Wireguard
When Linus endorses something like this
Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.
lkml - 02 Aug 2018
You’ve got to take notice… Can it be true? Is it really possible that he’s giving high praise to somebody’s code? 99.99% of the times whenever something from Linus hits HN/Reddit, it’s because he’s chewing off somebody’s head(and usually, with good reason). Take, for instance, this from a couple of months ago:
The fact is, using a union to do type punning is the traditional AND STANDARD way to do type punning in gcc. In fact, it is the documented way to do it for gcc, when you are a f*cking moron and use "-fstrict-aliasing" and need to undo the braindamage that that piece of garbage C standard imposes.
lkml - 05 Jun 2018
In fact, there’s a whole /r/linusrants
subreddit dedicated to Linus’s rants
In any case, that sort of praise is enough to pique my curiosity and look a little more into Wireguard. I run a few OpenVPN servers in the cloud - mostly to bypass restrictive proxies at work. Since these are typically on the smallest VM SKUs available on the cloud provider, anything that promises more efficiency and/or lower latency is welcome.
Wireguard vs others
And if that isn’t convincing enough:
-
Just 4k LoC, modern crypto that’s easy to audit [compared to 100s of Klocs for OpenVPN ]
-
In kernel module - so a lot more efficient
-
Set up is very easy - like setting up password less SSH (in fact, easier than that)
Server
Setting up Wireguard is quite easy - there are numerous guides on the internet - the one that I used is here. What’s nice about this particular guide is that it also walks you through setting up a DNS server so that you can prevent against DNS leaks.
Clients
Linux
The Linux CLI client worked pretty flawlessly from my home desktop which is on KDE neon. Wireguard plugins to network manager are still being written - so you’d have to wait for it if you want something pointy/clicky. IMO though, the cli is very very easy.
Android
There’s also an Android app that you can get from the play store after signing up to the beta. Again, worked flawlessly. Do note that this is still user mode - however there are custom ROMs that integrate Wireguard into the kernel [so it’s more efficient and a lot less battery hungry] If LineageOS integrates Wireguard into their default kernel, I’d basically have a good reason to put a custom ROM on the PixelXL.
Issues
I wanted to exclude private network traffic (so everything except 192.168.x.y, 172.16.x.y and 10.x.y.z gets routed through VPN). I changed the wireguard client configuration on my desktop to this:
[Interface]
Address = 10.200.200.2/32
PrivateKey = <snip>
DNS = 10.200.200.1
[Peer]
PublicKey = <snip>
Endpoint = <snip>:2194
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
# AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
That should have done the trick (it’s a list of all networks other than private networks) - but once I enabled the config,
it would’nt route traffic - and I’m not exactly sure why. I’ve currently reverted AllowedIPs = 0.0.0.0/0
What’s next
Other than that, Wireguard seems very cool - especially if it gets merged soon and becomes a part of the linux kernel.
Does this mean that we can get rid of OpenVPN? Alas, doesn’t look like it - primarily due to two reasons:
-
There’s no open source Windows client to Wireguard yet. If Windows is part of your mix, then you should probably stick to OpenVPN. There’s a closed source windows client [TunSafe] but then that goes against the spirit (and even if you don’t give a damn about the spirit, you should choose open source products/solution for anything that’s security sensitive)
-
Wireguard is UDP only. If outgoing ports are blocked, you can try common ports like 80/443 that are left open - but if UDP is blocked, you’re out of luck
However, Wireguard’s clearly the future - so I’ve setup wg on all my cloud servers. I also plan to set it up on my home router which is basically a way to justify a router upgrade :) since Wireguard client and server are also built into LEDE/OpenWrt