If I understand the kernel development process correctly, this means it's on track to land in 5.6 (since 5.4 is the current stable and the merge window for 5.5 is already closed). Correct?
This is very welcome news! I had a seamless time using wireguard (via a streisand installation) on my honeymoon in Italy on my phone and more importantly, my wife's phone. It worked seamlessly.
Next up I'd like to see this be an easy config option in Unifi's network management tools
> I had a seamless time using wireguard (via a streisand installation) ...
I've been using Wireguard via https://github.com/trailofbits/algo for a while now. Of all of the VPN experiences over the last couple of decades, Wireguard has been light-years ahead of the rest.
First: it's fast. If the server is up and you don't have packet loss, you can't tell when it is turned on. For fun, I wrote some trivial automation to automatically and randomly switch between a few wireguard back ends, and I generally can't detect it.
Second: it's easy. For me, an experienced technical user. I don't know enough about the ecosystem to recommend it to less technical people, though given how basically sound it is, I'll be surprised if there aren't really easy and robust front-ends coming up.
After switching to wireguard I've been really blown away at how much better the experience is on a phone than other VPN methods. It's always on on my phone as long as I'm not using my home wifi, and I just never need to think about it.
It works great on mullvad for me, never any issues. I just installed the PPA for Ubuntu 18.04 and everything else was easy peasy. Some people say it's faster for them but I don't see that on my Gigabit connection, just a bit less CPU compared to openvpn, but neither really uses all that much, it's a fraction of a single processor on my 6 core machine.
I don't remember exactly when I started using it but it feels like forever and I have forgotten about all the VPN nightmares that I had before.
I can't wait for Wireguard support in all kinds of routers and other appliances.
I've been using tinc[1] as a way to get a mesh VPN on all my machines that works even if some of them are behind restrictive firewalls. It works really well and I've automated the setup with puppet so I just deploy it automatically any time I bring up a machine. Highly recommended.
Anyone know if there has been any recent work on making wireguard cover this use case? I'm not really worried about security as I treat this overlay network as just as insecure as any other (running ssh over it) and mitigate exploits by running the tinc daemon as a normal user. But it would still be nice to get more performance and security from an in-kernel quality solution like wireguard.
I use zerotier[1] in a similar fashion, and I don't think there's any out-of-the-box solution to get wireguard to do "smart" routing (have two hosts on same switch talk directly, still be able to talk to server in a remote datacenter and a client roaming on cellular - with multicast and mDNS/bonjour working seamlessly).
It should be possible to set something up - but I believe you'd need some kind of managing daemon that helped nodes rendezvous and set up routes.
If you haven't given WireGuard a try yet, now is a good time.
Securely and reliably connecting all my devices with WireGuard was a big reminder to me that there's a much better internet hiding under the hub-and-spoke consumer services model. The internet can be so much more than our phones connecting to large data centers.
Hoping this will have a pervasive effect like https in the networking world, esp for point to points that glue things together behind the scene. Encrypt all the things!
I recently had to start using PulseSecure. For authentication that damn thing loads a full blown webpage in the background, actually executes the JavaScript therein, fills some forms and submits that via POST. There's a PulseSecure module for openconnect, but it's unable to send the keepalive reauthentications, because it's unable to correctly associate the presented form inputs with the credential fields, so I'd have to enter them manually, on each keepalive.
I can only hope that WireGuard is going to drive a solid piece of hardwood through every "commercial grade" VPN appliance out there, and then disintegrates their heads, too, just to be sure.
But given the inertia of big orgs, and that public and governmental institutions for one reason or another seem to trust "BIG" names with "BIG" (i.e. bloated) products and marketing more than small, easily auditable stuff, I don't see it happening… sadly.
But outside of DNS (and agree that's a big outside), aren't pretty much all major protocols already encrypted these days? SMB2 was the last big one I could think of, but SMB3 has (optional) encryption.
pfSense is a FreeBSD downstream, right? First you'd have to port Wireguard to FreeBSD. Or you could run the userspace server, but expect poor performance.
Great experience with WireGuard so far, but does anyone know a simpler way to use it over networks where UDP is blocked (e.g. university Wi-Fi)? I've only found this comment[1].
You could try setting up a WireGuard server that listens on udp port 53, which is typically used by DNS and unlikely to be blocked. I haven't used it, but algo recently added a configuration option to do so[1]. Of course WireGuard traffic will look much different than DNS, so they could still block it if they really care to.
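As an added example (not code from the thread, from algo, or from the WireGuard project), the shell function below writes the two halves of such a setup: a server config that listens on UDP 53 and a client config whose Endpoint points at port 53, with a keepalive so the mapping survives NAT on a campus network. Key material, the host name vpn.example.org and the 10.66.0.0/24 addresses are placeholders you supply (generate real keys with `wg genkey | tee priv | wg pubkey > pub`). One caveat on top of the comment's own: the server must have no resolver bound to 0.0.0.0:53, or WireGuard will not be able to bind the port.

```shell
#!/bin/sh
# Added example, not from the thread: write a matching WireGuard server/client
# config pair with the server on UDP port 53.  All keys, hosts and addresses
# are caller-supplied placeholders.
set -eu

# write_wg_pair OUTDIR SERVER_PRIV SERVER_PUB CLIENT_PRIV CLIENT_PUB SERVER_HOST PORT
write_wg_pair() {
    outdir=$1 server_priv=$2 server_pub=$3 client_priv=$4 client_pub=$5 host=$6 port=$7
    mkdir -p "$outdir"
    umask 077   # the files contain private keys; create them mode 0600

    # Server side: one [Peer] per client, each pinned to a single /32.
    cat > "$outdir/server-wg0.conf" <<EOF
[Interface]
Address = 10.66.0.1/24
ListenPort = $port
PrivateKey = $server_priv

[Peer]
PublicKey = $client_pub
AllowedIPs = 10.66.0.2/32
EOF

    # Client side: full tunnel, endpoint on the DNS port, keepalive for NAT.
    cat > "$outdir/client-wg0.conf" <<EOF
[Interface]
Address = 10.66.0.2/24
PrivateKey = $client_priv

[Peer]
PublicKey = $server_pub
Endpoint = $host:$port
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# endpoint_port CONF: print the port number from the Endpoint line of a client config
endpoint_port() {
    sed -n 's/^Endpoint = .*:\([0-9][0-9]*\)$/\1/p' "$1"
}

# Invoked directly with all seven arguments, write the pair; otherwise only define the functions.
if [ $# -ge 7 ]; then
    write_wg_pair "$@"
fi
```

Bring the result up with `wg-quick up ./client-wg0.conf` on the client and the server file under /etc/wireguard/ on the server; because AllowedIPs on the server is a single /32, the server drops any packet from that peer whose inner source address is not 10.66.0.2.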
I'm excited by this, but I'd really love a userspace C or C++ implementation. I know that context switching syscalls take time, but I've enjoyed the trend of the last 10 years towards more userspace services, not less. (I'm particularly thinking of filesystems in userspace and block devices in userspace)
Still, cool. cool, cool cool. I wonder how long until it's in debian.
Well, to be fair, it was already pretty straight-forward to run WireGuard in production (if your distribution of choice has a WireGuard DKMS package). What I'm more excited about is more people building products on top of WireGuard, thus making it more accessible for the non-sysadmins out there.
What is the timeline for making wireguard viable for commercial VPNs?
"""
There's a few fundamental issues with wireguard that make it relatively unsuitable for commercial VPNs with many customers.
For a start, if you want to offer customers multiple concurrent devices, each device needs it's own key, and all keys for all customers' devices need to be loaded into kernel memory and cross checked against every packet received, which as you might imagine gets incredibly unwieldy and could savagely impact the performance of PIA servers.
When wireguard has the ability to hook a userspace daemon when it receives a valid-looking packet with unrecognised encryption, it'll be a lot closer to usable in commercial contexts, as the daemon could poke a database or cache to load the required keys on demand
WireGuard is much faster than OpenVPN, much simpler to set up than OpenVPN (except for having to set up IP addresses it's approximately as easy to get working as SSH), and it's much, much more secure than OpenVPN.
Sorry for off topic, but is there any way how to set up wireguard (or any VPN) to be used for just a single app (let's say Firefox) and not system wide on macOS?
Something similar to https://github.com/darkk/redsocks with ssh and setting up proxy in Firefox?
This is great news! I've been a wg user on an EdgeRouter for a little over a year now, and the experience is always just so _seamless_. The architecture of this thing's a beaut.
That news aside, this is an outstanding commit message. The kernel never disappoints on those.
It means that WireGuard will be included in your distro's kernel, which will ease installation. Before, you had to do some ugly kernel module compilation steps, usually using dkms, which was prone to failure and was a general nightmare to deal with. Moving forward, you'll just run "apt install wireguard-tools", and you'll be all set.
To temper expectations, though, this is slated for 5.6, which won't be released for another ~120 days or so. After that point it will trickle down to distros. So there's some time yet before users start seeing the direct consequences of this exciting announcement, but it'll be coming.
WG exposes a point to point / l3 network interface like any other to userspace, so an answer would not be specific to wireguard but about networking and routing in general.
Whenever so many networks are deployed with this that Apple becomes interested in supporting it for their users. Being in the kernel should help with this, but obviously there's no actual timeline. Maybe never
Much faster, as it is UDP-based, it basically just keeps spraying network packets. I noticed that my SSH sessions are resumed after closing and reopening my laptop half an hour later.
nikisweeting|6 years ago
- how it works internally
- how the routing works in different topologies
- a few complex and simple example setups
- performance expectations
- security model, key & config distribution
- setting up wireguard for, or inside of docker
- GUI tools and other wireguard-related software
- links to other tutorials, references, guides
AceJohnny2|6 years ago
I feel old and obsolete.
gukov|6 years ago
PS Are you an actual pirate?
vectorEQ|6 years ago
zx2c4|6 years ago
https://lists.zx2c4.com/pipermail/wireguard/2019-December/00...
https://lists.zx2c4.com/pipermail/wireguard/2019-December/00...
https://lkml.org/lkml/2019/12/8/257
MertsA|6 years ago
zamadatix|6 years ago
majewsky|6 years ago
signa11|6 years ago
samgranieri|6 years ago
Diederich|6 years ago
chadlavi|6 years ago
stjohnswarts|6 years ago
Jnr|6 years ago
pedrocr|6 years ago
[1] https://tinc-vpn.org/
e12e|6 years ago
[1] https://www.zerotier.com
ldng|6 years ago
crawshaw|6 years ago
seriesf|6 years ago
Havoc|6 years ago
datenwolf|6 years ago
cm2187|6 years ago
F00Fbug|6 years ago
I'm hoping that the 1.0 release will prompt Netgate to consider inclusion in pfSense.
LeoPanthera|6 years ago
loeg|6 years ago
haywirez|6 years ago
[1] https://news.ycombinator.com/item?id=17847008
yusefnapora|6 years ago
[1]: https://github.com/trailofbits/algo/pull/1594
GhettoMaestro|6 years ago
loxias|6 years ago
jeltz|6 years ago
sascha_sl|6 years ago
https://git.zx2c4.com/wireguard-go/about/
jlgaddis|6 years ago
I know you mean in stable, but it's been in unstable for 3+ years now!
fffrantz|6 years ago
majewsky|6 years ago
ralala|6 years ago
Agenttin|6 years ago
hsivonen|6 years ago
7ewis|6 years ago
My VPN provider has said they won't support WireGuard until it hits 1.0
zx2c4|6 years ago
fmajid|6 years ago
gruez|6 years ago
AFAIK there are some major issues with wireguard that have to be resolved before it's practical for commercial VPNs.
https://old.reddit.com/r/PrivateInternetAccess/comments/d1bl...
markosaric|6 years ago
novok|6 years ago
"""
There's a few fundamental issues with wireguard that make it relatively unsuitable for commercial VPNs with many customers.
For a start, if you want to offer customers multiple concurrent devices, each device needs it's own key, and all keys for all customers' devices need to be loaded into kernel memory and cross checked against every packet received, which as you might imagine gets incredibly unwieldy and could savagely impact the performance of PIA servers.
When wireguard has the ability to hook a userspace daemon when it receives a valid-looking packet with unrecognised encryption, it'll be a lot closer to usable in commercial contexts, as the daemon could poke a database or cache to load the required keys on demand
"""
https://www.reddit.com/r/PrivateInternetAccess/comments/d1bl...
boobePhuu7iet7i|6 years ago
doctoboggan|6 years ago
Does anyone know how this compares with OpenVPN? Is it worth setting up my own wireguard machine?
tptacek|6 years ago
Avamander|6 years ago
Much nicer to use in pretty much every aspect.
iudqnolq|6 years ago
Depending on just how out of date it is, that could be an issue: https://openvpn.net/security-advisories/
finchisko|6 years ago
Diagon|6 years ago
Redsocks is a transparent proxy, though. That'll redirect system-wide. I think you're thinking of your basic socks proxy - `ssh -D`.
_verandaguy|6 years ago
funkyshit|6 years ago
zx2c4|6 years ago
ikeboy|6 years ago
moreentropy|6 years ago
Network Namespaces and VRFs are the correct way to approach this I think: https://www.kernel.org/doc/Documentation/networking/vrf.txt
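The namespace approach the comment points at, as an added example (not from the thread or from the WireGuard project, and Linux only, so it does not answer the macOS case): the WireGuard interface is created in the init namespace, so its UDP socket and the encrypted packets stay there and leave through the physical NIC, and the interface is then moved into a fresh namespace where it is the only route out. Any program started with `ip netns exec` in that namespace can reach the network only through the tunnel, and nothing outside it is affected. The namespace name vpnns, the interface wg0, the address 10.66.0.2/24 and the path /etc/wireguard/wg0.conf are assumptions; the conf must be in plain `wg setconf` form (no Address or DNS lines). Running it needs root; `DRY_RUN=1` prints the commands instead.

```shell
#!/bin/sh
# Added example, not from the thread: confine one application to a WireGuard
# tunnel with a Linux network namespace.  Names and addresses are constructed.
set -eu

# run CMD...: execute, or only print when DRY_RUN=1 (so the plan can be reviewed unprivileged)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# wg_netns_up NS IFACE CONF ADDR
# WireGuard's UDP socket is bound in the namespace where the interface is
# *created* (init here), so ciphertext still egresses via the real NIC; the
# interface itself is then moved into NS, where it becomes the default route.
wg_netns_up() {
    ns=$1 iface=$2 conf=$3 addr=$4
    run ip netns add "$ns"
    run ip link add "$iface" type wireguard
    run wg setconf "$iface" "$conf"          # keys/peers loaded before the move
    run ip link set "$iface" netns "$ns"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" addr add "$addr" dev "$iface"
    run ip -n "$ns" link set "$iface" up
    run ip -n "$ns" route add default dev "$iface"
}

# wg_netns_exec NS CMD...: start a program whose sockets all live in NS
wg_netns_exec() {
    ns=$1; shift
    run ip netns exec "$ns" "$@"
}

# wg_netns_down NS IFACE: tear the tunnel and the namespace down
wg_netns_down() {
    ns=$1 iface=$2
    run ip -n "$ns" link del "$iface"
    run ip netns del "$ns"
}

# Direct invocation: up|exec|down followed by that function's arguments.
case "${1:-}" in
    up)   shift; wg_netns_up "$@" ;;
    exec) shift; wg_netns_exec "$@" ;;
    down) shift; wg_netns_down "$@" ;;
esac
```

Typical use is `./wg-netns.sh up vpnns wg0 /etc/wireguard/wg0.conf 10.66.0.2/24` followed by `./wg-netns.sh exec vpnns firefox`; only the process started that way (and its children) uses the tunnel. If the namespace should resolve names through the tunnel, put a resolv.conf for it at /etc/netns/vpnns/resolv.conf, which `ip netns exec` bind-mounts over /etc/resolv.conf for that process.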
ryanlol|6 years ago
Agenttin|6 years ago
jchw|6 years ago
rswail|6 years ago
tbrock|6 years ago
habitue|6 years ago
brian_herman__|6 years ago
talkingtab|6 years ago
baybal2|6 years ago
tptacek|6 years ago
pilif|6 years ago
On the other hand: No built-in client in any of the mobile OSes, so a third-party client install is required.
axismundi|6 years ago
eeZah7Ux|6 years ago
pferde|6 years ago
https://www.wireguard.com/performance/
https://an.undulating.space/post/181227-er_alternate_firmwar...
...and more. Put some minimum effort in yourself, man!
wyldfire|6 years ago
mangix|6 years ago
nif2ee|6 years ago
yjftsjthsd-h|6 years ago
amdavidson|6 years ago