The difference between wireguard and OpenVPN is that there is no real negotiation between the client and server.
Connecting to OpenVPN can take several seconds as it authenticates you, figures out encryption algorithms, IP and route management. If the network or OpenVPN server hiccups, it drops you and you need to reconnect and renegotiate again.
Wireguard does not do this; the interface comes up regardless of whether the remote server is up. The client and server keys have already been exchanged, and the routing and IP are statically configured, so the server can just receive packets without any negotiation.
Clients are identified by their public key, so roaming and IP switches are seamless as well.
There actually is a very tiny amount of negotiation in that the protocol has perfect forward secrecy, so the connection re-keys every two minutes (hard-coded time value).
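Because the interface is up whether or not the far side ever answers, peer liveness has to be read from the handshake timestamps rather than from the link state. The script below is an added example written for this page (not code from the commenters or the WireGuard project): it parses `wg show <if> dump` output and reports peers whose latest handshake is older than a limit; the peer names, endpoints and timestamps in the sample dump are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a WireGuard interface is "up" even when
# no peer answers, so liveness has to be read from the handshake timestamps
# instead. stale_peers DUMP NOW MAX_AGE reports peers from `wg show <if> dump`
# output whose latest handshake is older than MAX_AGE seconds, or that never
# completed one. Meaningful only for peers with keepalive or steady traffic,
# since an idle peer has nothing to handshake for.
# Peer lines are tab-separated:
#   pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
stale_peers() {
  dump="$1"; now="$2"; max_age="$3"
  printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max="$max_age" '
    NR == 1 { next }                 # first line describes the interface itself
    $5 == 0 { printf "%s never\n", $1; next }
    now - $5 > max { printf "%s stale %ds\n", $1, now - $5 }'
}

# Constructed sample dump: placeholder keys, epoch-second timestamps. PEERB has
# never handshaked and PEERA is 300 s old; with the 180 s REJECT_AFTER_TIME
# limit both are reported, PEERC (50 s) is not.
SAMPLE_DUMP="$(printf '%b\n' \
  'SERVERPRIV=\tSERVERPUB=\t443\toff' \
  'PEERA=\t(none)\t203.0.113.10:51820\t10.200.0.2/32\t1700000000\t1024\t2048\t25' \
  'PEERB=\t(none)\t(none)\t10.200.0.3/32\t0\t0\t0\toff' \
  'PEERC=\t(none)\t198.51.100.7:40000\t10.200.0.4/32\t1700000250\t512\t768\t25')"
NOW=1700000300

# Live use: stale_peers "$(wg show wg0 dump)" "$(date +%s)" 180
stale_peers "$SAMPLE_DUMP" "$NOW" 180
```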
It's sort of hard to provide any other than "yes/no" to a question like "Is WG stable/reliable", right?
For most uses the answer is probably "yes" but there are use cases (I'm guessing around auth and middleboxes that do not like UDP) where the answer would be "no".
WireGuard is also orders of magnitude more secure than OpenVPN.
I stand by my assertion that eventually nobody will talk about Wireguard because everyone will use it for almost everything. It'll be like HTTPS, TLS, or TCP.
Installed OpenVPN instead, took me 2 minutes and worked immediately with far fewer config file changes.
I've had this experience before with Wireguard as well. People keep saying how easy it is and in my experience... it simply isn't.
OpenVPN has a lot of BS overhead and I'd be more than pleased to move off of it. But WG hasn't been simple for a common use case - install on Ubuntu VPS, client on Windows.
- WireGuard server running on my FreeBSD VPS. Always on.
- WireGuard client running on my MacBook Pro M1 laptop (and prior to that, on the MacBook Air that I had before this computer). I activate this one when I need to connect to my server or to some other device on the VPN.
- WireGuard client running on my iPhone X. Like with my laptop, I activate it when I need to connect to the server or to another device on the VPN.
- WireGuard client running on my grandfather's Mac Pro desktop computer. Always on. This allows me to remote into his computer via the macOS-builtin VNC server on his computer, to help him out when he is stuck at something. I use the macOS-builtin VNC client on my MBP or a third-party VNC client on my iPhone. In either case the connection is tunneled over the WireGuard VPN. I also have the builtin SSH server running on his computer that I connect to over WG VPN to transfer files or run commands through.
- WireGuard client running on my desktop computer which runs KDE Neon Linux. Always on.
WireGuard has been almost trivially simple to set up across all of these systems; FreeBSD, macOS, iOS, Linux. And I am sure it is equally simple to set up on many other systems as well.
WireGuard has been very stable and reliable too for all of the time that I have been using it.
Some months ago I changed the WireGuard configuration on my server to run on port 443 UDP instead of the UDP port that WireGuard server would run on by default. This has allowed me to connect to my VPN even when using some public hotspots that were very restrictive on what traffic they allowed through and where previously I could not connect to my WireGuard VPN. Deep packet inspection would still block the traffic I assume, but in all cases with regular public hotspots in my country I have been able to connect to my VPN after I made this change of what port I am using. I live in Norway.
I highly recommend anyone that wants to run their own VPN to use WireGuard.
I personally use my WireGuard VPN for connectivity between these hosts only, not for tunneling traffic that is routed out onto the wider Internet. (That is, my tunnel runs over the Internet but I only use it for traffic that is destined to the machines that are members of the VPN.) So I cannot really comment on the use-case of tunneling Internet traffic, but from the experience with connecting the hosts in my VPN I can only assume that tunneling Internet traffic would work out equally well.
I am really eager to hear details how the VPNs are implementing Wireguard - particularly the address management portion.
Are you tunneling out of AWS, or are you using some AWS node as a wireguard server? Sounds like the former with wireguard interface being the default gateway (I am not an AWS user and am just guessing)... Adding a route for the AWS DNS server IP(s) to use the real network interface for traffic instead of the wireguard interface might work. Something like
ip route add <AWS DNS server IP or AWS subnet> dev <normal network interface such as eth0>
e.g. ip route add 10.0.0.0/24 dev eth0
Of course, that will make DNS traffic bypass wireguard. If your goal is to hide your DNS queries from AWS except for internal AWS queries, then you will indeed have to run some local resolver that is set up to use the AWS DNS server for AWS-internal queries and some other server (be it a local one or some public one) for everything else.
If what you care about is anonymizing your traffic, then you need someone else's computer. That's the idea, to mix your traffic in with a bunch of other traffic.
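Two of the configurations discussed in this thread put together: a server listening on UDP 443 (the port change described in the earlier comment) and a full-tunnel client that keeps one subnet, such as the cloud provider's internal DNS range, on the physical uplink (the route-around-the-tunnel idea above). This is an added example written for this page, not code from either commenter; the key values, the 10.200.0.0/24 tunnel subnet, the endpoint name and the gateway address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit wg-quick configs for a server
# listening on UDP 443 and a full-tunnel client that keeps one subnet (e.g.
# the cloud provider's internal DNS) on the physical uplink. Keys are
# placeholders; generate real ones with `wg genkey | tee k | wg pubkey`.
SERVER_PRIVKEY='<server-private-key>'
SERVER_PUBKEY='<server-public-key>'
CLIENT_PRIVKEY='<client-private-key>'
CLIENT_PUBKEY='<client-public-key>'

# gen_server_conf UPLINK_IF: listen on 443/udp, NAT tunnel traffic out UPLINK_IF
# (the VPS also needs net.ipv4.ip_forward=1 for the full-tunnel client).
gen_server_conf() {
  uplink="$1"
  cat <<EOF
[Interface]
PrivateKey = $SERVER_PRIVKEY
Address = 10.200.0.1/24
ListenPort = 443
PostUp = iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o $uplink -j MASQUERADE

[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.200.0.2/32
EOF
}

# gen_client_conf ENDPOINT_HOST BYPASS_CIDR GATEWAY_IP UPLINK_IF
# AllowedIPs 0.0.0.0/0 makes wg-quick install policy routing with
# "suppress_prefixlength 0", so the more specific main-table route added in
# PostUp (via the uplink's usual next hop) wins over the tunnel's default
# route for BYPASS_CIDR only.
gen_client_conf() {
  endpoint="$1"; bypass="$2"; gateway="$3"; uplink="$4"
  cat <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.200.0.2/32
PostUp = ip route add $bypass via $gateway dev $uplink
PreDown = ip route del $bypass via $gateway dev $uplink

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $endpoint:443
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}
```

Queries to a resolver inside BYPASS_CIDR leave on the uplink in the clear; everything else, including DNS to any other server, goes through the tunnel.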
Some of the rest are probably run by criminals.
Oh yeah, let us not forget Facebook, whose VPN app was created mainly to snoop on your other network activities.
Edit: remember that you can roll your own temporary vpn: https://www.digitalocean.com/community/tutorials?q=vpn
ProtonVPN is also at least a bit better than other commercial VPNs, specifically the "Secure Core" feature is quite good. Proton is one of only like two or three companies I actually trust when it comes to their security and honesty.
It looks like the main contributor is (or was very recently) a Signal developer [1], but they have not committed to Streisand since 2018 [2].
[1] https://signal.org/blog/help-iran-reconnect/
[2] https://github.com/StreisandEffect/streisand/graphs/contribu...
* While creating a point to point tunnel is straightforward with Wireguard, it’s the networking part that takes time.
You need to do a bit of networking to set up firewall, access internet and other networks, etc, that may not follow a standard formula depending on your set up.
* Wireguard creates a tunnel. OpenVPN does a lot more, such as authentication, etc. The tunneling part of OpenVPN is much smaller than the whole.
* Wireguard doesn’t support TCP
And the stuff that tailscale adds is superfluous or not appealing?
The complexity rapidly grows as you scale, mostly pertaining to networking.
Now a better question is, how does OpenVPN compare with tailscale?!