
Virtual private networks with WireGuard - johnramsden
https://lwn.net/SubscriberLink/748582/75c743d0eb3aae0f/
======
pstadler
Good to see WireGuard getting some coverage. I've been embracing it from the
very beginning for small scale Kubernetes clusters running on virtually any
cloud provider lacking isolated private networking[1]. It's been running
stable in different environments for more than a year; set up and forget.
Unlike similar software it's also dead simple to configure.

Apparently, Linus wants it in the Kernel[2].

[1] [https://github.com/hobby-kube/guide/blob/master/README.md](https://github.com/hobby-kube/guide/blob/master/README.md)
[2] [https://lkml.org/lkml/2018/2/13/752](https://lkml.org/lkml/2018/2/13/752)

------
rasengan
WireGuard is doing good things. PIA will be rolling out support shortly.

~~~
DavidNielsen
And a citation.

[https://www.privateinternetaccess.com/blog/2018/01/private-internet-access-proud-supporting-wireguard-project/](https://www.privateinternetaccess.com/blog/2018/01/private-internet-access-proud-supporting-wireguard-project/)

No timeline yet though but given the early state of WireGuard and the platform
support that is understandable.

------
adynatos
Can WireGuard work over TCP? Many captive portals I encounter daily block most
ports and almost always allow only TCP. So I set up OpenVPN on port 443 over
TCP, which got through everything so far.

~~~
minus7
Couldn't you theoretically run traffic over pseudo-TCP? I.e., you send packets
that look like TCP (IP packet type TCP + TCP header), but bypass the kernel's
TCP stack and put arbitrary, packet-based data in it, like UDP. Theoretically
speaking.

~~~
charleslmunger
Yes, but the same middle boxes would choke on that too, either corrupting it
or blocking it.
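To make the pseudo-TCP idea from the two comments above concrete, here is an added example written for this page (it is not code from WireGuard or from anyone in the thread). It builds a 20-byte TCP header with a valid checksum around an opaque datagram and strips and verifies it on the receiving side, entirely in user space. The IP addresses, ports, sequence numbers and payload are constructed test values.

```python
"""Pseudo-TCP encapsulation: an opaque datagram wrapped in a hand-built TCP
header so it can be sent as IP protocol 6 without the kernel TCP stack.

Added example for this discussion, not part of WireGuard. Addresses, ports,
sequence numbers and payloads below are constructed test values.
"""
import ipaddress
import struct

# 20-byte TCP header without options:
# sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent
TCP_HDR = struct.Struct("!HHIIBBHHH")
FLAGS_PSH_ACK = 0x18          # PSH|ACK, what an established flow's data looks like
DATA_OFFSET_5_WORDS = 5 << 4  # 5 * 32-bit words = 20 bytes, stored in the high nibble


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"  # pad odd length with a zero byte, as TCP/IP do
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = (
        ipaddress.IPv4Address(src_ip).packed
        + ipaddress.IPv4Address(dst_ip).packed
        + struct.pack("!BBH", 0, 6, len(segment))  # zero, protocol TCP, TCP length
    )
    return ones_complement_checksum(pseudo + segment)


def encapsulate(src_ip: str, dst_ip: str, sport: int, dport: int,
                seq: int, ack: int, payload: bytes) -> bytes:
    """Return a TCP segment (header + payload) carrying an opaque datagram."""
    hdr = TCP_HDR.pack(sport, dport, seq, ack, DATA_OFFSET_5_WORDS,
                       FLAGS_PSH_ACK, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    hdr = TCP_HDR.pack(sport, dport, seq, ack, DATA_OFFSET_5_WORDS,
                       FLAGS_PSH_ACK, 65535, csum, 0)
    return hdr + payload


def decapsulate(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Verify the checksum and strip the fake header; raise on corruption."""
    if len(segment) < TCP_HDR.size:
        raise ValueError("short segment")
    # A segment whose checksum field is already filled in sums to zero.
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        raise ValueError("bad TCP checksum")
    offset_byte = TCP_HDR.unpack_from(segment)[4]
    header_len = (offset_byte >> 4) * 4
    return segment[header_len:]


if __name__ == "__main__":
    seg = encapsulate("192.0.2.1", "198.51.100.7", 40000, 443, 1000, 1, b"datagram")
    print(seg.hex())
    print(decapsulate("192.0.2.1", "198.51.100.7", seg))
```

Putting such segments on the wire needs a raw socket on both ends and a local firewall rule so the kernel's own TCP stack does not answer the unexpected segments with RSTs. The checksum is what keeps a simple router from dropping the packet as corrupt, but it does nothing for the problem charleslmunger raises: a middlebox that tracks TCP state sees data segments with no handshake behind them and may drop or reset the flow, which is why a real TCP transport such as OpenVPN on 443/tcp gets through where this may not.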

------
johnramsden
Includes a nice description of how WireGuard works on Linux, and how it's
different from other VPN implementations.

------
rhn_mk1
Is WireGuard working as an IPv4 tunnel or can it transport arbitrary packets,
like ipv6, becoming a tap interface?

Does it work as a link between two devices, or one-to-many? Does it support
peer-to-peer connections within the group?

~~~
helper
It is a layer 3 vpn that supports v4 and v6 payloads. It does not support any
layer 2 connection like you would get from a tap interface.

You can certainly make a mesh of connections between different hosts by adding
the remote peer's public key and ip address to each host's configuration.
There is nothing in wireguard that makes that automatic though.

~~~
StavrosK
Ah, so to connect N hosts together you need to configure N-1 connections in
each of the hosts?

That's a bit of a hassle, though not prohibitive. A VPN that's secure and easy
to configure would definitely be useful in getting all the components in our
infrastructure talking to each other. No need to worry about authentication or
encryption, it'd all be handled for you by the VPN.
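As an added illustration of helper's explanation and the N-1 question above (example code written for this page, not part of WireGuard or any project in the thread), here is a small Python generator that emits a wg0.conf per host for a full mesh. The host names, endpoints, tunnel addresses and key strings are constructed placeholders; they are not real Curve25519 keys, and real private keys must be generated on each host with `wg genkey` and never shared.

```python
"""Generate full-mesh WireGuard configs: N hosts, N-1 [Peer] blocks each.

Added example for this discussion, not from the WireGuard project. The
inventory below is constructed; the key strings are placeholders, not real
keys (real ones come from `wg genkey` / `wg pubkey` on each host).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Host:
    name: str
    endpoint: str     # public ip:port the host listens on (UDP)
    tunnel_ip: str    # address inside the VPN
    private_key: str  # placeholder; stays on its own host only
    public_key: str   # placeholder; this is what the other peers get


# Constructed sample inventory (placeholder keys, documentation IP ranges).
HOSTS: List[Host] = [
    Host("node-a", "203.0.113.10:51820", "10.99.0.1", "PRIV_A", "PUB_A"),
    Host("node-b", "203.0.113.20:51820", "10.99.0.2", "PRIV_B", "PUB_B"),
    Host("node-c", "203.0.113.30:51820", "10.99.0.3", "PRIV_C", "PUB_C"),
]


def peer_stanza(peer: Host) -> str:
    # AllowedIPs is WireGuard's cryptokey routing table: packets from this
    # public key are only accepted if sourced from peer.tunnel_ip, and only
    # packets destined to it are encrypted to this peer. A /32 per peer
    # means no peer can inject traffic with another peer's address.
    return (
        "[Peer]\n"
        f"# {peer.name}\n"
        f"PublicKey = {peer.public_key}\n"
        f"Endpoint = {peer.endpoint}\n"
        f"AllowedIPs = {peer.tunnel_ip}/32\n"
        "PersistentKeepalive = 25\n"
    )


def build_config(host: Host, hosts: List[Host]) -> str:
    """wg0.conf for one host: its [Interface] plus one [Peer] per other host."""
    listen_port = host.endpoint.rsplit(":", 1)[1]
    interface = (
        "[Interface]\n"
        f"Address = {host.tunnel_ip}/24\n"
        f"ListenPort = {listen_port}\n"
        f"PrivateKey = {host.private_key}\n"
    )
    peers = [peer_stanza(p) for p in hosts if p.public_key != host.public_key]
    return interface + "\n" + "\n".join(peers)


def build_mesh(hosts: List[Host]) -> Dict[str, str]:
    """Return {hostname: wg0.conf text} for every host in the inventory."""
    pubkeys = [h.public_key for h in hosts]
    if len(set(pubkeys)) != len(pubkeys):
        raise ValueError("duplicate public key in inventory")
    return {h.name: build_config(h, hosts) for h in hosts}


def peer_count(config: str) -> int:
    return config.count("[Peer]")


if __name__ == "__main__":
    for name, conf in build_mesh(HOSTS).items():
        print(f"# ===== /etc/wireguard/wg0.conf on {name} =====")
        print(conf)
```

Each generated file has one [Interface] stanza and N-1 [Peer] stanzas, which is exactly the per-host bookkeeping being asked about; adding a host means regenerating and redeploying every file. PersistentKeepalive is only needed for peers behind NAT, and a private key should only ever appear in the file installed on its own host.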

~~~
benjaminl
If you want to connect all your hosts together in a mesh I suggest ZeroTier.
It is an easy to setup network designed for this use case.

~~~
StavrosK
That looks pretty slick, thank you. I wish I'd heard more about it, as I don't
know how secure it is, but I'll give it a try.

------
mycall
I've been a long-time advocate of tinc. I'd love to see a comparison with
WireGuard.

~~~
zaarn
I've tried Tinc, Wireguard and OpenVPN. Currently I'm on OVPN via a pfSense
box (doesn't support WG yet).

Tinc is neat if you need a mesh network but it was an utter pain to properly
setup (half the time I wouldn't get any connection, the other I would not get
data over it).

OVPN and WG have been fairly pleasant in that regard, though OVPN still
suffers from some non-obvious failure cases when you stray away from a simple
VPN connection.

In my case, I only dial into an OVH instance to A) setup/config containers on
it and B) use OVH as VPN.

Tinc's mesh network is overkill, the clients are all behind X number of NATs
or firewalls and without the central server there is no use for the VPN.

I might think about Tinc again if I feel the urge to setup multiple boxes.

------
feelin_googley
I use one of the many non-OpenVPN "VPN" alternatives. The one I chose has
fewer lines/words/characters of code than Wireguard.

It does not require SSL/TLS, it can use Curve25519 and it is faster than
OpenVPN.

It is a userland daemon (using /dev/tap), so it may be slower than Wireguard.

However I think it is more portable than WireGuard. (That is an important
feature to me.)

How portable is WireGuard to BSD, Minix, Plan9, etc?

~~~
sigjuice
Do you mind sharing which “VPN” alternative this is? Thanks!

~~~
randywaterhouse
While I have no idea given the... oddity... of this subthread, I might posit
`tinc` is being referred to here: [https://www.tinc-vpn.org/faq/](https://www.tinc-vpn.org/faq/)

ETA: this is based on the open source code which may be modified, userland
daemon status, /dev/tap usage... Portability... etc.

In any case - tinc is excellent

~~~
feelin_googley
FWIW, that is not what I use.

I should have not mentioned anything about other software. It is irrelevant to
the question.

The question was/is: How portable is WireGuard?

~~~
darklajid
[https://www.wireguard.com/xplatform/](https://www.wireguard.com/xplatform/)

There exist closed source third party clients for Windows/OS X, and wireguard
itself has currently two (unreleased) reference libraries in Go and Rust to
support future cross-platform clients.

So the answer to "how portable" is probably "portable" :-) (I don't know if
there are any plans for _kernel_ mode implementations for anything but Linux,
but cross-platform user mode clients are part of the project's goals)

~~~
feelin_googley
Thank you. It sounds like portability may come via a userspace program. I look
forward to it.

