WireGuard for iOS (zx2c4.com)
358 points by dmmalam 75 days ago | hide | past | web | favorite | 89 comments

As the mailing list post mentions, this is a super new code base, and we could certainly use a hand, if any iOS developers out there are itching to help out. Opportunity to jump into a codebase while it's still pretty fresh, if that sort of experience is appealing to you. Don't hesitate to email me (jason [at] zx2c4.com) or poke me on IRC (I'm zx2c4 on freenode in #wireguard).

Thanks so much for your work on this, I think iOS is the last major platform, right? Amazing effort in so short a time, I guess that's another advantage alongside the security ones of having a very simple, focused code base without unnecessary knobs and dials.

I'm sorry it didn't make it into the kernel this cycle though, granted maybe that was a little much to hope for at this stage of things, and I really hope Vancouver goes well for you and Zinc. It's not that WG is hard to get set up on any given system, but I think kernel integration will lower the bar towards getting it available as a standard feature in a lot of turnkey appliance systems that I see a ton in SMB usage in particular. I can understand being conservative there but man do I already want it everywhere :)!

Our final frontier is Windows, actually. Hope to have that out soon!

There's TunSafe [1], a client for Windows. Its source code [2] has been published as well.

[1]: https://tunsafe.com/

[2]: https://github.com/TunSafe/TunSafe

By the same programmer as uTorrent.

What is the current status with getting the required bits merged into the Linux kernel? I don't really follow lkml (my email service would instantly hit its quota), and the todo list (https://www.wireguard.com/todo/) surprisingly doesn't include any word about this.

Posted v8 a few weeks ago. I'm working on v9 now. I'm mostly working on readying the new crypto api, Zinc -- https://lwn.net/SubscriberLink/770750/95c3c169634d1447/ -- and I'll be hopefully discussing it with some folks at the conference in Vancouver next week.

Any chance the session will be recorded? I noticed that Linux Plumbers no longer seems to publish on Youtube in recent years (since 2013) and the tickets to the conference are sold out. :<

Also a big thank you. There's nothing wrong with charging for an app or VPN service; charity is unfortunately not a sustainable business model, and the app can still remain FLOSS. But that's just my two cents.

I’d certainly not mind helping fund development in some form, if there is some discomfort with charging for the app I’d be happy to see an IAP tip jar.

You can donate directly here [1]. Apple takes a 30% tax on app purchases, so (as usual) it's better to donate directly.

[1]: https://www.wireguard.com/donations/

Thanks for the update, and good luck!

Is Windows cool loading GPL kernel modules, or is that a userspace implementation?

I have no idea how it's implemented, but I'll comment on the GPL thing assuming it's a module, and assuming that modules are derivative works (not clear if true).

There shouldn't be a problem from Microsoft's side since they're not the ones distributing it. You are free to assemble a module that has incompatible licenses terms and use it personally because the GPL only really activates on distribution (like if you sell your laptop with this module installed).

So even in the worst case, Microsoft shouldn't care. Does Windows even have the concept of MODULE_LICENSE like Linux?

Excellent. Has work on the userspace UWP version started? I'd be happy to help, but I don't want to duplicate any work in progress.

What are the steps still to be taken for Windows? Any particular aspect that could benefit from contributions?

Any news which API you will use to communicate with the Windows IP stack? I heard someone mention UWP but I don't think it's supported in Windows 7?

A massive thank you to you and any of the sponsors who made it possible to put a rush on the iOS app. Never imagined it'd be here so soon. Worked fantastically - generated a client profile on the server and set up within a couple of minutes with the QR code.

It's solving all my problems - inter-DC communication, IPv6 tunnel and now mobile VPN.

Sent some $ your way :).

Thank you so much for this software!

I'm glad that WireGuard followed in TunSafe's footsteps [1] and also released an iOS TestFlight alpha / beta. Then we can help to provide feedback instead of just waiting. A week ago we had no iOS alternatives and now we suddenly have two. Thanks! [1] https://www.reddit.com/r/WireGuard/comments/9t85h6/tunsafe_r...

If anyone is interested in setting up a VPN with wireguard [0], I'd like to whole-heartedly recommend Algo [1]. It's a set of Ansible scripts that sets up a dual IPSec/wireguard VPN on a VM or other machine.

Wireguard itself is already super simple to set up and configure, and Algo makes it even easier by automating most of the surrounding process.

I personally used it to set up a VPN a few days ago, and then manually tweaked it a bit to turn it into a site-to-site VPN instead of having it be just for tunneling (fun fact: wireguard works on Vyatta (AKA Ubiquiti) [2], and is currently running flawlessly on my Edgerouter Lite).

Seriously, this is amazing software that just works and runs incredibly fast. Huge thanks to Jason and all the contributors to the various projects for their great work.

[0]: https://www.wireguard.com/

[1]: https://github.com/trailofbits/algo

[2]: https://github.com/Lochnair/vyatta-wireguard

Ooh. Thanks for the algo recommendation. I had been looking for something which can easily support multiple users (having unique keys!), for a small/medium office. Algo looks perfect.

I would also suggest Streisand, which offers a nice web page with client config downloads after you've set it up. You can do a WireGuard-only build through the setup wizard.

I don't recommend Streisand; it spins up a bizarre collection of services. If you're excited about WireGuard (as I am), a huge part of the reason why is not to have all the horrible attack surface of legacy tunneling protocols, cryptography, and tools.

You can turn a lot of it off during the setup process. I usually block off most of the ports via ufw, leaving open the bare minimum of ssh and wireguard.

If you’re going to disable the other services, why not use Algo instead

These are both excellent suggestions. I rely on Algo for professional uses and Streisand for personal use.

Interesting - would you mind talking a bit about why you chose Algo for professional use and Streisand for personal use? I've been meaning to research them both more closely, but just getting by on manually configured SSH tunneling for the time being.

Thanks so much for this, I've just set it up and it works flawlessly. (Just a tad slow since I'm tunneling via Frankfurt, but on the software side it's absolutely lightning fast!)

Only if you have Ubuntu if you're using Linux.

If you're referring to Algo, you're correct, but it's intended to only set up a server, not a client. Having an Ubuntu VM or VPS available to host a VPN is a reasonable assumption to make.

> Having an Ubuntu VM or VPS available to host a VPN is a reasonable assumption to make.

Is it? I personally & professionally prefer Debian over Ubuntu: by default it’s free-software–only, and I find that it’s somewhat more stable & predictable (which are important in a production server system). Of course, some people don’t care as much about software freedom as I do, and others may have had different experiences with respect to stability & predictability.

Ubuntu is nice on the client side, given the reality of proprietary drivers in which we live, but even there I prefer e.g. Mint if I’m not using pure Debian.

Just to comment on the paid version joke. You can simply offer a carbon-copy of your app with a cost of 3.99 -- I'd personally be more than happy to pay for it to compensate you for your effort and support the software -- it's the least frictional way for me to pay you.

A word to the wise is enough.

Actually, you can donate here: https://www.wireguard.com/donations/ -- hopefully with similarly low friction.

Even better to go this way; no Apple tax.

For reference, on $3.99, Stripe takes ~10%, Bitcoin ~3%, Patreon ~12%, and Paypal ~15%. Apple takes nearly 30%.

Doesn't stripe usually charge 3%?

3% plus a flag of $0.30 from memory?

It wasn't hard to check so it's actually 1.75% domestic cards (Australia) or 2.99% international, $0.30 flag fall.

On $30 that is $0.83 - $1.20, or 2.75% - 3.99%

Look at that I completely used the wrong starting figure...

On $3.99, this is $0.37 - $0.42, or 9.27% - 10.51%

Offer an in app purchase as donation. Low friction flow for iOS users, free money for you!

Not necessarily. The reviewers may get upset if two apps are too similar.

More importantly, Apple might.

Not if you claim that the apps are exactly the same in the description in the store.

You'll still get people complaining, it's the nature of user reviews.

I am using WireGuard for iOS and already vastly prefer it over OpenVPN Connect: WireGuard stays connected and doesn't exhibit OpenVPN's unreliable reconnect-on-unlock behavior. Your efforts are much appreciated.

OpenVPN on iOS is horrible. But if you're looking for something a bit more mature than wireguard for now, IKEv2 IPSec VPNs based on strongswan work great.

There are some ready made docker containers [0] that set up an IKEv2 VPN and can generate an iOS mobileconfig file for your phone.

[0]: https://github.com/gaomd/docker-ikev2-vpn-server

The configuration PFSense uses for Strongswan works without requiring you to install a mobileconfig file on iOS.

This has rapidly become my favourite solution for a VPN setup because it uses only built-in software on the client and it's extremely stable.

You still need a mobileconfig to configure On Demand (kind of always on) mode. But yeah, native IKEv2 on iOS is pretty solid.

I am so glad to hear this! I've been holding off on Wireguard solely because I need iPhone support, but I've had the same problems you're referring to with OpenVPN.

Nice joke on the pricing of the app. :) Though you have a donation option on your website, it probably makes sense to put in the iOS app, in some way, a message to tell the user that this is an option to support the development (I’m not going to tell you what the best way to do this is, because it involves usability and other considerations, including App Store rules).

Can't wait to give this a spin next time I'm in China. Streisand[1] claims that Wireguard can jump the GFW and I'm interested in seeing how the performance stacks up compared to Shadowsocks with simple-obfs.

One particular feature I like with Shadowrocket on iOS is the VPN-on-demand feature it offers. I can tell the app to only turn my VPN on when on wifi, for example, since global roaming is itself essentially a VPN back to my home telco. In that instance, I don't want to route my traffic back up from Australia to the US (which I pick for my VPN due to its close routing from China). Can I expect the Wireguard app to feature something similar in time?

[1]: https://github.com/StreisandEffect/streisand

I use WireGuard (including WireGuard iOS) every day in Shanghai. It’s mostly fast and performant but nothing escapes the occasional “drop all UDP to your endpoint”. Typically this manifests as windows of time (typically a few minutes) where no traffic to the VPN gets through. However, unlike an openVPN solution WireGuard recovers without having to bounce the tunnel or constantly reconnect.

The GFW is not a monolithic entity though so be aware that performance and blocking characteristics can vary widely between cities, ISPs, and sometimes even between cell towers.

VPN on demand features are on the iOS todo list. iOS supports the idea of making a VPN on demand for cellular or WiFi so it will be able to do what you want once that feature is merged.

GFW probing is an interesting subject, and it's great that WireGuard can't really be probed (it does not respond at all to handshakes that do not use an expected key).

An interesting related talk: https://www.youtube.com/watch?v=QBp6opkcxoc

That's all good news.

I'm aware that them blackholing all UDP traffic is always going to be an issue, but it's good to hear that Wireguard recovers gracefully. So, too, does Shadowsocks.

Alternatives are always good, and having something more reflecting a true VPN rather than a SOCKS proxy will be useful once it makes it to Windows.

The really nice thing about WireGuard on Linux is that it acts like a regular network device and thus you can use iptables or network namespaces for free with it. Very clean and genius design that eradicates the need for any client support as well as removing the potential for leaking at the network device level (if you configure it in the "container" mode where you move your host network devices into an inaccessible network namespace and only provide wg0 on the host).

A lot of Linux VPNs create network interfaces (tap/tun) and support namespacing them; you can do the same thing with OpenVPN.

The really nice thing is the full in-kernel implementation, and the lack of configurability.

Right, sorry. I was comparing it to the shadow-socks project GP was referring to. (And the userspace WireGuard implementation uses TUN/TAP. In fact one of the rootless containers subprojects I've worked on is using TAP to allow for unprivileged network bridge emulation for rootless containers.)

I was wondering if the behaviour of recovering gracefully or not gives away if it's a (specific) VPN?

VPN fingerprinting is simple in most cases. The preamble to stateful VPN session initiation is generally trivial to detect. WireGuard does not (at this time) attempt to obfuscate itself, but it’s more resistant to that particular type of detection since it does not do such negotiation. So yes, this behavior could be potentially used as a heuristic distinguisher for a deep packet inspection tool.

>"It’s mostly fast and performant but nothing escapes the occasional “drop all UDP to your endpoint”."

Does the GFW start dropping UDP packets between two endpoints beyond a certain threshold? Is WG generating that message or something else?

Who knows? The behaviour I've observed suggests it may, but it's such an opaque system that it's hard to know.

For example, there's suggestions that people have had better success if they're sending HTTP obfuscated data to an endpoint that also responds to HTTP requests. The implied situation here is that the GFW might see mass HTTP data to an IP, then try to query it itself. If it gets no results, it's probably not a HTTP server but rather obfuscated VPN data. It'll then choose to drop or aggressively throttle data to that IP.

In my experience, I've had a VPN go more or less dead for a couple of days after about 30 days of use, before recovering after I leave it for a bit. In the interim, I can spin up a second IP and be fine on that one. That said, it was also to a streisand instance, which does respond to a HTTP(S) request on the IP, so maybe this heuristic wasn't my tell.

So maybe I was instead picked up because I globally routed all traffic directly at one IP and never went outside that. Others have suggested success on keeping VPNs active longer if they occasionally browse directly to random sites, so that the GFW sees their IP accessing a multitude of sites and therefore doesn't look as much like all data is going to a single IP. I've not had any noticeable anecdata to go either way on this.

The reality is, no one trying to jump the GFW truly knows how the GFW does its DPI. Moreover, as a reply said to my original post, the GFW isn't a single entity and differs across cities and regions in China.

Interesting. Thanks for the detail. Streisand is just WG implementation then?

There is a massive team watching traffic that leaves China. If the number of people using WG increases beyond their comfort level, they will block it straight away.

The Wireguard code would need the ability to mask itself as other types of traffic. Maybe a module, so people could add or change the behavior as required? I only mention this so you don't build a dependency on it. Every time Tor evolves, it takes about a day and it's blocked again.

One thing that isn't quite clear to me after a quick peruse of the website - say I'd like to use WireGuard as a VPN for my general personal internet security. I guess I'd need a server running somewhere with a WireGuard server, and then the iOS client - is that correct? i.e. it's not something like a SOCKS tunnel where I just need ssh at the other end.

Yes, if by personal security you mean encryption of all your traffic, with anonymity only towards your LAN/ISP, since your server's IP will be the sole egress point.

If you're looking for anonymity as well I would recommend you take a look at Mullvad [0] who offer a great service with full Wireguard support [1].

I've run Wireguard on a $5 DO Droplet for a while, but decided to support Mullvad instead and get the benefit of their infrastructure for the same monthly price.

Not a plug or anything I just genuinely am impressed by the performance and ease of use. For transparency's sake, AzireVPN is their primary competitor in the Wireguard space.

[0] https://mullvad.net

[1] https://mullvad.net/en/download/wireguard-config

[1] gives a very good rundown of what you need to do to make it work. It is actually very trivial (once you've got wireguard.ko). Just generate a key, and cross-copy the public halves.

However configuration to make forwarding of all packets and thus making it usable as a full VPN requires a few extra steps on the server:

    * net.ipv4.ip_forward = 1
    * net.ipv4.conf.all.proxy_arp = 1
And on the client, especially if you're using wg-quick:

    * AllowedIPs =
But it shouldn't take that long. I got it working in tens of minutes.

[1]: https://www.wireguard.com/quickstart/

On the server config I also had to add some iptables rules

  PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
  PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
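The two posts above list what a wg-quick server needs to act as a full VPN gateway (ip_forward, FORWARD accept and MASQUERADE rules, and AllowedIPs covering everything on the client). The checker below is an added example, not code from the thread or from the WireGuard project; it parses wg-quick and sysctl text and flags the usual mistakes, including a PostDown that fails to mirror PostUp (which leaves iptables rules behind on every restart). Config text, key placeholders and interface names are constructed.

```python
import re
from ipaddress import ip_network

# Added example, not WireGuard project code. Sample configs below are constructed.

def parse_wg_quick(text):
    """Parse a wg-quick INI file into [(section, {key: [values]}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def parse_sysctl(text):
    """Parse 'key = value' lines as found in /etc/sysctl.d/*.conf."""
    pairs = (l.split("#", 1)[0].partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}

def client_routes_everything(client_cfg):
    """True if some [Peer] AllowedIPs covers 0.0.0.0/0, i.e. a full-tunnel client."""
    nets = set()
    for name, kv in parse_wg_quick(client_cfg):
        if name != "Peer":
            continue
        for value in kv.get("AllowedIPs", []):
            nets.update(ip_network(n.strip(), strict=False)
                        for n in value.split(",") if n.strip())
    return ip_network("0.0.0.0/0") in nets

def server_gateway_issues(server_cfg, sysctl_cfg, wg_iface, egress_iface):
    """List what stops the server from forwarding and NATing tunnel traffic."""
    problems = []
    if parse_sysctl(sysctl_cfg).get("net.ipv4.ip_forward") != "1":
        problems.append("sysctl: net.ipv4.ip_forward is not 1")
    iface = next((kv for n, kv in parse_wg_quick(server_cfg) if n == "Interface"), {})
    post_up = "; ".join(iface.get("PostUp", []))
    post_down = "; ".join(iface.get("PostDown", []))
    if not re.search(rf"-A FORWARD -i {wg_iface} -j ACCEPT", post_up):
        problems.append(f"PostUp: no FORWARD accept for traffic entering {wg_iface}")
    if not re.search(rf"-A POSTROUTING -o {egress_iface} -j MASQUERADE", post_up):
        problems.append(f"PostUp: no MASQUERADE on egress {egress_iface}")
    # Every rule appended (-A) in PostUp must be deleted (-D) in PostDown,
    # otherwise duplicate rules accumulate each time the tunnel is restarted.
    for rule in re.findall(r"iptables(?: -t nat)? -A (.+?)(?:;|$)", post_up):
        if f"-D {rule}" not in post_down:
            problems.append(f"PostDown: does not delete '{rule}'")
    return problems

SERVER_CFG = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
"""
SYSCTL_CFG = "net.ipv4.ip_forward = 1\n"
CLIENT_CFG = """\
[Interface]
Address = 10.8.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
```

Running `server_gateway_issues(SERVER_CFG, SYSCTL_CFG, "wg0", "eth0")` on the constructed server config reports only the MASQUERADE rule missing from PostDown.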

Ah yes, I forgot about that. (It is mentioned in the documentation though.)

Like anything else, you need an appropriate server at the other end.

For SOCKS, that would be a SOCKS server (not sshd). (ssh <-> sshd happens to have an option to spawn a limited SOCKS server, but it is not the only SOCKS server in existence.)

Ah, I see - thanks for the clarification.

Fantastic progress!

Going to China soon and was wondering if anyone has tried if this works through the GFW?

From another user "reaperhulk"

>I use WireGuard (including WireGuard iOS) every day in Shanghai. It’s mostly fast and performant but nothing escapes the occasional “drop all UDP to your endpoint”. Typically this manifests as windows of time (typically a few minutes) where no traffic to the VPN gets through. However, unlike an openVPN solution WireGuard recovers without having to bounce the tunnel or constantly reconnect. The GFW is not a monolithic entity though so be aware that performance and blocking characteristics can vary widely between cities, ISPs, and sometimes even between cell towers.

>VPN on demand features are on the iOS todo list. iOS supports the idea of making a VPN on demand for cellular or WiFi so it will be able to do what you want once that feature is merged.

Reaperhulk, for what it's worth, is a crypto engineer and also a co-author of Frinkiac.

When I was there I had to wrap all my tunnels in Stunnel because UDP traffic will simply get dropped from time to time.

Was with OpenVPN though, not Wireguard.

Really wishing it would get a pluggable traffic obfuscation system, let a thousand obfuscators bloom and make it hard for tyrant governments

This is great news! I would love to test it out just as soon as NordVPN finishes deploying support.

I need an invitation code to install..?

Still no word about zerotier?

What about zerotier? Were they looking at supporting wireguard? That would be cool, but a little bit surprising since I thought they pretended to be a layer 2 device rather than the layer 3 device that wg provides. But it's been a while, so maybe I misremember.

Hell yes.

I had IPSec VPN set up on my iPhone for a year, zero problems. Native Apple client, no apps to install, just a profile file. It is always on for all traffic.

The client side story for IPSec is great, but configuring the (strongSwan) server is far from trivial. There are many decisions to make, and mistakes to avoid.

Yes, amazing projects like Algo exist, but you can't use these on all platforms (ex: OpenWRT).

My hope is that wireguard will provide a much easier (and safer) setup experience.

> server is far from trivial.

Yes, but most people will use commercial VPN providers, with the added benefit of an obscure IP address; with your own server, the IP is still unique to you.

That's only one of many legitimate uses for a VPN.

Personally I use a VPN to connect back to my homenet when I'm out on the road, or to connect to my company's network when out of office.

If you think the only usage of a VPN is anonymizing your IP, you have an incredibly lacking understanding of the history and use-cases for VPNs.

Again :) No third-party apps to install for IPSec VPNs, this is seriously more secure

> No third-party apps to install for IPSec VPNs, this is seriously more secure

Just as telnet.exe is available on Windows but ssh isn't, so telnet must be more secure.

It depends on your threat model and also on the tech below.

Not a valid point, telnet is not encrypted, IKEv2 is pretty solid.

Don’t know what it does after reading this whole email.

It's an email for a mailing list of people who already know about the project, not a press release, but somebody posted it here anyway. The main site -- https://www.wireguard.com -- has lots of info if you're curious.
