> WireGuard doesn't work over TCP.<p>I see this repeated in a lot of places about WireGuard but is there anything wrong with UDPTunnel (<a href="http://www.cs.columbia.edu/~lennox/udptunnel/" rel="nofollow">http://www.cs.columbia.edu/~lennox/udptunnel/</a>)?<p>Why would one prefer this instead of WireGuard + UDPTunnel?
It's cool but the author's motivation doesn't make sense.<p>OpenVPN was too hard to set up so they decided to write their own VPN from scratch? It's cool as an academic endeavor but by actually using it, they not only tossed out all the years of security work and the audits OpenVPN has gone through but also spent a ton of time creating something that they now will have to personally maintain.
3 source files, amazing. This is a great opportunity for folks to learn more about implementing a VPN.<p>I'm planning to re-implement it in Rust (to learn from) and then contribute to WireGuard's Rust effort.
I automatically cringe and walk away when I see TCP over TCP. I’ve been bitten by it too many times. Someone correct me if I’m wrong, but it’s fundamentally incorrect and is pretty much guaranteed to devolve into pathological cases.
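A toy discrete-event simulation of the effect this comment refers to, added here as an illustration and not part of the thread or of any project it discusses. It models a stop-and-wait inner TCP with RFC 6298-style doubling timeouts sending through either a UDP tunnel (a lost datagram is simply gone) or a reliable, in-order TCP tunnel that retransmits with its own doubling timeout while the inner TCP keeps its own timers. The timer values, link delay and loss pattern are constructed; the reverse path is assumed lossless and the outer connection's window and bandwidth are not modelled, so elapsed time is understated and the point is the count of redundant datagrams the two stacked retransmission schemes put on the wire.

```python
import heapq
import random

ONE_WAY_MS = 50       # one-way delay of the physical link (constructed)
INNER_RTO_MS = 200    # inner TCP initial retransmission timeout (constructed)
OUTER_RTO_MS = 200    # outer tunnel TCP initial retransmission timeout (constructed)


class TunnelSim:
    """Stop-and-wait inner TCP pushing `segments` segments through a tunnel.

    mode="udp": a lost datagram is simply gone; only the inner TCP recovers it.
    mode="tcp": the tunnel is itself reliable and in-order, so it retransmits
    lost datagrams with its own doubling timeout, while the inner TCP keeps
    running its own timers and also retransmits; the outer connection then
    queues and faithfully delivers those duplicates as well.
    """

    def __init__(self, mode, loss, segments, seed=1):
        self.mode, self.loss, self.segments = mode, loss, segments
        self.rng = random.Random(seed)        # reproducible, constructed loss pattern
        self.events, self.order, self.now = [], 0, 0
        self.wire_sends = 0                   # datagrams put on the physical link
        self.seq = 0                          # inner segment awaiting its ACK
        self.inner_rto = INNER_RTO_MS
        self.timer_id = 0                     # guards against stale timeouts
        self.oseq = 0                         # outer (tunnel) sequence counter
        self.next_deliver = 0                 # outer seq the reliable tunnel must hand up next
        self.arrived = {}                     # outer seq -> inner seq, arrived but head-of-line blocked

    def schedule(self, delay, kind, payload):
        heapq.heappush(self.events, (self.now + delay, self.order, kind, payload))
        self.order += 1

    def put_on_wire(self, inner_seq, oseq, attempt):
        self.wire_sends += 1
        if self.rng.random() < self.loss:
            if self.mode == "tcp":
                # reliable outer layer: retransmit after its own backed-off RTO
                self.schedule(OUTER_RTO_MS * 2 ** attempt, "outer_retx",
                              (inner_seq, oseq, attempt + 1))
            # udp mode: nothing happens; only the inner TCP timer will notice
        else:
            self.schedule(ONE_WAY_MS, "arrive", (inner_seq, oseq))

    def inner_send(self):
        self.put_on_wire(self.seq, self.oseq, 0)
        self.oseq += 1
        self.timer_id += 1
        self.schedule(self.inner_rto, "inner_timeout", self.timer_id)

    def deliver(self, inner_seq):
        # receiver ACKs immediately; reverse path modelled as lossless
        self.schedule(ONE_WAY_MS, "ack", inner_seq)

    def run(self):
        """Returns (datagrams sent on the wire, milliseconds until the last ACK)."""
        self.inner_send()
        while self.events and self.seq < self.segments:
            self.now, _, kind, payload = heapq.heappop(self.events)
            if kind == "arrive":
                inner_seq, oseq = payload
                if self.mode == "udp":
                    self.deliver(inner_seq)
                else:
                    self.arrived[oseq] = inner_seq
                    # in-order delivery: one lost datagram blocks everything behind it
                    while self.next_deliver in self.arrived:
                        self.deliver(self.arrived.pop(self.next_deliver))
                        self.next_deliver += 1
            elif kind == "outer_retx":
                self.put_on_wire(*payload)
            elif kind == "inner_timeout":
                if payload != self.timer_id:
                    continue                  # timer for a segment already ACKed or resent
                self.inner_rto *= 2           # exponential backoff as in RFC 6298
                self.inner_send()             # in tcp mode this is a redundant copy
            elif kind == "ack" and payload == self.seq:
                self.seq += 1
                self.inner_rto = INNER_RTO_MS
                if self.seq < self.segments:
                    self.inner_send()
            # ACKs for duplicates of an already-advanced segment fall through and are ignored
        return self.wire_sends, self.now


def compare(loss, segments=500, seed=1):
    """Wire sends per delivered segment for both tunnel types at a given loss rate."""
    return {mode: TunnelSim(mode, loss, segments, seed).run()[0] / segments
            for mode in ("udp", "tcp")}


if __name__ == "__main__":
    for loss in (0.0, 0.05, 0.1, 0.2, 0.3):
        r = compare(loss)
        print(f"loss={loss:.2f}  udp-tunnel: {r['udp']:.2f} sends/segment"
              f"  tcp-tunnel: {r['tcp']:.2f} sends/segment")
```

With zero loss both tunnels cost exactly one datagram per segment. As soon as datagrams are lost, the TCP tunnel's own retransmission arrives no earlier than the inner timer fires, so every loss produces the outer retransmission plus an inner duplicate that the outer connection dutifully queues behind the head-of-line blocked data; the per-segment wire cost for the TCP tunnel therefore climbs faster than for the UDP tunnel as the loss rate rises.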
> Uses only modern cryptography, with formally verified implementations.<p>That's a bit light on details. Does it have hardware acceleration? Replay attack protection? Perfect forward secrecy? What are the underlying algorithms? Implementation verified by whom?<p>> Small (~25 KB), with an equally small and readable code base. <i>No external dependencies.</i><p>This looks cool, however I don't like the fact that it doesn't use a trusted crypto library such as libsodium. It is likely to get less review and if weaknesses are detected in the algorithms, it is less likely to be improved.
Reminds me of this: <a href="https://github.com/unbit/vpn-ws" rel="nofollow">https://github.com/unbit/vpn-ws</a><p>Too bad that it never evolved further.
> Maybe:<p>> * Support for multiple clients.<p>As long as it doesn't support multiple clients that can connect to each other, it's more of a proxy/gateway than a VPN.
> OpenVPN is horribly difficult to set up.<p>OpenVPN is dead easy to set up with a shared secret, and it can work over TCP in pretty much the same way.
> WireGuard doesn't work over TCP<p>Can somebody well versed explain what the difference between TCP and UDP is in this case? I obviously know what these are, I just don't understand why it's such a debatable choice applied to VPNs.
What's the significance of emphasizing port 80 and 443? You can assign basically any ports to any application. If some firewall blocks all traffic but 443, you can configure the service yourself to listen on 443.
Is openvpn really that hard to set up? I don't remember having any issues just tweaking the default config file. If you want tcp 443 you just:<p><pre><code> port 443
proto tcp
</code></pre>
Is that really too hard?
I wonder how it fares compared to VPN over ssh, <a href="https://help.ubuntu.com/community/SSH_VPN" rel="nofollow">https://help.ubuntu.com/community/SSH_VPN</a>
But does it look like SSL traffic? That's the problem with OpenVPN, it's quite easy to detect. For restrictive environments I much prefer Ocserv (uses OpenConnect/AnyConnect protocol) or Microsoft's SSTP protocol.<p>I was back in Dubai recently and sadly WireGuard didn't work, so I had to use OpenConnect, which, while it doesn't have the connectionless-like behaviour of WireGuard, at least worked.
Or you could encapsulate OpenVPN inside stunnel to make it indiscernible from regular HTTPS traffic<p><a href="https://www.perfect-privacy.com/en/manuals/linux_openvpn_stealth_stunnel" rel="nofollow">https://www.perfect-privacy.com/en/manuals/linux_openvpn_ste...</a>
A simple noob question: in this context where I want to access a private remote machine, what are the advantages of a VPN (let's say over TCP, I don't know if it matters?) vs. a simple ssh tunnel?
>Doesn't perform any heap memory allocations<p>That's fascinating, I wonder how they managed that (unless they used cheats like sbrk of course).