
Anyone used WireGuard?

Hi forum.
For anyone not in the know, this is an alternative to OpenVPN, supposedly faster, simpler and with less likelihood of introducing new bugs, partly due to there only being one protocol suite.
https://www.wireguard.com/

I wonder if any of you sane people have any input about it? Have you tried it? What was/is your experience?

Also, to the ones knowing a little about cryptography, is the single suite of protocols, as opposed to OpenVPN, which has many, a good or a bad thing in your opinion? Their suite contains Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF.

I wouldn’t mind giving it a go but my VPN resides on my pfsense box.

I saw a thread on their subreddit, with someone praising it and wishing for it to be implemented in pfsense. The community was sceptical at best. Let me see if I can find it.

Edit: Here’s the reddit link, okay so only 6 comments and not at all sceptical, all of them.

Looks like Wireguard is working with openbsd on an implementation down the road.

“Eventually we’ll work with OpenBSD to produce a component for their kernel, and perhaps even write a kext for Darwin and a driver for NT. For now, however, a cross-platform userspace version is most appealing.”

I don’t think the cross-platform userspace application will be useful to pfsense users, so we might have to wait some time before the openbsd kernel component is written.

Do you think it is essential to their success that they get available on openbsd/pfsense? Also in relation to what platform other router manufacturers write their firmware in? I don’t know what Cisco and the like use. I also wonder how this “Market” is put together. We can all agree that pfsense folks are probably what you’d call “leaders” or “early adopters”, in the marketing nomenclature, but is this, router based VPN clients, where the main market share is?

1 Like

Considering the amount of shit OpenVPN has caused, I’m all for a competitor.

That being said, OpenVPN is considered to be a standard and it’s everywhere now. Sometimes too many choices means that they all suck.

Well, a standard in this regard is just convenient and easy, but not necessarily the best, as I sense you also imply. I’m thinking, if something better comes along and adoption on both ends of the tunnel (so to speak) is happening, it will become a proper alternative, maybe one day even the new standard. I do agree that too much choice can be counterproductive, or in other words, could be more productive, just look at all the Linux distributions available (which is also some of the beauty of it, but that’s another discussion).

I found out about it through my VPN of choice - Mullvad, who praise it to the skies. I don’t know how many other VPN providers have implemented it, but word on the street is that it is picking up speed. At least Mullvad and PIA have donated to the project. It currently ONLY runs on linux based systems, and as such, you can test it out on a number of routers with LEDE, running on top of OpenWRT (Source). Also, a community member of UBNT ported it to EdgeRouter, maybe they’ll pick it up.

I have this machine behind NAT that I don’t control, and that I needed to be able to SSH into.

Without wireguard, I’d probably have had to run OpenVPN or an SSH reverse tunnel.

Setting up wireguard from the machine was easier than either of the two, but there are some nuisances

  1. Systemd, every distro seems to have its own unit files

    # /etc/wireguard/wg0.conf
    [Interface]
    # this host's address inside the tunnel
    Address = 192.168.177.2/24
    PrivateKey = xxxx_my_private_key
    ListenPort = 51820
    
    [Peer]
    PublicKey = xxxx_public_key_of_other_host
    Endpoint = dns.or.ip:51820
    # send a keepalive every 25 s so the NAT mapping does not expire while idle
    PersistentKeepalive = 25
    # only tunnel traffic for the tunnel subnet through this peer
    AllowedIPs = 192.168.177.0/24
    

    # wg-quick@.service is the systemd template unit; the instance name is the config file name
    systemctl start wg-quick@wg0; systemctl status wg-quick@wg0; systemctl enable wg-quick@wg0

  2. I needed a ping from the machine through the tunnel, to maintain the NAT mappings when I’m not using the link (see PersistentKeepalive above)

  3. Not sure how to get userspace implementation running on a Mac or ChromeOS system.

3 Likes
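As an added example (not code from the post above or from the WireGuard project), here is a small standard-library Python linter for a wg-quick style config in the shape of the post's wg0.conf. It parses the file (a plain configparser will not do, because a file may carry several [Peer] sections), checks that PrivateKey and PublicKey are 32-byte base64 keys, that AllowedIPs parses and does not silently route everything, and, for a host behind a NAT it does not control, that every peer with an Endpoint has a PersistentKeepalive. The sample config, the key values and the dns.or.ip hostname are constructed placeholders, not real key material or hosts.

```python
"""Lint a wg-quick style config for the pitfalls mentioned in the post above.

Added example (not code from the original post or from the WireGuard project).
It uses only the standard library; the sample config and its keys are
constructed placeholders, not real keys or hosts.
"""
import base64
import ipaddress

# Constructed placeholder keys: valid base64 of 32 bytes, but NOT real key material.
PLACEHOLDER_PRIVATE = base64.b64encode(bytes([0x00] * 32)).decode()
PLACEHOLDER_PUBLIC = base64.b64encode(bytes([0x01] * 32)).decode()

# Constructed sample in the same shape as the post's /etc/wireguard/wg0.conf.
SAMPLE_CONF = f"""\
[Interface]
Address = 192.168.177.2/24
PrivateKey = {PLACEHOLDER_PRIVATE}
ListenPort = 51820

[Peer]
PublicKey = {PLACEHOLDER_PUBLIC}
# the hostname below is a placeholder
Endpoint = dns.or.ip:51820
PersistentKeepalive = 25
AllowedIPs = 192.168.177.0/24
"""


def parse_wg_conf(text):
    """Return (interface_dict, list_of_peer_dicts) with keys lower-cased.

    configparser is deliberately not used: a config may hold several [Peer]
    sections and configparser rejects the repeated section name.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        # split on the first '=' only: base64 keys end with '=' padding
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def is_wg_key(value):
    """A WireGuard key is 32 bytes, base64 encoded: 44 chars ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def _cidrs(value, parser):
    """Parse a comma-separated list of addresses/networks with the given parser."""
    return [parser(part.strip()) for part in value.split(",") if part.strip()]


def lint(text, behind_nat=True):
    """Return a list of human-readable findings; an empty list means clean.

    behind_nat=True models the post's situation: this host sits behind a NAT it
    does not control and must keep the mapping alive towards each Endpoint.
    """
    findings = []
    iface, peers = parse_wg_conf(text)
    if not is_wg_key(iface.get("privatekey", "")):
        findings.append("Interface: PrivateKey is not a base64-encoded 32-byte key")
    if not _cidrs(iface.get("address", ""), ipaddress.ip_interface):
        findings.append("Interface: no Address, the tunnel has no IP")
    if not peers:
        findings.append("no [Peer] section, nothing will ever handshake")
    for n, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("publickey", "")):
            findings.append(f"Peer {n}: PublicKey is not a base64-encoded 32-byte key")
        allowed = _cidrs(peer.get("allowedips", ""),
                         lambda s: ipaddress.ip_network(s, strict=False))
        if not allowed:
            findings.append(f"Peer {n}: no AllowedIPs, so no traffic is accepted from or routed to it")
        if any(net.prefixlen == 0 for net in allowed):
            findings.append(f"Peer {n}: AllowedIPs contains a default route; all traffic goes through this peer")
        keepalive = peer.get("persistentkeepalive", "0")   # 0 means disabled
        if not keepalive.isdigit() or not 0 <= int(keepalive) <= 65535:
            findings.append(f"Peer {n}: PersistentKeepalive must be 0 or 1..65535 seconds")
        elif behind_nat and "endpoint" in peer and int(keepalive) == 0:
            findings.append(f"Peer {n}: behind NAT with no PersistentKeepalive; the NAT mapping expires when the link is idle")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["clean"]:
        print(finding)
    # The post's literal placeholder "xxxx_my_private_key" is flagged as not a key:
    print(lint(SAMPLE_CONF.replace(PLACEHOLDER_PRIVATE, "xxxx_my_private_key")))
```

Run it against a copy of your own wg0.conf by passing the file's text to lint(); pass behind_nat=False for a host with a public address, where the keepalive is optional and only costs a packet every few seconds.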