Virtual private networks with WireGuard (lwn.net)
137 points by johnramsden on March 11, 2018 | hide | past | favorite | 38 comments



Good to see WireGuard getting some coverage. I've been embracing it from the very beginning for small scale Kubernetes clusters running on virtually any cloud provider lacking isolated private networking[1]. It's been running stable in different environments for more than a year; set up and forget. Unlike similar software it's also dead simple to configure.

Apparently, Linus wants it in the Kernel[2].

[1] https://github.com/hobby-kube/guide/blob/master/README.md
[2] https://lkml.org/lkml/2018/2/13/752


WireGuard is doing good things. PIA will be rolling out support shortly.


And a citation.

https://www.privateinternetaccess.com/blog/2018/01/private-i...

No timeline yet though but given the early state of WireGuard and the platform support that is understandable.


Can WireGuard work over TCP? Many captive portals I encounter daily block most ports and almost always allow only TCP. So I set up OpenVPN on port 443 over TCP, which has got through everything so far.


Couldn't you theoretically run traffic over pseudo-TCP? I.e. you send packets that look like TCP (IP packet type TCP + TCP header), but bypass the kernel's TCP stack and put arbitrary, packet-based data in it, like UDP. Theoretically speaking.


Yes, but the same middle boxes would choke on that too, either corrupting it or blocking it.


You might want to check whether they also allow UDP/53, that's a common exception.


There's no reason why it couldn't, but doing that would kill all the performance that it currently provides. You could fairly easily tunnel WireGuard over TCP using socat.


> Like many recent protocols, WireGuard is based on UDP.


Includes a nice description of how WireGuard works on Linux, and how it's different from other VPN implementations.


Is WireGuard working as an IPv4 tunnel, or can it transport arbitrary packets, like IPv6, becoming a tap interface?

Does it work as a link between two devices, or one-to-many? Does it support peer-to-peer connections within the group?


It is a layer 3 VPN that supports v4 and v6 payloads. It does not support any layer 2 connection like you would get from a tap interface.

You can certainly make a mesh of connections between different hosts by adding the remote peer's public key and IP address to each host's configuration. There is nothing in WireGuard that makes that automatic though.


Ah, so to connect N hosts together you need to configure N-1 connections in each of the hosts?

That's a bit of a hassle, though not prohibitive. A VPN that's secure and easy to configure would definitely be useful in getting all the components in our infrastructure talking to each other. No need to worry about authentication or encryption, it'd all be handled for you by the VPN.
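The full mesh the two comments above describe, as an added example that is not part of this thread or of the WireGuard project: a small Python generator that emits one wg-quick style config per host, with N-1 [Peer] sections each, and pins every peer's AllowedIPs to its single tunnel address so WireGuard's cryptokey routing accepts only that address from that key. Host names, endpoints and keys are constructed placeholders; the subnet and port are assumptions.

```python
import ipaddress

# Constructed inventory of three hosts; the public keys are placeholders,
# not real WireGuard keys (a real one is the base64 output of `wg pubkey`).
HOSTS = [
    {"name": "node-a", "pubkey": "PUBKEY_A_PLACEHOLDER",
     "endpoint": "203.0.113.10:51820", "tunnel_ip": "10.0.0.1"},
    {"name": "node-b", "pubkey": "PUBKEY_B_PLACEHOLDER",
     "endpoint": "203.0.113.20:51820", "tunnel_ip": "10.0.0.2"},
    {"name": "node-c", "pubkey": "PUBKEY_C_PLACEHOLDER",
     "endpoint": "203.0.113.30:51820", "tunnel_ip": "10.0.0.3"},
]

def check_inventory(hosts, subnet="10.0.0.0/24"):
    """Return a list of problems; a reused tunnel address or public key would
    make the cryptokey routing table ambiguous, so both are rejected."""
    net = ipaddress.ip_network(subnet)
    problems, seen_ip, seen_key = [], set(), set()
    for h in hosts:
        ip = ipaddress.ip_address(h["tunnel_ip"])
        if ip not in net:
            problems.append(f"{h['name']}: {ip} is outside {net}")
        if ip in seen_ip:
            problems.append(f"{h['name']}: tunnel address {ip} reused")
        if h["pubkey"] in seen_key:
            problems.append(f"{h['name']}: public key reused")
        seen_ip.add(ip)
        seen_key.add(h["pubkey"])
    return problems

def build_mesh(hosts, subnet="10.0.0.0/24", listen_port=51820):
    """Return {host name: wg-quick style config text} for a full mesh.
    Each host gets one [Peer] block per other host (N-1 blocks); each peer's
    AllowedIPs is its own /32, so only that address is routed to that key."""
    problems = check_inventory(hosts, subnet)
    if problems:
        raise ValueError("; ".join(problems))
    prefix = ipaddress.ip_network(subnet).prefixlen
    configs = {}
    for me in hosts:
        lines = [
            "[Interface]", f"# {me['name']}",
            f"Address = {me['tunnel_ip']}/{prefix}",
            f"ListenPort = {listen_port}",
            # Placeholder: generated with `wg genkey` on the host itself
            f"PrivateKey = PRIVATE_KEY_OF_{me['name']}_PLACEHOLDER", "",
        ]
        for peer in hosts:
            if peer is me:
                continue
            lines += [
                "[Peer]", f"# {peer['name']}",
                f"PublicKey = {peer['pubkey']}",
                f"Endpoint = {peer['endpoint']}",
                f"AllowedIPs = {peer['tunnel_ip']}/32",
                "PersistentKeepalive = 25", "",  # keeps NAT mappings open
            ]
        configs[me["name"]] = "\n".join(lines)
    return configs
```

Each generated text is what would go into that host's wg0.conf; the private key line must be replaced on the host, never distributed from a central inventory.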


If you want to connect all your hosts together in a mesh I suggest ZeroTier. It is an easy-to-set-up network designed for this use case.


That looks pretty slick, thank you. I wish I'd heard more about it, as I don't know how secure it is, but I'll give it a try.


I've been a long-time advocate of tinc. I'd love to see a comparison with WireGuard.


I've tried Tinc, Wireguard and OpenVPN. Currently I'm on OVPN via a pfSense box (doesn't support WG yet).

Tinc is neat if you need a mesh network but it was an utter pain to set up properly (half the time I wouldn't get any connection, the other half I would not get data over it).

OVPN and WG have been fairly pleasant in that regard, though OVPN still suffers from some non-obvious failure cases when you stray away from a simple VPN connection.

In my case, I only dial into an OVH instance to A) set up/configure containers on it and B) use OVH as a VPN.

Tinc's mesh network is overkill, the clients are all behind X number of NATs or firewalls and without the central server there is no use for the VPN.

I might think about Tinc again if I feel the urge to set up multiple boxes.


You might find this interesting: https://news.ycombinator.com/item?id=16325394

There was a lot of discussion of WireGuard there.


I use one of the many non-OpenVPN "VPN" alternatives. The one I chose has fewer lines/words/characters of code than WireGuard.

It does not require SSL/TLS, it can use Curve25519 and it is faster than OpenVPN.

It is a userland daemon (using /dev/tap), so it may be slower than WireGuard.

However I think it is more portable than WireGuard. (That is an important feature to me.)

How portable is WireGuard to BSD, Minix, Plan9, etc?


WireGuard isn't simply a vanilla transport that uses Curve25519 for key agreement and some symmetric encryption construction for bulk encryption. It's an instantiation of Trevor Perrin's Noise Protocol Framework, with special protocol allowances for zero-allocation implementation and for DoS avoidance.

It's easy to come up with something smaller than WireGuard if all you're doing is slapping some kind of encryption on a tun/tap device.


1. Easy is good. Example: The entire purpose of Noise is to simplify and make things easier for people.

2. I am not "slapping some kind of encryption" on tun/tap devices. Though it would be easy to do so, I have not required "bulk encryption" for this software to be useful. IMO, the flexibility to add this, easily, is indeed a feature worth mentioning (some users might need it), but not one I need right now.

3. Small, fast, flexible and portable are the software virtues most useful and therefore most important to me. What I see here in this cheap, senseless comment is the act of trying to superimpose some other user's virtues, e.g. encryption protocols. It is trying to impose one person's goals onto another person's goals without even knowing what the other person's goals are. The usual nerd web forum nonsense.

Not all users need, or value, the same things.

The authors of Curve25519 and the peer-to-peer software I use, both academics whose software is used by security consultants, do not spend time reading and interacting with the HN peanut gallery. In fact this is true of the authors of most software I use. I think there is a reason for that. Why do I waste my time reading this garbage? (Every time I respond to it I feel like I have been suckered/duped into playing a time-wasting game.)

Because despite the garbage comments there are some interesting, unconventional end users who read HN. Not sure where else one would find this audience all checking the same website.

How "easy" it was for any of these authors I mentioned to write the software I value is mildly intriguing but truthfully not something I really care about. The fact is that they were the only ones to write it and publish it. That is what is important to me.

All of this is tangential to the question: Is Wireguard portable to BSD, Minix, Plan9, etc.?

But I guess the fact that whatever I am using, for almost 10 years before WireGuard appeared, is smaller than WireGuard has irked someone into trying to dismiss that prior software. The reason apparently is that it might have been "easy" to avoid writing a large amount of code.

It might have been easy to do for the original author, but for those 10 years, no one else did it. The alternatives chose significantly different (IMO, inferior) designs and were all much larger, stacked with "features" and complexity I did not need.

The temptation to make things complicated and larger than they need to be is irresistible for most people writing software. It takes serious effort to find authors who can resist this temptation, effort most users will not make. I make that effort and reap the rewards.

The author of the parent comment exploits that temptation and the larger number of undetected mistakes it produces as a business.

It is easy to see the competing interests and inherent biases between a user that values relatively small, simple software and a security consultant who needs relatively large, complex software (the norm) to continue to exist in order to stay in business.


I really don't care about any of this. I would only push back on the idea that you might want to choose VPN software by first verifying that it somehow can take advantage of Curve25519 and then counting lines of code (whether or not you choose to include OpenSSL's line count). No, that would get you to some bad places.


The problem with your comments is they assume things about other users. You have no idea what software I use, how I verify it, how I modify it or how I use it. You have no idea what I am doing. Stop making assumptions.

If you really don't care (as would be expected) then don't downvote and comment.

If you want to use this forum to give unsolicited "advice" to readers then you can do that (easy for me to filter this out). But please do not use my comments as a launching pad for your free "advice" and "guidance".

If you want to change what software people use, why not write some software yourself and publish it?


"... (whether or not you choose to include OpenSSL's line count)..."

Why does someone just assume everyone wants to use OpenSSL?

I have never intentionally chosen to use libssl or other SSL/TLS libraries and I never will. (That won't stop this person from replying to a comment that has nothing to do with SSL/TLS to tell us how we can use SSL/TLS to get whatever it is we are after.) Not gonna happen with this user.

The reason I am interested in Curve25519 is precisely because I am not interested in OpenSSL. I am interested in Curve25519 because I like the type of software the author writes.

That author writes what I consider to be relatively small, fast, portable, flexible software. The authors of OpenSSL write the sort of software I do not like to use, for a variety of reasons. There are too many to list. OpenSSL, and SSL/TLS in general, is nothing more than a PITA to me.

It is a nuisance.

I do not care if SSL libraries offer Curve25519. I was already using Curve25519 before they adopted it. I am not interested in SSL/TLS. I do not care how much anyone else likes it.

I am interested in alternatives to SSL/TLS and the prevailing web PKI. The author of Curve25519 provided prototypes for one such alternative.

I do not care what someone else thinks of these, when that person can offer zero technical analysis to support his snarky opinions. The only thing that matters to me is what I think of the software. If I like it, I use it.

I use CurveCP every day on my own network. If somebody giving free "security advice" on a web forum has a problem with the fact that I like some software, then they should take it up with the author of the software who published it.

Me, I am just a satisfied end user. I know nothing.


If you offer bad security advice, you can reliably expect me to correct it.


That's what you think I did? I said I was using some unnamed peer-to-peer software. I never told anyone else to mimic me. I did not even answer others who asked me to name the software. Interestingly, I never said I personally was using encryption, nor did I explain how encryption might be implemented, yet you went right ahead and assumed you knew how this software worked and how I was using it, including something about "slapping some encryption on a tun/tap device".

I do not offer security advice nor do I tell people what to do or what not to do in web forums. That is what you do.

Do you hold any professional licenses? Ones that permit you to give advice? I am guessing you do not. How would someone hold you to account for receiving bad advice?

If you honestly think I am "offering security advice", then why not ask me, "You mentioned that you use some software that can (optionally) perform encryption. Are you offering security advice?"

The answer will always be "No." (I am not obsessed with security. The primary "threat model" for me is advertising and certain web developers who want to waste my time.)

I am not a "conventional" user. I do not choose software based on popularity or the opinions of others. Other HN readers are not going to follow me like some sort of pied piper, if that is what you are worried about. Especially since, with a few exceptions (where I am using well-known software that is popular on HN), I am not even disclosing the "brand names" of the software I am using. Even if I did disclose, the majority of HN readers would not want to use what I am using. I make sacrifices they would not be willing to make.

It would be nice to be able to discuss software choices with other nonconventional users reading HN, but it is precisely because of commenters like yourself that unconventional users like me are better off keeping such things to themselves.

Keep up the good work.


Thomas couldn't have downvoted you there: HN doesn't let users downvote replies to their own comments.


I meant the downvote and accompanying reply I got on the initial comment I made where I asked the question "How portable is WireGuard to BSD, Minix, Plan9, etc.". Even if he did not do the downvote, a comment like the one he left triggers an automatic flurry of downvotes.

He claims something about "bad security advice". But really what is going on is he is telling people what software to use again, and what software not to use.

I mention I am using some software, for a purpose he does not know (no encryption is in fact required for my use), without naming the software, and he posts some inane comment about writing such software being "easy". I am not the author of the software in question, I believe he is a talented software author, and I really don't care how easy it was for him to write.

What I care about is that, being small in size, I can work with the source code more easily. What I care about, the things about software I value, is not "security advice". It's what I care about.

Of course what he cares about, the software he chooses to endorse, is security advice. I do not care what software he likes or doesn't like. But he will not spare us his opinions. Because he is here to "give advice".

I do not endorse software. I rarely name the software I am using. I might describe it generally. While I may have different preferences and make different choices, I certainly do not try to put down other users' choices in software. Other users specify software by name, provide links and wax poetic about it. The "security expert" says nothing.

I make a comment about software I am using, and the qualities of software I care about (small, portable, fast, flexible), without naming the software, and suddenly we have (as he claims) a "bad security advice" alert.

Never mind that the point of the comment is to ask if WireGuard is portable, so I can try using it.

I find the idea that someone is actively trying to indiscriminately control what software HN readers use to be insulting. If advice or recommendations are sought, then requests for advice or recommendations will be made. But when someone is trying to suppress or discredit the informed choices of users who are neither seeking (nor giving) advice, then that is truly pathetic.

One would hope that reasonable persons would be above this sort of behavior.


Do you mind sharing which “VPN” alternative this is? Thanks!


While I have no idea given the... oddity... of this subthread, I might posit `tinc` is being referred to here: https://www.tinc-vpn.org/faq/

ETA: this is based on the open source code which may be modified, userland daemon status, /dev/tap usage... Portability... etc.

In any case - tinc is excellent


FWIW, that is not what I use.

I should have not mentioned anything about other software. It is irrelevant to the question.

The question was/is: How portable is WireGuard?


https://www.wireguard.com/xplatform/

There exist closed source third party clients for Windows/OS X, and WireGuard itself currently has two (unreleased) reference libraries in Go and Rust to support future cross-platform clients.

So the answer to "how portable" is probably "portable" :-) (I don't know if there are any plans for _kernel_ mode implementations for anything but Linux, but cross-platform user mode clients are part of the project's goals)


Thank you. It sounds like portability may come via a userspace program. I look forward to it.


Or, you could just say what you are using. Is there a reason you don't?


[flagged]


I found your post interesting. What you describe looks like something I might want to use or at least experiment with. That was the reason I requested information on the software you were using. I don't know 'tptacek' or how he is involved in this.


Does he? He said that a similar design is straightforward.

In 2014 I wrote up a spec for something that exactly matches that comment (linking tun/tap devices via Curve25519-protected UDP) and started implementing it. I know you're not using that because I never finished it. My employer shut down shortly thereafter and I wasn't able to transfer ownership of the IP to myself.

So this isn't a nonobvious idea. There's no clairvoyance required.


I fail to see how the "obviousness" of the software I choose to use has anything to do with the simple question I posed: Is WireGuard portable?

The fundamental idea of using /dev/tap to accomplish peer-to-peer networking goes back further than when this software was written and further back than Curve25519. Who cares? This is a silly tangent.

The point about clairvoyance is that one cannot criticise software just because it uses /dev/tap. One needs to know much more than that. He does not know what software it is I am using, only that I'm not using WireGuard (yet). He does not know how I am using it, what changes I have made or what my particular needs are as a user. But it seems he wants to put down someone else's choice of (undisclosed) software and elevate his own choice, as a WireGuard user.

I have seen this sort of "commentary" before, too many times. The need to tell others what software is good, bad, what they should or should not use, etc. This is done unsolicited, without knowing anything about the user's particular needs and use cases, without providing detailed technical reasons for their opinions, and at least with this particular user, it is often worded in some ridiculous didactic style. To be clear, I am referring to countless posts by this particular member over many years, to the aggravation of other users, not simply the one comment in this thread.

There are reasons I try to avoid naming software; one is because of commentary like this, by HN members eager to criticize others' software choices without any justification.

I am really tired of this sort of commentary and the childish attitude it represents.

Trust me when I say that the details of the design of the software I am using are unique amongst the open source Layer 2 alternatives. While they are all perhaps obvious and easy to implement, they have not been selected by the alternatives, for whatever reasons. I sincerely doubt one could guess the details of this design, let alone the code itself, just from my mentioning it includes a userspace program utilising /dev/tap. And even if they could, who cares? This is a useless tangent.

The question was: Is WireGuard portable?

Apologies to anyone reading this for the distraction I inadvertently triggered.

Focus should be on WireGuard.


?



