
In case the author is reading this, I recently started using Wireguard in Mac OS with the Mac app and the experience has been great.

Not only is it much faster than other VPNs that I used in the past, but compared to other clients (Forticlient and Tunnelblick), the overall experience feels much nicer, IMO.

Thank you so much for your work!




> Not only is it much faster than other VPNs

IPSec is as fast as Wireguard. And there is a native client in MacOS. As for the bloated codebase, there is an OpenBSD iked rewrite.


IIRC, ipsec is considered somewhat of a security nightmare by modern standards, given that it is difficult to fully understand and very easy to misconfigure in an insecure way. I would only recommend using ipsec over wireguard when legacy compat matters.


It is. Even the companies I integrate with that require it know it's full of pitfalls. When you've been doing ipsec for two decades and it's a checkbox in your compliance sheet though, you check the box and hopefully you're good at it by now.


IKEv2 can be configured securely, but by someone who is familiar with that particular minefield. Both on Windows and MacOS the GUIs configure weaker security by default (the cynic may wonder why!).

On MacOS you can use Apple Configurator / Apple Profile Manager, and on Windows PowerShell, to configure stronger security.

The nice thing with WireGuard is it’s either secure or it’s off.

As you say, it’s easy to misconfigure IPSec and the number of experts gets smaller day by day.


Doesn't IPSec need a "clean" network connection, without any NAT in the middle? Wireguard was designed to work well even in the presence of NAT.


In IKEv2 it’s optional but IPsec NAT traversal (NAT-T) uses UDP port 4500.


If you enable UDP encapsulation, it will work over NAT.


With IPSec native client in MacOS, there are several problems:

- multiple users on the same machine cannot have their own credentials for the same tunnel; you have to create several tunnels and each user sees all of them. Obviously, you cannot save the password then.

- if you want to set up routing for your L2TP split tunnel, you have to create bash scripts (ip-up, ip-down) in /etc/ppp. Not even Linux makes you do this by hand.

Compared to this, Wireguard for Mac is much more polished.
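The /etc/ppp/ip-up and ip-down hooks mentioned in the comment above look roughly like this. This is an added example, not code from the thread or from Apple: pppd invokes the hook with its standard argument list (interface, tty, speed, local IP, remote IP, ipparam), the two network prefixes in SPLIT_NETS are constructed placeholders, and the DRY_RUN switch is an assumption added so the hook can be reviewed before it runs as root.

```shell
#!/bin/sh
# Added example: /etc/ppp/ip-up (symlink or copy it to ip-down as well).
# pppd calls it as:  ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Only the prefixes in SPLIT_NETS are sent through the tunnel; everything
# else keeps using the normal default route (split tunnel).

# Constructed placeholder prefixes; replace with the networks behind your VPN.
SPLIT_NETS="10.20.0.0/16 192.168.77.0/24"

# Print the command instead of executing it when DRY_RUN is set, so the
# exact route changes can be inspected without root and without pppd.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Add one route per prefix, bound to the ppp interface (BSD route syntax,
# as used on macOS).
add_routes() {
    iface="$1"; shift
    for net in "$@"; do
        run /sbin/route -n add -net "$net" -interface "$iface"
    done
}

# Mirror of add_routes for ip-down, so stale routes do not linger after
# the tunnel drops.
del_routes() {
    iface="$1"; shift
    for net in "$@"; do
        run /sbin/route -n delete -net "$net" -interface "$iface"
    done
}

# Only act when pppd invoked us with its full argument set; dispatch on the
# script name so one file serves both hooks.
if [ "$#" -ge 5 ]; then
    case "$(basename "$0")" in
        ip-down) del_routes "$1" $SPLIT_NETS ;;
        *)       add_routes "$1" $SPLIT_NETS ;;
    esac
fi
```

pppd only runs the hook if it is executable (chmod 755) and owned by root, and it runs it as root, which is why keeping the script this small and reviewing it with `DRY_RUN=1 sh ip-up ppp0 tty 0 a b c` first is worth the trouble.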


Why L2TP and not IKEv2?


Depends on the other side, too.

Otherwise, a good question for Ubiquiti: why don't they support IKEv2 (among other things), when they are using strongswan underneath anyway?


Is IPSec as fast as Wireguard if I'm running it on a potato like a Raspberry Pi 2?


Yep


I wanted to add this. We have had a nearly flawless experience and the macOS app is really nice and polished. It feels like a nice native app, which is rare these days.

However, I've had issues since I upgraded to Big Sur. I can't edit my tunnels anymore.


Seconded. I can't comment on the Mac app, but I have tried it on Unix, Windows and Android and I'm extremely pleased that it allowed me to fairly easily create my own secure VPN that connects my home network, laptop and phone.


Absolutely agree. The app just worked. The connection is fast and stable.



