Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Download WireGuard for Windows pre-alpha for testing (zx2c4.com)
94 points by dtamhk on June 20, 2019 | hide | past | favorite | 26 comments



Work is progressing steadily by the day on WireGuard for Windows and Wintun, the TUN driver we're writing that this uses. Hopefully this won't be "pre-alpha" for much longer.

You can get the former at https://www.wireguard.com/install/ and learn about the latter at https://www.wintun.net/


In the previous discussion thread linked below, somebody claims WireGuard is subject to DPI. An examination of the White Paper and of real packet captures does not reveal any obvious opportunity to "inspect" WireGuard if you aren't in possession of the keys.

Most likely that poster uses DPI sloppily to include simple blocking strategies, like hey, if we see two packets in a row between two (ip,port) pairs starting 01 00 00 00 going on way and then 02 00 00 00 going the other way, that could be WireGuard, let's block the rest of the data on that (ip,port) pair for a while.

However, am I missing something and actually there is something meaningful to inspect without having the keys?

If I'm not, what's your preferred way for people to sidestep that sort of blocking? Tweaking WireGuard to use different values would obviously work but it destroys the point of having a single specification.


DPI doesn’t imply any ability to decrypt the traffic. It refers to networking equipment fingerprinting the traffic to detect application/protocol information (basically anything in the OSI model lower than layer3/4)

That aligns with the DPI-related comments in the linked prior comment thread, which reference use of DPI for internet firewalling by various governments.

Also, as noted in that same comment thread, bypassing DPI is an un-goal of Wireguard.


> It refers to networking equipment fingerprinting the traffic to detect application/protocol information (basically anything in the OSI model lower than layer3/4)

Right, so then is your claim that there _is_ such information revealed in WireGuard? Because I don't see any.

If you do DPI for - say - TLS you get a strong fingerprint (JA3 is a popular thing for this) that lets you distinguish Google from Twitter, Firefox from Safari, or curl from Python's Requests, again without decrypting the traffic.

But where is the fingerprint in WireGuard? If I give you a tcpdump for 5 minutes of UDP traffic the most you can say is that some of it looks like WireGuard traffic. You might remember when we used to get this sort of useless diagnostic, "Over 4000 of these packets use port 80! This is web traffic". We did not call that "Deep Packet Inspection" because it wasn't deep and didn't in fact inspect the packets, just some metadata.


https://lists.zx2c4.com/pipermail/wireguard/2018-September/0...

From the Wireguard mailing list, there is an application layer fingerprint that is easy to detect.


I’m not sure what case you’re trying to make. Yes, network equipment can do pattern-matching on Wireguard traffic and have reasonable confidence based on the packet contents and flow patterns that the traffic is a Wireguard VPN.

For example: https://ipoque.com/news-media/press-releases/2019/rohde-schw...

Edit: also, to clarify the note you had about port 80, that’s why I pointed out that DPI refers to layers beyond 3/4. “Hey these are TCP packets to port 80” is not DPI. “Hey, the contents of these packets match my signature for Wireguard traffic” is DPI.


> "Over 4000 of these packets use port 80! This is web traffic". We did not call that "Deep Packet Inspection"

The right analogy is "these packets went through these tubes".


What would it take to have a TUN-less client that exposes the VPN connection as a SOCKS proxy? The use case I'm imagining is being able to sit down at a machine as an unprivileged user, connect to a VPN, then run Firefox Portable and have all traffic from the browser go through the VPN, all without having to install anything.


I'm afraid it's not super clear here. Are you working on a Windows SERVER/DAEMON for WireGuard as well as a client, or just a client?


With wireguard there is no difference - there are no servers and clients, just peers.


Very interesting. Thank you!



Doesn't add much to the discussion, I know, but let me just chime in to thank the people of WireGuard for releasing this wonderful piece of software for free.


We've needed a solution like this for almost a decade. Thank you, thank you. Love the minimalist vibe to it, gets the job done, transparent + reduction in complexity for user = safety.

Would you ever consider creating a mesh network manager (to replace horrors like Hamachi)? It could allow people to generate the keys conveniently/safely and connect servers/clients in a distributed, non-centralized manner easily.


Pre alpha my arse it works great! Been running it for over a week or so and no issues. Saved me at least twice now whilst in incredibly remote locations.

Awesome work by the wireguard team


What I'd really like to see, and didn't as of a few months ago, is a userspace docker/linux wireguard that doesn't require any special kernel privs or capabilities.


There's a Go WireGuard. It's the basis for macOS WireGuard.


Yes, and it's pretty adamant that it's not to be run on linux. (like, you have to edit some source to add something like "yes I really mean to do this")

Once you blow past the warnings about compiling it on linux, it still failed to actually work in my testing. Fair enough.

It doesn't seem like it should be an insurmountable problem, but I'm a level or two from being able to make it work by sheer force of code.


I'm pretty sure he's just trying to get you to run the more performant kernel version on Linux, especially since the goal is to mainline it into the Linux kernel. I can't see a substantive reason for it to be a bad idea there.


I know Wireguard is faster but I found OpenVPN much easier to set up.


You are the first person I have ever seen say that. WireGuard setup is approximately the same as SSH; the only thing it adds over SSH is IP addresses. I've set up OpenVPN multiple times and I'd reserve a couple hours of my time if a client demanded it, because that's how long it'd take me. WireGuard would take me a couple minutes and I'd be doing it from memory.


As a sibling suggests, it's very easy to set up OpenVPN _badly_.

I have a config right now on my other PC labelled "Old staging KEEP" which is this type of setup for OpenVPN, it's relying on a crappy out-of-box private CA setup, no passwords, shared private keys, it's likely vulnerable to key compromise attacks and a dozen other problems as configured.

Edited to add: Also, the reason I kept it, this config relies on hijacking public addresses. Some... person... took an OpenVPN config example with 172.16.0.0/16 addresses and it conflicted with the stupid WiFi NAT in their office, so they just changed the IP addresses to a public range nearby, apparently not realising (certainly not caring) that this means it's now randomly breaking other things too.

But for the typical end user this looks like it worked. Random drive-bys can't get in, spinning it up for the new frontend dev is easy, what's not to like? If it takes them five minutes to install & configure OpenVPN wrong, and an hour to install & configure WireGuard right, they will conclude WireGuard is harder, even if it might have taken them a week to get OpenVPN done right.


This genuinely surprises me. OpenVPN is a dense and obtuse rabbit hole of many poorly named configuration options with terrible documentation.

WireGuard asks so much less of you.


OpenVPN has more poorly written tutorials available which explain how to configure it by copying and pasting huge config files often containing security vulnerabilities or other poor practice. Just off the top of my head, I believe the default cipher was bf-cbc until fairly recently they implemented TLS cipher selection.


Finally! Have TunSafe on some 20+ windows machines. Time to see how this compares :)

Overall TunSafe has been awesome apart from some minor annoyances - like laptops not auto-reconnecting sometimes after hibernating.


Question. Why the cute-bunnies-reminiscent-of-80s-cartoon "mascots" for WinTun?




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: