
Virtual private networks with WireGuard

Posted Mar 6, 2018 19:03 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
Parent article: Virtual private networks with WireGuard

What is the advantage compared to IPSec? The in-kernel ipsec encryption is perfectly adequate for most purposes (just ignore the crappy ciphers).

The userspace key agreement protocol (IKE) is another story, but you don't have to use it, ipsec actually has a standardized cross-platform API to manage the kernel-level keys.


Virtual private networks with WireGuard

Posted Mar 7, 2018 2:18 UTC (Wed) by amworsley (subscriber, #82049) [Link] (6 responses)

The key advantage as stated was a vastly smaller implementation (4000 lines), making it vastly easier to check for flaws.
Another design feature is that it has very few options and deliberately selected modern algorithms likely to be secure for much time in the future, greatly reducing the chance of insecurity through mis-configuration versus ipsec.
Finally, once a secure tunnel is set up the remote end can change IP, as the public key is used to verify any new IP address automatically - removing another "brittleness" where transport network changes can kill the connectivity.

I am not aware of how it handles replay and denial of service attacks but hopefully when it is merged in there will be many chances to check for these and other issues.

Also, if it is 4000 lines to implement, it would be hard to add it to other platforms.
Presumably if it is popular, Android phones could start using it fairly quickly.
It would be interesting to know how it would handle China's Great Firewall.

Virtual private networks with WireGuard

Posted Mar 7, 2018 14:12 UTC (Wed) by bavay (subscriber, #60804) [Link] (3 responses)

I am absolutely naive with VPNs, so my questions might be totally off, but one thing I find potentially dangerous is the ability to silently lose a VPN connection. If you are transmitting sensitive data over a link that you know is most probably under surveillance, you absolutely don't want the VPN to disconnect and your data transfer to resume over the non-VPN network (when accessing public IPs). Is that something that is addressed at the VPN level, or should it be addressed at another level? Does WireGuard offer something to prevent it?

Mathias
PS: Yes, the data transfer itself is also encrypted, but better safe than sorry and encapsulate it within a VPN alongside masses of uninteresting data

Virtual private networks with WireGuard

Posted Mar 7, 2018 14:45 UTC (Wed) by smurf (subscriber, #17840) [Link]

Wireguard does not "lose a connection" the way a VPN link dies. The connection and the rest of the kernel setup are still there; packets simply get dropped until the connection is re-established.

I've been using it for months on my office VPN. Zero problems, it's a breeze to set up compared to OpenVPN (and much faster).

Virtual private networks with WireGuard

Posted Mar 10, 2018 0:20 UTC (Sat) by coolhandluke (guest, #114151) [Link] (1 responses)

In the case where all traffic absolutely *must* go over a VPN (or else not be sent at all), I have previously configured firewall rules (both on the host itself as well as its upstream router, for an additional layer of defense) to only permit outbound IP traffic destined to the VPN gateway and drop any other traffic.

This ensures that traffic will not be sent out if the VPN link dies for any reason.

Whether or not this approach is an acceptable solution for you obviously depends on your specific requirements.
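A concrete form of the host-side rule described in the comment above, as an added example that is not part of the original comment: an nftables output chain that permits only the encrypted WireGuard transport to the gateway endpoint and traffic that is already inside the tunnel, so nothing leaves in plaintext if the tunnel goes down. The gateway address 203.0.113.10, port 51820 and interface name wg0 are assumed values; the DHCP exception is only needed if the WAN address is obtained by DHCP.

```shell
#!/bin/sh
# Added example (not from the LWN thread): an nftables "kill switch" for a host
# whose traffic must only ever leave through the WireGuard tunnel.
# Assumed values (constructed, adjust to your setup):
#   gateway endpoint 203.0.113.10, listen port 51820, tunnel interface wg0
set -eu

# Print the ruleset instead of applying it, so it can be reviewed first.
gen_killswitch_ruleset() {
    gw="$1"; port="$2"; ifname="$3"
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # Local traffic is always fine.
        oif "lo" accept

        # DHCP client traffic, so the WAN address can still be (re)acquired.
        udp sport 68 udp dport 67 accept

        # The encrypted WireGuard transport, and only to the gateway endpoint.
        # (In an inet table "ip daddr" matches IPv4 only; IPv6 stays blocked.)
        udp dport $port ip daddr $gw accept

        # Packets already encapsulated by the tunnel interface.
        oifname "$ifname" accept

        # Everything else is counted and dropped: a dead tunnel never leaks.
        counter drop
    }
}
EOF
}

# Apply with:  gen_killswitch_ruleset 203.0.113.10 51820 wg0 | sudo nft -f -
```

Run the generated ruleset through `nft -c -f -` first to syntax-check it without loading it, and keep a separate input rule set in place, since this chain only covers packets the host originates.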

Virtual private networks with WireGuard

Posted Mar 12, 2018 22:46 UTC (Mon) by james (subscriber, #1325) [Link]

I've seen people go one stage further and configure the router without a default gateway, just with routes to the public IP addresses of the VPN concentrators.

Those routes to the VPN concentrators are the only routes over the WAN link(s): even without a firewall, the router won't know which way to send packets to the Internet until the VPN is up. Then routing protocols (configured to talk to the internal addresses of the VPN concentrators) can add more routes.

Virtual private networks with WireGuard

Posted Mar 7, 2018 14:57 UTC (Wed) by smurf (subscriber, #17840) [Link] (1 responses)

Wireguard simply throws away packets it can't decrypt. It works at wire speed (for some definition of "wire", anyway) so even if you saturate the link with bogus encrypted packets, that's no worse than saturating it with any other kind of packet.

Android will get a userspace implementation.

Virtual private networks with WireGuard

Posted Mar 8, 2018 5:37 UTC (Thu) by thestinger (guest, #91827) [Link]

It's worth noting that as of Android 8.0, there's a toggle to block connections not made via the always-on VPN to deal with issues like an OpenVPN app dying. A kernel implementation is more efficient but there's a sane way to use userspace VPN implementations.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds