routeninja

Wireguard response from Mullvad


The folks at Mullvad gave me a couple days to try their service (Very generous of them, thank you!).

I sent an email to them asking about Wireguard, and how they feel comfortable offering that when the actual project site says, do not rely on this code. Here is the response they gave:

Quote
We are currently installing more wireguard servers in the locations that
we have, and hopefully in the near future, we will cover more locations
globally.

The most common question brought up from our user is about the privacy
and security issue on Wireguard. We have been continuously improving how
we set up on our end to ensure the secure level on our wireguard server.
We now delete and re-add peers if they have not had a handshake in 180
seconds on the WireGuard servers, this removes any public IP or stats of
amount of data that has been received / sent.

If you wish to hide your own public IP-address from the exit server,
then consider using multihop, the exit server will then only see an
internal IP-address used by the WireGuard servers.

So I decided to go look at the wireguard project page. It no longer says "Do not rely on this code". It appears that it has been removed. The last time it was on there was August 24th of this month: https://web.archive.org/web/20190824001445/https://www.wireguard.com/

So it appears that in the past four days they have removed that, I am not sure why. Do you guys have any thoughts on that? Does this mean we should start looking into it? Btw, the OpenVPN testing with them and Air are very close with speed tests. However, the wireguard testing is significantly faster (but potentially unsecure).

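The idle-peer cleanup described in the quoted Mullvad reply, as an added example (not Mullvad's code and not part of the original posts): it reads `wg show <interface> dump` output and plans a remove and re-add for every peer with no handshake in the last 180 seconds, which clears the stored endpoint and transfer counters. The interface name `wg0`, the helper names, and the sample keys and addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: plan the "delete and re-add idle peers" step from `wg show IFACE dump`.
# Peer lines in the dump are tab-separated:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive

# plan_peer_resets IFACE NOW [MAX_IDLE]   (hypothetical helper name)
# Reads dump text on stdin, prints the wg commands that would reset idle peers.
plan_peer_resets() {
    awk -F '\t' -v ifc="$1" -v now="$2" -v max="${3:-180}" '
        NF != 8 { next }    # the interface line has 4 fields, peers have 8
        {
            pub = $1; hs = $5 + 0
            # Nothing stored for this peer: no endpoint, handshake or counters.
            if ($3 == "(none)" && hs == 0 && $6 + 0 == 0 && $7 + 0 == 0) next
            # Handshake within the window: peer is active, leave it alone.
            if (now - hs <= max) next
            if ($2 != "(none)") {
                # Re-adding needs the preshared key from a file; do not guess.
                printf "# skipped %s: preshared key must be re-supplied\n", pub
                next
            }
            add = "wg set " ifc " peer " pub
            if ($4 != "(none)") add = add " allowed-ips " $4
            if ($8 != "off")    add = add " persistent-keepalive " $8
            # Removing the peer drops its endpoint, handshake time and counters;
            # re-adding restores only the static key-to-address mapping.
            printf "wg set %s peer %s remove\n%s\n", ifc, pub, add
        }'
}

# Constructed sample dump (placeholder keys, documentation-range addresses).
sample_dump() {
    printf 'IFPRIV_constructed\tIFPUB_constructed\t51820\toff\n'
    printf 'PEER_A_constructed\t(none)\t203.0.113.7:40001\t10.99.0.2/32\t1000\t5120\t9216\toff\n'
    printf 'PEER_B_constructed\t(none)\t198.51.100.9:53000\t10.99.0.3/32\t1190\t100\t200\toff\n'
    printf 'PEER_C_constructed\t(none)\t(none)\t10.99.0.4/32\t0\t0\t0\toff\n'
}

# Dry run against the sample with the clock at t=1200: only PEER_A is idle.
sample_dump | plan_peer_resets wg0 1200
# On a real server (assumed interface wg0), review the plan before running it:
#   wg show wg0 dump | plan_peer_resets wg0 "$(date +%s)"
```

The re-added peer keeps the same public key and `allowed-ips`, so the fixed key-to-address mapping discussed later in the thread is unchanged by this cleanup.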

Well, I think it depends on your threat model. I wouldn't use Wireguard for purposes that require a high level of privacy.
But I think for the average user - as we all certainly are - it shouldn't be a major problem using it, at least if it is set up correctly. The guys at Mullvad apparently did their homework on this.

But still, Wireguard is far from being complete, but if you are keen on testing new tech stuff, go for it!

Regards,

BB.


I do not understand these "privacy concerns". You enter AllowedIPs=0.0.0.0/0 and disable config saving. The end. IP address of the client will still be in memory here and there, but so is the case with openvpn.

I will probably temporarily switch to mullvad when my subscription expires to try it. AirVPN is nice, but I would prefer using wg across the board. This is the last openvpn instance I have to deal with.

@rndbit

In Wireguard you need to map a static IP address in the VPN to a client key permanently as dynamic IP assignment is not available. The private IP address is easily found out by anyone. Once we receive a request by a proper authority about the VPN IP address we can link the address to a unique account. That's a serious privacy concern that does not exist in OpenVPN.

Now that we have ChaCha20 cipher even in OpenVPN Data Channel (including our OpenVPN 3 library), there's no pressure to push our customers toward dangerous solutions just for marketing reasons. We can quietly wait for a Wireguard stable release featuring all the implementations we need (dynamic IP addresses and TCP support).

Kind regards

 

56 minutes ago, Staff said:
@rndbit

In Wireguard you need to map a static IP address in the VPN to a client key permanently as dynamic IP assignment is not available. The private IP address is easily found out by anyone. Once we receive a request by a proper authority about the VPN IP address we can link the address to a unique account. That's a serious privacy concern that does not exist in OpenVPN.



 
I think because of this it would make sense to pay anonymously when planning to use Wireguard.

BB


But what I don't understand about this... you get a static private IP, that begins with 10.x.x.x. This IP is internal, not public. How could anyone find out, except the VPN provider?

54 minutes ago, BlueBanana said:

But what I don't understand about this... you get a static private IP, that begins with 10.x.x.x. This IP is internal, not public. How could anyone find out, except the VPN provider?


The simplest method is through WebRTC or any other STUN based technique, which will reveal your private addresses (or more precisely the IP addresses of your interfaces, virtual or real) even with Network Lock enabled (it will NOT reveal your public IP address, of course). Check in ipleak.net for example.

Kind regards
 
