routeninja

Wireguard response from Mullvad

@go558a83nk

The main advantage over OpenVPN in terms of performance is the fact that WireGuard runs in the kernel space while OpenVPN runs in the userspace. Cipher CHACHA20 is available in OpenVPN too. It's slower than AES in AES-NI-supporting systems, so it is very relevant only in those systems which do not support AES-NI, typically mobile and embedded devices based on ARM processors.

So when WireGuard can't run in the kernel space (for example when you use it in Android or iOS), you lose that gain.

The fact that WireGuard does not support TCP is bad for us, because it cuts out a very remarkable percentage of our users: those who have their ISP blocking or heavily shaping UDP, those who need to pass through some proxy (which supports only TCP) to get on to the Internet, and those who need to tunnel the VPN protocol over SSH or stunnel.

Kind regards
 

13 hours ago, go558a83nk said:

Saying that WireGuard gained performance by eliminating TCP is like saying my car got faster because I removed low gears. Physically impossible, and it's just silly.

WireGuard is supposedly faster because of its modern protocol and the fast ChaCha20 data cipher, and that's comparing UDP vs UDP.

Please read up on the facts. TCP-over-TCP introduces a dramatic loss in transmission performance known as TCP meltdown. OpenVPN also recommends using UDP to avoid this overhead. Anyway, yes, WireGuard is built from scratch with less code to execute and runs in kernel space, which also adds to its performance gain. Not liking and criticizing it because it doesn't do TCP is asinine, since you're using the wrong tool for your use case. If you need TCP, either run it over a TCP-supported method as mentioned before or use something else.

TCP stands for Transmission Control Protocol. Basically, it's a means of sending traffic over the Internet with some built-in measures to ensure that traffic can get to its destination. If anything goes wrong during transmission, the protocol has some means to try to find a solution (send the packet of information again, try an alternative route, or such). TCP meltdown occurs when you stack one transmission protocol on top of another, like what happens when an OpenVPN TCP tunnel is transporting TCP traffic inside it. The underlying layer may detect a problem and attempt to compensate, and the layer above it then overcompensates because of that, and this overcompensation causes delays and problems with the transfer of data. That's the layman's version of it that is easy to explain and understand. We therefore instead recommend that you use UDP, which has no transmission control, and on top of that send your TCP traffic as usual, so that there's only one layer of transmission control and the problem can be avoided.

Some people mistakenly believe that TCP is the best protocol to ensure the best reliability and performance for sending traffic over the Internet. This is the exception.

If you want to learn more there's a good article here on an external website: Why TCP Over TCP Is A Bad Idea

6 hours ago, Staff said:
@go558a83nk

The main advantage over OpenVPN in terms of performance is the fact that WireGuard runs in the kernel space while OpenVPN runs in the userspace. Cipher CHACHA20 is available in OpenVPN too. It's slower than AES in AES-NI-supporting systems, so it is very relevant only in those systems which do not support AES-NI, typically mobile and embedded devices based on ARM processors.

So when WireGuard can't run in the kernel space (for example when you use it in Android or iOS), you lose that gain.

The fact that WireGuard does not support TCP is bad for us, because it cuts out a very remarkable percentage of our users: those who have their ISP blocking or heavily shaping UDP, those who need to pass through some proxy (which supports only TCP) to get on to the Internet, and those who need to tunnel the VPN protocol over SSH or stunnel.

Kind regards

 

Agreed, I don't propose one solution or the other, but offer the option to those of us who want to use it as it fits what we are trying to do.

Thank you.

20 minutes ago, WxjThf8HJV5ShAQ said:

Please read up on the facts. TCP-over-TCP introduces a dramatic loss in transmission performance known as TCP meltdown. OpenVPN also recommends using UDP to avoid this overhead. Anyway, yes, WireGuard is built from scratch with less code to execute and runs in kernel space, which also adds to its performance gain. Not liking and criticizing it because it doesn't do TCP is asinine, since you're using the wrong tool for your use case. If you need TCP, either run it over a TCP-supported method as mentioned before or use something else.

TCP stands for Transmission Control Protocol. Basically, it's a means of sending traffic over the Internet with some built-in measures to ensure that traffic can get to its destination. If anything goes wrong during transmission, the protocol has some means to try to find a solution (send the packet of information again, try an alternative route, or such). TCP meltdown occurs when you stack one transmission protocol on top of another, like what happens when an OpenVPN TCP tunnel is transporting TCP traffic inside it. The underlying layer may detect a problem and attempt to compensate, and the layer above it then overcompensates because of that, and this overcompensation causes delays and problems with the transfer of data. That's the layman's version of it that is easy to explain and understand. We therefore instead recommend that you use UDP, which has no transmission control, and on top of that send your TCP traffic as usual, so that there's only one layer of transmission control and the problem can be avoided.

Some people mistakenly believe that TCP is the best protocol to ensure the best reliability and performance for sending traffic over the Internet. This is the exception.

If you want to learn more there's a good article here on an external website: Why TCP Over TCP Is A Bad Idea

I know this. What I'm saying is that removing TCP doesn't make UDP faster, but that's what you imply. People who complain about OpenVPN being slow have already tried UDP, as that's the default protocol with AirVPN and every other VPN I've tried. They're typically only using TCP if their network requires it.

3 hours ago, go558a83nk said:

I know this. What I'm saying is that removing TCP doesn't make UDP faster, but that's what you imply. People who complain about OpenVPN being slow have already tried UDP, as that's the default protocol with AirVPN and every other VPN I've tried. They're typically only using TCP if their network requires it.

What I'm saying is that TCP doesn't add any value to the WireGuard design, except if you want to use it to get through open ports. In that case, use something else.
  1. OpenVPN: TCP/TCP - Bad
  2. OpenVPN: UDP/TCP - You're establishing the tunnel via UDP here, so no gain over WireGuard
  3. WireGuard: You're establishing the tunnel over UDP, same as #2 above, but WireGuard is more performant, so choose wg.
I fail to see the benefit of OVPN UDP/TCP over WireGuard, unless you're trying to use a non-recommended configuration of OpenVPN (TCP/TCP), in which case you're only doing so due to other limitations, which should be the exception and not the rule.

BTW, another good reference where you can get WireGuard to work where UDP is blocked.

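A constructed toy model of the stacked-retransmission effect that the TCP meltdown explanation earlier in the thread describes, and of why option 2 in the list above (tunnel over UDP, TCP inside) avoids it. This is an added example, not code from the thread, AirVPN, OpenVPN or WireGuard; the loss pattern, RTT and timeout values are assumptions chosen to make the effect visible.

```python
"""Toy model: a TCP flow inside a TCP tunnel vs. inside a UDP tunnel.
Constructed example; all parameters are assumptions, not measurements."""

from itertools import cycle

# Constructed loss pattern for successive wire transmissions (True = dropped).
LOSS_PATTERN = [False, False, True, False, True, True, False, False]
BASE_RTT = 0.10    # seconds, assumed path round-trip time
OUTER_RTO = 0.30   # assumed retransmission timeout of the tunnel's TCP
INNER_RTO = 0.30   # assumed retransmission timeout of the inner TCP flow


def _send_until_delivered(wire):
    """Push one datagram through the lossy link, retransmitting until it
    gets through. Returns the number of wire transmissions consumed."""
    attempts = 1
    while next(wire):          # True: this transmission was dropped
        attempts += 1
    return attempts


def tcp_over_udp(segments, pattern=LOSS_PATTERN):
    """Inner TCP over a UDP tunnel: the tunnel simply drops lost packets,
    so only the inner TCP reacts to loss. Every wire transmission carries
    data that genuinely needed (re)sending, hence nothing is redundant."""
    wire = cycle(pattern)
    sends = sum(_send_until_delivered(wire) for _ in range(segments))
    return {"wire_sends": sends, "redundant_sends": 0}


def tcp_over_tcp(segments, pattern=LOSS_PATTERN):
    """Inner TCP over a TCP tunnel: the tunnel hides loss but adds delay.
    Once that delay exceeds INNER_RTO the inner TCP retransmits a copy the
    tunnel was already going to deliver; the copy is itself carried by the
    tunnel, so it consumes wire transmissions and can be lost again."""
    wire = cycle(pattern)
    sends = redundant = 0
    for _ in range(segments):
        attempts = _send_until_delivered(wire)
        sends += attempts
        # one-way delivery delay as seen by the inner TCP, plus the ACK's trip back
        ack_time = BASE_RTT / 2 + (attempts - 1) * OUTER_RTO + BASE_RTT / 2
        # every full INNER_RTO elapsed before the ACK triggers a redundant copy
        # (exponential backoff ignored to keep the model small)
        for _ in range(int(ack_time // INNER_RTO)):
            extra = _send_until_delivered(wire)
            sends += extra
            redundant += extra
    return {"wire_sends": sends, "redundant_sends": redundant}


if __name__ == "__main__":
    print("TCP over UDP:", tcp_over_udp(3))   # 4 sends, none redundant
    print("TCP over TCP:", tcp_over_tcp(3))   # 7 sends, 3 of them redundant
```

With the same three segments and the same loss pattern, the UDP tunnel spends 4 wire transmissions and the TCP tunnel 7, the extra 3 being copies of data the outer layer was already retransmitting.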

This thread was a very interesting read. I have to say I was considering switching back to PIA. I have a subscription with them, but I just don't trust anyone behind any software as much as I trust the guys at AirVPN. I spent a good year looking at VPN outfits and nobody gave me the warm feeling of trust I feel I have rightly placed in AirVPN.
I did want to try WireGuard, as friends of mine said it was better and may help my phone (Android 10) connection stay more stable; it's choppy and often mail servers won't connect (through Eddie), as well as other apps. It may be Eddie not being compatible with my OS though, so I am going to try OpenVPN for Android from the F-Droid store (when I work out how!). I will keep an eye on this thread, but for now I think I was mis-sold the idea of WG. I didn't even know there were security and/or privacy issues; in fact I was given the impression it was more secure and private! Glad I found this thread.
