
Ubuntu 20.04 LTS Adds WireGuard Support - Bella-Xiang
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-20.04-Adds-WireGuard
======
DCKing
Great. This will mean wonders for the short-term adoption of Wireguard, as
it's now in a "stable" Linux distro. After Ubuntu 20.04 there's a big gap in
new "stable/enterprise" releases.

Debian 11 - Mid 2021, probably

OpenSUSE Leap/SLES 16 - Mid 2021, probably

Ubuntu 22.04 LTS - April 2022

Red Hat 9 - probably 2024 ?

So if Ubuntu hadn't included this, we would have to wait more than a year to
have it in the kernel of a "server-grade" Linux system by default. Most people
don't like running more cutting edge distros or fiddling with the kernel on
their servers. Defaults matter, so this will be great for Wireguard adoption.

~~~
curt15
Red Hat is known to backport features into RHEL kernels. Could Wireguard
conceivably make it into RHEL 8.x?

~~~
CiPHPerCoder
Red Hat still ships ancient versions of PHP in their official packages.

I wouldn't bet on a backport unless you have a lot of clout (a.k.a. purchasing
power) behind you.

~~~
jagger27
I can understand why RHEL would still ship ancient PHP versions to keep legacy
apps running, but I think WireGuard would be an easier sell considering it's
so unobtrusive and has no legacy software to worry about breaking.

~~~
CiPHPerCoder
The problem isn't "RHEL ships ancient PHP for legacy apps".

The problem is "RHEL doesn't also ship newer PHP as an alternative and you
need to instead rely on third-party repositories".

~~~
chucky_z
RHEL themselves vendor RHSCL --
[https://developers.redhat.com/products/softwarecollections/o...](https://developers.redhat.com/products/softwarecollections/overview)

For CentOS and friends there is
[https://www.softwarecollections.org/en/](https://www.softwarecollections.org/en/)

[https://access.redhat.com/products/Red_Hat_Enterprise_Linux/...](https://access.redhat.com/products/Red_Hat_Enterprise_Linux/Developer/#rhscl=&dev-page=5) are maintained by RedHat directly.

------
GABeech
Wireguard needs to put actual logging into the product before anyone should
consider using it in production.

I have to deal with it via a vendors product and have spend about 4 weeks in
the past 6 months trying to fix a flaky connection by guessing and restarting
a lot. Just like anything things will go wrong. But, with wireguard you have
no idea what it could even be if it's not an obvious thing that you can
diagnose with ping.

~~~
big_chungus
Wireguard also needs a better auth mechanism. I really like the simple secure
key-based auth for small-scale stuff, but it's not viable for scaling at
production levels. Things like user/pass auth (even if as an additional layer
of security rather than displacing existing keys), 2FA, etc. will be important
to get adoption at scale. I hope wireguard creates a module interface of sorts
so people can extend the protocol as needed.

~~~
XMPPwocky
No, I don't think it does.

The thing about simple, key-based authentication is that it's very extensible,
without changing the actual protocol.

What?

Well, what Wireguard's auth actually means is that you can use whatever
authentication you want _to communicate a shared secret to both ends_.

Want to authenticate with, say, SSH keys? Sure- SSH into a server, run a
command that generates a new Wireguard key, connect in with that key.

LDAP? Same situation. Whatever SSO you want- as long as you can stick up
authentication in front of a service that's able to pull bits from
/dev/urandom. Multifactor? Sure.

Wireguard does one thing well. What's missing is not features in Wireguard-
it's _the ecosystem around it_ to actually handle key management. For
enterprises, Hashicorp Vault or something should probably look into supporting
Wireguard; for smaller situations, some SSH-based key exchange, like the way
Mosh handles things, seems reasonable.

Complex, pluggable authentication is sometimes necessary...but you want as few
implementations of it as possible, and you sure don't want it in the kernel if
you can help it.
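
The model XMPPwocky describes above (authenticate however you like, then hand the user a freshly generated WireGuard key) as an added example; this is not code from the thread, from WireGuard, or from Hashicorp Vault. It assumes `provision` is only ever called after the caller's SSH/SSO/MFA step has already passed, a hypothetical server interface `wg0`, placeholder server key and endpoint, and a fixed key lifetime after which the peer is removed. The X25519 routine is a pure-Python RFC 7748 ladder so the example runs without libsodium or the `wg` tool; it is not constant-time and is here only to make the keys real.

```python
import base64
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- X25519 (RFC 7748), pure Python so the example is self-contained ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def clamp(k: bytes) -> bytes:
    """Scalar clamping exactly as `wg genkey` applies it to a private key."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (illustrative, not constant-time)."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair() -> Tuple[str, str]:
    """(private, public) as the base64 strings WireGuard config files use."""
    priv = clamp(os.urandom(32))
    return base64.b64encode(priv).decode(), base64.b64encode(x25519(priv, BASEPOINT)).decode()


def public_key_of(private_b64: str) -> str:
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


@dataclass
class Peer:
    identity: str      # who passed the out-of-band authentication (SSH, SSO, MFA ...)
    public_key: str
    allowed_ip: str
    expires_at: float


class PeerRegistry:
    """Server-side bookkeeping: short-lived peers added only after some other auth succeeded."""

    def __init__(self, interface: str, server_public_key: str, endpoint: str, ttl: float):
        self.interface, self.server_public_key, self.endpoint, self.ttl = interface, server_public_key, endpoint, ttl
        self.peers: Dict[str, Peer] = {}

    def provision(self, identity: str, allowed_ip: str, now: float) -> Tuple[Peer, str]:
        """Precondition (assumed, enforced by the caller): `identity` already authenticated.
        Returns the peer record and a wg-quick client config the user receives once."""
        priv, pub = generate_keypair()
        peer = Peer(identity, pub, allowed_ip, now + self.ttl)
        self.peers[pub] = peer
        client_conf = (
            "[Interface]\n"
            f"PrivateKey = {priv}\n"
            f"Address = {allowed_ip}/32\n\n"
            "[Peer]\n"
            f"PublicKey = {self.server_public_key}\n"
            f"Endpoint = {self.endpoint}\n"
            "AllowedIPs = 0.0.0.0/0\n"
        )
        return peer, client_conf

    def wg_commands(self, now: float) -> List[str]:
        """`wg set` lines that reconcile the live interface: keep live peers, drop expired ones."""
        cmds = []
        for pub, peer in list(self.peers.items()):
            if peer.expires_at <= now:
                cmds.append(f"wg set {self.interface} peer {pub} remove")
                del self.peers[pub]
            else:
                cmds.append(f"wg set {self.interface} peer {pub} allowed-ips {peer.allowed_ip}/32")
        return cmds


if __name__ == "__main__":
    registry = PeerRegistry("wg0", "SERVER_PUBLIC_KEY_PLACEHOLDER", "vpn.example.test:51820", ttl=8 * 3600)
    peer, conf = registry.provision("alice@example.test", "10.8.0.2", now=0.0)  # after her MFA check
    print(conf)
    print("\n".join(registry.wg_commands(now=60.0)))
```

The kernel never sees the second factor; it only ever sees a static key, which is the point the post makes. What turns the key into something closer to a session is the lifetime: `wg_commands` run from a timer removes the peer when it expires, so a copied config stops working on its own rather than living forever.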

~~~
yardstick
The problem is lots of organisations in the financial and medical worlds need
2FA. WireGuard needs a 2FA solution - It doesn’t have to be kernel based - but
it does need to protect against someone grabbing a copy of the single factor
auth in WireGuard (keypair). A solution that rotates/manages/provisions/etc
these keypairs is still fundamentally single factor auth of the tunnel.

~~~
XMPPwocky
> WireGuard needs a 2FA solution - It doesn’t have to be kernel based - but it
> does need to protect against someone grabbing a copy of the single factor
> auth in WireGuard (keypair).

By this standard, no website supports 2FA- ultimately it's just a cookie
that's used to authenticate requests, even though to _get that cookie_ you may
have to go through 2FA. Nothing prevents an attacker from just grabbing the
session cookies.

In fact, I doubt any VPN supports 2FA by this definition- it would mean
requiring authentication _on every packet_. Instead, of course, what you do is
do authentication once, when setting up a tunnel, and then use bearer tokens
from then on.

~~~
yardstick
The session info in a browser is not persisted on disk as a long term config
file that’s easy to copy and duplicate. Having a session key only ever exist
in memory is completely different to storing WireGuard keys on a filesystem.

Edit: Also OpenVPN, which is the tool I’m comparing it with, only ever has
session keys in memory. The 2FA part (password+OTP) isn’t saved by OpenVPN.

------
psoots
Wireguard still has this warning on their site:

> WireGuard is currently working toward a stable 1.0 release. Current
> snapshots are generally versioned "0.0.YYYYMMDD" or "0.0.V", but these
> should not be considered real releases and they may contain security quirks
> (which would not be eligible for CVEs, since this is pre-release snapshot
> software). This text will be removed after a thorough audit.

~~~
cjbprime
It looks like they're saying that they'll switch to 1.0 when Linux 5.6 is
released in a few weeks.

~~~
zx2c4
Right, that's the plan.

~~~
labawi
When can we expect interface and/or ip binding, and possibility to disable
roaming?

IMHO roaming should be opt-in iif you specify the remote endpoint.

------
rainworld
With that, Ubuntu Core 20 should be a brilliant fire-and-forget VPN server.

~~~
kube-system
I'm excited for wireguard, but I'm not going to use it in production until the
authors advise that it's ready for production.

~~~
rainworld
Only out of abundant caution, it seems. I mean, _Cloudflare_ is using it.

~~~
ComputerGuru
Cloudflare is not the golden standard for security.

~~~
vsareto
Who is?

~~~
all_blue_chucks
OpenBSD

~~~
tptacek
I don't know a lot of serious systems security people who actually believe
that. OpenBSD is fine, and smart people work on it, but it's been a _long_
time since the early 2000's.

~~~
all_blue_chucks
AFAIK it remains the single most selective platform out there. If a project is
included in an OpenBSD release you know it has undergone serious whitebox
scrutiny for security issues. I'm not aware of any platform that is quite so
pedantic at the source code level.

~~~
tptacek
I've said pretty much all I have to say about this, here:

[https://news.ycombinator.com/item?id=7071219](https://news.ycombinator.com/item?id=7071219)

------
app4soft
FTR, _WireGuard_ is also available in the F-Droid repo for all Android 5.0+
devices.[0]

> _If your device has a custom kernel containing the WireGuard module, then
> the module will be used for superior battery life and performance. Otherwise
> a userspace version will work sufficiently on all other devices._

[0]
[https://apt.izzysoft.de/fdroid/index/apk/com.wireguard.andro...](https://apt.izzysoft.de/fdroid/index/apk/com.wireguard.android?repo=main)

~~~
zx2c4
For Google Pixel devices, we're actually prebuilding and distributing
WireGuard kernel modules for use in that app:

[https://github.com/WireGuard/android-wireguard-module-builde...](https://github.com/WireGuard/android-wireguard-module-builder#downloading)

~~~
dstaley
I'm assuming these modules require superuser access, correct?

~~~
zx2c4
Yea, kernel-wireguard on Android is just for people who have rooted their
phones and want a little extra adventure. Cellphones have weird networking
stacks and unusually written drivers (I'm looking at you, qcacld and
rmnet_perf...), so supporting WireGuard's kernel module on Android has been
very worthwhile to us for fine tuning things. Plus the performance is as good
as can be in kernel space. But it's definitely something for "rooters only."

------
3fe9a03ccd14ca5
What’s the best “WireGuard as a VPN configuration” doc out there? Many are not
clear about what is being set up, why the cidrs are chosen, how it works
without DHCP etc. other guides focus on only proxying rfc1918 traffic and not
your entire connection. Is my DNS leaking? Is ALL traffic going through it?

OpenVPN, with all of its issues, is simple to set up in a way that’s not
leaky.
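
A static check for the two questions at the end of the post (is ALL traffic going through the tunnel, is DNS leaking), as an added example that is not from the thread or from the WireGuard project. It reads a wg-quick client file (the `[Interface]`/`[Peer]` format `wg-quick` consumes); the two embedded configs are constructed, with placeholder keys and a hypothetical endpoint. `AllowedIPs = 0.0.0.0/0, ::/0` is what "route everything" looks like in that format, and the `Address =` line is a static assignment, which is why no DHCP is involved.

```python
import ipaddress
from typing import List

# Constructed wg-quick client configs; keys are placeholders, not real keys.
SPLIT_TUNNEL = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.test:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
"""

FULL_TUNNEL = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.test:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_quick(text: str) -> dict:
    """Minimal INI reader for wg-quick files; each [Peer] block is kept separately."""
    conf = {"Interface": {}, "Peer": []}
    current = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line == "[Peer]":
                current = {}
                conf["Peer"].append(current)
            else:
                current = conf.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conf


def audit_full_tunnel(text: str) -> List[str]:
    """Findings that would let traffic bypass the tunnel; an empty list means full tunnel."""
    conf = parse_wg_quick(text)
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for peer in conf["Peer"]
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
    findings = []
    if not conf["Peer"]:
        findings.append("no [Peer] section: nothing is routed into the tunnel")
    if not any(n.version == 4 and n.prefixlen == 0 for n in nets):
        findings.append("AllowedIPs lacks 0.0.0.0/0: IPv4 destinations outside the listed ranges bypass the tunnel")
    if not any(n.version == 6 and n.prefixlen == 0 for n in nets):
        findings.append("AllowedIPs lacks ::/0: IPv6 traffic bypasses the tunnel (route it too, or disable IPv6)")
    if "DNS" not in conf["Interface"]:
        findings.append("no DNS= in [Interface]: resolution keeps using the pre-tunnel resolver; set one reachable through the tunnel")
    return findings


if __name__ == "__main__":
    for name, text in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(name, "->", audit_full_tunnel(text) or "ok")
```

The check is deliberately static: it says what the file asks for, not what the host's routing table ended up doing, so it complements rather than replaces looking at `ip route` and a DNS-leak test once the interface is up.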

~~~
brunoqc
The best is probably with network namespaces where you don't have network
access by default, only wireguard has.

[https://www.wireguard.com/netns/#routing-all-your-traffic](https://www.wireguard.com/netns/#routing-all-your-traffic)

There's probably some guides out there.

------
BrandoElFollito
While I love the product and use it in production, debugging is a royal pain
in the ass.

There is zero logging to help understand when and how a connection is
established (or not) server side.

Logging that someone tries to connect but wrong key, wrong protocol, whatever
- that would help tremendously. Today it is tcpdump or wireshark all the way.
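
Since both this post and GABeech's above end up at tcpdump, here is the part of that work that can be automated, as an added example that is not code from the thread or from the WireGuard project (the kernel module's own dynamic-debug messages aside, which need a debugfs toggle). WireGuard's message headers are not encrypted: the type byte, the sender/receiver indices and the transport counter are in the clear, so a capture can be turned into the "initiation from X never answered" log line the poster wants without any keys. The sample capture is constructed; the lengths 148/92/64 and the little-endian layout come from the protocol description. What it cannot tell you is why an initiation was dropped (unknown static key, bad mac1 and a peer that is simply not configured all look the same from outside).

```python
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

# WireGuard message layout: byte 0 is the type, bytes 1-3 are reserved and must be
# zero, every integer is little-endian. The three handshake messages have fixed sizes.
MSG_INITIATION, MSG_RESPONSE, MSG_COOKIE, MSG_TRANSPORT = 1, 2, 3, 4
FIXED_LEN = {MSG_INITIATION: 148, MSG_RESPONSE: 92, MSG_COOKIE: 64}
TRANSPORT_MIN_LEN = 32  # 16-byte header plus the 16-byte Poly1305 tag of an empty payload


def classify(payload: bytes) -> Optional[dict]:
    """Parse the cleartext header of one UDP payload; None if it is not WireGuard-shaped."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype = payload[0]
    if mtype in FIXED_LEN and len(payload) != FIXED_LEN[mtype]:
        return None
    if mtype == MSG_INITIATION:
        (sender,) = struct.unpack_from("<I", payload, 4)
        return {"type": "initiation", "sender": sender}
    if mtype == MSG_RESPONSE:
        sender, receiver = struct.unpack_from("<II", payload, 4)
        return {"type": "response", "sender": sender, "receiver": receiver}
    if mtype == MSG_COOKIE:
        (receiver,) = struct.unpack_from("<I", payload, 4)
        return {"type": "cookie", "receiver": receiver}
    if mtype == MSG_TRANSPORT and len(payload) >= TRANSPORT_MIN_LEN:
        receiver, counter = struct.unpack_from("<IQ", payload, 4)
        return {"type": "transport", "receiver": receiver, "counter": counter}
    return None


def summarize(packets: List[Tuple[float, str, str, bytes]]) -> dict:
    """Correlate initiations with responses by index; packets are (ts, src, dst, payload)."""
    pending: Dict[int, Tuple[float, str, str]] = {}   # initiator's sender index -> (ts, src, dst)
    completed, malformed = [], []
    cookies = 0
    transport: Counter = Counter()
    for ts, src, dst, payload in packets:
        msg = classify(payload)
        if msg is None:
            malformed.append((ts, src, dst, len(payload)))
        elif msg["type"] == "initiation":
            pending[msg["sender"]] = (ts, src, dst)
        elif msg["type"] == "response" and msg["receiver"] in pending:
            t0, isrc, idst = pending.pop(msg["receiver"])
            completed.append((isrc, idst, round(ts - t0, 3)))
        elif msg["type"] == "cookie":
            cookies += 1                                 # responder under load, asking for a retry
        elif msg["type"] == "transport":
            transport[(src, msg["receiver"])] += 1
    return {
        "completed": completed,
        "unanswered": list(pending.values()),            # silently dropped by the responder
        "cookie_replies": cookies,
        "malformed": malformed,
        "transport": dict(transport),
    }


def render_log(summary: dict) -> List[str]:
    """The log lines the poster is missing, derived from the capture."""
    lines = [f"handshake ok {src} -> {dst} rtt={rtt}s" for src, dst, rtt in summary["completed"]]
    lines += [f"handshake unanswered {src} -> {dst} at t={ts} (peer unknown or key mismatch?)"
              for ts, src, dst in summary["unanswered"]]
    lines += [f"malformed {src} -> {dst} len={n} at t={ts}" for ts, src, dst, n in summary["malformed"]]
    lines += [f"transport {src} -> index {idx:#010x}: {n} packets"
              for (src, idx), n in summary["transport"].items()]
    return lines


# Constructed sample capture (not real traffic); only the header bytes matter here.
def _initiation(idx: int) -> bytes:
    return bytes([MSG_INITIATION, 0, 0, 0]) + struct.pack("<I", idx) + b"\x00" * 140

def _response(idx: int, receiver: int) -> bytes:
    return bytes([MSG_RESPONSE, 0, 0, 0]) + struct.pack("<II", idx, receiver) + b"\x00" * 80

def _transport(receiver: int, counter: int) -> bytes:
    return bytes([MSG_TRANSPORT, 0, 0, 0]) + struct.pack("<IQ", receiver, counter) + b"\x00" * 32

SAMPLE = [
    (0.000, "198.51.100.7:51820", "203.0.113.10:51820", _initiation(0x11111111)),
    (0.021, "203.0.113.10:51820", "198.51.100.7:51820", _response(0x22222222, 0x11111111)),
    (0.030, "198.51.100.7:51820", "203.0.113.10:51820", _transport(0x22222222, 0)),
    (0.031, "198.51.100.7:51820", "203.0.113.10:51820", _transport(0x22222222, 1)),
    (5.000, "198.51.100.9:41000", "203.0.113.10:51820", _initiation(0x33333333)),  # never answered
    (10.000, "198.51.100.9:41000", "203.0.113.10:51820", _initiation(0x44444444)),  # the retry
    (12.000, "192.0.2.5:51820", "203.0.113.10:51820", b"\x01\x00\x00\x00" + b"\x00" * 20),  # truncated
]

if __name__ == "__main__":
    print("\n".join(render_log(summarize(SAMPLE))))
```

Feeding it a real capture means extracting UDP payloads for the listen port (for example from a pcap via scapy or tshark) into the same tuple shape; a client that keeps re-sending initiations every few seconds with no response is the "wrong key / peer not configured" case the post describes, and a flood of cookie replies is the server's under-load path.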

------
roboctipus
Could someone please explain what a meaningful example usage of WireGuard
might be? The intro seems to imply something that could be duplicated with a
terminal + SSH forwarding + a VPS. How is this better and/or different? Thank
you :-)

~~~
chousuke
I use it as an IPSec replacement for a site-to-site tunnel and to provide my
phone a VPN connection to my home network.

Wireguard is _much_ easier to set up than either IPSec or OpenVPN, and seems
to outperform at least the latter.

------
diminish
wireguard is now available from android, ios to mac, windows and other
platforms.

~~~
Daniel_sk
The iOS app is very bare-bones and it drops the connection once a day and
doesn’t notify you about it and doesn’t try to reconnect automatically. I hope
Mullvad VPN will release their own app this year.

~~~
rubatuga
Has never dropped a connection for me. It always reconnects.

