscription with current provider expires.

------
rntksi
Great news! Definitely going to be changing the landscape of VPN.

------
terrywang
Good news (rare) in Jan 2020 ;-)

Using WireGuard to establish a mesh network seems good to start with but it
does not scale well (even with the help of subspace web UI). Nebula (from
Slack) seems to be a better option which is simple, secure and scales well so
far, docs are not that well at this stage but usable.

My main use case of WireGuard is to secure network traffic on
Laptop/Workstations, replacing old-school complicated IPsec (strongSwan) and
OpenVPN, can't be happier with its simplicity, user experience (seamless
switching networks like strongSwan client for Android, per network on-demand,
etc) and performance, battery life on mobile devices, etc. Anyway, non of the
traditional VPN solutions (including WireGuard) work inside the Chinese GFW
when travelling to China Mainland (won't go there until the 2019-nCoV is under
control or a vaccine is available). So I am exploring V2ray (TLS + WebSocket +
Web) and Trojan at this stage (working ones to my knowledge).

Gravitational folks even implemented a WireGuard based overlay network plugin
for k8s, super excited to replace flannel with wormhole (I have to admit it is
a bad name) in use cases where encryption is required for overlay networking,
which flannel does not offer.

Many thanks to the WireGuard development team for the good work! Jason and
many others, wow, I see the name of a long-time-no-see frined Herbert Xu
(crypto subsystem maintainer).

~~~
terrywang
Forgot to mention a potential problem with WireGuard, server keeps the list of
clients' virtual IPs (AllowedIPs used for routing/ACLs), not ideal for VPN
service providers in terms of privacy.

It's not a problem for overlay network (e.g. Nebula) though, as it is
considered a `requirement`.

------
freedomben
Apologies if I've missed it, but which kernel version will be first to ship
with Wireguard? Looks like 5.5-rc7 is already out, so will Wireguard be
included in 5.6?

------
MR4D
If there was ever a use case for a raspberry pi, this is it!

------
ycombinete
Nord VPN has added a Wireguard protocol-based option in their apps now. I'm
not sure what to make of that.

------
intc
This is really great news! Soon we can finally start to deploy our global
WG/IPv6 based management VPN.

------
mderazon
Does anyone know of a way to add Wireguard to Gnome NetworkManager gui ?

~~~
mqus
[https://aur.archlinux.org/packages/networkmanager-
wireguard-...](https://aur.archlinux.org/packages/networkmanager-wireguard-
git/) for archlinux, for other distros, you should probably look at the
upstream source linked there

------
samgranieri
This is fantastic!

------
the_resistence
heartbroken: doesn't work in mainland China

~~~
shanxS
Care to explain?

Unless underlying protocols (OSI layer) OR government policies don't stop WG
from working, there should be no other variable to technically stop WG from
working.

------
eteo96
glad to see wireguard improving!

------
tus88
Is this like WireShark?

~~~
kronholm
Not at all. Wireshark is for monitoring and analysis of network+hardware
stuff, and WireGuard is for VPN stuff.

------
ta999999171
Congratulations to Jason, super cool!

\- pHreak

------
chrisbrandow
Pedantic: Linus’s

~~~
pfundstein
More pedantic: _Linus '_ is correct because _Linus_ is a proper noun.

~~~
chrisbrandow
As far as I understand it, that's not the general rule.

This is hardly a authoritative citation, but it cites a number of authority
and comports with my understanding as someone whose name ends in `s`:

"Nearly all authorities agree that if you want to make a possessive out of a
singular noun like Kansas that ends in an s, you need to add ’s at the end.
Just call it “Ross’s Rule.”"

[https://www.legalwritingpro.com/articles/feeling-
possessive/](https://www.legalwritingpro.com/articles/feeling-possessive/)

~~~
daurnimator
Depends on your region and the name in question. e.g. macquarie
([https://www.macquariedictionary.com.au/resources/view/resour...](https://www.macquariedictionary.com.au/resources/view/resource/6/))
say:

> Personal names ending in s are these days often given the regular apostrophe
> s, whatever their number of syllables or their sound:

>

> Burns's poetry

> Dickens's novels

>

> Those who have occasion to refer to classical or biblical names of several
> syllables may still prefer the apostrophe alone, as with:

>

> Jesus' teachings

> Moses' law

> Euripides' plays

