NordLynx: NordVPN Builds New Tech Around WireGuard


  • SystemCrasher
    replied
    Originally posted by aksdb:
    Great. WireGuard is simple enough that every VPN provider now spins their own incompatible fork. So we end up with no proper NetworkManager integration or even no Linux support at all, even though the underlying protocol would PERFECTLY allow it.

    (Another developer who just went down that road is Blokada.)
    And if we take a look at openvpn, it has overgrown into an enterprise monstrosity: huge, slow, goddamn complicated, nearly impossible to audit, full of bugs (some of which are inevitably vulns) and bringing a ton of dependencies (=more vulns to be worried about). SSL/TLS is a big trouble on its own, as a protocol. Getting it right is nearly impossible.

    The result is laughable. Say, DPIs can block openvpn in no time - and trying to patch the protocol to avoid it would prove a bitch, as you have to grind through these stockpiles of code. Still there're plenty of VPN services that did it - so you can have openvpn-like something that isn't openvpn and/or runs some custom "configuration manager" app/script on top of that. So, uh, sorry, but openvpn is a weakling when it comes to defending itself from hostility, yet very complicated. It is also slow, and it matters on small devices. A SOHO router is a very logical place for a vpn gateway, securing ALL devices behind it - but it tends to be slow with openvpn. Unfortunate crypto choices + plenty of context switches make it rather unappealing for a solution like this.

    IPSec ... would be pretty much a snake oil that is also very difficult to set up and often doesn't survive traversing "imperfect" network setups. Wireguard also somewhat shares this problem being UDP - sometimes TCP could be the only option (e.g. corporate firewalls have little reason to allow UDP).
    Last edited by SystemCrasher; 08-25-2019, 02:48 PM.


  • starshipeleven
    replied
    Originally posted by EarthMind:
    starshipeleven It is not the goal of wireguard
    I'm not discussing project goals as the project leader(s) can always change them on a whim, I'm discussing implementing features that some of the (big) users of this protocol actually need (or will need), which is a fair request and may or may not make sense as a contribution from such big users.

    Is this technically feasible or is this something that goes against Wireguard's architecture and therefore not possible even in theory?

    this modification is a good solution
    this modification (of AzireVPN) is bullshit imho, it's the same as putting the servers under a physical lock and denying also remote access to them so the admins can't see what is happening. Security by obscurity, but with a kernel module doing things that may or may not affect system stability and will probably need maintenance to still run on newer kernels.

    Enough to play innocent to a government perhaps, but not enough to actually protect from a malicious actor.

    NordVPN's way seems to involve NAT and afaik that means it adds overhead (less than switching to OpenVPN, but still), but it's at least an integrated solution not relying on a kernel hack.


  • EarthMind
    replied
    starshipeleven why would there be a need to upstream this? It is not the goal of wireguard to be a fully private VPN solution. It just wants to be a safe and efficient VPN solution. But that's not good enough for private vpn services, therefore this modification is a good solution to use wireguard's functionality in an environment where as much privacy as possible is required.

    Whether it's a rootkit-like solution doesn't matter if it's intended to be run on the system it's developed for without doing harm or creating backdoors.


  • starshipeleven
    replied
    Originally posted by EarthMind:
    The difference between Azirevpn and NordVPN in the context of Wireguard is
    that AzireVPN literally hacked their own servers to make it impossible to see and log the data. They paid Wireguard dev to do it, but it's a standalone kernel module, not an addition to Wireguard, and I really doubt you can upstream this as it's really a malware-like hack and Torvalds would hit you repeatedly with a stick if you tried.

    It's open source, but it's not really a good solution.

    https://www.azirevpn.com/blog/2017-1...y-enhancements
    hire Jason to write a rootkit-like module that removes the ability of an ordinary system administrator to query endpoint or allowed-ip information about WireGuard peers and disable the ability to run tcpdump.

    https://git.zx2c4.com/blind-operator-mode/about/
    "This here is a monkey-patcher that tinkers with the security hooks infrastructure, rootkit-style, in order to intercept netlink messages."
    "This module makes no attempt at plugging all holes and leaks, and the current methods used are prone to be buggy at best. Also, this won't work with paravirtualization, since it works primarily by twiddling with cr0; hence this code is also x86/amd64 only. On old kernels, this disables SELinux/AppArmor and does voodoo magic that might murder kittens to discover non-exported symbols. Such magic only works on 64-bit and its success may vary based on which compiler is in use."


  • starshipeleven
    replied
    zx2c4 this is the second VPN provider that is complaining about the same thing, are there plans (or is it even possible) to address this in Wireguard?

    Just asking, not demanding anything.
    Last edited by starshipeleven; 08-01-2019, 06:48 AM.


  • EarthMind
    replied
    Originally posted by starshipeleven:
    Not a fork.
    They added server-side stuff in their own infrastructure to deal with the fact that Wireguard is apparently making assumptions, like that you control all the hardware that is using it.

    Other Wireguard providers had to customize with hacks their own server instances https://www.azirevpn.com/blog/2017-1...y-enhancements to make sure that users are not traceable.

    The WireGuard protocol alone can’t ensure complete privacy. Here’s why. It can’t dynamically assign IP addresses to everyone connected to a server. Therefore, the server must contain a local static IP address table to know where internet packets are traveling from and to whom they should return. It means that the real IP address of a user must be linked to an internal IP address assigned by the VPN.
    The difference between Azirevpn and NordVPN in the context of Wireguard is that Azirevpn released their changes as open source to the public. So I don't think that completely counts as "their own implementation" as they just removed some specific privacy-unfriendly features for use in a public VPN service. They even hired the Wireguard dev to make those changes, so this means it respects the same coding style and ideas of the original WG project, which makes it easy to reimplement those changes with newer versions.


  • eva2000
    replied
    Interesting. I use NordVPN but also recently started deploying my own Wireguard VPN servers. So NordLynx sounds interesting.


  • timofonic
    replied
    What about contributing back those improvements to the original WireGuard project?

    Would NordLynx be contributed back or released as Free Software?


  • uid313
    replied
    Is NordNet contributing anything back to the WireGuard project or making anything open source?


  • starshipeleven
    replied
    Originally posted by aksdb:
    Great. WireGuard is simple enough that every VPN provider now spins their own incompatible fork.
    Not a fork.
    They added server-side stuff in their own infrastructure to deal with the fact that Wireguard is apparently making assumptions, like that you control all the hardware that is using it.

    Other Wireguard providers had to customize with hacks their own server instances https://www.azirevpn.com/blog/2017-1...y-enhancements to make sure that users are not traceable.

    The WireGuard protocol alone can’t ensure complete privacy. Here’s why. It can’t dynamically assign IP addresses to everyone connected to a server. Therefore, the server must contain a local static IP address table to know where internet packets are traveling from and to whom they should return. It means that the real IP address of a user must be linked to an internal IP address assigned by the VPN.
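    As an added example (not code from this thread, nor from WireGuard or NordVPN), a small Python parser for the tab-separated `wg show <iface> dump` format, run over a constructed sample, shows the point made above: the server's peer table pins a static tunnel address to each peer key, and once a client completes a handshake its real source address is recorded beside it, so the two are linked on the box for anyone who can run `wg show`. Key values and addresses in the sample are placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout printed by `wg show wg0 dump`:
# line 1 is the interface (private-key, public-key, listen-port, fwmark);
# each later line is a peer (public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake, transfer-rx, transfer-tx, persistent-keepalive).
# Keys are placeholders; addresses come from documentation ranges.
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PEER1_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.7:41234",
               "10.8.0.2/32", "1566000000", "1024", "2048", "off"]),
    "\t".join(["PEER2_PUBKEY_PLACEHOLDER=", "(none)", "(none)",
               "10.8.0.3/32", "0", "0", "0", "off"]),
])


@dataclass
class Peer:
    public_key: str
    endpoint: str          # client's real address:port, "(none)" before any handshake
    allowed_ips: str       # static tunnel address pinned to this key in the config
    latest_handshake: int  # unix time of the last handshake, 0 if never


def parse_dump(text: str) -> List[Peer]:
    """Parse the dump format into Peer records, skipping the interface line."""
    peers: List[Peer] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {ln!r}")
        peers.append(Peer(fields[0], fields[2], fields[3], int(fields[4])))
    return peers


def linkage_table(peers: List[Peer]) -> List[Tuple[str, str]]:
    """(tunnel address, real endpoint) pairs visible to anyone with `wg show` rights.

    A peer that has never handshaked has no endpoint yet, so only its static
    tunnel address is known; once it connects, the kernel stores the source
    address it came from, and the two appear side by side in this table."""
    return [(p.allowed_ips, p.endpoint) for p in peers if p.endpoint != "(none)"]


if __name__ == "__main__":
    for tunnel_ip, real_addr in linkage_table(parse_dump(SAMPLE_DUMP)):
        print(f"{tunnel_ip} <- {real_addr}")
```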
