As the mailing list post mentions, this is a super new code base, and we could certainly use a hand, if any iOS developers out there are itching to help out. Opportunity to jump into a codebase while it's still pretty fresh, if that sort of experience is appealing to you. Don't hesitate to email me (jason [at] zx2c4.com) or poke me on IRC (I'm zx2c4 on freenode in #wireguard).
Thanks so much for your work on this; I think iOS is the last major platform, right? Amazing effort in so short a time. I guess that's another advantage, alongside the security ones, of having a very simple, focused code base without unnecessary knobs and dials.
I'm sorry it didn't make it into the kernel this cycle though, granted maybe that was a little much to hope for at this stage of things, and I really hope Vancouver goes well for you and Zinc. It's not that WG is hard to get set up on any given system, but I think kernel integration will lower the bar towards getting it available as a standard feature in a lot of turnkey appliance systems that I see a ton in SMB usage in particular. I can understand being conservative there but man do I already want it everywhere :)!
What is the current status with getting the required bits merged into the Linux kernel? I don't really follow lkml (my email service would instantly hit its quota), and the todo list (https://www.wireguard.com/todo/) surprisingly doesn't include any word about this.
Posted v8 a few weeks ago. I'm working on v9 now. I'm mostly working on readying the new crypto api, Zinc -- https://lwn.net/SubscriberLink/770750/95c3c169634d1447/ -- and I'll be hopefully discussing it with some folks at the conference in Vancouver next week.
Any chance the session will be recorded? I noticed that Linux Plumbers no longer seems to publish on YouTube in recent years (since 2013) and the tickets to the conference are sold out. :<
Also a big thank you. There's nothing wrong with charging for an app or VPN service; charity is unfortunately not a sustainable business model, and the app can still remain FLOSS. But that's just my two cents.
I’d certainly not mind helping fund development in some form, if there is some discomfort with charging for the app I’d be happy to see an IAP tip jar.
I have no idea how it's implemented, but I'll comment on the GPL thing assuming it's a module, and assuming that modules are derivative works (not clear if true).
There shouldn't be a problem from Microsoft's side since they're not the ones distributing it. You are free to assemble a module that has incompatible license terms and use it personally, because the GPL only really activates on distribution (like if you sell your laptop with this module installed).
So even in the worst case, Microsoft shouldn't care. Does Windows even have the concept of MODULE_LICENSE like Linux?
A massive thank you to you and any of the sponsors who made it possible to put a rush on the iOS app. Never imagined it'd be here so soon. Worked fantastically - generated a client profile on the server and set up within a couple of minutes with the QR code.
It's solving all my problems - inter-DC communication, IPv6 tunnel and now mobile VPN.
I'm glad that WireGuard followed in TunSafe's footsteps [1] and also released an iOS TestFlight alpha / beta. Then we can help to provide feedback instead of just waiting. A week ago we had no iOS alternatives and now we suddenly have two. Thanks!
[1] https://www.reddit.com/r/WireGuard/comments/9t85h6/tunsafe_r...
If anyone is interested in setting up a VPN with wireguard [0], I'd like to whole-heartedly recommend Algo [1]. It's a set of Ansible scripts that sets up a dual IPSec/wireguard VPN on a VM or other machine.
Wireguard itself is already super simple to set up and configure, and Algo makes it even easier by automating most of the surrounding process.
I personally used it to set up a VPN a few days ago, and then manually tweaked it a bit to turn it into a site-to-site VPN instead of having it be just for tunneling (fun fact: wireguard works on Vyatta (AKA Ubiquiti) [2], and is currently running flawlessly on my EdgeRouter Lite).
Seriously, this is amazing software that just works and runs incredibly fast. Huge thanks to Jason and all the contributors to the various projects for their great work.
Ooh. Thanks for the algo recommendation. I had been looking for something which can easily support multiple users (having unique keys!), for a small/medium office. Algo looks perfect.
I would also suggest Streisand, which offers a nice web page with client config downloads after you've set it up. You can do a WireGuard-only build through the setup wizard.
I don't recommend Streisand; it spins up a bizarre collection of services. If you're excited about WireGuard (as I am), a huge part of the reason why is not to have all the horrible attack surface of legacy tunneling protocols, cryptography, and tools.
You can turn a lot of it off during the setup process. I usually block off most of the ports via ufw, leaving open the bare minimum of ssh and wireguard.
Interesting - would you mind talking a bit about why you chose Algo for professional use and Streisand for personal use? I've been meaning to research them both more closely, but just getting by on manually configured SSH tunneling for the time being.
Thanks so much for this, I've just set it up and it works flawlessly. (Just a tad slow since I'm tunneling via Frankfurt, but on the software side it's absolutely lightning fast!)
If you're referring to Algo, you're correct, but it's intended to only set up a server, not a client. Having an Ubuntu VM or VPS available to host a VPN is a reasonable assumption to make.
> Having an Ubuntu VM or VPS available to host a VPN is a reasonable assumption to make.
Is it? I personally & professionally prefer Debian over Ubuntu: by default it’s free-software–only, and I find that it’s somewhat more stable & predictable (which are important in a production server system). Of course, some people don’t care as much about software freedom as I do, and others may have had different experiences with respect to stability & predictability.
Ubuntu is nice on the client side, given the reality of proprietary drivers in which we live, but even there I prefer e.g. Mint if I’m not using pure Debian.
Just to comment on the paid version joke. You can simply offer a carbon-copy of your app with a cost of 3.99 -- I'd personally be more than happy to pay for it to compensate you for your effort and support the software -- it's the least frictional way for me to pay you.
I am using WireGuard for iOS and already vastly prefer it over OpenVPN Connect: WireGuard stays connected and doesn't exhibit OpenVPN's unreliable reconnect-on-unlock behavior. Your efforts are much appreciated.
OpenVPN on iOS is horrible. But if you're looking for something a bit more mature than wireguard for now, IKEv2 IPSec VPNs based on strongSwan work great.
There are some ready-made docker containers [0] that set up an IKEv2 VPN and can generate an iOS mobileconfig file for your phone.
I am so glad to hear this! I've been holding off on Wireguard solely because I need iPhone support, but I've had the same problems you're referring to with OpenVPN.
Nice joke on the pricing of the app. :) Though you have a donation option on your website, it probably makes sense to put in the iOS app, in some way, a message to tell the user that this is an option to support the development (I’m not going to tell you what the best way to do this is, because it involves usability and other considerations, including App Store rules).
Can't wait to give this a spin next time I'm in China. Streisand[1] claims that Wireguard can jump the GFW and I'm interested in seeing how the performance stacks up compared to Shadowsocks with simple-obfs.
One particular feature I like with Shadowrocket on iOS is the VPN-on-demand feature it offers. I can tell the app to only turn my VPN on when on wifi, for example, since global roaming is itself essentially a VPN back to my home telco. In that instance, I don't want to route my traffic back up from Australia to the US (which I pick for my VPN due to its close routing from China). Can I expect the Wireguard app to feature something similar in time?
I use WireGuard (including WireGuard iOS) every day in Shanghai. It’s mostly fast and performant but nothing escapes the occasional “drop all UDP to your endpoint”. Typically this manifests as windows of time (typically a few minutes) where no traffic to the VPN gets through. However, unlike an OpenVPN solution, WireGuard recovers without having to bounce the tunnel or constantly reconnect.
The GFW is not a monolithic entity though so be aware that performance and blocking characteristics can vary widely between cities, ISPs, and sometimes even between cell towers.
VPN on demand features are on the iOS todo list. iOS supports the idea of making a VPN on demand for cellular or WiFi, so it will be able to do what you want once that feature is merged.
GFW probing is an interesting subject, and it's great that WireGuard can't really be probed (it does not respond at all to handshakes that do not use an expected key).
I'm aware that them blackholing all UDP traffic is always going to be an issue, but it's good to hear that Wireguard recovers gracefully. So, too, does Shadowsocks.
Alternatives are always good, and having something more reflecting a true VPN rather than a SOCKS proxy will be useful once it makes it to Windows.
The really nice thing about WireGuard on Linux is that it acts like a regular network device and thus you can use iptables or network namespaces for free with it. Very clean and genius design that eradicates the need for any client support as well as removing the potential for leaking at the network device level (if you configure it in the "container" mode where you move your host network devices into an inaccessible network namespace and only provide wg0 on the host).
Right, sorry. I was comparing it to the Shadowsocks project GP was referring to. (And the userspace WireGuard implementation uses TUN/TAP. In fact one of the rootless containers subprojects I've worked on is using TAP to allow for unprivileged network bridge emulation for rootless containers.)
VPN fingerprinting is simple in most cases. The preamble to stateful VPN session initiation is generally trivial to detect. WireGuard does not (at this time) attempt to obfuscate itself, but it’s more resistant to that particular type of detection since it does not do such negotiation. So yes, this behavior could be potentially used as a heuristic distinguisher for a deep packet inspection tool.
Who knows? The behaviour I've observed suggests it may, but it's such an opaque system that it's hard to know.
For example, there are suggestions that people have had better success if they're sending HTTP obfuscated data to an endpoint that also responds to HTTP requests. The implied situation here is that the GFW might see mass HTTP data to an IP, then try to query it itself. If it gets no results, it's probably not an HTTP server but rather obfuscated VPN data. It'll then choose to drop or aggressively throttle data to that IP.
In my experience, I've had a VPN go more or less dead for a couple of days after about 30 days of use, before recovering after I leave it for a bit. In the interim, I can spin up a second IP and be fine on that one. That said, it was also to a Streisand instance, which does respond to an HTTP(S) request on the IP, so maybe this heuristic wasn't my tell.
So maybe I was instead picked up because I globally routed all traffic directly at one IP and never went outside that. Others have suggested success on keeping VPNs active longer if they occasionally browse directly to random sites, so that the GFW sees their IP accessing a multitude of sites and therefore doesn't look as much like all data is going to a single IP. I've not had any noticeable anecdata to go either way on this.
The reality is, no one trying to jump the GFW truly knows how the GFW does its DPI. Moreover, as a reply said to my original post, the GFW isn't a single entity and differs across cities and regions in China.
There is a massive team watching traffic that leaves China. If the number of people using WG increases beyond their comfort level, they will block it straight away.
The Wireguard code would need the ability to mask itself as other types of traffic. Maybe a module, so people could add or change the behavior as required? I only mention this so you don't build a dependency on it. Every time Tor evolves, it takes about a day and it's blocked again.
One thing that isn't quite clear to me after a quick peruse of the website - say I'd like to use WireGuard as a VPN for my general personal internet security. I guess I'd need a server running somewhere with a WireGuard server, and then the iOS client - is that correct? i.e. it's not something like a SOCKS tunnel where I just need ssh at the other end.
Yes, if by personal security you mean encryption of all your traffic, with anonymity only towards your LAN/ISP, since your server's IP will be the sole egress point.
If you're looking for anonymity as well I would recommend you take a look at Mullvad [0] who offer a great service with full Wireguard support [1].
I've run Wireguard on a $5 DO Droplet for a while, but decided to support Mullvad instead and get the benefit of their infrastructure for the same monthly price.
Not a plug or anything, I just genuinely am impressed by the performance and ease of use. For transparency's sake, AzireVPN is their primary competitor in the Wireguard space.
[1] gives a very good rundown of what you need to do to make it work. It is actually very trivial (once you've got wireguard.ko). Just generate a key, and cross-copy the public halves.
However, configuring it to forward all packets, and thus making it usable as a full VPN, requires a few extra steps on the server:
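As an added example (not code from the thread, WireGuard or Algo), here is the "generate a key and cross-copy the public halves" step and the extra server-side forwarding steps written out in Python. WireGuard keys are Curve25519 keys, so the public half is derived with X25519 (implemented here in its RFC 7748 reference form, not constant-time), and both sides' wg-quick configs are rendered with each peer's public key placed in the other peer's `[Peer]` section. The WAN interface name `eth0`, the endpoint `vpn.example.com:51820` and the `10.8.0.0/24` tunnel range are assumptions made for the example.

```python
"""Added example: WireGuard-style key generation and peer configuration.

Not code from the thread, WireGuard or Algo.  X25519 follows RFC 7748; the
config keys (PrivateKey, PublicKey, AllowedIPs, Endpoint, PostUp/PostDown)
are the ones wg-quick reads.  eth0, vpn.example.com:51820 and 10.8.0.0/24
are assumptions."""
import base64
import secrets

_P = 2**255 - 19                      # Curve25519 field prime
_BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9, little-endian


def _clamp(scalar: bytes) -> int:
    """Clamp a 32-byte secret exactly as `wg genkey` and RFC 7748 do."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (reference form; not constant-time)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # RFC: ignore the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):      # a clamped scalar has 255 significant bits
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + 121665 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def hex_to_b64(hex_key: str) -> str:
    """WireGuard shows keys as base64 of the raw 32 bytes."""
    return base64.b64encode(bytes.fromhex(hex_key)).decode()


def generate_private_key() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64-encoded."""
    raw = _clamp(secrets.token_bytes(32)).to_bytes(32, "little")
    return base64.b64encode(raw).decode()


def public_key(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: the half you copy into the other peer's config."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), _BASEPOINT)).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """Raw X25519 agreement (the handshake derives its keys from DH results like
    this one); used here only to check that both peers compute the same value."""
    return base64.b64encode(
        x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))).decode()


def server_forwarding_steps(wan_if: str = "eth0") -> list:
    """The extra server-side steps a full-tunnel VPN needs: enable routing, accept
    forwarded packets from the tunnel, NAT them out of the WAN interface.
    `%i` is wg-quick's placeholder for the tunnel interface name."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -A FORWARD -i %i -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
    ]


def render_server_conf(server_priv: str, client_pub: str,
                       wan_if: str = "eth0", listen_port: int = 51820) -> str:
    """Server side: its own private key, the client's public key, forwarding hooks."""
    lines = ["[Interface]", f"PrivateKey = {server_priv}", "Address = 10.8.0.1/24",
             f"ListenPort = {listen_port}"]
    lines += [f"PostUp = {cmd}" for cmd in server_forwarding_steps(wan_if)]
    lines += ["PostDown = iptables -D FORWARD -i %i -j ACCEPT",
              f"PostDown = iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE",
              "", "[Peer]", f"PublicKey = {client_pub}", "AllowedIPs = 10.8.0.2/32"]
    return "\n".join(lines) + "\n"


def render_client_conf(client_priv: str, server_pub: str, endpoint: str) -> str:
    """Client side: its own private key, the server's public key, full-tunnel route."""
    lines = ["[Interface]", f"PrivateKey = {client_priv}", "Address = 10.8.0.2/32", "",
             "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}",
             "AllowedIPs = 0.0.0.0/0",        # send all IPv4 through the tunnel
             "PersistentKeepalive = 25"]      # keeps NAT mappings alive for a mobile client
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    s_priv, c_priv = generate_private_key(), generate_private_key()
    print(render_server_conf(s_priv, public_key(c_priv)))
    print(render_client_conf(c_priv, public_key(s_priv), "vpn.example.com:51820"))
```

Running the script prints the two config files; the `PostUp` lines are what wg-quick executes on the server when the tunnel comes up, which is the forwarding work that a plain peer-to-peer tunnel does not need.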
Like anything else, you need an appropriate server at the other end.
For SOCKS, that would be a SOCKS server (not sshd). (ssh <-> sshd happens to have an option to spawn a limited SOCKS server, but it is not the only SOCKS server in existence.)
What about ZeroTier? Were they looking at supporting wireguard? That would be cool, but a little bit surprising since I thought they pretended to be a layer 2 device rather than the layer 3 device that wg provides. But it's been a while, so maybe I misremember.
I had IPSec VPN set up on my iPhone for a year, zero problems. Native Apple client, no apps to install, just a profile file. It is always on for all traffic.
The client side story for IPSec is great, but configuring the (strongSwan) server is far from trivial. There are many decisions to make, and mistakes to avoid.
Yes, amazing projects like Algo exist, but you can't use these on all platforms (e.g. OpenWrt).
My hope is that wireguard will provide a much easier (and safer) setup experience.
It's an email for a mailing list of people who already know about the project, not a press release, but somebody posted it here anyway. The main site -- https://www.wireguard.com -- has lots of info if you're curious.