WireGuard is in net-next (opens in new tab)

It may be way simpler for basic setups but it quickly becomes as or more complex than ipsec for more advanced setups such as those involving dynamic routing and/or fail over routes. The additional complexity is due to the fallout of allowed-ips and how they are used.

What you essentially end up with is that a wireguard interface represents a point to multipoint non-broadcast network. Any one that has dealt with Frame Relay or ATM can tell you what a headache dealing with dynamic routing over such a network can be. Fun things like having to hand configure your OSPF neighbors. This can be overcome by configuring each Wireguard peer to a separate interface essentially making the interface a point to point network or using another tunneling protocol overtop of Wireguard such as GRE or L2TP. But you quickly lose any simplicity advantage.

Even for something like a static floating route for backup Wireguard can be more complex because a Wireguard interface once turned up will not show as down unless manually turned down. This means the connection has to be monitored and the backup route installed based upon the monitoring criteria. Again nothing that can't be overcome but doing so raises the complexity.

Unless you are assigning each peer to a different Wireguard interface and setting allowed-ips to all ips you also have to figure out how to update the allowed-ips for peers to be updated as the routing changes.

Personally I would have preferred if allowed-ips didn't exist and each peer was assigned to a sub-interface whose status could change based upon keepalives. Then the normal ip routing and filtering facilities of the kernel could have been used instead of the current situation where you have some amount of filtering and routing effectively being done by the Wireguard interface and then some being handled by the kernel.

I used to contribute quite a bit to the Wireguard package for Ubiquity routers but stopped when I switched to ipsec. It was apparent that Wireguard was more complex to setup and troubleshoot for even slightly advanced scenarios.

As for your statement that it is faster that greatly depends upon the platform being used. It is faster than OpenVPN almost everywhere but many network devices have SoCs that provide slow CPUs and acceleration for ipsec or at least the crypto underlaying it. On those platforms it often is not faster than ipsec.

Don't get me wrong despite my comments overall I think Wireguard is pretty darn nifty and am happy to see it included in the kernel. I just think it needs more tooling developed around it before it can be a less complex replacement for ipsec in even some fairly basic scenarios.

This doesn't even cover the enterprise road warrior VPN scenarios where Wireguard currently lacks many of the more advanced enterprise features of OpenVPN or proprietary offerings from the likes of Cisco, Pulse Secure or Citrix. Hopefully development of the additional protocols and tools needed to add support for more advanced scenarios is accelerated now that Wireguard will be in the kernel. Of course once these are added there is the risk that a Wireguard based feature comparative implementation ends up just as bloated and complex to audit as any of the current alternatives.

I like my always-on IPsec tunnel on android. Never really understood this entire wireguard hype. Probably because VPN just got a bit easier for some people..?

IPsec, at least using IKEv2, also uses UDP in most deployments where you are not using IPsec directly without encapsulation (not that it makes a real difference). You may be confusing with OpenVPN, which can run over TCP.

In terms of speed, they are comparable. The great benefit of WireGuard is simplicity on Linux compared to the configuration nightmare that is StrongSWAN, but implementing IPsec/IKEv2 on OpenBSD using OpenIKEd is roughly comparable if you use Let's Encrypt certificates.

You can get really inexpensive GL.inet GL-MT300N-V2 "mango" boxes (about $20) that will provide transparent WireGuard or OpenVPN encryption for a device that doesn't support VPNs out of the box (ahem, a Smart TV or streaming box, to bypass geo restrictions). They don't support IPsec.

https://www.gl-inet.com/products/gl-mt300n-v2/

IPSec is too (at least in tunnel mode).

> Put some minimum effort in yourself, man!

It's reasonable to ask the community for opinions/analysis. I'm fine with telling people to do their own research for simple facts/processes, but "how do these things compare" is potentially subjective, depends on experience, and IMO is a suboptimal fit for websearching.

I can tell you that as long as the crypto in WireGuard is DJB stuff that can't be FIPS certified, Cisco and Juniper and such will still do a strong VPN business and you will rarely see it in BigCo, at least in the US.

Security is largely about checking boxes to reduce liability, and FIPS is a checkbox.

Corporate IT is unbelievably conservative. It's all still about Active Directory, Windows domains, and SSL VPNs with FIPS certification and AD support.

WireGuard is actually pretty awful from an IT security org perspective. There are no logs when someone connects or is trying to connect, so auditing or troubleshooting becomes extremely difficult short of packet captures. Additionally, there is no concept of two step auth, so if your key is compromised, anyone can connect without anyone knowing about the compromise.

If security companies adopt WireGuard, expect things like PulseSecure to remain as a wrapper around WireGuard. They'll at least standardize on a performant and verifiable VPN solution.

> I can only hope that WireGuard is going to drive a solid piece of hardwood through every "commercial grade" VPN appliance out there

I'm not sure that will happen. I mean, we had multiple solutions very close to what wg provides already. They're not as trivial to configure, but it would definitely be easier than creating a custom java applet instead.

Whatever makes enterprise VPN so bad, it doesn't seem to be the availability of better tech.

Currently looking at new vpn solutions where I work. Would like to use WG but it's just not suitable for a corporate environment (and neither is openvpn really, though we use it today), and it likely never will be because of how its designed (not a bad thing).

I've used it privately for a while and it is much better than anything else.

> But given the inertia of big orgs, and the that public and governmental institutions for one reason or another seem to trust "BIG" names with "BIG" (i.e. bloated) products and marketing more, than small, easily auditable stuff, I don't see it happening… sadly.

This might quite literally be F5’s reasoning behind their BIG-IP Edge VPN client. :)

Apart from DNS, the destination address on each packet leaks a lot of information about which online properties you are accessing. A determined attacker may even be able to figure out exactly which webpage you are on, based on the size of the packets and the order in which you connect to various addresses. Using a good VPN helps obfuscate a lot of that metadata.

Whether you can actually trust an HTTPS site or an IMAP connection when you're in a hotel in China is another problem that a VPN can solve. The CA infrastructure is ridiculously fragile, especially now that HPKP is dead in the water.

You should encrypt DNS. DPRIVE standardised DNS over HTTPS or if wrapping yet more things inside HTTP makes you want to vomit DNS over TLS directly. You can use it today.

Third: it doesn't wreck my battery life, like others do.

I've been using now wireguard for the past two years, really happy with it!

> Second: it's easy.

To give you some perspective, it's so easy that my four year old knows how to turn it on when we're traveling and she wants to watch PBS Kids.

On iOS it's still a userspace client, as I understand it, and the additional battery drain was very noticeable for me.

Do you have an automated way for turning it off when you're on home wifi? Trying a similar setup, and it isn't immediately clear other than via manual activation how to not use Wireguard in that situation.

Thanks.

I don't think it's fair to say "better" here. Waiting for stable software releases is a perfectly valid approach. It may not be your approach, which is also fine, but neither approach is better than the other.

This is what I've advising people with a little bit of know-how to do. Using Algo [0] (If you only need Wireguard and little else) or Streisand [1] (If you need Wireguard in addition to many other things) makes it pretty much trivial.

[0] https://github.com/trailofbits/algo

[1] https://github.com/StreisandEffect/streisand

Yeah, there are some issues which makes it harder than it has to be but e.g. Mulllvad has been providing it to their customers for a long time. Required extra work but not insane amounts of it according to a guy at Mullvad who I was talking to.

ProtonVPN is involved with funding Wireguard development: https://protonvpn.com/blog/wireguard-donation/

Cool, thanks, I'll have to check that out!! I've sorta been itching for an excuse to learn rust. Go left me underwhelmed, but that's probably due to me having misplaced expectations. (it's not a better C or C++, it's a better Perl/Python/Shell)

There is also https://github.com/cloudflare/boringtun

Edit: Someone running wg in userspace and can share some experiences with either implementation?

I think he/she means "when will Debian ship with kernel 5.6 or greater".

Thanks for the information. What is your recommended way to set up a wireguard server on a home network? Some quick googling tells me it is possible to do it with a raspberry pi, but I would be worried about that being a bottleneck.

> WireGuard is much faster than OpenVPN

Not relevant for most home internet connections

> much simpler to set up than OpenVPN

+1

> and it's much, much more secure than OpenVPN.

That’s uselessly vague. Do you mean the protocol, the implementation approach, the underlying crypto, or what?

It can't be easier to setup that OpenVPN was on my router (just clicking a checkbox), but I am very interested in switching to a new VPN as I would like to be able to stay continuously connected from my mobile phone, and I understand that OpenVPN isn't great for this.

What is your preferred method for getting a WireGuard server installed on your home network?

For most users, if it's not Google-able and in nice HTML format it doesn't exist ;)

I am not haha, I just snagged the cool username through a dormant username transfer request.

Same with OPNSense.

Exactly. Netgate has long said that they won't touch it until it's production-ready; they keep pointing to the warning messages in WireGuard saying that it's beta and when the time is right, they'll consider it.

I'm happy they're being cautious. The inclusion in the Linux kernel is perhaps (to Netgate) a sign that things are headed in the right direction.

As far as FreeBSD, all that exists today is a userspace package (AFAIK). Again, I'm hoping someone sees this as a step forward and will start working on the FreeBSD port.

I'm glad to see progress and hoping for more of it!

Userspace already has a package https://www.freshports.org/net/wireguard/

I would say DNS is more likely to be blocked than other UDP ports, to force the use of a specific DNS server (not uncommon on public networks).

Blocking DNS to arbitrary IPs is very common in locked down environments. They force you to use their resolver handed out by DHCP.

Udp2raw and similar software could be used to bypass UDP restrictions. Basically it creates valid tcp headers and sends those packets with them through raw socket.

We merged "Frankenzinc" for 5.5, some sort of contorted compromise solution. I'll be working on fixing lingering warts during the 5.5 and 5.6 cycles there.

I use zerotier in a similar fashion. It has been great.

Properly encrypted data is basically impossible to compress. Lossless compression requires repeating patterns in the data and lossy compression requires an ability to understand the content. Since properly encrypted data should be indistinguishable from random noise, neither of these things apply.

Compressing first and then encrypting the compressed data works fine though.

It works mostly without problems, but be careful relying on it as a sole means of accessing your server. I've locked myself out (luckily it was just a test server) by closing SSH port on public IP and allowing it only on Wireguard interface. One day I updated the kernel, dev headers got mixed up and my wg0 interface didn't come up after reboot.

I installed wireguard via ppa on my ubuntu based distro, which wasn't too much of a pain. Are you referring to the "hacks" needed in your install section on the website for e.g. Red Hat/Cent OS?

very happy with the performance and stability, thanks a lot for your work!

Would it mean that changes in Wireguard will require a new version of the kernel ?

EDIT: I mean, if I am on debian and I have kernel 5.6-build123, a patch to Wireguard would mean I will need to upgrade to 5.6-build124 ?

Not OP. I have a wireguard server setup on my home network. Client installed on my mobile devices. The always on UDP connection seems to use less battery than my previous setup of a TCP VPN. I use this setup to allow my mobile devices to use my home recursive DNS server, which blocks tons of domains for tracking, ads, etc.

It has a relatively seamless setup and is far from bloated, encryption is efficient on low-powered ARM devices and it works surprisingly well in environments where internet connections are shoddy at best.

This is what we (https://tailscale.com) are working on! WireGuard is incredible, but adding some key management (that integrates with your IAM system) and NAT traversal really helps to round things out. I'd love to hear suggestions and feedback on what we're building.

My experience with dealing with the DKMS implementation of the Nvidia drivers left a sour taste in my mouth. Not fun when something goes sideways with an update and thousand nodes need to be recovered

But its point updates will provide the option to update the kernel. https://wiki.ubuntu.com/Kernel/LTSEnablementStack

I created a script to distribute the configuration to all relevant VMs.

A network configuration is basically: a port, a name, a set of peers(public key, external ip, wireguard ip). If you want, you can distinguish between master and slave peers (=the slaves do not know/trust each other; master knows everyone)