NordLynx: NordVPN Builds New Tech Around WireGuard

#11

Originally posted by EarthMind:
    The difference between AzireVPN and NordVPN in the context of Wireguard is
    that AzireVPN literally hacked their own servers to make it impossible to see and log the data. They paid the Wireguard dev to do it, but it's a standalone kernel module, not an addition to Wireguard, and I really doubt you can upstream this as it's really a malware-like hack and Torvalds would hit you repeatedly with a stick if you tried.

It's opensource, but it's not really a good solution.
hire Jason to write a rootkit-like module that removes the ability of an ordinary system administrator to query endpoint or allowed-ip information about WireGuard peers and disable the ability to run tcpdump.

"This here is a monkey-patcher that tinkers with the security hooks infrastructure, rootkit-style, in order to intercept netlink messages."
"This module makes no attempt at plugging all holes and leaks, and the current methods used are prone to be buggy at best. Also, this won't work with paravirtualization, since it works primarily by twiddling with cr0; hence this code is also x86/amd64 only. On old kernels, this disables SELinux/AppArmor and does voodoo magic that might murder kittens to discover non-exported symbols. Such magic only works on 64-bit and its success may vary based on which compiler is in use."
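Added example, not part of any post in this thread and not AzireVPN's or WireGuard's code: the post above turns on what "endpoint or allowed-ip information about WireGuard peers" means in practice. The standard `wg show <iface> dump` output (tab-separated, field order as documented in wg(8)) already hands an ordinary administrator the mapping from each client's tunnel address to its real source IP and port. The parser below reads a constructed dump (placeholder keys, RFC 5737 documentation addresses), extracts exactly that correlation, and shows a redacted view suitable for metrics logging, which is the data-minimisation alternative to hiding the fields with a kernel module.

```python
"""Parse `wg show <iface> dump` output and separate the privacy-sensitive
per-peer fields from the operational ones.

Added example for this thread.  SAMPLE_DUMP is constructed: the keys are
placeholders and the addresses are documentation ranges, nothing here was
captured from a real server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample.  Line 1 is the interface (private-key, public-key,
# listen-port, fwmark); each further line is one peer (public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx,
# transfer-tx, persistent-keepalive), as `wg show ... dump` prints them.
SAMPLE_DUMP = (
    "PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBKEY_PLACEHOLDER=\t51820\toff\n"
    "PEER1_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.45:41237\t10.8.0.2/32"
    "\t1566740000\t123456\t654321\toff\n"
    "PEER2_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n"
)


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]     # client's real IP:port as last seen (sensitive)
    allowed_ips: List[str]      # tunnel address(es) routed to this peer
    latest_handshake: int       # unix time, 0 = never handshaked
    rx_bytes: int
    tx_bytes: int


def _none(value: str) -> Optional[str]:
    """wg prints the literal '(none)' for unset fields."""
    return None if value == "(none)" else value


def parse_dump(text: str) -> List[Peer]:
    """Return one Peer per non-interface line of a `wg show dump` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers: List[Peer] = []
    for line in lines[1:]:                      # lines[0] is the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(
            public_key=fields[0],
            endpoint=_none(fields[2]),
            allowed_ips=[] if fields[3] == "(none)" else fields[3].split(","),
            latest_handshake=int(fields[4]),
            rx_bytes=int(fields[5]),
            tx_bytes=int(fields[6]),
        ))
    return peers


def active_endpoints(peers: List[Peer]) -> Dict[str, str]:
    """tunnel address -> real endpoint, for peers that have completed a
    handshake.  This is the correlation a 'no logs' promise is about: any
    admin who can run `wg show` can build this table."""
    table: Dict[str, str] = {}
    for peer in peers:
        if peer.endpoint and peer.latest_handshake:
            for tunnel_ip in peer.allowed_ips:
                table[tunnel_ip] = peer.endpoint
    return table


def redacted_view(peers: List[Peer]) -> List[Dict[str, object]]:
    """Operational summary with the sensitive fields dropped: enough for
    capacity metrics (sessions up, bytes moved) without recording who
    connected from where."""
    return [
        {
            "peer": peer.public_key[:8] + "...",   # short id, not the full key
            "connected": bool(peer.endpoint and peer.latest_handshake),
            "rx_bytes": peer.rx_bytes,
            "tx_bytes": peer.tx_bytes,
        }
        for peer in peers
    ]


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print("what an admin can see:", active_endpoints(parsed))
    print("what a metrics log needs:", redacted_view(parsed))
```

Running it prints the one active tunnel-to-endpoint pairing for the constructed peer 1 (peer 2 has never handshaked, so it has no endpoint) next to the redacted summary; the difference between those two outputs is what the kernel-module approach in the post tries to enforce at the kernel level rather than in the logging pipeline.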


#12

starshipeleven why would there be a need to upstream this? It is not the goal of wireguard to be a fully private VPN solution. It just wants to be a safe and efficient VPN solution. But that's not well enough for private vpn services, therefore this modification is a good solution to use wireguard's functionality in an environment where as much privacy as possible is required.

Whether it's a rootkit like solution doesn't matter if it's intended to be run on the system it's developed for without doing harm or creating backdoors.


#13

Originally posted by EarthMind:
    starshipeleven It is not the goal of wireguard
I'm not discussing project goals as the project leader(s) can always change them on a whim, I'm discussing implementing features that some of the (big) users of this protocol actually need (or will need), which is a fair request and may or may not make sense as a contribution from such big users.

Is this technically feasible or is this something that goes against Wireguard's architecture and therefore not possible even in theory?

    this modification a good solution
this modification (of AzireVPN) is bullshit imho, it's the same as putting the servers under a physical lock and denying also remote access to them so the admins can't see what is happening. Security by obscurity, but with a kernel module doing things that may or may not affect system stability and will probably need maintenance to still run on newer kernels.

Enough to play innocent to a government perhaps, but not enough to actually protect from a malicious actor.

NordVPN's way seems to involve NAT and afaik that means it adds overhead (less than switching to OpenVPN, but still), but it's at least an integrated solution not relying on a kernel hack.


#14

Originally posted by aksdb:
    Great. WireGuard is simple enough that every VPN provider now spins their own incompatible fork. So we end up with no proper NetworkManager integration or even no Linux support at all, even though the underlying protocol would PERFECTLY allow it.

    (Another developer who just went down that road is Blokada.)
And if we take a look at openvpn, it has overgrown into an enterprise monstrosity, huge, slow, goddamn complicated, nearly impossible to audit, full of bugs (some of which are inevitably vulns) and bringing a ton of dependencies (=more vulns to be worried of). SSL/TLS is a big trouble on its own, as a protocol. Getting it right is just nearly impossible.

The result is laughable. Say, DPIs can block openvpn in no time - and trying to patch the protocol to avoid it would prove a bitch, as you have to grind these stockpiles of code. Still, there're plenty of VPN services that did it - so you can have openvpn-like something that isn't openvpn and/or runs some custom "configuration manager" app/script on top of that. So, uh, sorry, but openvpn is a weakling when it comes to defending itself from hostility yet very complicated. It's also slow, which matters on small devices. A SOHO router is a very logical place for a vpn gateway, securing ALL devices behind it - but it tends to be slow with openvpn. Unfortunate crypto choices + plenty of context switches make it rather unappealing for a solution like this.

IPSec ... would be pretty much snake oil that is also very difficult to set up and often doesn't survive traversing "imperfect" network setups. Wireguard also somewhat shares this problem being UDP - sometimes TCP could be the only option (e.g. corporate firewalls have little reason to allow UDP).
Last edited by SystemCrasher; 25 August 2019, 02:48 PM.