
We Could See WireGuard Upstreamed In The Linux Kernel In 2018


  • We Could See WireGuard Upstreamed In The Linux Kernel In 2018

    Phoronix: We Could See WireGuard Upstreamed In The Linux Kernel In 2018

    WireGuard is the effort led by Jason Donenfeld to provide a next-gen secure network tunnel for the Linux kernel. Jason has laid out plans and next steps for getting this interesting project merged into the upstream Linux kernel...

    http://www.phoronix.com/scan.php?pag...-November-2017

  • timofonic
    replied
    Okay, too many replies. I reckon I was misinformed, I'm sorry. It seems more interesting now. Thanks a lot for the feedback. I would read more, but I need to stop procrastinating and get back to studying.

    About bloat: Why? That protocol might not be one protocol, but a family of protocols. Currently there are excessive "de facto" standards (many of them not reverse engineered or their authors quite reactionary against third party implementations, like WhatsApp), many of them have inherent aging signs and/or design issues. Why need a VPN for certain situations only? What about using VPNs per default wherever possible?

    TCP/IP? IPv6 solves many things (but not everything! It's still a centralized protocol), but it has a very slow deployment in many countries (like mine). I agree NATs are the problem, but it's a problem that isn't going to disappear anytime soon, so clever and robust "workarounds" should be made meanwhile. And the current Internet infrastructure is far from perfect even in "first world" countries (the others might be extremely censored, be extremely expensive for the average user and/or become an absolute crap... even using these old analog modems many of us used in the early 80-90s), it has too many holes and ISPs can do extremely horrible things in their networks. It's easy to say that's not the problem of the protocol implementations, but I think in order to become a success it must be robust in this horrible non-Star-Trek-like reality (that's one of the reasons Git got popular, because it seems to work reliably even in the shittiest Internet connection of the universe).

    If WireGuard can become the lower layer of better replacements to specific-purpose "protocols" (they are more than protocols, but I mention it that way to simplify it) than the currently used ones: That would be amazing! I want to see that!


  • DavidBrown
    replied
    Originally posted by s.ivanov

    While OpenVPN CAN work over TCP it is not the default nor recommended setup
    Personally, I would recommend using TCP/IP with OpenVPN. Whether you like NAT or not, it is very common - and it can be a real pain for UDP. With TCP/IP, you have no problem with clients inside NAT networks or other complications - and on the server side, if your server is behind a NAT router all you need is a simple TCP port forward. I have run OpenVPN TCP connections over nested ssh tunnels and other OpenVPN links - it all works flawlessly.

    Yes, UDP is more efficient - and when it works, it works well. But when you move off a simple local network, UDP might work - but it might quickly become a PITA.

    So for me, a new VPN technology that is UDP only is a waste of time. It is maybe a replacement for horrors like IPSec, but not for the flexibility of OpenVPN. Make it support UDP and TCP - then you've got something really useful. For simple setups you can then use UDP for efficiency, and for complex setups you can use TCP for better routability.


  • Mangix
    replied
    In addition to being simpler, it is way faster than OpenVPN. Check out the benchmarks page.


  • pal666
    replied
    Originally posted by timofonic
    I think there's no need for just a VPN protocol, but a resilient networking connection protocol able to be used for X, SSH-like, Wayland and whatever shit you may want to.
    such protocol exists, it is called tcp


  • starshipeleven
    replied
    Originally posted by timofonic
    So what's the advantage of WireGuard over OpenVPN? Is it just because WireGuard is a cooler name?
    Vastly reduced codebase (easier to review and keep bug-free), and higher performance so you can deploy it in embedded systems too (currently OpenVPN sucks in embedded, you get like 30 Mbit/s even on powerful dualcore ARM expensive routers, which is not a really acceptable speed for serious usage, like tunnelling filesharing protocols like SMB and friends).

    Is WireGuard so exciting or just overhype?
    If you need a VPN, yes it is exciting. If you want a kitchen-sink-type magic protocol that solves all Linux problems, no.

    WTF? SSH can sometimes become an ass to configure, especially if over NAT.
    Everything is an ass to configure over NAT, but the issue is NAT.

    If you want to connect directly to something, it needs to be exposed somehow as it needs to be accessible from outside the NAT, you can't change basic networking.

    I think there's no need for just a VPN protocol, but a resilient networking connection protocol able to be used for X, SSH-like, Wayland and whatever shit you may want to.

    And please kill obsolete baud crap of terminals! SSHFS sucks too! NFS sucks too! New protocol for both terminals, file sharing/transfer/NAS and Wayland, maybe based on 9P or whatever! Something not only shiny, but functional, robust, stable, easy to configure, usable even on the crappiest network and powerful.

    Is WireGuard that protocol? I'm damn sceptical.
    No it is not, WireGuard is just an easy to use/configure and light VPN.

    You have no idea of what you are talking about here, a protocol able to support both internal and external uses, VPN, file sharing, display, console and SSH is going to be a bloated mess of crap.


  • ngkaho1234
    replied
    Originally posted by timofonic
    WTF? SSH can sometimes become an ass to configure, especially if over NAT. X redirection sucks too.
    In short, WireGuard aims to make authentication of two (or more) peers as easy as using ssh's public key authentication.
    Last edited by ngkaho1234; 11-12-2017, 04:20 AM. Reason: Not only two peers


  • zx2c4
    replied
    timofonic - Rather than speculation or relying on oversimplified forum responses, if you want, you can read about WireGuard, in order to develop an informed opinion. These resources might help a bit:

    - The front page has a big conceptual overview: https://www.wireguard.com/
    - The paper has the most detailed description: https://www.wireguard.com/papers/wireguard.pdf
    - The barebones description of the protocol is here: https://www.wireguard.com/protocol/
    - Some notes and a link to a paper on its formal verification are here: https://www.wireguard.com/formal-verification/

    Reading these will give you the most thorough information in order to determine why WireGuard exists and whether that existence is justified.

    If that's a bit too much reading for something you don't necessarily even care about, that's fine too. The tl;dr is that this is a lot simpler to use than previous VPN setups and gives better security and performance. It might not be the reality-changing alien-technology multi-purpose solves-all-your-problems all-spice everything-protocol you were hoping for though, since it's just trying to do secure tunnels. But it does do one thing, and hopefully it does that one thing decently enough. It could create the basis for other people creating the big things you have in mind on top of it.


  • timofonic
    replied
    Originally posted by s.ivanov

    While OpenVPN CAN work over TCP it is not the default nor recommended setup
    So what's the advantage of WireGuard over OpenVPN? Is it just because WireGuard is a cooler name?

    I did read about roaming features, those remind me of MoSH and IPv6 features.

    Is WireGuard so exciting or just overhype?

    WireGuard aims to be as easy to configure and deploy as SSH.
    WTF? SSH can sometimes become an ass to configure, especially if over NAT. X redirection sucks too.

    I think there's no need for just a VPN protocol, but a resilient networking connection protocol able to be used for X, SSH-like, Wayland and whatever shit you may want to.

    And please kill obsolete baud crap of terminals! SSHFS sucks too! NFS sucks too! New protocol for both terminals, file sharing/transfer/NAS and Wayland, maybe based on 9P or whatever! Something not only shiny, but functional, robust, stable, easy to configure, usable even on the crappiest network and powerful.

    Is WireGuard that protocol? I'm damn sceptical.
    Last edited by timofonic; 11-11-2017, 06:47 PM.


  • s.ivanov
    replied
    Originally posted by pal666
    openvpn uses tcp
    While OpenVPN CAN work over TCP it is not the default nor recommended setup
