Hacker News new | comments | show | ask | jobs | submit login
WireGuard: fast, modern, secure VPN tunnel (wireguard.com)
227 points by jermaustin1 5 months ago | hide | past | web | favorite | 43 comments

Note for users in China: you'll still need Shadowsocks in your stack (e.g. shadowsocks + CN2 + dns crypt/mask + IPv6 tunneling), since WireGuard is vulnerable to "deep packet inspection" and this is not a priority for WireGuard, as the author makes clear here:


If anyone has more recent information on dealing with the Great Firewall, I'd love to hear it.

I can't imagine shadowsocks will continue to work for long. There's not much traffic like that on the Internet, meaning it is extremely susceptible to identification via machine learning. Add on all the opsec problems associated with point-to-point VPN tunnels and you're going to have a bad time.

See also: https://github.com/madeye/sssniff

It looks like sssniff just checks whether a handful of packets are smaller size than expected; isn't that completely trivial to fix? Granted, it's one step in a long game of cat-and-mouse.

Not really, it's actually measuring entropy of the first few payloads. This is one example of the larger problem; typical wire protocols, even privacy focused ones like TLS/IPsec, tend to have some red content before the black starts.

If your goal is to hide in the noise, the best way is to find a source of noise and sound like it. Just being quiet doesn't do it.

Edit: nvm, can't get the code to paste. Look at the if elif elif elif block at the end.

There was a recent FLOSS Weekly episode with the developer. I thought it was an interesting listen.


I can't wait for WireGuard to take over the VPN world :-)

The whole solution just seems so elegant. It's just not at the point where I can download a GUI app and press one button to just connect. Waiting for that to happen.

I think that it would be hard for WireGuard to take over the VPN world. IPsec works virtually everywhere without any additional software. OpenVPN is easier to setup and have many mature clients for every platform, so if you require custom software, why would anyone choose something new, when you have proven and popular OpenVPN. I'm sure that WireGuard has some advantages, but I'm still skeptical.

That said, IPsec is astonishingly hard to setup and diagnose. Recently I installed strongswan on my server and Windows 10 is my client. I didn't figure out how to send intermediate letsencrypt certificate to Windows 10, it wasn't accepting connections without installing intermediate certificate as trusted and I tried very hard, I'm sure that strongswan configuration is correct (I put intermediate certificates into cacerts and it works on macOS). It's especially fun with very little and cryptic information from Windows 10. Now when connection was finally established, routes were not set properly. It turned out that configuring connection via GUI was not enough, I had to change some connection property via powershell script, so client would receive routes from server. Yes, VPN isn't very easy to setup, at least for casual use. But in the end it worked and I don't see any reason to switch.

OpenVPN is easier to setup than what exactly?

I found OpenVPN to just feel VERY VERY clunky. The clients look ugly and unpolished. Before anyone says that's superficial, I do think it shows a lack of attention to detail. Setting up the server also wasn't terribly easy (it wasn't too hard either for someone like me who's used Linux for many years).

I think most of OpenVPN's value has come from the fact that it's the last difficult of solutions to implement.

For the record, I wasn't claiming that WireGuard was this easy to setup. But I think the mentality of WireGuard is simplicity. I think it's only a matter of time before someone DOES implement a single click client/server with it.

Right now I use Algo, which is just an excellent set of scripts used to setup VPN servers. This way I don't have to use OpenVPN, and I can actually use IPSec with built-in OS clients.

Update: Also I'd like to add that WireGuard just feels like the kind of thing Apple would've implemented in their OS 10 years ago. But Apple today wouldn't. They just seem to be barely treading water in their MacOS group.

> OpenVPN is easier to setup than what exactly?

Definitely it was easier than strongswan for me. Documentation is clear, a lot of guides, AFAIK there's a single implementation, so no interoperation quirks, logging is actually useful. Client setup is a single .ovpn file which contains everything and installed using double-click or similar method. I guess that setting up a custom CA is the hardest part of setup and I just happen to work a lot with certificates, so it wasn't hard for me, everything else is as easy as any server software.

> I found OpenVPN to just feel VERY VERY clunky. The clients look ugly and unpolished.

I used paid software (Viscosity) for macOS, it was quite good IMO. I used official software for iOS, it worked without any problems. I'm not really sure what's ugly about VPN client, it's systems software, it should display icon in tray and allow to connect/disconnect, that's all. I remember that my friend had issues with OpenVPN official client on Windows laptop with hibernate, but I think he just had to restart connection, not that big of an issue.

> For the record, I wasn't claiming that WireGuard was this easy to setup. But I think the mentality of WireGuard is simplicity. I think it's only a matter of time before someone DOES implement a single click client/server with it. Right now I use Algo, which is just an excellent set of scripts used to setup VPN servers. This way I don't have to use OpenVPN, and I can actually use IPSec with built-in OS clients.

While I won't use any "single click" solutions unless I made them personally, I saw scripts which claim to install OpenVPN or IPsec automatically with absolutely minimal interaction. They had a lot of stars, so I guess they works. But if there's something that Wireguard could do better, that's good. It's still too hard for non-technical user to buy cheap VPS and setup his personal VPN with adequate security.

> The clients look ugly and unpolished.

Check out Viscosity. I've been a user for a few years now, it’s great stuff.

Seconded, it's a great client and the support from the devs is good.

Viscosity looks nice, has advanced features and can be scripted with AppleScript.

Some openvpn providers just give you a conf file that you import in your client, and that's all you need

You could do the same with wireguard, only the conf file would be about 6 lines of text. And you can understand the obvious purpose of each line.

Having relied on both OpenVPN and IPSEC in the past, I can tell you that configuring WireGuard is several orders of magnitude simpler. It's outright easy (OpenVPN is difficult, IPSEC is a smoking pile of horsedung). Furthermore, with the intention of being mainlined (it is currently available as a DKMS-powered package), wireguard will end up being universally available in the Linux world (other platforms will for now rely on user-space implementations).

The availability of ipsec, much easier to configure than openvpn, better crypto, and flexibility that none of the existing options can match, such as full IP change resilience (as long as only one end change at a time) and connection persistence.

It makes you wonder why VPN's have been so bad for so long.

There are some useful tools for setting up your own VPN server - I like Streisand[1] (which includes Wireguard), and I have heard good things about Algo[2], though I haven't used it.

1: https://github.com/StreisandEffect/streisand

2: https://github.com/trailofbits/algo

I've used Algo and it's worked flawlessly for me.

Agree on IPsec being hard to setup. I would add to that that OpenVPN on windows has serious performance issues. It is hard to exceed 5 MB/s. I believe that issues only affects the windows implementation.

> IPsec is astonishingly hard to setup and diagnose

It often seems to me that networking people like things to be hard and obtuse. Almost everything in networking seems more complex than it needs to be.

IMHO, it needs to be merged into the Linux kernel before it will have a chance. (yes, I know this doesn't apply to users of other OSes)

Also discussed here:


(presumably that's why it's on the front page today)

the WireGuard protocol has recently been formerly verified and findings are worth checking:

- https://www.reddit.com/r/linux/comments/7sh3k7/analysis_of_t...

has anyone done MFA with it yet?

Multi-factor Authentication? How would you do that with a system that is explicitly designed to use asymmetric keys?

Ah, clever. Thanks for link

If you're using Ubiquiti Edgemax routers there are Wireguard packages that work very well for site to site VPN's.

This should work with USG routers too right?

Nice. I recently bought an edgerouter X and I set it up with openvpn. I have to try this.

In particular, the first, which seems to have the most comments.


At risk of thread-jacking, may I ask: Why, when, and where should I be using a VPN to practice good, secure use of online content/resources?

I learned a lot from running through 2FA and security practices as explained at Tech Solidarity [1], but I'm still not clear on where VPNs should fit into my workflow on desktop, laptop, and mobile.

[1] https://techsolidarity.org/resources/basic_security.htm

I would be careful about using VPNs ever. For the most part, the truism about VPN services is accurate: VPN services give you all the security of coffee shop wifi, but in the cloud.

If you're going to use a VPN, you need to set up your own server. This will probably mean picking a cloud provider to trust, which isn't a fun problem (although it has a simple answer: use AWS). You'll need to set up the serverside to whatever VPN you choose to use on that cloud server.

For this problem, the gold standard is still Trail of Bits's Algo. Hopefully sometime this year we'll get to the point where Algo sets up WireGuard for people on Macbooks and Windows machines.

In the meantime, if you don't know what you're doing or how to set up a VPN, I'd use Algo's strongSwan rather than a shared WireGuard provider.

> This will probably mean picking a cloud provider to trust, which isn't a fun problem (although it has a simple answer: use AWS).

This is the first I've heard of AWS's trustworthiness in this respect. Can someone share some details?

Great advice on technical implementation - thanks for this!

I guess the takeaway I'm getting is that using this AWS-backed, encrypted tunnel will let me:

    Mask my traffic destination (via AWS routing)
    Hide my traffic content (via encryption to AWS)
    Minimize/eliminate tracking (assuming I don't accept cookies)
Are those the benefits I'm looking for out of this? Or am I missing benefits here?

The important part is knowing what you're looking for.

Using a VPN isn't inherently going to make you more secure. It is advised to do so when you are in networks where you don't trust someone to not monitor your traffic or inject stuff into unsecured traffic.

If you trust your ISP, then you really don't need a VPN. Unfortunately, most can't be trusted if you're in the US, especially since there was a recent senate action[1] that lets them collect and sell your history.

If you do use a VPN, then the trust problems with ISP will shift towards trust in AWS. There's nothing stopping AWS from doing the same things that your ISP does. It is just that most people trust AWS to not do that.

So to be clear, AWS can still see all your traffic and inject things into unsecured webpages. The VPN will just won't let your local ISP see what you're doing. All they see is encrypted traffic going to your AWS instance.

Also your traffic is not anymore tracking proof when you use a VPN since instead of people storing your home IP address, they can store your AWS VPN's address (which no one really does anymore. They just use cookies and tracking elements).

PS: Note that AWS charges for bandwidth. There are 'lightsail' instances where first 1TB egress is free.

[1]: https://arstechnica.com/information-technology/2017/03/how-i...

AWS has a ready made VPN service too.

I generally use a VPN 100% of the time on my laptop. It doesn't provide a ton of extra privacy by itself, but it combines my traffic with that of a large numbers of others. And by using browser extensions such as ublock, umatrix, and privacy badger, I can feel a little more peace of mind about being constantly watched.

On mobile, it's a different story. I'm not sure about iOS, but on unrooted Android phones, I don't believe there is a way to route IPv6 traffic over a VPN so you are a bit more limited from information gathering via that route. Also, VPN clients eat a lot of battery so useability goes down. My solution for that is to limit my use of mobile devices.

Edit: clarified a statement

Could always use a burner too.

Is there an equivalent to WireGaurd that can be used on Android or IOS?

kernel module needs to be integrated into custom Android ROM

Softether can use in China

...for one specific OS...

Or a userspace implementation written in difficult to bootstrap languages...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact