Hacker News new | past | comments | ask | show | jobs | submit login
WireGuard on OpenBSD (jasper.la)
119 points by fcambus 6 days ago | hide | past | web | favorite | 28 comments

This is great! I love seeing Wireguard spread. I just spent three weeks traveling abroad and installed wireguard on my home server right before I left. It saved me a lot of trouble when I need to get work done "in the US", but even moreso, it was great so that my kids could continue to watch PBS while we traveled, and it was so easy to use on iOs that everyone in the family could make it work for them.

Yeah, I seriously appreciate WG. Allows me to keep all home automation local / non-cloud while still giving me the option of easily controlling and checking elements remotely.

Genuine question: In terms of getting from Network A to Network B, is there anything that Wireguard does special that OpenVPN cannot/does not?

OpenVPN is harder to configure and uses/allows arkane crypto. The same applies to IPsec, just more strongly. WireGuard is more in line with modern cryptographic protocols that we know and love from e.g. instant messaging.

Also lower-latency which is really great for streaming video for example. At least in my case it's the difference between stuttering video and nice stream.

From an operator/user point of view, it's way easier to configure. It only took me maybe an hour or two including reading all the docs and dealing with my special firewall situation to get it set up on the server. Setting it up on the clients only takes about five minutes and then the client literally flicks a switch. No passwords or anything required, because it uses a simple out of band key exchange for the setup.

One of the things I really like about WireGuard is how easy "split tunneling" is. I can define a subnet as available through the interface and only traffic destined for it will be routed.

This is especially helpful for users with metered connections. You don't have to send ALL your traffic, only the ones destined for LAN will get sent.

I'm in a similar position with regards to tinc. I'm willing to grant that wireguard is vastly simplified, easier to configure, and likely better performance. But it doesn't appear to currently support routing through intermediate hosts with opportunistic NAT punching, meaning the presented network won't actually be fully connected. Which I might accept and work around if I didn't already have a better option set up...

If you've got a working OpenVPN setup, then it probably makes sense to just stick with that. I'm guessing the real gains are only to be had when you want to overhaul your setup anyway.

Wireguard supports roaming IPs and is typically a lot faster / less resource intensive than OpenVPN.

I haven't bothered setting up wireguard yet, but on paper it looks a lot better and when it's stable I suspect a lot more people will jump on board.

OpenVPN supports client roaming as well, though. The wireguard design is more flexible in that everyone can roam, but taking advantage of that requires userspace daemons that coordinate it. And as far as I can tell, the userspace hasn't been developed to the point of supporting those features yet.

I've sized up its current functionality as useful for replacing OpenVPN, but not yet as a general mesh VPN.

> roaming IPs

This. I've installed it on Android just because I get a better experience with WiFi switching on when I have a poor signal. And having my SSH connection not break is nice.

Have a prayer at being code-audited by you.

Looks like it's also now available for windows: https://hn.algolia.com/?query=https:%2F%2Flists.zx2c4.com%2F...

super exciting. can't wait to see where it goes from here.

I'm definitely happy to see Windows getting closer, but I do think it's important to state up front that this is "pre-alpha" currently. Depending on you use case, that is super important.

The final part of the article mentions this "What is particularly neat is that WireGuard on iOS supports Always-on."

I can only agree. I have WG installed on my iPhone, iPad and use the WG service provided by Mullvad VPN. And it is on all the time since a few months back. I don't experience any connectivity issues, lack of performance or degradation in battery/power consumption. It really just works. Huge thanks to Jason for developing WG as protocol, server implementation and clients.

If I have a Wireguard server at home, can I use it on my phone in "always-on" mode? Would it cause problem when I connect to my home's wifi?

It's been a while but I tried to do that with ipsec or something like that in the past and I think it was causing problems. With the routing maybe.

You can also run in on-demand mode and exclude your home WiFi, which is what I do. Then you'll be connected to the VPN at all times except when you're on the home WiFi.

you need a fixed routable ip address for your home

I use afraid.org dynamic dns offering and it works great.

Is static IP really required? A DynDNS domain won’t do?

Does this mean we're close to WireGuard being viable as a pfSense package?

It's unrelated. pfSense is a FreeBSD derivative; not OpenBSD. FreeBSD already has wireguard-go in ports, but the userspace implementation may not be suitably performant for the kinds of embedded devices pfSense targets.

FWIW, there is a NetBSD kernel implementation work in progress that might be useful (at least as a starting place) for OpenBSD:


No activity since March, though.

Will the kernel portion depend on lkm?

OpenBSD no longer has lkm, or any loadable kernel module framework. Any kernel implementation would have to be part of the kernel source tree (this one is userland, in ports).

I thought wireguard is kernel-mode software and I disliked it because of that. Interesting, may be there's Linux version of user-mode wireguard. I wonder what's the performance difference between usermode and kernelmode wireguard.

There is a go implementation of WireGuard with a fairly hefty warning at the top. [0]

There's also official documentation for how a userspace implementation should behave. [1]

The android version of WireGuard has a userspace implementation for devices without WireGuard in the kernel, which at the moment is pretty much all.

[0] https://github.com/WireGuard/wireguard-go

[1] https://www.wireguard.com/xplatform/

There is user mode wireguard for Linux, it is wireguard-go: https://git.zx2c4.com/wireguard-go/.

There is also BoringTun: https://github.com/cloudflare/boringtun which is faster

Disclaimer: I wrote BoringTun

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact