Announcement

Collapse
No announcement yet.

WireGuard Issues New Module Release, 1.0 Coming With Linux 5.6

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • WireGuard Issues New Module Release, 1.0 Coming With Linux 5.6

    Phoronix: WireGuard Issues New Module Release, 1.0 Coming With Linux 5.6

    WireGuard is to be merged for Linux 5.6 and is already staged in the net-next tree while for those on pre-5.6 kernels going as far back as Linux 3.10, a new out-of-tree module release is now available...

    http://www.phoronix.com/scan.php?pag...Compat-Pre-5.6

  • #2
    From what I've read WireGuard is insecure because it requires a static IP address that can be discovered and utilized to identify users. If that's still the case I can't imagine using it in any kind of real life scenario. Has something changed? Or am I misunderstanding something?

    Comment


    • #3
      Originally posted by muncrief View Post
      From what I've read WireGuard is insecure because it requires a static IP address that can be discovered and utilized to identify users. If that's still the case I can't imagine using it in any kind of real life scenario. Has something changed? Or am I misunderstanding something?
      You should probably do some reading. One side of a VPN connection has to be a known IP address for any type of VPN. As for security, WireGuard would seem to have more security, i.e. probing WireGuard ports will look like nothing is there.

      Comment


      • #4
        https://www.wireguard.com/#built-in-roaming

        Comment


        • #5
          I'm curious about when RedHat will announce their official support of WireGuard.

          Comment


          • #6
            Kernel module support all the way back to 3.10? Wow. Ubuntu 14.04 LTS finished up on kernel 4.4 (via official HWE). That's some good backwards compatibility from the WireGuard devs. Nice to see.

            Comment


            • #7
              Originally posted by cybertraveler View Post
              Kernel module support all the way back to 3.10? Wow. Ubuntu 14.04 LTS finished up on kernel 4.4 (via official HWE). That's some good backwards compatibility from the WireGuard devs. Nice to see.
              That's not new. We've supported 3.10 for years, originally motivated by Android, EdgeOS, and RHEL.

              Comment


              • #8
                Originally posted by zx2c4 View Post

                That's not new. We've supported 3.10 for years, originally motivated by Android, EdgeOS, and RHEL.
                New to me

                It's nice to see. It shows that the Wireguard devs/creators (you included I guess) care about the users.

                Some Open Source software projects produce quite nice stuff, but they never actually focus on the practical details which are important to make their software practical for actual users.

                Comment


                • #9
                  Originally posted by muncrief View Post
                  From what I've read WireGuard is insecure because it requires a static IP address that can be discovered and utilized to identify users. If that's still the case I can't imagine using it in any kind of real life scenario. Has something changed? Or am I misunderstanding something?
                  Others have already mentioned that addresses aren't really static. The other thing to note about this is that you're saying static IPs are "insecure" merely from the perspective of anonymity. In reality, the primary "security" we talk about with VPNs is their security from external monitoring. As in, whether a 3rd party without access to the client or server can snoop on your traffic. And static IPs have little to do with that. Especially since, as we've seen, Wireguard doesn't require static IPs.

                  This kind of security is often enough for most people, who just want to make sure they're not leaking sensitive information (like court or hospital records, business data, or corporate IP) but aren't terribly concerned about hiding who they are. A lot of network security only cares about this. Anonymous traffic is still second fiddle, though it might become far more important in the future depending on how things develop. Or now, depending on where you live and what you do. Reporters and protestors are people that care a lot about this sort of thing even now. And most anonymous traffic leaks aren't from VPN security issues. Most of it is from "anonymous" users doing things that tie their "anonymous" traffic to an identity.

                  That said, having an exclusive IP, a static endpoint, IPv6 leaks or server logs are all ways that servers can deanonymize your traffic during or after the fact. If someone can subpoena records from your VPN provider or secure direct access, having those things drastically reduces the effort required to isolate a user and their traffic and identify them. That's not to say that not having them absolutely prevents you from being identified. Things like IPv6 leaks, WebRTC, cookies and local storage, account tracking and such are other ways in which a malicious actor could de-anonymize you if they've got widespread access and influence.

                  However, those are entities like nation-states (who can silently demand access to most things) or corporate litigants (who can throw money at getting subpoenas from luddite judges in rural areas scared of "hackers" and AG assistance). And if those entities consider you a high-value target, they can generally make significant enough moves to track you down even without all of those weaknesses by getting direct access to your server or VPN service to compromise it. Maybe they'll even create a GUI interface using Visual Basic to see if they can track your IP address. Most people aren't malicious, mischievous or greedy enough to encourage that sort of thing, though. Chances are that nobody cares about all the mp3s you download to do more than send a letter or a subpoena to your ISP.

                  Usually the sneaky sneaks like that tunnel their traffic across multiple borders to complicate and obfuscate things. The idea is that crossing international jurisdictions makes it difficult for one judge or entity to be able to acquire all the information. And if only one of those jurisdictions is actually pissed at you and they don't all get along, it's even more difficult. That's where the script-kiddie meme of being behind seven proxies came from. But if you are a high-value target, it's usually just a matter of time. So just try not to make waves and cause problems. Unless you're being protected by another nation-state who funds you and pretends you don't exist and accuses all inquiries of being "western propaganda" or some other nonsense like that while disappearing all possible leakers. Thanks, Xinhua blackhat wankers.

                  EDIT: fixed preposition

                  Comment

                  Working...
                  X