
WireGuard: fast, modern, secure VPN tunnel - jermaustin1
https://www.wireguard.com/
======
balnaphone
Note for users in China: you'll still need Shadowsocks in your stack (e.g.
shadowsocks + CN2 + dns crypt/mask + IPv6 tunneling), since WireGuard is
vulnerable to "deep packet inspection" and this is not a priority for
WireGuard, as the author makes clear here:

[https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184...](https://lists.zx2c4.com/pipermail/wireguard/2016-July/000184.html)

If anyone has more recent information on dealing with the Great Firewall, I'd
love to hear it.

~~~
Godel_unicode
I can't imagine shadowsocks will continue to work for long. There's not much
traffic like that on the Internet, meaning it is extremely susceptible to
identification via machine learning. Add on all the opsec problems associated
with point-to-point VPN tunnels and you're going to have a bad time.

See also:
[https://github.com/madeye/sssniff](https://github.com/madeye/sssniff)

~~~
yjftsjthsd-h
It looks like sssniff just checks whether a handful of packets are smaller in
size than expected; isn't that completely trivial to fix? Granted, it's one
step in a long game of cat-and-mouse.

~~~
Godel_unicode
Not really, it's actually measuring entropy of the first few payloads. This is
one example of the larger problem; typical wire protocols, even privacy
focused ones like TLS/IPsec, tend to have some red content before the black
starts.

If your goal is to hide in the noise, the best way is to find a source of
noise and sound like it. Just being quiet doesn't do it.

Edit: nvm, can't get the code to paste. Look at the if elif elif elif block at
the end.
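
To make the entropy point concrete, here is an added example of my own (not code from sssniff or from anyone in the thread): it profiles the first 16 bytes of three constructed payloads, a plaintext HTTP request, a TLS ClientHello with its fixed record and handshake header, and a stand-in for ciphertext, and flags the two that carry recognizable "red" content before the "black" starts. The thresholds, the sample bytes and the byte permutation used in place of real ciphertext are my assumptions.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def normalized_entropy(data: bytes) -> float:
    """Entropy divided by the maximum possible for a sample of this length."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20..0x7e)."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)

def has_red_prefix(payload: bytes, prefix_len: int = 16) -> bool:
    """'Red before black' check on the first prefix_len bytes of a flow.

    Illustrative thresholds (my choice, not sssniff's): a leading chunk that is
    mostly printable text, or whose entropy falls well short of the maximum for
    its length, exposes a recognizable header or plaintext framing.
    """
    head = payload[:prefix_len]
    return printable_ratio(head) > 0.8 or normalized_entropy(head) < 0.85

# --- constructed samples (not real captures) ---------------------------------
# Stand-in for ciphertext: a full-period affine byte permutation, so the first
# 256 bytes are all distinct and the sample has maximal entropy deterministically.
CIPHERTEXT_LIKE = bytes((97 * i + 43) & 0xFF for i in range(256))

# Plaintext HTTP request: printable from byte zero.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

# TLS 1.2-style ClientHello start: record header (type 0x16, version 3.1, length 45),
# handshake type 0x01 with length 41, client version 3.3, 32-byte client random
# (taken from the permutation above to stay deterministic), empty session id,
# one cipher suite (0xc02f), null compression.
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03"
                    + CIPHERTEXT_LIKE[:32] + b"\x00\x00\x02\xc0\x2f\x01\x00")

if __name__ == "__main__":
    for name, sample in [("http", HTTP_GET), ("tls", TLS_CLIENT_HELLO), ("cipher", CIPHERTEXT_LIKE)]:
        head = sample[:16]
        print(f"{name:7s} entropy={normalized_entropy(head):.2f} "
              f"printable={printable_ratio(head):.2f} red_prefix={has_red_prefix(sample)}")
```

The TLS sample is flagged only because its fixed header bytes repeat (three 0x00, three 0x03), which is exactly the kind of structure a tunnel that is random from byte zero lacks.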

------
cocacola1
There was a recent FLOSS Weekly episode with the developer. I thought it was
an interesting listen.

[https://twit.tv/shows/floss-weekly/episodes/468](https://twit.tv/shows/floss-weekly/episodes/468)

------
atonse
I can't wait for WireGuard to take over the VPN world :-)

The whole solution just seems so elegant. It's just not at the point where I
can download a GUI app and press one button to just connect. Waiting for that
to happen.

~~~
vbezhenar
I think that it would be hard for WireGuard to take over the VPN world. IPsec
works virtually everywhere without any additional software. OpenVPN is easier
to set up and has many mature clients for every platform, so if you require
custom software, why would anyone choose something new when you have the proven
and popular OpenVPN? I'm sure that WireGuard has some advantages, but I'm
still skeptical.

That said, IPsec is astonishingly hard to set up and diagnose. Recently I
installed strongSwan on my server with Windows 10 as my client. I couldn't
figure out how to send the intermediate Let's Encrypt certificate to Windows 10;
it wasn't accepting connections without the intermediate certificate installed
as trusted, and I tried very hard. I'm sure that the strongSwan configuration is
correct (I put the intermediate certificates into cacerts and it works on
macOS). It's especially fun with very little and cryptic information from
Windows 10. Then, when the connection was finally established, routes were not
set properly. It turned out that configuring the connection via the GUI was not
enough; I had to change some connection property via a PowerShell script so the
client would receive routes from the server. Yes, VPN isn't very easy to set up,
at least for casual use. But in the end it worked and I don't see any reason to
switch.

~~~
atonse
OpenVPN is easier to set up than what exactly?

I found OpenVPN to just feel VERY VERY clunky. The clients look ugly and
unpolished. Before anyone says that's superficial, I do think it shows a lack
of attention to detail. Setting up the server also wasn't terribly easy (it
wasn't too hard either for someone like me who's used Linux for many years).

I think most of OpenVPN's value has come from the fact that it's the least
difficult of solutions to implement.

For the record, I wasn't claiming that WireGuard was this easy to set up. But I
think the mentality of WireGuard is simplicity. I think it's only a matter of
time before someone DOES implement a single-click client/server with it.

Right now I use Algo, which is just an excellent set of scripts used to set up
VPN servers. This way I don't have to use OpenVPN, and I can actually use
IPSec with built-in OS clients.

Update: Also I'd like to add that WireGuard just feels like the kind of thing
Apple would've implemented in their OS 10 years ago. But Apple today wouldn't.
They just seem to be barely treading water in their MacOS group.

~~~
ComputerGuru
> The clients look ugly and unpolished.

Check out Viscosity. I've been a user for a few years now, it’s great stuff.

~~~
subliminalpanda
Seconded, it's a great client and the support from the devs is good.

------
tptacek
Also discussed here:

[https://news.ycombinator.com/item?id=16326236](https://news.ycombinator.com/item?id=16326236)

(presumably that's why it's on the front page today)

------
DyslexicAtheist
the WireGuard protocol has recently been formally verified and the findings are
worth checking:

- [https://www.reddit.com/r/linux/comments/7sh3k7/analysis_of_t...](https://www.reddit.com/r/linux/comments/7sh3k7/analysis_of_the_wireguard_vpn_protocol_is_now/)

has anyone done MFA with it yet?

~~~
yjftsjthsd-h
Multi-factor Authentication? How would you do that with a system that is
explicitly designed to use asymmetric keys?

~~~
DyslexicAtheist
see discussion
[https://lists.zx2c4.com/pipermail/wireguard/2017-September/0...](https://lists.zx2c4.com/pipermail/wireguard/2017-September/001753.html)

~~~
yjftsjthsd-h
Ah, clever. Thanks for the link.

------
locusm
If you're using Ubiquiti EdgeMax routers there are WireGuard packages that
work very well for site-to-site VPNs.

~~~
zx2c4
Found here: [https://github.com/Lochnair/vyatta-wireguard#vyatta-wireguar...](https://github.com/Lochnair/vyatta-wireguard#vyatta-wireguard)
and [https://community.ubnt.com/t5/EdgeMAX/Release-WireGuard-for-...](https://community.ubnt.com/t5/EdgeMAX/Release-WireGuard-for-EdgeRouter/td-p/1904764)

~~~
atmosx
This should work with USG routers too right?

------
pvg
Previously:

[https://hn.algolia.com/?query=wireguard&sort=byDate&prefix=f...](https://hn.algolia.com/?query=wireguard&sort=byDate&prefix=false&page=0&dateRange=all&type=story)

~~~
emmelaich
In particular, the first, which seems to have the most comments.

[https://news.ycombinator.com/item?id=11994265](https://news.ycombinator.com/item?id=11994265)

------
OrwellianChild
At risk of thread-jacking, may I ask: Why, when, and where should I be using a
VPN to practice good, secure use of online content/resources?

I learned a lot from running through 2FA and security practices as explained
at Tech Solidarity [1], but I'm still not clear on where VPNs should fit into
my workflow on desktop, laptop, and mobile.

[1] [https://techsolidarity.org/resources/basic_security.htm](https://techsolidarity.org/resources/basic_security.htm)

~~~
tptacek
I would be careful about using VPNs ever. For the most part, the truism about
VPN services is accurate: VPN services give you all the security of coffee
shop wifi, but in the cloud.

If you're going to use a VPN, you need to set up your own server. This will
probably mean picking a cloud provider to trust, which isn't a fun problem
(although it has a simple answer: use AWS). You'll need to set up the
server side of whatever VPN you choose to use on that cloud server.

For this problem, the gold standard is still Trail of Bits's Algo. Hopefully
sometime this year we'll get to the point where Algo sets up WireGuard for
people on Macbooks and Windows machines.

In the meantime, if you don't know what you're doing or how to set up a VPN,
I'd use Algo's strongSwan rather than a shared WireGuard provider.

~~~
OrwellianChild
Great advice on technical implementation - thanks for this!

I guess the takeaway I'm getting is that using this AWS-backed, encrypted
tunnel will let me:

- Mask my traffic destination (via AWS routing)
- Hide my traffic content (via encryption to AWS)
- Minimize/eliminate tracking (assuming I don't accept cookies)

Are those the benefits I'm looking for out of this? Or am I missing benefits
here?

~~~
ktta
The important part is knowing what you're looking for.

Using a VPN isn't inherently going to make you more secure. It is advised to
do so when you are in networks where you don't trust someone to not monitor
your traffic or inject stuff into unsecured traffic.

If you trust your ISP, then you really don't need a VPN. Unfortunately, most
can't be trusted if you're in the US, especially since there was a recent
senate action[1] that lets them collect and sell your history.

If you do use a VPN, then the trust problems with the ISP will shift towards
trust in AWS. There's nothing stopping AWS from doing the same things that your
ISP does. It is just that most people trust AWS not to do that.

So to be clear, AWS can still see all your traffic and inject things into
unsecured webpages. The VPN just won't let your local ISP see what you're
doing. All they see is encrypted traffic going to your AWS instance.

Also, your traffic is no more tracking-proof when you use a VPN, since
instead of people storing your home IP address, they can store your AWS VPN's
address (which no one really does anymore; they just use cookies and tracking
elements).

PS: Note that AWS charges for bandwidth. There are 'lightsail' instances where
first 1TB egress is free.

[1]: [https://arstechnica.com/information-technology/2017/03/how-i...](https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/)

------
arcaster
Is there an equivalent to WireGuard that can be used on Android or iOS?

~~~
solnyshok
The kernel module needs to be integrated into a custom Android ROM.

------
minicoolva
SoftEther can be used in China.

------
johnklos
...for one specific OS...

Or a userspace implementation written in difficult to bootstrap languages...

