WireGuard VPN review: A new type of VPN offers serious advantages

If you aren&#x27;t using WireGuard yet, do. Setting it up is super easy, I wrote a guide for common setups:<p><a href="https:&#x2F;&#x2F;www.stavros.io&#x2F;posts&#x2F;how-to-configure-wireguard&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.stavros.io&#x2F;posts&#x2F;how-to-configure-wireguard&#x2F;</a>

Unfortunately WireGuard is UDP only, so I can&#x27;t even use it to get out through the university wifi firewall. 80 &#x2F; 443 on TCP only.<p>At least OpenVPN, for all the criticism the article throws at it, has the configurability to pass through the various strange firewall rules that exist in the real World. Waiting eight seconds for negotiation isn&#x27;t a big deal when the new and shiny &#x27;replacement&#x27; doesn&#x27;t have a hope of working.

Having been running WireGuard in my router for a couple of months now I have to say it&#x27;s just the first ever VPN to offer no bandwidth penalty and a very easy setup. Now I have IPv6 through the VPN, all traffic from the house is routed through anonymous servers and I&#x27;ve had no problems with the connection dropping. Very nice work here.

Is Wireguard stable and ready for general use? The Wireguard devs seem to think it&#x27;s not:<p><a href="https:&#x2F;&#x2F;www.wireguard.com&#x2F;#about-the-project" rel="nofollow">https:&#x2F;&#x2F;www.wireguard.com&#x2F;#about-the-project</a><p><i>Work in Progress</i><p><i>WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We&#x27;re working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with &quot;0.0.YYYYMMDD&quot;, but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.</i>

Why can&#x27;t we have IPSec + IKEv2 everywhere as originally intended as part of IPv6. No &quot;VPN&quot; necessary.

Linus is also a huge fan of wireguard overall: <a href="http:&#x2F;&#x2F;lkml.iu.edu&#x2F;hypermail&#x2F;linux&#x2F;kernel&#x2F;1808.0&#x2F;02472.html" rel="nofollow">http:&#x2F;&#x2F;lkml.iu.edu&#x2F;hypermail&#x2F;linux&#x2F;kernel&#x2F;1808.0&#x2F;02472.html</a><p>Praise like this from him is rare.

Does anyone know if any commercial VPN providers implement WireGuard yet on iOS? &gt; &quot;An iOS app is available in the WireGuard repository, but as it isn&#x27;t in the App Store yet. It&#x27;s probably not going to do you any good unless you&#x27;re an iOS developer yourself.&quot;<p>The article references code for iOS apps but also states that &quot;it needs to be baked right into the kernel for that to happen.&quot;. Would iOS apps also need the iOS Kernel (say iOS 12.x or iOS 13.x) to include WireGuard to take advantage of some of the speed advantages over OpenVPN?

Is there any &quot;easy&quot; algo-like setup? I&#x27;ve checked but all of them still seem to involve a lot of steps. I could do it but I&#x27;d prefer if there&#x27;s some quick start to test it out.

I wonder how it works in ChromeOS, anyone tried it? I had OpenVPN working for a while, but the debugibility of it was pretty low, it was a pain to set up. I was always turning it on and off, unlike my Linux laptop where it would just always be on and working. That&#x27;s using the built in OpenVPN, not an android app. I wonder if setting it up in the &quot;ChromeOS centrally managed&quot; mode would help any?<p>I&#x27;m really using my chromebook a lot these days at home, but wish I had a better VPN option for it.

&gt; Waiting for Windows support is going to put WireGuard out of reach for many users for another few months.<p>Haven&#x27;t tried it yet but Mullvad.net just released a VPN app for Windows:<p><a href="https:&#x2F;&#x2F;mullvad.net&#x2F;en&#x2F;blog&#x2F;2018&#x2F;8&#x2F;14&#x2F;official-release-new-mullvad-vpn-app-windows&#x2F;" rel="nofollow">https:&#x2F;&#x2F;mullvad.net&#x2F;en&#x2F;blog&#x2F;2018&#x2F;8&#x2F;14&#x2F;official-release-new-m...</a>

Recently we had to decide what to use and went with IPSec instead of WireGuard. Any reasons to reconsider and switch to WG? Thanks.

If you&#x27;d like to run a memory-safe-ish implementation of WireGuard, apparently there is a working Go version: <a href="https:&#x2F;&#x2F;www.wireguard.com&#x2F;xplatform&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.wireguard.com&#x2F;xplatform&#x2F;</a>

Tried it but couldn&#x27;t make it work.<p>When someone provides instructions to set up a WireGuard server on my Linux server and a client on my Android, I might just buy into that &quot;easy setup&quot; story.

I love the Android client. OpenVPN used to consume some 25% of the battery life. With wireguard it&#x27;s next to nothing and it&#x27;s very very quick to connect. Great stuff!

Regarding the whole-protocol versions instead of mix and match negotiation: is there a reason that wouldn&#x27;t have worked for TLS? At least technologically; I&#x27;m sure it was a non-starter politically.<p>I&#x27;m just wondering if there are any actual downsides to this scheme. It seems like such an obviously good idea that I&#x27;m second-guessing myself.

What bothers me in the Article, the official documentation and almost all guides for wireguard is that they ignore ipv6 completely. They either result in a leaking vpn or bad working one where all ipv6 connections fail.

&quot;SipHash24 for hashtable keys&quot;<p>Someone can correct me, but I would prefer Tabulation Hashing to SipHash, even though SipHash is by DJB. Tabulation Hashing offers optimal guarantees and performance, and it&#x27;s much simpler.

Automatic roaming seems to be the killer feature that nobody has noticed - I know IPsec has this to a degree but Wireguard looks like it works much faster.

I don&#x27;t like that it is running in the kernel. Running in userspace makes everything more secure and I&#x27;m fine with little less bandwith.

From a security perspective, what happens if the wireguard key is passed to another user?<p>How would you implement MFA in a wireguard system?

Is supporting EAP planned? Like EAP-IKEv2, which can use passwords for authentication and session keys, RFC3748 ?

I don&#x27;t know much about the fundamentals of networking and security, just asking - can a Linux server with WireGuard installed to be able be detected by GFW (the Great FireWall) and thus get the IP address blocked?<p>On the other hand, I couldn&#x27;t wait for the Windows client.

So the control program is just &quot;wg&quot;. We only have one namespace for commands so using a two-letter combination for something as obscure as controlling VPNs is not very clever. Two-letter combinations should be left to user aliases and core things like cp, ls, df.

I feel I gotta mention Tinc <a href="https:&#x2F;&#x2F;www.tinc-vpn.org" rel="nofollow">https:&#x2F;&#x2F;www.tinc-vpn.org</a> The article mentions it&#x27;s existence but then ignores it...<p>It is as easy to use as WireGuard and has two advantages over wireguard. 1. It will automatically mess, and find the best path. 2. It has a far wider range of platforms supported than wireguard.

4096 bit keys, comparison, aah. Sounds like the crypto stuff is really badly off in this article. Key length alone doesn&#x27;t practically mean anything. Classic VPN lies and hype.