Wireguard

[jugs 1]

Hey guys,

 

I was wondering now that your other competitors are actively integrating Wireguard into their offerings, when do you think you'll have something ready for your customers?

[Khariz 109]

Interesting.  I feel dumb for having never even heard of this before.

[zhang888 1066]

Too early for production. Number of reasons:

 

1) Linux support only, both server and client, at this point, which signifficantly limits the number of users

 

2) Project is less than a year old and hasn't seen any production deployments yet, even among VPN services

 

3) Single developer without funding or business model, almost no community support, both code and money.

While the code contributions can be easily tracked (there are almost none), the money contributions are a little bit more difficult to track. But just from the project page Bitcoin address, we can see the developer got only 0.27 BTC during almost a year of development. That is about $300:

https://blockchain.info/address/1ASnTs4UjXKR8tHnLi9yG42n42hbFYV2um

 

However, zx2c4 is a great kernel hacker and developer, I personally tested Wireguard during the first days of its release and it's an interesting idea and implementation. Has a great potential for small internal employments at this point.

 

The project somewhat reminds me Nginx, the robust and efficient web server that started the same way.

Now it powers lots of most busiest websites, and it started as a hobby project with a single developer as well.

Until the community gave it a huge boost, somewhere around 2009 (5 years after initial release), the deployments were minimal, even though the performance advantages over Apache were clear.

[zx2c4 0]

 

hasn't seen any production deployments yet

without funding

or business model

 

Is there a reason why you make these unsubstantiated claims? With what authority do you speak? What knowledge could you possibly have on these three points?

[Khariz 109]

 

 

hasn't seen any production deployments yet

without funding

or business model

 

Is there a reason why you make these unsubstantiated claims? With what authority do you speak? What knowledge could you possibly have on these three points?

 

How about you just correct him with correct information?  I'm not saying you need to give us your exact numbers or project developers, but it would be just as easy to say "On the contrary, I have more than 100 projects in development and have raised over half a million dollars at this point", instead of "WTF are you talking about?"

 

Just my 2 cents.

[zhang888 1066]

1) Based on the number of commercial VPN providers currently using it

2) A more clear funding transparency report would be nice to see - compared to donations to many other open source projects I find $300 very low.

More could be in PayPal, but again assuming only Linux and crypto enthusiasts mainly use the project the BTC donations is a good example.

3) Business model - clarify if you can. OpenVPN has a business model while still being open source. Same as many other projects.

This is how to sustain development and other costs. Almost same as point 2 - funding.

[Nnyan 3]

I'm not an expert

 

Hey guys,

 

I was wondering now that your other competitors are actively integrating Wireguard into their offerings, when do you think you'll have something ready for your customers?

 

I'm not an expert but having one (or more) companies publish a guide on how to use Wireguard with their service doesn't count as "actively integrating".  It's not part of their offering just a guide.  They clearly state:

 

"Warning: WireGuard is still under active development and should be seen as experimental. Mullvad is providing this installation for test purposes and on a limited scale." 

 

Even on the Wireguard site it states:

 

About The Project Work in progress. WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities.

 

That to me tells me it should not be used in a production environment.  Want to test it?  Sure, go for it! I myself am thinking of testing it in a sandbox.  

[jugs 1]

I'm not an expert

 

Hey guys,

 

I was wondering now that your other competitors are actively integrating Wireguard into their offerings, when do you think you'll have something ready for your customers?

 

I'm not an expert but having one (or more) companies publish a guide on how to use Wireguard with their service doesn't count as "actively integrating".  It's not part of their offering just a guide.  They clearly state:

 

"Warning: WireGuard is still under active development and should be seen as experimental. Mullvad is providing this installation for test purposes and on a limited scale." 

 

Even on the Wireguard site it states:

 

About The Project Work in progress. WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities.

 

That to me tells me it should not be used in a production environment.  Want to test it?  Sure, go for it! I myself am thinking of testing it in a sandbox.  

 

I'm not sure what "actively integrating" means to you, but they are rolling it out for public test so they can figure out how to integrate it...

[SlipBetween 1]

Hey guys.  I've been seeing some other VPN providers working with wireguard, and the tech seems pretty solid and promising.  I was wondering if Air was possibly looking at working with it as well in the near future.  Thoughts?

[mwm 19]

Any news on a potential uptake on this protocol? Looks like PIA are keen to adopt and so are Mullvad.

[Khariz 109]

I’m eager to try it out, so I will likely subscribe to some services that use it.

[trekkie.forever 6]

Opinions alone, no offense meant to anyone.

 

Wireguard has some nice features (IP roaming, easy to set up)

 

But also a lot of hype surrounding it. Does not work in many corporate environments which does not allow UDP

 

No obfuscation support (AFAIK) and hence will be easy to block in countries like UAE and China if it becomes popular

 

There is definitely a limited case use for it however

 

I believe that any VPN designed in 2016 or later should have obfuscation as a major design goal. Early days for sure and all the best to the developers

[flat4 79]

cool, I'll keep reading.

[Aegisprotection 4]

Mullvad expands their WireGuard VPN-service to a total of 30 servers. I really hope that also AirVPN will jump on the bandwagon. Any progress on this?

[Staff 9972]

Mullvad expands their WireGuard VPN-service to a total of 30 servers. I really hope that also AirVPN will jump on the bandwagon. Any progress on this?

 

 

Hello!

 

Why should we do that? In other words, what advantages in terms of security and/or performance do a user get from Wireguard (over OpenVPN) when deployed before an audit has been performed?

 

In terms of performance, we are concerned about this:

https://www.wireguard.com/performance/

 

The Wireguard performance is low, while the OpenVPN reported throughput is fake. Remember that we could beat in a single core of an archaic Q6600 CPU 300 Mbit/s in 2014. In 2018 (just a couple of weeks ago) we have obtained 1.7 Gbit/s on our AES-NI optimized machine with a load of 300+ clients practically in just ONE CORE of an E3-1270 @ 3.80 Ghz with a Linux kernel 4.9 and AES-256-GCM (so we could even go higher with ChaCha20 Poly305).

 

The fact that in the Wireguard web site not believable data for OpenVPN is published is a reason of concern. Then, the performance of Wireguard is not interesting, especially on a core of an i7 with ChaCha20.

 

On top of that, it is unfair to deploy to our customers a service based on a software that's not yet been tested enough in our opinion. USA Senator Wyden recently recommended Wireguard to replace everything (IPsec, OpenVPN...) in USA infrastructures and recommended to recommend Wireguard to NIST:

https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-Senator-Recommends

 

Why this requirement before any serious audit when we know for sure (from the Snowden documents) that plans to insert backdoors in random number generators and other cryptography-related software, and then have that very software approved by NIST, started several years ago? This is another reason of concern that maybe makes Wireguard wide deployment premature: it is safer to check deeply the software and the ECC employed first, and then deploy to the public.

 

Remember what happened  with the infamous Dual_EC_DRBG, we are not short on memory like some of our competitors are, and we are not trading your security for a fistful of dollars by riding the Wireguard hype. When and if Wireguard will prove to be as secure as OpenVPN, and capable to provide the same (or higher) performance, and provide obfuscation and more protocols choice, then we'll be very happy to experiment with it.

https://en.wikipedia.org/wiki/Dual_EC_DRBG#Software_and_hardware_which_contained_the_possible_backdoor

 

Kind regards

[AnnaGlup 0]

Im using Wireguard on my smartphones for 3 month.

My reason to no longer use OpenVPN is the battery life.

OpenVPN needs a lot of juice while with Wireguard it looks like it needs nearly nothing.

Stabile connection and fast performance. Even IPV6 works well.

Im already using a Custom Rom so Setup was a 5 minute job.

Other advantage no VPN is used in Android. I need this for another feature.

Overall a clear win for me, only my router is still using AirVPN.

[Staff 9972]

Hello!

 

Given the reputation of Daniel J. Bernstein, concerns about the specific employed ECC are not relevant. However, remember that Wireguard is not ready for production and you must not use it when security of your data is a priority. Wireguard developers are very honest about it, so use it at your own risk. From the official web site:
 

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come.

 

We can't propose to our customers something based on experimental code that has not undergone a proper security auditing and those who do are clearly not protecting their customers' interests. Sooner or later Wireguard will reach a mature, stable release and will be audited and peer reviewed. That will be the right time to consider to put it into production.

 

Kind regards

[kaymio 7]

Hello,

 

we've waited a few years for IPv6 to arrive, so we can wait to get Wireguard mainlined and audited. Wireguard is an interesting prospect for the future for sure. Linus Torvalds seems to be excited too

 

https://www.phoronix.com/scan.php?page=news_item&px=Linus-Likes-WireGuard

[c69c7kfrv48fuJ8Re44C 5]

Hi Staff!
Any update on Wireguard in 2020? Apparently it’s in the Linux kernel now. Ready for action?

[jeuia3e9x74uxu6wk0r2u9kdos 30]

25 minutes ago, c69c7kfrv48fuJ8Re44C said:

Hi Staff!
Any update on Wireguard in 2020? Apparently it’s in the Linux kernel now. Ready for action?

 
https://restoreprivacy.com/wireguard/
 

AirVPN has also chimed in over WireGuard’s implications for anonymity, as explained in their forum:

Wireguard, in its current state, not only is dangerous because it lacks basic features and is an experimental software, but it also weakens dangerously the anonymity layer. Our service aims to provide some anonymity layer, therefore we can’t take into consideration something that weakens it so deeply.

We will gladly take Wireguard into consideration when it reaches a stable release AND offers at least the most basic options which OpenVPN has been able to offer since 15 years ago. The infrastructure can be adapted, our mission can’t.

In their forums, AirVPN further explained why WireGuard simply does not meet their requirements:

• Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic;
• Wireguard client does not verify the server identity (a feature so essential that it will be surely implemented when Wireguard will be no more an experimental sofware); the impact on security caused by this flaw is very high;
• TCP support is missing (third party or anyway additional code is required to use TCP as the tunneling protocol, as you suggest, and that’s a horrible regression when compared to OpenVPN);
• there is no support to connect Wireguard to a VPN server over some proxy with a variety of authentication methods.

Despite these concerns, many VPN services are already rolling out full WireGuard support. Other VPNs are watching the project and are interested in implementing WireGuard after it has been thoroughly audited and improved.

In the meantime, however, as AirVPN stated in their forum:

“We will not use our customers as testers.”

[Brainbleach 5]

Well it's been a couple years and WireGuard has improved greatly.  Any information in maybe supporting this in 2021?

[OpenSourcerer 1435]

15 minutes ago, Brainbleach said:

Well it's been a couple years and WireGuard has improved greatly.  Any information in maybe supporting this in 2021?

I can confirm it is coming. Even though wg matured a bit, it's still got technical and privacy caveats Staff will make very clear when the first experimental servers hit the scene. However, I cannot say when. Stay tuned for more info on the Announcements forum.