For anyone wanting to try it, WireGuard with Algo VPN [1] to set it up on a server is a great combination. I found it quite easy to set up and use.<p>Algo has built-in support for various cloud providers, where, when you run it from, say, your desktop, it can set up the VPN server for you based on answers to some questions (with sensible defaults) and some information on connecting to the provider (like an API key, for example). You also get QR code images that you can use to install a VPN profile on your phone.<p>You can also run Algo from within a server and have it set up the VPN for you.<p>[1]: <a href="https://github.com/trailofbits/algo" rel="nofollow">https://github.com/trailofbits/algo</a>
WireGuard is great, but I think it's really undersold when it's described as being just a VPN. It's really an encrypted tunnel that is configured like a network adapter in the Linux network stack.<p>This lets you configure it with stuff like systemd-networkd and unit files, or easily spin up a tunnel with a few `ip` commands, and set up some simple nftables rules to do all sorts of stuff.<p>I do use it as a VPN as well, but it's so much easier to set up than, say, OpenVPN, where you need to create tun/br interfaces and then tie them together with a service, etc. That said, OpenVPN and other actual VPN software does more than just a tunnel (like pushing routes, config settings, etc), so WireGuard cannot replace everything by itself.<p>The documentation is rather sparse, but there isn't much to it either. The manpages have what you need to know and the rest is just general Linux network stack knowledge.
One thing I wish for wireguard: the ability to look up keys/ips in an external system like LDAP. I moved an entire call center [50+ people] fully remote last week. We're using wireguard. Key management stinks, and that is my only complaint! It is an incredible piece of software and I'm very thankful for it.
I'm a bit baffled by WireGuard. From 10 000 feet, the protocol is similar to IPSec - encrypt packets, and send them over the internet using a connectionless protocol.<p>So why is it so much better?<p>Is it because it's a new and simpler <i>implementation</i> than what we have for IPSec?<p>Is it because the protocol, being newer, is simpler and cleaner than IPSec?<p>Is it because, being newer, it can use a modern ciphersuite?<p>Are there fundamental advances in the design?<p>One of the nice things about IPSec is that it's a standard. There's a reasonable chance that two endpoints written by separate parties will be able to communicate. Introducing a whole new protocol whose main implementation is its definition seems like a step backwards.
Given the occasion, could someone write a paragraph about what downstream effects are expected by wireguard existing? So far I’ve seen mostly technical arguments for it. VPNs have become a more important piece of infrastructure now. The most significant approachability increase really came from mobile-based solutions and autopilot systems like Google’s Outline.<p>Will WG make a marked difference in stability, speed, approachability for normal users, or what can we expect?
I really hope WireGuard becomes a standard and gets included in the macOS/iOS and Windows kernels as well. Key management and other fancy features could be left to userspace applications but having the basic wg capability in the kernel would be great.
I'm a big fan of Wireguard. I wrote wg-access-server [1] as an all-in-one wireguard VPN solution. I recently added some docs [2] and support for deploying with Helm. I'd love some feedback on here or on github. Give it a try.<p>[1] <a href="https://github.com/place1/wg-access-server" rel="nofollow">https://github.com/place1/wg-access-server</a>
[2] <a href="https://place1.github.io/wg-access-server/" rel="nofollow">https://place1.github.io/wg-access-server/</a>
I recently set up WireGuard on my new dedicated server and it is amazingly easier compared to OpenVPN. I've set up several site-to-site and client-to-site VPNs on OpenVPN so maybe I'm just used to all the iptables/route gotchas, but not needing to do the whole CA/easyrsa stuff is a huge bonus.<p>I like how their official tutorial video shows all the raw ip commands and then shows their wg-quick configuration script. That way you understand what the script is doing and what commands it's running.<p>One big limitation is that it cannot bind to a specific IP address. The author states it shouldn't matter because it won't respond without the right auth key (and it doesn't support TCP so people can't tell if it's sitting there listening) but I found I did get into weird routing loops where packets will come in on one IP and go out on another one. The primary outgoing IP is what shows up when you run `wg show`.<p>It is super weird to implement a brand new service and have a config option for the port, but not the IP address(es) to listen on.
I like the idea of WireGuard as a simple tunnel, but I wish people would stop comparing it with VPNs. VPNs have lots of extra functionality that is necessary to support a variety of use cases, both functionally (like pushing routes or scripts to clients) and security-wise (like real key management and SSO).<p>I literally can't replace any VPN I currently use with Wireguard because I would lose needed functionality. I could maybe replace the tunnel to a bastion host, but even then I would actually be worse off security wise, because I'd be losing cert-based key management. (ex. <a href="https://smallstep.com/blog/use-ssh-certificates/" rel="nofollow">https://smallstep.com/blog/use-ssh-certificates/</a>)
Now I really want to know when raspbian will get linux kernel 5.6. The most recent version of raspbian came out in February 2020 and uses linux kernel 4.19, which came out in late 2018.<p><a href="https://en.wikipedia.org/wiki/Linux_kernel_version_history" rel="nofollow">https://en.wikipedia.org/wiki/Linux_kernel_version_history</a>
Very exciting news, indeed! Finally WireGuard is in the Linux kernel 5.6 onwards (will arrive soon in the next few days for those who are on rolling releases).<p>I've been using WireGuard to replace IPsec (strongSwan - the whole stack is way too complex, plus client configuration issues, which outweighs the benefits) and OpenVPN (latency, bandwidth / performance is the biggest complaint) for remote access and mainly encrypting traffic from/to terminal devices when accessing the Internet via unknown hops/routes/paths.<p>On the other hand, WireGuard is simple (cryptokey routing), modern, elegant, easy to configure & use, fast, and most importantly, reliable over the past 2.5 years, now even better without DKMS headaches ;-)<p>The WireGuard client for iOS works as well as strongSwan for Android (which I missed a while ago) in terms of 1. on-demand, 2. roaming between networks, 3. power consumption / overhead. The macOS and Windows ones also work very well.<p>Problems: WireGuard does not scale well when used for global overlay network use cases (nebula does a much better job for this purpose). Another issue for VPN providers: each client has a static IP configuration, which conflicts with privacy and surveillance; I'm curious to see how Cloudflare's 1.1.1.1 solves the problem.<p>Last but not least: the WireGuard protocol is easy to block. Therefore, I look forward to seeing obfuscation plugins / extensions for WireGuard; it will serve a much bigger purpose for people who live under censorship/surveillance (e.g. inside the GFW) so as to protect privacy and get back their right to access the `real` Internet.<p>Many thanks to Jason and the WireGuard team behind the scenes!
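The "cryptokey routing" the comment above credits for WireGuard's simplicity (and the network-adapter model described earlier in the thread) comes down to one table per interface that maps a peer's public key to its AllowedIPs, consulted in both directions. The Python below is an added illustration written for this page, not WireGuard's code or anything posted in the thread; the peer names are placeholders standing in for base64 public keys and the three-peer table is constructed.

```python
"""Cryptokey routing as a lookup table.

Added illustration, not WireGuard's code: one table per interface mapping a
peer's public key to its AllowedIPs.  Outbound, the destination address
selects the peer (hence the key) a packet is encrypted to.  Inbound, after
decryption, the packet's source address must fall inside the AllowedIPs of
the peer whose key authenticated it, or the packet is dropped.  Longest
prefix wins, so a 0.0.0.0/0 exit peer coexists with specific /32 peers.
Peer names below are placeholders standing in for base64 public keys.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyTable:
    def __init__(self) -> None:
        self._entries: List[Tuple[IPNet, str]] = []

    def add_peer(self, pubkey: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix belongs to exactly one peer; re-adding it moves it,
            # which is also how `wg set ... allowed-ips` behaves.
            self._entries = [(n, k) for n, k in self._entries if n != net]
            self._entries.append((net, pubkey))

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match of ip against every peer's AllowedIPs."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[IPNet, str]] = None
        for net, key in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, key)
        return best[1] if best else None

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Peer whose key encrypts a packet to dst; None means no route, drop."""
        return self.lookup(dst)

    def accept_inbound(self, decrypted_by: str, src: str) -> bool:
        """The peer that authenticated the packet must also own its source IP."""
        return self.lookup(src) == decrypted_by


def demo() -> Dict[str, object]:
    """Constructed three-peer table: two road warriors and one exit node."""
    table = CryptokeyTable()
    table.add_peer("PEER_LAPTOP", ["10.0.0.2/32"])
    table.add_peer("PEER_PHONE", ["10.0.0.3/32", "fd00::3/128"])
    table.add_peer("PEER_EXIT", ["0.0.0.0/0", "::/0"])
    return {
        "to_laptop": table.outbound_peer("10.0.0.2"),
        "to_internet": table.outbound_peer("93.184.216.34"),
        "to_phone_v6": table.outbound_peer("fd00::3"),
        # the phone cannot impersonate the laptop's tunnel address
        "phone_spoofs_laptop": table.accept_inbound("PEER_PHONE", "10.0.0.2"),
        "phone_genuine": table.accept_inbound("PEER_PHONE", "10.0.0.3"),
        # the exit node may source any Internet address ...
        "exit_any_src": table.accept_inbound("PEER_EXIT", "8.8.8.8"),
        # ... but not one already owned by a more specific peer
        "exit_spoofs_laptop": table.accept_inbound("PEER_EXIT", "10.0.0.2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The inbound source check is the part that has no direct analogue in a plain tunnel: a peer can only inject packets that claim its own addresses, so no extra firewall rule is needed to stop one client from spoofing another across the interface.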
Any ideas how to get a client-server style VPN setup with WireGuard working with IPv6 so that it keeps working even if the public IP address of your VPN server changes? The configurations I've seen assign a statically configured IP address to a client. This works fine with NATted IPv4, but with IPv6, addresses are "public", so the client must basically know the prefix of the server to be able to configure a sane address, and if that changes, the configuration must be changed by hand.
Does anyone know of a decent bash script (or even self-hosted page) that one could use to administer WireGuard?<p>Could go very far with trivial functionality, such as listing, adding and removing users and downloading a config file/QR code.
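The kind of minimal administration the comment above asks for, as an added example written for this page rather than the thread's or any project's code: a small Python module that lists, adds and removes peers in a wg-quick style server config and emits the matching client config. It assumes a 10.0.0.1/24 tunnel, identifies users by public key, and derives keys with an in-process X25519 so it runs without wireguard-tools; the constructed sample's server key is the RFC 7748 section 6.1 test vector and must never be used for real. Names such as `add_peer` and the `vpn.example.org:51820` endpoint are this example's own.

```python
"""Peer administration for a wg-quick style WireGuard server config.

Added example, not code from any project in the thread.  Assumes one [Interface]
whose Address is e.g. 10.0.0.1/24 plus one [Peer] per user, users identified by
public key, the next free /32 for each new user, and a full-tunnel client config.
Keys come from an in-process RFC 7748 X25519 ladder so this runs without
wireguard-tools; it is not constant-time, so use `wg genkey | wg pubkey` for real.
"""
import base64
import ipaddress
import os
from typing import Dict, List, Tuple

P = 2 ** 255 - 19

def x25519(k: bytes, u: bytes = b"\x09" + b"\x00" * 31) -> bytes:
    """RFC 7748 Montgomery ladder; with the default u = 9 it returns the public key."""
    kb = bytearray(k)
    kb[0], kb[31] = kb[0] & 248, (kb[31] & 127) | 64    # scalar clamping
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def pubkey_of(priv_b64: str) -> str:
    return b64(x25519(base64.b64decode(priv_b64)))

def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a config into the [Interface] dict and one dict per [Peer]."""
    iface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    cur = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return iface, peers

def render_conf(iface: Dict[str, str], peers: List[Dict[str, str]]) -> str:
    out = ["[Interface]"] + [f"{k} = {v}" for k, v in iface.items()]
    for p in peers:
        out += ["", "[Peer]"] + [f"{k} = {v}" for k, v in p.items()]
    return "\n".join(out) + "\n"

def add_peer(server_conf: str, endpoint: str, dns: str = "10.0.0.1") -> Tuple[str, str]:
    """Return (updated server config, client config) for one new user."""
    iface, peers = parse_conf(server_conf)
    server_addr = ipaddress.ip_interface(iface["Address"].split(",")[0])
    taken = {server_addr.ip} | {
        ipaddress.ip_interface(p["AllowedIPs"].split(",")[0]).ip for p in peers}
    addr = next(h for h in server_addr.network.hosts() if h not in taken)
    priv, psk = b64(os.urandom(32)), b64(os.urandom(32))
    # the server will accept packets under this key only with this /32 as source
    peers.append({"PublicKey": pubkey_of(priv), "PresharedKey": psk, "AllowedIPs": f"{addr}/32"})
    client = render_conf(
        {"PrivateKey": priv, "Address": f"{addr}/{server_addr.network.prefixlen}", "DNS": dns},
        [{"PublicKey": pubkey_of(iface["PrivateKey"]), "PresharedKey": psk, "Endpoint": endpoint,
          "AllowedIPs": "0.0.0.0/0", "PersistentKeepalive": "25"}])
    return render_conf(iface, peers), client

def remove_peer(server_conf: str, pubkey: str) -> str:
    iface, peers = parse_conf(server_conf)
    return render_conf(iface, [p for p in peers if p.get("PublicKey") != pubkey])

# Constructed sample; its key is the RFC 7748 section 6.1 test vector, never use it for real.
RFC7748_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SAMPLE_SERVER_CONF = f"""[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {b64(RFC7748_PRIV)}
"""

if __name__ == "__main__":
    server_conf, client_conf = add_peer(SAMPLE_SERVER_CONF, "vpn.example.org:51820")
    print(server_conf, client_conf, sep="\n")   # pipe the client part into qrencode -t ansiutf8
```

Listing users is just `parse_conf(...)[1]`. After writing the returned server config back to /etc/wireguard/wg0.conf, the standard wireguard-tools pair `wg syncconf wg0 <(wg-quick strip wg0)` applies the peer change without tearing down existing sessions, and `qrencode -t ansiutf8 < client.conf` renders the client config for a phone. The per-peer PresharedKey is optional in WireGuard; it is included here because it costs nothing and the generated client and server halves must carry the same value.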
Could WireGuard be a good choice for server-to-server encryption instead of TLS? (for example between a TLS terminating load balancer to the application servers)
This is <i>really</i> good news.<p>I've used a ton of VPNs over the years, even some I wrote myself, and I've never seen anything that comes close to wireguard in terms of: ease of use, speed, cleanliness of code.<p>The world just got a whole lot more secure and flexible.
For anyone wanting to set up WireGuard with the Pi-hole DNS blocker: I would advise <a href="https://github.com/racbart/wireguard-pihole" rel="nofollow">https://github.com/racbart/wireguard-pihole</a>. Just a simple shell script. No Docker or Kubernetes required. I installed it on the cheapest DigitalOcean VPS, and it has been running without issues for over a month now. (About 6 phones belonging to me and my friends, and a few desktops, are using it.)
<a href="https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel/" rel="nofollow">https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-...</a> is a related article.<p>(Via <a href="https://news.ycombinator.com/item?id=22731279" rel="nofollow">https://news.ycombinator.com/item?id=22731279</a>, but no comments there.)
This is good to hear. There is a lot of trendy junk that people seem to want in the linux kernel. I've been waiting for WireGuard to prove itself before I give it a shot.
Do I understand correctly? You use WireGuard to set up your own VPN servers? Doing this is a lot more expensive than buying a VPN subscription, but it can be more secure if you know what you're doing, right?