routeninja

Wireguard response from Mullvad

The folks at Mullvad gave me a couple days to try their service (Very generous of them, thank you!).

I sent an email to them asking about Wireguard, and how they feel comfortable offering that when the actual project side says "do not rely on this code". Here is the response they gave:

Quote
We are currently installing more wireguard servers in the locations that
we have, and hopefully in the near future, we will cover more locations
globally.

The most common question brought up from our user is about the privacy
and security issue on Wireguard. We have been continuously improving how
we set up on our end to ensure the secure level on our wireguard server.
We now delete and re-add peers if they have not had a handshake in 180
seconds on the WireGuard servers, this removes any public IP or stats of
amount of data that has been received / sent.

If you wish to hide your own public IP-address from the exit server,
then consider using multihop, the exit server will then only see an
internal IP-address used by the WireGuard servers.

So I decided to go look at the wireguard project page. It no longer says "Do not rely on this code". It appears that it has been removed. The last time it was on there was August 24th of this month: https://web.archive.org/web/20190824001445/https://www.wireguard.com/

So it appears that in the past four days they have removed that, I am not sure why. Do you guys have any thoughts on that? Does this mean we should start looking into it? Btw, the OpenVPN testing with them and Air are very close with speed tests. However, the wireguard testing is significantly faster (but potentially unsecure).
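The peer-cycling routine Mullvad describes in the quoted reply, written out as an added shell example (not Mullvad's own code). It assumes the tab-separated `wg show <iface> dump` format and treats a peer that has never completed a handshake as stale; a constructed sample dump lets the selection logic be dry-run without wg-tools.

```shell
#!/bin/sh
# Added example, not Mullvad's code: "delete and re-add peers with no
# handshake in 180 s". Assumes the `wg show <iface> dump` format: one
# interface line, then one tab-separated line per peer:
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# (latest-handshake is epoch seconds; 0 means the peer never handshook).

STALE_SECONDS=180

# Print "<pubkey>\t<allowed-ips>" for every peer whose last handshake is
# older than STALE_SECONDS. $1 = dump text, $2 = "now" in epoch seconds.
# Assumption: a peer that never handshook (0) is treated as stale too.
stale_peers() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$STALE_SECONDS" '
        NR == 1 { next }                 # interface line carries no peer
        NF >= 5 {
            hs = $5 + 0
            if (hs == 0 || now - hs > max) print $1 "\t" $4
        }'
}

# Remove and immediately re-add one peer with the same key and allowed-ips.
# The kernel then forgets the peer's last endpoint (its public IP) and its
# rx/tx counters; the client reconnects on its next handshake as before.
# A preshared key, if the peer uses one, would have to be re-supplied here.
cycle_peer() {
    wg set "$1" peer "$2" remove
    wg set "$1" peer "$2" allowed-ips "$3"
}

# Sweep a live interface and cycle every stale peer. Needs root and wg-tools.
sweep() {
    tab=$(printf '\t')
    stale_peers "$(wg show "$1" dump)" "$(date +%s)" |
    while IFS="$tab" read -r key ips; do
        cycle_peer "$1" "$key" "$ips"
    done
}

# Constructed sample dump (placeholder keys, RFC 5737 addresses) for a dry
# run of the selection logic with "now" = 1000000.
SAMPLE_DUMP=$(
    printf 'IFACE_PRIV\tIFACE_PUB\t51820\toff\n'
    printf 'PEER_A_KEY\t(none)\t203.0.113.7:41234\t10.99.0.2/32\t999900\t1234\t5678\t0\n'
    printf 'PEER_B_KEY\t(none)\t198.51.100.9:5555\t10.99.0.3/32\t999000\t1\t1\t0\n'
    printf 'PEER_C_KEY\t(none)\t(none)\t10.99.0.4/32\t0\t0\t0\t0\n'
)

# Dry run: PEER_A handshook 100 s ago and stays; PEER_B (1000 s) and
# PEER_C (never) are listed for cycling.
stale_peers "$SAMPLE_DUMP" 1000000
```

Run `sweep wg0` from a cron or systemd timer to apply it to a real interface; the dry run above never calls `wg`.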


Well, I think it depends on your threat model. I wouldn't use Wireguard for purposes that require a high level of privacy.
But I think for the average user - as we all certainly are - it shouldn't be a major problem using it, at least if it is set up correctly. The guys at Mullvad apparently did their homework on this.

Still, Wireguard is far from being complete, but if you are keen on testing new tech stuff, go for it!

Regards,

BB.


AMD Ryzen 3950X @ 105W PPL

Gigabyte X570 Aorus Elite

AMD RX 5700 XT

Corsair DDR4-3200 32GB



I do not understand these "privacy concerns". You enter AllowedIPs=0.0.0.0/0 and disable config saving. The end. The IP address of the client will still be in memory here and there, but so is the case with OpenVPN.

I will probably temporarily switch to Mullvad when my subscription expires to try it. AirVPN is nice, but I would prefer using wg across the board. This is the last OpenVPN instance I have to deal with.

@rndbit

In Wireguard you need to map a static IP address in the VPN to a client key permanently as dynamic IP assignment is not available. The private IP address is easily found out by anyone. Once we receive a request by a proper authority about the VPN IP address we can link the address to a unique account. That's a serious privacy concern that does not exist in OpenVPN.

Now that we have the ChaCha20 cipher even in the OpenVPN Data Channel (including our OpenVPN 3 library), there's no pressure to push our customers toward dangerous solutions just for marketing reasons. We can quietly wait for a stable Wireguard release featuring all the implementations we need (dynamic IP addresses and TCP support).

Kind regards

56 minutes ago, Staff said:
@rndbit

In Wireguard you need to map a static IP address in the VPN to a client key permanently as dynamic IP assignment is not available. The private IP address is easily found out by anyone. Once we receive a request by a proper authority about the VPN IP address we can link the address to a unique account. That's a serious privacy concern that does not exist in OpenVPN.

I think because of this it would make sense to pay anonymously when planning to use Wireguard.

BB


54 minutes ago, BlueBanana said:

But what I don't understand about this... you get a static private IP that begins with 10.x.x.x. This IP is internal, not public. How could anyone find it out, except the VPN provider?


The simplest method is through WebRTC or any other STUN based technique, which will reveal your private addresses (or more precisely the IP addresses of your interfaces, virtual or real) even with Network Lock enabled (it will NOT reveal your public IP address, of course). Check in ipleak.net for example.

Kind regards

This post led me to read up about OpenVPN and WireGuard. It is interesting to read how many people are dissing OpenVPN and praising WireGuard even though the developer of WG strongly recommends not using it for production. People have been praising WG like it is the huge VPN revolution, and that kind of praising concerns me, because of past experience of how a product can be great at marketing but fail at the execution.

This article I have been reading provides great insight about WG: https://restoreprivacy.com/wireguard/ The article points out the cons of WG, and it makes great valid points. I found one section in the pros of WG saying that WG has a smaller codebase, which makes it easier to audit and gives better performance. I found that opinion extremely subjective because a smaller codebase may not always be better than a larger codebase, and lines of code are not the best indication of the efficiency and quality of the software. Developers can write shitty code in 3,800 lines that performs terribly, and it goes the same for a larger shitty codebase. Again, using quantity as a justification for quality is the wrong reason to do so. Quantity and quality are two different beasts and they will never be equal to each other.

I was reading the comments on the article and this user "Anonymous by declaration, not really" on Oct 25th, 2019 stated that OpenVPN has a HUGE UNKNOWN Hole (directly quoted from that user). Is there any merit to that comment? What holes does OpenVPN have? I tried looking around and I couldn't find such a thing, especially as the user said "UNKNOWN" without providing the information. To me, it looks like too much jargon being thrown around, and it painted the user as coming from conspiracy theory forums. Can anyone understand this person, and does this user have some merit?

@flat4 I agree with you. Using software that is a specialized tool without an audit report is terrifying, and that pushes me to think there is something up. Similar to when NordVPN pushed so hard on the advertising in YouTube, and look what happened. Yea.... I wouldn't use WG until the privacy and security community says something about it.


I think the question of WireGuard support should be revisited sometime this year as it is now included in the Linux kernel, the warning stating not to rely on their code has been removed from their website earlier last year, and it is now included in the default repositories for Ubuntu 19.10 and onward. The two main things missing still are support over TCP and non-static VPN local IP addresses.


Unrelated to the OP, but I've given Mullvad a try after I had payment problems here with Avangate late last year, and to say I'm unimpressed with them is an understatement. One month in with frequent disconnects and packet loss, and I've thrown in the towel to be back here. Live and learn....


Personally I think that we should trust the Staff and AirVPN.

We trust this service to protect our privacy, and AirVPN's mission statement (https://airvpn.org/mission/) is crystal clear.

I don't think they are a bunch of lazy masochists who like scourging themselves with hundreds of thousands of lines of code instead of a few thousand; they are people interested in standing by what they have written, and when they say that they prefer using validated, audited and tested technologies they are just doing what we pay them for: protecting OUR privacy and freedom. Moreover, the service is not just used by Netflix users, torrenting people, and so on, but also by activists, NGOs, journalists and dissidents who can seriously risk their lives if their privacy is left "unprotected" because the software they are using has not been properly and thoroughly tested.

At the moment, to my knowledge, AirVPN is using the state of the art (technically a bit more, because they have improved OpenVPN by forking it) of VPN technologies to protect users' privacy both on desktop and mobile.

When, and if, the time comes and Wireguard is the de facto industry standard (because audited, tested and validated in different scenarios over months/years) and replaces OpenVPN because it has 1) better performance, 2) stronger user privacy protection and 3) is easier to maintain, I'm more than sure that it will be adopted by AirVPN too.


I use Wireguard quite a bit in my internal world and I'm pretty impressed with its speed and ease of use.  I love how quickly a connection can be set up and torn down, and its docker use case has some advantages.  That said I don't think of it as a client based vpn that allows for the kind of flexibility something like openvpn or eddie-ui has.  At least not yet.

So, I don't think WG is the second coming of privacy-based encryption, but I do find it a nice tool to have in the toolbox.

On 3/31/2020 at 8:41 PM, kbps said:
https://mullvad.net/en/blog/2020/3/30/wireguard-no-longer-new-kid/

WireGuard is about to be implemented into the Linux kernel. This must surely be a good thing for wireguard adoption.
Unfortunately, wireguard is blocked in China, doesn't work anymore through WG protocol..................I have tested Astrill/Torguard/VPNac with their WG protocol...........confirmed by torguard staff........ damn..........

11 hours ago, Pengxiao said:
On 3/31/2020 at 2:41 PM, kbps said:
https://mullvad.net/en/blog/2020/3/30/wireguard-no-longer-new-kid/

WireGuard is about to be implemented into the Linux kernel. This must surely be a good thing for wireguard adoption.
Unfortunately, wireguard is blocked in China, doesn't work anymore through WG protocol..................I have tested Astrill/Torguard/VPNac with their WG protocol...........confirmed by torguard staff........ damn..........

Wireguard is not designed to bypass blocks. Blocking UDP (or strongly shaping outgoing UDP packets) is sufficient to make Wireguard unusable, and that's more and more common practice on many mobile ISPs in every continent and country. Forget connections over stunnel and don't even fantasize about connections over SSH. There are also other important limitations and concerns; anyway, we will make them all very clear when we offer Wireguard.

Please use OpenVPN as usual to bypass China blocks.

Kind regards
15 minutes ago, Staff said:

Wireguard is not designed to bypass blocks. Blocking UDP (or strongly shaping outgoing UDP packets) is sufficient to make Wireguard unusable, and that's more and more common practice on many mobile ISPs in every continent and country. Forget connections over stunnel and don't even fantasize about connections over SSH. There are also other important limitations and concerns; anyway, we will make them all very clear when we offer Wireguard.

Please use OpenVPN as usual to bypass China blocks.

Kind regards
Does this mean that AirVPN is setting up/will soon set up WireGuard servers?


Quite perplexed by the use of the wg protocol, to be honest. I can say that I saw good speeds with a debian iso but that was something out of the ordinary. IVPN, a provider praised for their speeds, has been nothing but a bummer for me. Torrents are around 7MB/s and with another I am at 20 MB/s. On IVPN I used wg and on the other it was ovpn.

But I cannot say that I don't understand the hype that wg goes through. But for me it is ovpn all the way. If you look at all the security issues and how providers are supposedly "fixing" them, I can only walk around with a huge question mark over my head. Why's wg needed anyway? What can it do that ovpn cannot do for us privacy-minded folks? Why "fix" it when ovpn is still working as intended and always has? Surely, you wouldn't try to apply the use case of a Volkswagen to an F1 car. With that said, I always liked AirVPN's approach to wg and that AirVPN kept prioritizing ovpn over wg.

Anyway, everybody can do as he likes, I for one will stick to ovpn in the meantime.

On 5/2/2020 at 11:50 PM, Staff said:

Wireguard is not designed to bypass blocks. Blocking UDP (or strongly shaping outgoing UDP packets) is sufficient to make Wireguard unusable, and that's more and more common practice on many mobile ISPs in every continent and country. Forget connections over stunnel and don't even fantasize about connections over SSH. There are also other important limitations and concerns; anyway, we will make them all very clear when we offer Wireguard.

Please use OpenVPN as usual to bypass China blocks.

Kind regards
Thank you very much!

On 5/7/2020 at 7:07 AM, sudoopenvpn said:

Why's wg needed anyway?


There are articles and posts regarding on why WireGuard is a thing in Google results. The simplified point of WireGuard based on my findings: modern encryption, smaller code base and performance improvement. The performance improvement is the main point of WireGuard over OpenVPN.

The smaller code base statement is what bothers me. Their point is that it is easier to audit the code since it has fewer lines of code (WireGuard has about 3K lines of code whereas OpenVPN has about 600K). Sure, it is easier to audit, but my question is whether having a smaller code base is better. Honestly, I feel this is merely subjective because OpenVPN has accumulated 19 years of audited code that proved its worth. Sure, it is nice to have a smaller code base that executes quickly, but what about the security standpoint? I wonder if the statement will remain true if WireGuard accumulates 19 years of code; will it still be smaller than OpenVPN or other VPN software?


Rather than a back and forth debate, all that is required is an apples-to-apples lab pentest setup. This should put any debate to rest. Maybe they are both equal from a privacy standpoint. The next value-add would be performance and if wg is faster, it would now be the new king on platforms it is supported on.

2 hours ago, WxjThf8HJV5ShAQ said:

it would now be the new king on platforms it is supported on.


This is, again, subjective. WireGuard doesn't have TCP support; it only uses UDP to transmit (according to WireGuard's website). The problem with that is UDP tends to be blocked more often than TCP. K-12 and higher education institutions usually have their networks block UDP, and some ISPs put a block on UDP as well. It is worthless to use WireGuard if the network has UDP blocked. WireGuard will not be the new king on platforms if it doesn't support a plethora of protocols. On the other hand, OpenVPN has a range of protocols it can use to transmit, which makes it versatile to use.

6 hours ago, NoiselessOwl said:

This is, again, subjective. WireGuard doesn't have TCP support; it only uses UDP to transmit (according to WireGuard's website). The problem with that is UDP tends to be blocked more often than TCP. K-12 and higher education institutions usually have their networks block UDP, and some ISPs put a block on UDP as well. It is worthless to use WireGuard if the network has UDP blocked. WireGuard will not be the new king on platforms if it doesn't support a plethora of protocols. On the other hand, OpenVPN has a range of protocols it can use to transmit, which makes it versatile to use.

But that is the point. Eliminating TCP most likely gained the added performance (tunneling TCP-over-TCP is a known performance killer). With 1.0+, in-tree in the Linux kernel, and a clean external security audit, if it meets your use cases, what else is the issue?

If all else fails for your use-case, you can run wireguard over TCP with TunSafe but you're back again to OVPN lacking performance.

4 hours ago, WxjThf8HJV5ShAQ said:

But that is the point. Eliminating TCP most likely gained the added performance (tunneling TCP-over-TCP is a known performance killer). With 1.0+, in-tree in the Linux kernel, and a clean external security audit, if it meets your use cases, what else is the issue?

If all else fails for your use-case, you can run wireguard over TCP with TunSafe but you're back again to OVPN lacking performance.

Saying that wireguard gained performance by eliminating TCP is like saying my car got faster because I removed the low gears. Physically impossible, and it's just silly.

Wireguard is supposedly faster because of its modern protocol and the fast chacha20 data cipher and that's comparing UDP vs UDP.
