Wireguard plans

[wireguard 0]

Hi Staff

Thanks for a new software and please (please...) forgive me for somewhat derailing the thread but I wanted to ask something important to me, you can even delete this and DM me or whatever if you prefer...

I wanted to ask a question about this software and in particular about OpenVPN and your plans for enabling support for Wireguard. For the last 10 years you've worked hard on supporting OpenVPN via GUIs like Eddie and furthering Linux support with Hummingbird and now this which has been great, however...

...Put simply, OpenVPN is terrible. Really terrible. It has massive overheads and performance issues (on the raspberry pi, connected via ethernet, I cannot get passed around 50-60mbps even though I have 150mbps internet), this is no surprise as it's a userland component and not native to the kernel unlike Wireguard now. With the fact WG gets 'free' support from kernel maintainers, and will be native to Android (and I guess Raspberry Pi soon enough) with the 5.4 kernel (so in 5-10 years, all devices will have native WG for 'free') what are your plans for rolling out WG support in these software?

I ask because I have loved (and do love) what you've done with your clients over the last 10 years but for me (and many others) it's time to retire OpenVPN and let it fade to history as the worst VPN library ever made (it's truly a disgusting hack compared to WG, which itself has some flaws I admit)

Are you able to commit to WG client support in this software in 2021? My subscription is expiring at some point and my purchase decision is based around moving to WG on all my devices, if you add beta support in this library I'd love to continue with deployment and switching once your implementation rolls out for testing, however for me OpenVPN dies in 2021 with or without AirVPN which would be sad after using it for so many years.

(In another note, I find the fact you've released yet another OpenVPN library deeply interesting...Whilst all your competitors are turning to shiny new thing you're further investing in the old beast, I do wonder and hope this is the right commitment for you and your customers, many people (such as myself) are turning to WG as it promises much faster performance and better on energy usage (important in Android!))

Edited ... by wireguard

[OpenSourcerer 1359]

Well, admit it, there is only one annoying thing about OpenVPN: It's performance in certain modern world use cases. Even Wireguard devs refer to this as the only thing they want to do better than OpenVPN. Its security, integrity and trustworthiness are not questioned. And neither should you. So this:

4 hours ago, wireguard said:

but for me (and many others) it's time to retire OpenVPN and let it fade to history as the worst VPN library ever made

is kind of an exaggeration on your part, probably driven by the fact you don't know too much about OpenVPN, only that Wireguard presumably does the one thing OpenVPN doesn't excel at better, therefore improving your experience. No word about the numerous audits it went through, how it's still unbroken and that it's been developed as FLOSS, more or less transparently, with the community, for two decades.

This is obviously not a point against Wireguard, or its adoption, but we should look at it with open eyes. No audits yet, and the protocol itself is mostly unproven in the wild (or rather, proven a few times that it's too easily disruptable). Maybe it's fixed, who knows, but if not, it will be with time. But is it really time for production use in a sensible use case like privacy?

Imagine you've got problems with walking, you have the fabulous inherited problem of being able to walk with one foot only, but besides that the last time you were sick was five years ago, and this was a small cold which lasted two days, with mild symptoms. Wireguard promises you that drinking this bottle of oil of its own making will make you move with two legs properly. It says the best kernel devs worked on the formula, they all have experience in oil mixing, medicine and surgery, they know why you can only walk with one foot and they found the cure. It's this bottle of oil. Drink it! "Wow, this solves my problem", you say, thinking about the one apparent problem you lived with for so long..
but what about your five-year record of staying perfectly healthy?

[wireguard 0]

I mean, Wireguard was launched [1] in 2016, so it took 4 years before reaching a 'stability' point and being included in the kernel. I think that alone suggests it's reached a maturity level where it can be deployed and used for its intended purpose, I am not sure the Kernel developers would've merged the code had they felt it didn't meet their requirements (and, ultimately, Linus signed off on it too, so it has his blessing).

You could argue whether any new code in the kernel is "ready" every merge cycle, but at some point it is put out there and the world can indulge or ignore it. However it should be a serious consideration by any VPN provider and it's their duty to work around the shortcomings compared to alternatives. OpenVPN is well understood and has a more mature stability, but WG is leaner and more efficient, and has substantial energy savings (less energy used = less battery used = less electricity = win for earth).

I am simply stating that I am interested in understanding whether AirVPN plans to adopt WG in 2021, if not, my business will move to perhaps less suited clients but those that offer WG support; I am happy with the tradeoffs and am competent to accept even weaker security at the expense of dropping OpenVPN entirely across my 'stack'. My motives are not to have the 'best' security but more a VPN that does its best to encrypt my data against my threat model, if the NSA can read it with WG then so be it, a tradeoff I am happy to make.

If the Staff were to commit on the record (whether that's worth anything or not) that WG will come then fair enough, maybe a 1/2 year subscription is warranted, but using OpenVPN when a more suitable option exists is the nature of the free market. I suppose as customers drop off over time (perhaps more move to WG VPN provider) the financial cost of maintaining OVPN will outweigh its benefits and they'll be forced to adopt WG (I give it 5 years max).

Needless to say, investing in AirVPN means investing in OpenVPN, and that's not acceptable to me at this point, I want my money to go to those who are actively working within the WG domain and programming against it (perhaps finding bugs, active on mailing lists etc).

Air has its own OPVN fork and made additions to the code. If only they did the same for WG, not sure why the money is being spent for ProMind to improve on a mountain of rubbish but there we go, 2020 and we get another Linux OpenVPN client - maybe some are excited by this, but as an individual I just feel sad by this development...

(not to make this into a rant but just look at the Eddie desktop source code, thousands of lines of code just to make OpenVPN 'work' and do the 'right' thing, I am hoping the same isn't required for WG and loads of the cruft can be removed entirely).


[1]: https://lists.zx2c4.com/pipermail/wireguard/2016-June/000002.html

Edited ... by wireguard

[Brainbleach 5]

I subscribe to a couple VPN services, one of which supports wireguard and I absolutely am a supporter of this protocol.  Not only does it provide a HUGE speed increase but it's state of the art cryptography is arguably better than OpenVPN's.  I understand Air's original stance to hold off on the implementation of wireguard a few years ago but now in 2020, it's time.  It's ready for mainstream adoption and that's why all major vpn providers have already started supporting it.  

[OpenSourcerer 1359]

11 minutes ago, wireguard said:

I am simply stating that I am interested in understanding whether AirVPN plans to adopt WG in 2021, if not, my business will move to perhaps less suited clients but those that offer WG support; I am happy with the tradeoffs and am competent to accept even weaker security at the expense of dropping OpenVPN entirely across my 'stack'. My motives are not to have the 'best' security but more a VPN that does its best to encrypt my data against my threat model, if the NSA can read it with WG then so be it, a tradeoff I am happy to make.

Yes, AirVPN plans on doing so, maybe even this year still.
Also, be careful with your words. You write, you want a protocol that does its best to encrypt your traffic but otherwise don't care if the NSA can read it, and you're willing to accept a security downgrade just to scratch OpenVPN. Well, let me introduce you to an already established protocol that fits this need precisely.
This contradicts what AirVPN stands for on so many levels, like, why should AirVPN adopt a protocol that can't keep the customers' traffic confidential? This also contradicts Mr. Brainbleach's "state of the art cryptography" argument. If the NSA could read WG, how is it more secure than OpenVPN, then, the contents of which the NSA provably could not decrypt in the past?

If you're willing to have less security for the sake of adopting a new, unproven-in-the-wild protocol, AirVPN might just not be the right VPN service for your use case. It's as simple as that. You could let your subscription run out and in two years you return and see what's up. It's a free market, after all, you wrote it yourself. Don't let AirVPN force you to stay with it.

[Staff 9750]

@wireguard

User "wireguard" is not an account with a valid AirVPN plan  If you really wanted to show your support to AirVPN and prove that you are a customer, you would have written from an account with a valid plan. In reality, accounts like "wireguard" seem to be created with the only purpose to pump something and defame something else. From now on, write only from an account that has valid plan, to show that you are in good faith.

Our plans about putting Wireguard into production in the near future have been published with a lot of details, albeit without a precise release date (and we have thoroughly explained why), so we will not write again for the nth time about them.

About performance, please provide details as we do frequently. Currently we outperform Wireguard with our setup in AES-NI supporting systems, as you can see from our and our customers' tests, while Wireguard can outperform OpenVPN in CHACHA20 in non-AES-NI supporting systems.
.
When we put Wireguard into production, OpenVPN will stay, so investing in our own OpenVPN development is perfectly fine.

Just a few reasons that make OpenVPN superior to Wireguard for many, different needs:

• it's faster than Wireguard in AES-NI supporting systems when it uses AES. Have a look here!
• it can be connected over stunnel, SSH, SOCKS5 and HTTP proxies, and Tor swiftly
• even for the above reason, for an ISP it's not so easy to block OpenVPN, while it's trivial to block Wireguard
• it supports TCP
• it supports dynamic IP address assignment
• it supports DNS push
• it does not hold in a file your real IP address when a connection is closed
• a significant part of our customers will not be able to use Wireguard effectively, simply because UDP is totally blocked in their countries or by their ISPs
• UDP blocking and heavy shaping are becoming more and more widespread among mobile ISPs, making Wireguard slower than OpenVPN in TCP even in mobile devices, or not working at all in mobility

About Torvalds and Linux kernel, you only tell a part of the story. Wireguard was first put in some Linux kernel line when Wireguard was still in beta testing and no serious audit was performed, and not put in a kernel milestone release.

A further note about battery draining you mentioned in one of your previous messages: our app Eddie Android edition and Wireguard, when used with the SAME bandwidth and the SAME cipher (CHACHA20-POLY1305), consume battery approximately in the same way, so that's yet another inessential point that does not support your arguments and show once more that our investments have been wise.

Finally, let's spread a veil on your embarrassing considerations on ciphers, security, privacy and NSA. Let's underline only that CHACHA20.-POLY1305 is very strong, the cipher algorithm in itself (if implemented correctly) is not a Wireguard problem in any way.

It would be a reason of deep concern if Wireguard needed OpenVPN defamation to convince us that it's a good software. Unfortunately various bogus accounts have been created with such assumption and purpose, and the hidden agenda is no more hidden.

Kind regards
 

[Flx 76]

17 hours ago, Staff said:

From now on, write only from an account that has valid plan, to show that you are in good faith.

Alright what have you done to correct this? Why do you still allow guests to post/reply-to-topics?
Content provided for/to members only get the same right as guests do?


 

[Brainbleach 5]

Just to make things clear, I am in no way wanting to "replace" open vpn with WG.  Open vpn has many valid use cases that WG can't replace.  But having it as an option for those who wish to use it would be nice.  I keep seeing comments about how it's "unproven" in the wild and whatnot and i'm not quite sure what you guys mean by that statement.  WG is running on a handful of other VPN's for a couple years now so how does that mean it's unproven?

[Staff 9750]

@Flx

The first message was approved by some moderator in the wrong thread, not a big deal. Then we moved the message on its own thread, this one. Then user "wireguard" posted more messages which were all approved by some moderator.

@Brainbleach

Of course. We were replying to "wireguard" who invites surreptitiously to punish AirVPN because AirVPN uses and develops actively OpenVPN: "Needless to say, investing in AirVPN means investing in OpenVPN, and that's not acceptable to me at this point," . He/she also kept claiming that "it's time to retire OpenVPN" (sic), that OpenVPN is a "truly disgusting hack" (sic) and so on,. showing his/her embarrassing ignorance and lack of good faith. Nothing to do with your messages.

Funny how bogus account writers are so eager to become from time to time AirVPN software lead developers, general managers for AirVPN strategies, marketing directors and more. 😀

We wanted to prove beyond any reasonable doubt that his/her claim are unreasonable and based on wrong assumptions and terrible omissions, showing how Wireguard can not replace OpenVPN for a significant percentage of our customers and how our OpenVPN development has been beneficial for many users around the world.

That said, we claimed that Wireguard needed to be developed and tested further years ago, so at the time our claim was totally reasonable. We also claimed years ago that the problem was not with CHACHA20 which to the best of nowadays knowledge is a very robust and secure cipher.

Now the problems are different because Wireguard is asked to offer something which it was not designed for, i.e. providing some kind of anonymity layer. Such problems include lack of DNS push, lack of dynamic IP address assignment (with subsequent problems with client key-private address static correspondence, a very tough legal problem for us but above all for our customers), need of keeping client real IP address stored in a file. We have resolved them one by one with external software and internal work around. Once the problems are resolved in a robust way, which means testing thoroughly the adopted work-around, we can offer Wireguard, not earlier.

Kind regards