- It has a vastly smaller attack surface than e.g. OpenVPN, because it is much less complex.
- Its performance is improved by being kernel based.
- Compatibility is helped by it being in the mainline kernel, i.e. every device shipping a recent enough kernel will be able to have it (no need to deploy/version libraries etc).
This goes both ways. Userland systems are susceptible to a myriad of attacks that a kernel, being privileged code, is not. We rely on the kernel (plus CPU rings) for most of the security enforcement in a machine, after all.
However, IF that code is compromised, the consequences are much more catastrophic.
I have been a bit wary of the WireGuard hype for much the same reason. Surely kernel mode is (a) the equivalent of running as root and (b) opens up a greater attack surface by virtue of running at kernel level.
Hm. I guess no-one has bothered with nftables yet, even when dealing with network code that's becoming part of the new upstream kernel (not just this blog, AFAIK wireguard upstream doesn't have any examples on using nftables either, just iptables).
I guess we need a new networking how-to?
Anyone aware of some resources I might have missed?
The community kind of skipped right over nftables to BPF. Simple use cases use iptables, complicated ones use BPF, nftables isn't flexible enough for the complicated use cases so everyone keeps using iptables.
IMO nftables is best used with your full ruleset defined in a file, and atomically loaded. nftables certainly does make your ruleset more grokkable than statefully appending ad-hoc rules everywhere, but you necessarily need the whole picture to gain from it.
So unfortunately it makes less sense for one-liners. Case in point: to use the masquerade action in a postrouting/nat chain, you also have to register a (possibly empty) prerouting/nat chain.
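The "whole ruleset in one file, loaded atomically" approach from the comment above, as an added example that is not from the thread or from the nftables or WireGuard projects. It emits a complete ruleset for a WireGuard gateway that masquerades tunnel clients out of its WAN interface, including the empty prerouting nat chain the comment mentions. The interface names (eth0, wg0), the tunnel subnet 10.66.0.0/24 and port 51820 are assumed placeholders and can be overridden from the environment:

```shell
#!/bin/sh
# Added example, not from the thread or from the nftables/WireGuard projects.
# Interface names, tunnel subnet and port are placeholders; override via env.
WAN_IF=${WAN_IF:-eth0}
WG_IF=${WG_IF:-wg0}
WG_NET=${WG_NET:-10.66.0.0/24}
WG_PORT=${WG_PORT:-51820}

# Print the whole ruleset. Starting with `flush ruleset` makes this file the
# single source of truth, and `nft -f` applies it as one transaction: a
# syntax error anywhere leaves the previous ruleset in place instead of a
# half-loaded one.
wg_nft_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        icmp type echo-request accept
        # WireGuard must be reachable from anywhere; the cryptokey routing
        # table, not the firewall, decides which peers may talk to us
        udp dport $WG_PORT accept
        # management only from inside the tunnel
        iifname "$WG_IF" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only tunnel clients using a tunnel source address are forwarded out
        iifname "$WG_IF" oifname "$WAN_IF" ip saddr $WG_NET accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    # masquerade lives in postrouting, but older kernels only de-NAT the
    # replies if a nat hook is also registered in prerouting, so this chain
    # is declared even though it holds no rules (harmless where not needed)
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $WG_NET oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Number of nat base chains in the generated ruleset (should be two);
# lets the shape be checked without root or the nft binary.
wg_nft_count_nat_chains() {
    wg_nft_ruleset | grep -c 'type nat hook'
}

# Parse-check first (`nft -c`), then load atomically. Run as root on the
# gateway; also needs net.ipv4.ip_forward=1 for the forward chain to matter.
wg_nft_apply() {
    wg_nft_ruleset | nft -c -f - && wg_nft_ruleset | nft -f -
}
```

Save the output of `wg_nft_ruleset` as /etc/nftables.conf to have it reloaded at boot by the distribution's nftables service; the forward chain only accepts sources inside the tunnel subnet, so a peer that spoofs an address outside its AllowedIPs is already dropped by WireGuard and anything else is dropped here.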
Does wireguard have a noticeable overhead wrt data size compared to an unencrypted connection? I was thinking of setting it up on a small RPi-like board at home, then on the laptop I carry around (when the lockdown is over). The purpose would be connecting to the Internet through the home broadband public IP, which could be handy. However, the laptop connects through a metered 4G connection which, although the data cap is more than reasonable, raises some concerns should the encryption require a lot more data than normal.
I just sent 200MiB of zeros over my wireguard connection to my VPS and my transmit counter on my wifi card went up by 238MB. Vs sending 1024MiB over just wifi to my Pi where the transmit counter went up by 1.04GiB.
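The per-packet cost behind the question and the counter reading above, as an added example that is not part of the thread: it encodes the data-message framing from the WireGuard paper (a 16-byte header and a 16-byte Poly1305 tag on top of the outer IP and UDP headers, with the plaintext zero-padded to a multiple of 16 bytes but never past the tunnel MTU). It models tunnel framing only, so a bulk transfer comes out near 4 percent; an interface byte counter also sees the inner TCP/IP headers, ACKs and whatever else the link layer accounts, which this does not model:

```shell
#!/bin/sh
# Added example, not a measurement from the thread. Outer framing per packet:
# IPv4 (20) + UDP (8) + data header (16: type, reserved, receiver index,
# counter) + Poly1305 tag (16) = 60 bytes, or 80 bytes with an IPv6 outer
# header, which is why the default tunnel MTU is 1500 - 80 = 1420.
WG_DATA_OVERHEAD=32   # 16-byte data header + 16-byte AEAD tag

# Bytes on the wire for one inner packet: $1 inner length, $2 tunnel MTU,
# $3 outer IP version (4 or 6). Plaintext is padded up to a multiple of 16
# but never beyond the MTU, so a full-size inner packet gets no padding.
wg_outer_len() {
    inner=$1; mtu=$2; ipver=${3:-4}
    padded=$(( (inner + 15) / 16 * 16 ))
    if [ "$padded" -gt "$mtu" ]; then padded=$mtu; fi
    if [ "$ipver" -eq 6 ]; then hdr=48; else hdr=28; fi
    echo $(( padded + WG_DATA_OVERHEAD + hdr ))
}

# Framing overhead in tenths of a percent for $1 bytes of inner packets,
# sent as full-size (MTU) packets plus one tail packet, over a tunnel with
# MTU $2 and outer IP version $3. Tunnel framing only: inner TCP/IP headers,
# ACKs and link-layer accounting are not included.
wg_overhead_permille() {
    bytes=$1; mtu=$2; ipver=${3:-4}
    full=$(( bytes / mtu )); rest=$(( bytes % mtu ))
    outer=$(( full * $(wg_outer_len "$mtu" "$mtu" "$ipver") ))
    if [ "$rest" -gt 0 ]; then
        outer=$(( outer + $(wg_outer_len "$rest" "$mtu" "$ipver") ))
    fi
    echo $(( (outer - bytes) * 1000 / bytes ))
}
```

`wg_outer_len 1420 1420 4` gives 1480 and `wg_outer_len 1420 1420 6` gives exactly 1500, which is the reason for the 1420 default; `wg_overhead_permille 209715200 1420 4` (200 MiB) gives 42, i.e. about 4.2 percent of framing for large packets, and proportionally more for small ones such as DNS queries or TCP ACKs, where the 60 bytes plus padding dominate.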
I know it's orthogonal to WireGuard itself, but I'd like to see these guides sometime provide some guidance around DNS, so that I can access services without having to remember the VPN client IP addresses.
If you're using NetworkManager and wireguard, try out the integration between the two as well. It lets you treat the tunnel as any other VPN in nm, and also easily avoids some issues with routing loops if you roam back onto your home network. Before, I always had to manually use wg-quick when I came back home or left.
In my experience, this does work somewhat, but doesn't set up the routes properly[1] and doesn't provide an interface to the networkmanager applet, so you are still left with configuring the profiles in the terminal. There is much left to be desired. Sadly the third-party plugin isn't much better and seems to be discontinued[2].
Also available in Ubuntu 20.04 (universe) via the dkms/module support that's been standard for use w/ wireguard for years. WireGuard also just hit 1.0 from a stable API perspective.
One thing that is imo downplayed about WireGuard as opposed to other VPNs is ease of use, specifically:
- setup is easy
- automated config of large setups is easy
- it is extremely resilient under temporary network failure
It's not really different from what's shown here, only you set AllowedIPs to a single address instead of all addresses (0.0.0.0/0). Here's a short guide I just wrote: https://jtvjan.nl/documents/s2s-wireguard.md
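The configs behind the "single address instead of 0.0.0.0/0" point above, as an added example that is not from the thread, the linked guide or the WireGuard project: it prints the files for a site-to-site link between two gateways, A and B, and for contrast a road-warrior laptop with a full-tunnel AllowedIPs, which also covers the "automated config of large setups" remark earlier in the thread. All keys, addresses and the endpoint vpn-a.example.net are constructed placeholders; real keys come from `wg genkey | tee a.key | wg pubkey > a.pub`:

```shell
#!/bin/sh
# Added example, not from the thread or the WireGuard project. Keys,
# addresses and the endpoint below are constructed placeholders.
A_PRIV='<site-a-private-key>'; A_PUB='<site-a-public-key>'
B_PRIV='<site-b-private-key>'; B_PUB='<site-b-public-key>'
C_PRIV='<laptop-private-key>'
A_HOST=10.66.0.1; A_LAN=192.168.1.0/24; A_ENDPOINT=vpn-a.example.net:51820
B_HOST=10.66.0.2; B_LAN=192.168.2.0/24   # B sits behind NAT: no fixed endpoint
C_HOST=10.66.0.10

# [Interface] block: $1 private key, $2 tunnel address, $3 listen port ("" = ephemeral)
wg_interface() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n' "$1" "$2"
    if [ -n "$3" ]; then printf 'ListenPort = %s\n' "$3"; fi
    printf '\n'
}

# [Peer] block: $1 public key, $2 AllowedIPs, $3 endpoint (""), $4 keepalive ("").
# AllowedIPs is the cryptokey routing entry for this key: wg-quick routes those
# prefixes into the tunnel, and the kernel drops any packet decrypted from this
# peer whose source address lies outside them. A peer given 0.0.0.0/0 may send
# packets with any source address, so only a trusted default gateway gets it,
# never a client entry on the server side.
wg_peer() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
    if [ -n "$3" ]; then printf 'Endpoint = %s\n' "$3"; fi
    if [ -n "$4" ]; then printf 'PersistentKeepalive = %s\n' "$4"; fi
}

# Gateway A: B's tunnel address plus B's LAN are routed to peer B. No Endpoint,
# because B is behind NAT and A learns B's address from B's handshake.
wg_site_a_conf() {
    wg_interface "$A_PRIV" "$A_HOST" 51820
    wg_peer "$B_PUB" "${B_HOST}/32, ${B_LAN}"
}

# Gateway B: A's tunnel address plus A's LAN, a fixed endpoint, and a
# keepalive so B's NAT mapping stays open while the link is idle.
wg_site_b_conf() {
    wg_interface "$B_PRIV" "$B_HOST" ""
    wg_peer "$A_PUB" "${A_HOST}/32, ${A_LAN}" "$A_ENDPOINT" 25
}

# Laptop: same shape, but AllowedIPs = 0.0.0.0/0 makes wg-quick install a
# default route through the tunnel (the consumer-VPN style setup).
wg_roadwarrior_conf() {
    wg_interface "$C_PRIV" "$C_HOST" ""
    wg_peer "$A_PUB" "0.0.0.0/0" "$A_ENDPOINT" 25
}
```

Write each function's output to /etc/wireguard/wg0.conf on the respective machine and bring it up with `wg-quick up wg0`; both gateways additionally need net.ipv4.ip_forward=1, and hosts on each LAN need a route to the remote LAN via their gateway (or the gateway must be their default route). Adding the laptop as a peer on A is the same `wg_peer` call with `"${C_HOST}/32"` as AllowedIPs, which is what keeps the server-side entry a single address.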
Assuming you meant Wireguard both times, I have a small guide I wrote for my team that I can throw up on my site. If I don't post a link here in a couple hours, reply here so I get a notification.
If you are just interested in configuring clients, Wireguard for Windows comes with a GUI that you can use. For Mac I'd suggest just using wg-quick[^1].
greatjack613|6 years ago
Excuse my ignorance, but can someone explain why a kernel based networking stack has less of an attack surface than a user-space based stack?
I mean logically user-space should be more secure no?
tpolzer|6 years ago
These don't have anything to do with each other.
outworlder|6 years ago
wmf|6 years ago
traceroute66|6 years ago
e12e|6 years ago
OK, I guess the nftables wiki is the "how-to": https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
dharmab|6 years ago
mindslight|6 years ago
squarefoot|6 years ago
nightfly|6 years ago
mathieubordere|6 years ago
jimmcslim|6 years ago
parshimers|6 years ago
http://blogs.gnome.org/thaller/2019/03/15/wireguard-in-netwo...
mqus|6 years ago
[1] https://forum.manjaro.org/t/wireguard-with-networkmanager-1-... [2] https://github.com/max-moser/network-manager-wireguard/
rubatuga|6 years ago
https://www.naut.ca/blog/2020/02/17/setting-up-a-wireguard-v...
tazeg95|6 years ago
pkulak|6 years ago
sandov|6 years ago
kapilvt|6 years ago
ur-whale|6 years ago
borplk|6 years ago
Everything I have found so far is about consumer VPN stuff.
I'm interested in possibly using wireshark for server-to-server as a less painful alternative to TLS.
franga2000|6 years ago
jtvjan|6 years ago
franga2000|6 years ago
platz|6 years ago
tjohns|6 years ago
Wireguard uses a custom protocol that isn't supported by Windows' built-in VPN client. Most OSes only natively support IPsec/L2TP or PPTP.
kasey_junk|6 years ago
There is a WireGuard client for Windows.
boromi|6 years ago
leotaku|6 years ago
[^1]: https://manpages.debian.org/unstable/wireguard-tools/wg-quic...
kccqzy|6 years ago
rubatuga|6 years ago
https://www.naut.ca/blog/2020/02/17/setting-up-a-wireguard-v...
enrichpu|6 years ago
[deleted]