OpenVPN DCO Looks Like It Might Be Ready For Linux 6.14 To Speed-Up VPN Performance


  • intelfx
    replied
    Originally posted by DavidBrown

    OpenVPN has vastly more features than Wireguard. Of course that leads to the risk of flaws from the bigger code base, complexity, configuration errors, etc. But it also leads to many more possibilities and use-cases. Some of its advantages are:
    • It supports TCP/IP transport as well as UDP. While UDP is inherently lower overhead, TCP/IP is vastly easier to use over complex NAT routers, other tunnels, and complicated network setups.
    • It can handle IP address allocation, routing, passing control information and network settings to clients.
    • You can have client certificates and/or passwords, and various other forms for authentication.
    • It is widely supported on off-the-shelf routers from a variety of vendors, including many small and reasonably priced types.
    • It is well supported on Windows as well as Linux (and Android, Mac, and lots of other things). (Obviously Linux or BSD are your normal choice for the server end. Clients should use whatever the client wants to use.)
    • For most client users, you only need the appropriate OpenVPN software and a single configuration and certificate file from the server administrator. It is particularly good for non-technical Windows users - the GUI is simple and clear, and "connect" and "disconnect" lets them attach to the remote network with all routing, DNS, etc., in place.
    Wireguard is nothing more than a secure, remote virtual Ethernet cable - it is a secure tunnel solution, not a VPN. Sometimes that's all you need, and that's great. But generally you need a lot more than that. With Wireguard, you are on your own for every other aspect of the VPN - writing ifup/ifdown scripts, iptables and route setups, figuring out a way to handle IP address allocation, etc. Or you use one of countless one-person GitHub projects that handle things for you and hope that the project will still exist in a year or two. Perhaps a dominant "official" VPN suite will emerge using Wireguard as the tunnel and covering all the other aspects of setting up and running a VPN, making it a solid alternative. That would be nice. But until then, Wireguard is only a good option for very technical users or for site-to-site setups (configured and controlled by qualified administrators - no mere users in sight).
    Yup, exactly this.



  • bug77
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    I don't think this is about advantages. OpenVPN is everywhere, an improvement for OpenVPN will improve life for a lot more users than an improvement for Wireguard will.



  • DavidBrown
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    OpenVPN has vastly more features than Wireguard. Of course that leads to the risk of flaws from the bigger code base, complexity, configuration errors, etc. But it also leads to many more possibilities and use-cases. Some of its advantages are:
    • It supports TCP/IP transport as well as UDP. While UDP is inherently lower overhead, TCP/IP is vastly easier to use over complex NAT routers, other tunnels, and complicated network setups.
    • It can handle IP address allocation, routing, passing control information and network settings to clients.
    • You can have client certificates and/or passwords, and various other forms for authentication.
    • It is widely supported on off-the-shelf routers from a variety of vendors, including many small and reasonably priced types.
    • It is well supported on Windows as well as Linux (and Android, Mac, and lots of other things). (Obviously Linux or BSD are your normal choice for the server end. Clients should use whatever the client wants to use.)
    • For most client users, you only need the appropriate OpenVPN software and a single configuration and certificate file from the server administrator. It is particularly good for non-technical Windows users - the GUI is simple and clear, and "connect" and "disconnect" lets them attach to the remote network with all routing, DNS, etc., in place.
    Wireguard is nothing more than a secure, remote virtual Ethernet cable - it is a secure tunnel solution, not a VPN. Sometimes that's all you need, and that's great. But generally you need a lot more than that. With Wireguard, you are on your own for every other aspect of the VPN - writing ifup/ifdown scripts, iptables and route setups, figuring out a way to handle IP address allocation, etc. Or you use one of countless one-person GitHub projects that handle things for you and hope that the project will still exist in a year or two. Perhaps a dominant "official" VPN suite will emerge using Wireguard as the tunnel and covering all the other aspects of setting up and running a VPN, making it a solid alternative. That would be nice. But until then, Wireguard is only a good option for very technical users or for site-to-site setups (configured and controlled by qualified administrators - no mere users in sight).



  • fitzie
    replied
    Originally posted by edxposed

    Wireguard limited itself to chacha20 instead of a scalable encryption design for the sake of some embedded ewaste, so it's already lost from the start
    I think of it more as an experiment. Jason obviously studied ipsec/ssl and the disaster that was both from downgrade attacks and configuration issues and made the decision to fix the algos in. At some point he will have to support newer algos and we'll see how that is handled then. I was resistant at first, but it's a fair decision to decide to make when you've seen all the end user crypto mistakes as he has.



  • tomeq82
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    Manageability and user experience. Raw Wireguard setup is of little real use. Without any programmed/scripted/automated overlay it is just more of a proof of concept. Just take a look at how it copes with endpoints behind NAT, what it requires to be operable in such a scenario, etc.

    Don't trust the hype that Wireguard is "easy to use" or the "easiest VPN on the market". It is definitely not.



  • lyamc
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    DHCP-type IP Address assignment vs Static-only assignment
    Layer 2 (tap) and Layer 3 (tun) support vs just Layer 3
    And a lot of other management capabilities


    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    First you need to make sure you're comparing apples and oranges. OpenVPN supports TCP and UDP. Some people opt for TCP which will be slower than UDP. As latency increases, TCP throughput falls through the ground.

    Aside from that it should make it much more competitive with Wireguard. If you choose Wireguard for the increased throughput, that just means (to me) that you don't need most of what OpenVPN offers. I'm saying this as someone who mainly uses Wireguard.



  • zparihar
    replied
    How will the speed increase compare to WireGuard?



  • edxposed
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    Wireguard limited itself to chacha20 instead of a scalable encryption design for the sake of some embedded ewaste, so it's already lost from the start



  • Raka555
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    Ease of use.
    It is very easy to set up an openvpnAS server + LDAP and let people help themselves.

    Wireguard is great for site-to-site VPN, but managing users is a pain. Delivering their private key securely can be challenging.
    To ask non-tech-savvy people to create their own config and send you the public key ... well ... uhm...
    I cringe at the thought of rolling out wireguard at large scale.

    Plain openvpn that you manage yourself probably doesn't have a lot of advantages except maybe that it can do L2 VPN, which wg can't to my knowledge.
    Last edited by Raka555; 04 December 2024, 02:11 PM.



  • intelfx
    replied
    Originally posted by NeoMorpheus
    So I'm curious, which advantages has OpenVPN over Wireguard these days that would make someone choose it?
    We discussed this in the last thread about OpenVPN DCO.

    TL;DR: management capabilities. If you need anything other than a dumb data pipe with pre-shared keys and pre-configured IP addresses, WireGuard is of zero help.
