I tried OpenVPN and IPsec, and IPsec works much better for a Windows client and Linux server. Also, CPU load for the server was much lower (I'm using a very low-power VPS). I don't think that it's because of the userland implementation, but rather because OpenVPN has some implementation issues. So I'm using IPsec now. Unfortunately I've hit some problems with IPv6. I managed to configure a real IPv6 address from the VPS's /64 subnet for each client, but this configuration does not work reliably.

Another problem is that I did not find a way for Windows to keep the tunnel up all the time. There's some way for an "Always on" connection, but I couldn't configure it; there's no GUI option, it seems to require a lot of PowerShell magic, and there are no easy-to-follow tutorials.

Another problem with IPsec is that only strongSwan provides an adequate implementation. The OpenBSD iked daemon can't send a certificate chain, so I can't use a Let's Encrypt certificate. Libreswan does not support the MSCHAP-V2 protocol, so easy configuration with username/password is not possible. Also, the default strongSwan configuration does not allow Windows clients to connect without further tweaks (Windows does not want to use strong ciphers and strongSwan does not want to use weak ciphers).

It's a mess.

So, yeah, WireGuard might be interesting for me, as I still haven't found a suitable solution which checks all the boxes. IPsec works for me, but it's not ideal.

Last time I checked, WireGuard for Windows was in beta, but it looks like it's stable now according to the website. I guess it's worth trying now.
One thing I like about WireGuard is that beginner tutorial setups for it are point-to-point, which means that it's highly available. If one node goes down, only communications to it are lost; the rest of the network is still up. Beginner tutorial setups for OpenVPN are for gateways, where the gateway is a single point of failure.

Point-to-point is annoying because you have to update every node when you add or change a node, but we have appreciated the HA aspect of it.

Of course I'm sure you can do point-to-point with OpenVPN and you can do gateways with WireGuard, but their design does influence how they're used.
Is there a way with WireGuard to replicate the "push routes from the server" feature of OpenVPN? I would really like to switch but I cannot find a way to replicate that.
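As an added example (not code from either of the two comments above), a small Python generator for the full-mesh, point-to-point topology described above. It also shows where WireGuard's counterpart to pushed routes lives: there is no server-side push, each node's own AllowedIPs decide what it routes to which peer, so a new node means regenerating every node's config. It goes one step further than the comments with a check for prefixes that two peers both claim. Node names, endpoints, tunnel addresses and keys are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    endpoint: str              # public "host:port"; sample values below are constructed
    tunnel_ip: str             # this node's address inside the overlay
    pubkey: str                # base64 WireGuard keys; placeholders here, not real keys
    privkey: str
    lan: Optional[str] = None  # LAN behind this node that peers may reach through it


def render_config(me: Node, nodes: List[Node]) -> str:
    """wg-quick config for `me`: one [Peer] block per other node, i.e. a full mesh."""
    lines = ["[Interface]", f"Address = {me.tunnel_ip}/24", f"PrivateKey = {me.privkey}",
             f"ListenPort = {me.endpoint.rsplit(':', 1)[1]}", ""]
    for peer in nodes:
        if peer == me:
            continue
        # AllowedIPs is the cryptokey routing table and, under wg-quick, also the kernel
        # route: WireGuard has no server-side route push, each node decides locally.
        allowed = [f"{peer.tunnel_ip}/32"] + ([peer.lan] if peer.lan else [])
        lines += ["[Peer]", f"# {peer.name}", f"PublicKey = {peer.pubkey}",
                  f"Endpoint = {peer.endpoint}", f"AllowedIPs = {', '.join(allowed)}",
                  "PersistentKeepalive = 25", ""]
    return "\n".join(lines)


def render_mesh(nodes: List[Node]) -> Dict[str, str]:
    """Every node's config; adding one node changes all of them."""
    return {n.name: render_config(n, nodes) for n in nodes}


def allowed_ip_conflicts(me: Node, nodes: List[Node]) -> List[Tuple[str, str, str]]:
    """Prefixes claimed by two peers of `me`: a prefix maps to exactly one peer in the
    cryptokey routing table, so a LAN claimed twice is a configuration error."""
    claims = [(p.name, ip_network(net, strict=False)) for p in nodes if p != me
              for net in [f"{p.tunnel_ip}/32"] + ([p.lan] if p.lan else [])]
    return [(a, b, str(na)) for i, (a, na) in enumerate(claims)
            for b, nb in claims[i + 1:] if na.overlaps(nb)]


# Constructed three-site overlay; two sites advertise a LAN behind them.
NODES = [
    Node("alpha", "198.51.100.10:51820", "10.9.0.1", "ALPHA_PUB_PLACEHOLDER=", "ALPHA_PRIV_PLACEHOLDER=", "192.168.1.0/24"),
    Node("bravo", "203.0.113.20:51820", "10.9.0.2", "BRAVO_PUB_PLACEHOLDER=", "BRAVO_PRIV_PLACEHOLDER=", "192.168.2.0/24"),
    Node("charlie", "192.0.2.30:51820", "10.9.0.3", "CHARLIE_PUB_PLACEHOLDER=", "CHARLIE_PRIV_PLACEHOLDER="),
]
```

Write each value of `render_mesh(NODES)` to `/etc/wireguard/wg0.conf` on the matching host and run `allowed_ip_conflicts` for every node before deploying.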
One big advantage that IPsec has over both OpenVPN and WireGuard is that the client is built into both iOS and Android, so you don't have to worry about finding an appropriate client.

The last time I tried OpenVPN, the client seemed to primarily be a vehicle for displaying ads for a VPN service that I wasn't interested in (I wanted to VPN back to my home network, not to an endpoint in another country).
WireGuard is an excellent choice. Much simpler and faster (lower CPU, according to my benchmarks). It's also much better on Windows, as it doesn't have to use the crufty old tun/tap driver. It's smooth and easy cross-platform, and so much simpler than OpenVPN.
What is the current status of WireGuard being added directly to the mainline Linux kernel? I know there was a push to do this a while back, but as far as I know it has not been added—is that correct, and is it still planned to happen sometime?
I find that setting up any kind of VPN is always a PITA. I'm so relieved since I found sshuttle [1].

[1] https://sshuttle.readthedocs.io/
Does anyone have a good solution for keeping VPNs connected on an iPhone? I've set one up in the past and wanted to always stay connected to my VPN server at home, but I've found the biggest challenge isn't setting up the VPN, but making sure it stays connected or reconnects when the signal is interrupted.
I tried WireGuard between an Ubuntu server and my OS X machine and the speed is turtle-slow:

https://www.reddit.com/r/WireGuard/comments/cor7ze/wireguard_from_osx_ubuntu_it_connect_but_web/

It's unsolved.
Time for a shameless plug, but I hope someone will find my experience useful.

I tried a wide variety of VPN solutions, including WireGuard, IKEv2, OpenVPN, L2TP/IPsec and PPTP. Eventually I came to the conclusion: I don't need a VPN at all with all its packet-level machinery, I just need a fast encrypted proxy for browser and IM to forward my TCP connections securely.

And in practical terms, even WireGuard is not the fastest substitute for a proxy, because packet loss on the last mile (roughly) causes delays comparable to the RTT between client and destination server, versus a proxy, where retransmission on last-mile packet loss occurs only between the proxy server and the client (it's also true for OpenVPN in TCP mode, but that has much more serious downsides caused by packet encapsulation inside a stream protocol). Despite the fact that WireGuard and other packet-level tunnels have higher theoretical throughput (from the server's point of view), simple TCP-to-TCP connection forwarding often achieves higher practical speeds and is more durable if such TCP forwarding does not depend on the state of an underlying tunnel. So I decided: forwarding each TCP connection in a separate encrypted connection will be just fine.

There already exists software which allows wrapping SOCKS in TLS or SSH (for example stunnel or haproxy for the TLS case and OpenSSH for the SSH case), but the TLS handshake delay for each connection kills the speed benefits for a typical browsing scenario. Dynamic port forwarding via the SOCKS proxy built into the OpenSSH client has another drawback: all forwarded connections are multiplexed into a single one, and in real networks with packet loss this makes high speeds unreachable.

For these reasons I decided to re-implement both stunnel and the OpenSSH client for connection forwarding purposes.

Here it is: https://github.com/Snawoot/ptw - a TCP-to-TLS wrapper which keeps a pool of established TLS connections in order to eliminate the TLS handshake delay. It may serve as a transparent proxy on a Linux router (it sends the haproxy PROXY protocol v1/v2 in the connection prologue) or as a wrapper for a plain SOCKS/HTTP/whatever proxy.

And the second one: https://github.com/Snawoot/rsp - Rapid SSH Proxy, a faster [1] replacement for `ssh -ND`. It also uses connection pooling and, unlike the default OpenSSH client, maps TCP connections one-to-one to SSH connections. You don't need any setup on the server side: a working SSH server should already be enough.

And this is how I quit hating. Now I don't need to turn the proxy on/off, because it doesn't impose a performance penalty. In Speedtest I achieve almost full connection speed (mine is 100 Mbps) with ptw or rsp (versus 50 Mbps with WireGuard).

[1] https://github.com/Snawoot/rsp#performance
Big fan of Pritunl VPN. Hands down the best VPN interface I've ever used. I would actually say it was pleasant. It only took about an hour to set up my first one, and it's like a 15-minute task to set up a new one now. Highly recommend it for anyone setting up a new VPN.

Personally, I found Wireshark's documentation confusing and it left me unsure of the best practices. I'm sure if I used it regularly it would be clear; this was just my first impression and then I left it behind.