Next-Generation Secure Network Tunnel Announced For The Linux Kernel

  • #31
    Originally posted by cndg:
    Bad idea. Avoid.

    Does not use TCP => *really* silly idea
    Does not use port 443 => will never work in 50%+ of places you need VPN
    Is not userspace and is new => so will 100% for sure have exploitable holes, running with root permissions...
    Has no Forward-Secrecy => written by someone who doesn't seem to grasp cryptography or modern threats properly => not safe to use
    Does not use multifactor => poor forward planning

    Has no clients for ios/android/osx/windows, not that you would ever want (or be able to) use this in the 1st place.

    Oh god. Time to feed the trolls.

    1. TCP: tunneling over TCP is a terrible idea with lots of performance loss. UDP is widely considered the only way to do this on the modern internet. There are plenty of other tools for slow terrible TCP tunneling if that's what you need for particular restrictive networks etc.

    2. You can put it on port 443 if you want. "wg set wg0 listen-port 443" is the command.

    3. Kernel space is not considered a bad thing when it comes to network tunnels that do high performance crypto and integrate well with the operating system.

    4. It does have perfect forward secrecy. https://git.zx2c4.com/WireGuard/tree/src/noise.c#n320 As you can see there, an ephemeral is mixed in. I think I have a pretty decent grasp on the crypto involved, and if you'd like more discussion of the core of the handshake, you can always read the noise spec itself ( noiseprotocol.org ).

    5. It uses statically preshared public key pairs, just like SSH. Other additional layers of auth can be layered on top (in userspace) if that's your fancy.

    6. This actually does run on Android. For the others, a cross platform client is in the works.


    Go away, troll.



    • #32
      Originally posted by starshipeleven:
      Wrong. Intel says they will fix the stuff you bought if it breaks within 3 years. Completely different thing, not necessarily means the devices are more reliable as Intel might be playing marketing games to sell more NUCs I'm not interested in following.
      A 3 year warranty means they would lose massive amounts of money if a lot of their devices died before the 3 year period ended, much like Microsoft and the first generation Xbox 360.

      Originally posted by starshipeleven:
      The NAS itself died, the disks were fine.
      It was an example of how warranties are useless for companies, as the photographers could not use the device for 2 months while it was getting RMA'd.
      From your story it sounds like they simply cheaped out on their NAS and paid the price. I know you're probably not at liberty to disclose which NAS it was so I can't use that information in discussing different brands, but surely there's a difference between them. A cheap no-name brand will be more of a wildcard than someone who does their engineering in-house like Intel.

      Originally posted by starshipeleven:
      Large corporations have servers and internal staff, not commercial NAS devices and third-party techsupport contracts.
      I said the customers in that example were a bunch of photographers, not the local Weyland-Yutani branch.
      There is a pretty large number of small and midsize companies here; the smartest choice they can make in their life is hiring third-party techsupport companies like the one I work in to deal with these things, as they are totally clueless (and defenseless) on technology matters.
      Large corporations may not have been the best choice of words. The point was if you cheap out on critical infrastructure then you can expect it to fail. I don't think I ever said anything on the contrary.

      Originally posted by starshipeleven:
      No, it sets a precedent. What if newer units suffer the same fate due to error or cost-cutting?
      Can you predict that? Can you predict with 100% certainty that NO NUC in a specific 100-unit lot I buy will fail in the next 10-15 years of 24/7 service?
      If I buy fanless units I'm 100% certain that the fan will not fail.

      And no, if they have a fan but can also work without it, that means that under load without the fan they will throttle, and that's not appreciated.
      If you remove the fan there's 100% certainty it will not fail either, but expecting 10-15 years of service out of a NUC is just dumb.

      Originally posted by starshipeleven:
      Irrelevant.
      Not really, a properly designed power brick isn't that much more expensive to mass produce but the engineering effort costs money. If you care about proper isolation, heatsinking, mechanically securing your components and don't overrate the output current you can have a plenty reliable PSU for decades (assuming you don't mess up ordering quality electrolytic capacitors).

      Originally posted by starshipeleven:
      Uhm, I mean that if I place a redundant PSU and one of the two PSUs fails (I used "unit" to say PSU, not clear I know, but PSU is Power Supply Unit so it could be within reach), we must send someone to go and change the failed PSU, or from that time on the device is no longer under redundant PSUs.
      That makes more sense. But still you have the issue of a non-redundant PSU immediately failing and a redundant PSU failing one half at the time. The difference being that the system will stay up to finish the work with a redundant PSU. Cheap or not is a secondary issue in that case.

      Originally posted by starshipeleven:
      None, but we don't use off-the-shelf home routers (for critical applications) either, so what's your point again?
      Although I've not seen a great deal of dead routers without an obvious cause (thunderstorm usually), while I've seen tons upon tons of failed PCs for random reasons, that's why I used them as an example of more reliable device.
      If you're going to make a point out of acquiring a separate power brick then why would you complain about the supplied brick in the first place?

      Originally posted by starshipeleven:
      1. because the thread is about a feature that is more useful for business than it is for home use, as home users can slap in a random x86 machine and will be fine with the current more CPU-heavy applications, while businesses need to take stuff that isn't as likely to break, and you cannot always buy gold-plated Cisco hardware to do VoIP for 20 phones or something.
      Let me go back and find the first post I replied to for you:

      Originally posted by starshipeleven:
      It's power-hungry, bigger, usually requires fans and ATX PSUs and all kinds of stuff that can and does fail if left online and under load for 24/7, embedded devices designed from the ground up for 24/7 usage and low power consumption are usually more reliable.

      It's not the first time stuff I (we) installed somewhere fails horribly or requires babysitting. Routers are usually much more resilient.

      For relatively limited usage (one or two VPNs) most routers are fine, and placing a dedicated x86 box is overkill.

      I'm therefore not spitting on a good way to do more VPNs without adding a x86 box.

      I use custom firmwares based off OpenWRT and now LEDE. How do you think I can trust a VPN server in a router at all?
      To which I replied:

      Originally posted by Djhg2000:
      To be fair there are lots of small and silent x86 machines nowadays, ASUS Eee Box and subsequently Intel NUC changed that.
      Do you see how the original response specifically only addressed the point of x86 machines being "power-hungry, bigger, usually requires fans and ATX PSUs"?

      Originally posted by starshipeleven:
      2. because some dumbass started claiming that their consumer-grade shit was more reliable than single-board embedded solutions, which is flat-out wrong.
      I don't like the tone of this sentence but I never claimed consumer grade hardware is more reliable than business grade hardware. If that was true then why would I pay for multiple ThinkPad T-series laptops when there are much cheaper laptops with much higher specs?



      • #33
        Originally posted by Djhg2000:
        A 3 year warranty means they would lose massive amounts of money if a lot of their devices died before the 3 year period ended, much like Microsoft and the first generation Xbox 360.
        "a lot" != "all"
        I don't know and I don't care what % of devices is good for Intel's plans of sales; what I want is a device that does not break, as for embedded usage it's not a good idea to do otherwise.

        From your story it sounds like they simply cheaped out on their NAS and paid the price.
        I said it was an 8-bay NAS device, there is no "cheap 8-bay NAS".
        It was a good brand, so no one had to shout death threats on the phone to get their customer support to accept the RMA, and they paid shipping and all. The device broke while under warranty and got fixed, that's more than what happens with the average consumer product, where I know quite a few unhappy campers that bought 700$ gaming screens and Asus is still refusing to repair them when under warranty when it is a FUCKING KNOWN issue.
        And the reseller is also playing dumb and refusing the EU warranty (when it's technically illegal to do so, but they know none will sue as we aren't in the USA).

        A cheap no-name brand will be more of a wildcard than someone who does their engineering in-house like Intel.
        Quit being an Intel fanboy, it's getting on my nerves. Intel does not excel in its OEM products, their core business is making ICs, not boards.

        Large corporations may not have been the best choice of words. The point was if you cheap out on critical infrastructure then you can expect it to fail. I don't think I ever said anything on the contrary.
        Which is the same I said. You seem to not understand that the NUC is "cheaping out" when outside consumer segment.

        Not really,
        The fact that a brand also makes high-end parts does not mean the low-end parts don't suck, or that they aren't rebrands of some other OEM (this is pretty common with the cheap PSU lines of the usual gaming brands in PCs for example).

        That makes more sense. But still you have the issue of a non-redundant PSU immediately failing and a redundant PSU failing one half at the time.
        That's not an issue, that's "working as intended". Placing redundant PSUs makes sense only if you cannot have fully redundant systems (like 2 boards instead of one, each with its own independent PSU)

        If you're going to make a point out of acquiring a separate power brick then why would you complain about the supplied brick in the first place?
        Because you said the supplied power brick is good because you think that Intel in their wisdom thought that giving server-grade PSUs to a consumer device was a good idea.

        Do you see how the original response specifically only addressed the point of x86 machines being "power-hungry, bigger, usually requires fans and ATX PSUs"?
        Yes, we went further though, and I said why NUCs aren't a terribly good idea too.

        I don't like the tone of this sentence but I never claimed consumer grade hardware is more reliable than business grade hardware.
        Then stop answering my posts. I'm talking of small-medium business here.
        At home you can use whatever and it will be fine, even a tower PC has less chances to blow up than you can even imagine.
        It's when you try to say consumer hardware has any bearing outside of consumer segment that you're wrong.

        If that was true then why would I pay for multiple ThinkPad T-series laptops when there are much cheaper laptops with much higher specs?
        Because pure hardware specs aren't anywhere near all in a laptop, especially in a business-oriented one that is going to see a lot of medium CPU use and a lot of physical abuse.
        Cooling system (not just fan, the whole system), chassis, stronger surface materials in places that will see the most tear, ports (docking stations maybe) and so on. Maybe spill-proof keyboard too, whatever.
        Ah yeah, the battery. Only mobile workstations and SOME gaming laptops get decent long-endurance batteries. And Apple devices too.



        • #34
          Originally posted by starshipeleven:
          I said it was an 8-bay NAS device, there is no "cheap 8-bay NAS".
          It was a good brand, so no one had to shout death threats on the phone to get their customer support to accept the RMA, and they paid shipping and all. The device broke while under warranty and got fixed, that's more than what happens with the average consumer product, where I know quite a few unhappy campers that bought 700$ gaming screens and Asus is still refusing to repair them when under warranty when it is a FUCKING KNOWN issue.
          And the reseller is also playing dumb and refusing the EU warranty (when it's technically illegal to do so, but they know none will sue as we aren't in the USA).
          Oh come on, you're smart enough to know "cheap" in this context refers to the lower price segment of the relevant market.

          I've found it's usually much more effective to refer to local law rather than EU law if possible. Many countries have equivalent laws still in place from the pre-EU era.

          Originally posted by starshipeleven:
          Quit being an Intel fanboy, it's getting on my nerves. Intel does not excel in its OEM products, their core business is making ICs, not boards.
          That's ridiculous, I'm definitely not an Intel fanboy. I much prefer AMD but that doesn't mean I can't recognize the quality of Intel products.

          Originally posted by starshipeleven:
          Which is the same I said. You seem to not understand that the NUC is "cheaping out" when outside consumer segment.
          Intel thinks it's good enough for business use.

          Originally posted by starshipeleven:
          The fact that a brand also makes high-end parts does not mean the low-end parts don't suck, or that they aren't rebrands of some other OEM (this is pretty common with the cheap PSU lines of the usual gaming brands in PCs for example).
          You do not seem to know FSP is an OEM, the customers of which include brands like Antec, OCZ and SilverStone. They're also a direct competitor to Delta in the business PSU market. They have every reason to aim for outperforming other brands.

          Originally posted by starshipeleven:
          That's not an issue, that's "working as intended". Placing redundant PSUs makes sense only if you cannot have fully redundant systems (like 2 boards instead of one, each with its own independent PSU)
          True, but you never mentioned redundant systems.

          Originally posted by starshipeleven:
          Because you said the supplied power brick is good because you think that Intel in their wisdom thought that giving server-grade PSUs to a consumer device was a good idea.
          No, I said the PSU would probably outlive the computer. Meanwhile you implied you replace power bricks with Delta made ones, to which I suggested you could do the same with a NUC.

          Originally posted by starshipeleven:
          Yes, we went further though, and I said why NUCs aren't a terribly good idea too.
          You were the one who limited the discussion to exclusively business use. Also Intel still makes business oriented NUCs, something you refuse to even acknowledge.

          Originally posted by starshipeleven:
          Then stop answering to my posts.
          That's no excuse for being hostile.

          Originally posted by starshipeleven:
          I'm talking of small-medium business here.
          At home you can use whatever and it will be fine, even a tower PC has less chances to blow up than you can even imagine.
          It's when you try to say consumer hardware has any bearing outside of consumer segment that you're wrong.
          Yes, you are discussing small-medium business. I'm not but I'm still trying to address your points from a mixed market perspective. I've been around long enough to have a very good idea of what ATX PSUs can and can't handle and while I agree they are generally of significantly higher quality than power bricks it has no bearing in this discussion.

          For the last part, go up two quotes and read that again.

          Originally posted by starshipeleven:
          Because pure hardware specs aren't anywhere near all in a laptop, especially in a business-oriented one that is going to see a lot of medium CPU use and a lot of physical abuse.
          Cooling system (not just fan, the whole system), chassis, stronger surface materials in places that will see the most tear, ports (docking stations maybe) and so on. Maybe spill-proof keyboard too, whatever.
          Ah yeah, the battery. Only mobile workstations and SOME gaming laptops get decent long-endurance batteries. And Apple devices too.
          You seem to have misunderstood, I only buy ThinkPad T-series laptops. Except for a single Dell they are the only laptops I've had which survive past the 3 year mark. The other ones have worn out hinges, failed cooling systems and in the case of the only HP laptop I've ever had a molten chassis.

          Apple laptops are jokes though, keep them out of this.



          • #35
            Originally posted by Djhg2000:
            Oh come on, you're smart enough to know "cheap" in this context refers to the lower price segment of the relevant market.
            What part of "there is no cheap" did you not understand? Only good brands make 8-bay NASes at all.

            I've found it's usually much more effective to refer to local law rather than EU law if possible. Many countries have equivalent laws still in place from the pre-EU era.
            Still requires a lawsuit, which is more expensive than just taking the loss.

            Intel thinks it's good enough for business use.
            They are entitled to state what they want; it's not an embedded device, but an immobile laptop as far as components go.
            If by "business use" you mean embedded use, there are cadres of boxes already for that.

            You do not seem to know FSP is an OEM, the customers of which inlude brands like Antec, OCZ and SilverStone. They're also a direct competitor to Delta in the business PSU market. They have every reason to aim for outperforming other brands.
            Still does not change the fact that low-end FSP can be crap or not.

            No, I said the PSU would probably outlive the computer.
            Which is BS as the ATX PSU and hard drives are statistically the devices that see the most attrition as the PC ages.
            Anyway this is something you can notice on large numbers, it is not likely you will get a part that will fail, but it is possible so I was just saying that you should not trust it truly important stuff, as they do fail

            Meanwhile you implied you replace power bricks with Delta made ones, to which I suggested you could do the same with a NUC.
            Still an immobile laptop.

            You were the one who limited the discussion to exclusively business use.
            Yes, because that's the only thing where reliability has any kind of effect. On consumer hardware it is irrelevant.

            You seem to have misunderstood, I only buy ThinkPad T-series laptops. Except for a single Dell they are the only laptops I've had which survive past the 3 year mark. The other ones have worn out hinges, failed cooling systems and in the case of the only HP laptop I've ever had a molten chassis.
            Heh, what was I saying about laptop-grade components? That said, you probably got unlucky with that.

            Apple laptops are jokes though, keep them out of this.
            Aw come on. They are overpriced, but quality is high. At least on par with other laptops in the high price segment.


            All that said, we are likely going to have a look at these things here in the near future to use instead of aging PC Engines and other embedded stuff. http://www.phoronix.com/scan.php?pag...uLab-Fitlet-RM
            Last edited by starshipeleven; 04 July 2016, 09:53 AM.



            • #36
              At first glance it looks like a nice selection of protocols and crypto primitives and overall it seems to be well above OpenVPN and somesuch. Sorry, but use of SSL itself and OpenSSL in particular is a major security issue. These things can't be secure unless they are being used by experts in crypto. Which isn't the case for most OpenVPN users obviously. Yes, ppl, just setting up OpenVPN the way nobody could pwn you in some dumbass ways you do not even expect to exist takes quite a lot of understanding of the underlying crap.

              At very least,
              - It's meant to be fast. OpenVPN is quite slow due to user mode. Especially annoying if you run it on a slow MIPS router, etc.
              - Good selection of algos. Sorry, but SSL is shit, it could be used in a very insecure manner. Attackers could abuse it in all imaginable ways, like trying to downgrade the protocol version, etc. Standard ECs could be backdoored by the NSA. On the other hand, the 25519 curve is a creation of independent cryptographers, long known for their achievements. Even SSH these days is okay with 25519, poly1305 and Salsa20. They are quite fast and quite reliable and very unlikely to be backdoored by the NSA, unlike NIST curves which appeared under shady circumstances and were never investigated thoroughly by independent cryptographers.
              - Is a kernel facility, hence fast.
              - Really small code. Good luck reading OpenSSL or OpenVPN code, these are horrible overgrown monsters.
              - Does not attempt to lock one onto backdoored x86 crap mumbling some BS about AES-NI and somesuch. Good crypto should run reasonably everywhere, be it my MIPS router or ARM SBC or old laptop lacking AES-NI.

              No, I'm not going to buy newer Intel hardware. Especially for anything dealing with VPN, dammit. Buying backdoored "managed" hardware is stupid. Buying backdoored HW to protect traffic is criminally stupid and worthy of "honorable mentions" on DarwinAwards at the very least, as recognition of the really strong, exceptional stupidity of such individuals.
              Last edited by SystemCrasher; 04 July 2016, 09:01 AM.



              • #37
                Originally posted by starshipeleven:
                What part of "there is no cheap" did you not understand? Only good brands make 8-bay NASes at all.
                I bet someone in China has found a way to make an 8-bay NAS. Either way if you get the very cheapest one it will probably be inferior in some way to the priciest one. It's hardly a universal rule that cheaper is worse, I'm just referring to the bad ones usually being cheaper than the good ones (although several exceptions exist). This can be things like cherry-picking good capacitors or more thorough QA practices.

                Take for instance Puget Systems, which makes consumer tower PCs. It's the wrong market, I know, but I'm using them as an example because their practices are widely documented. Each computer goes through very intensive performance testing whilst being monitored by thermal imaging to make sure every part is dissipating the heat properly and to test system stability. If any test fails or any component underperforms they pull the computer apart again, swap out the suspected part and start over.

                This costs a lot of money because it's very labor intensive, the parts themselves are relatively cheap but a lot of research and planning goes into each machine. This is all to make sure what they ship will work reliably. In mass production it's unreasonable to do this by hand, but equivalent automated testing can still be performed if the market demands it. This is why some seemingly identical machines carry completely different price tags and that's where your business gear becomes relevant. It may not differ much in design but it definitely differs in testing.

                Originally posted by starshipeleven:
                Still requires a lawsuit, which is more expensive than just taking the loss.
                Not with resellers, simply citing the laws and making a good case out of why they apply can be enough to make them accept the item for warranty repair. From their reaction I draw the conclusion that they don't want to go through a lawsuit either. When representing a business that tactic may not work in the same manner, but for consumers it usually works just fine.

                Originally posted by starshipeleven:
                They are entitled to state what they want; it's not an embedded device, but an immobile laptop as far as components go.
                If by "business use" you mean embedded use, there are cadres of boxes already for that.
                There are uses for non-embedded business computers as well.

                Originally posted by starshipeleven:
                Still does not change the fact that low-end FSP can be crap or not.
                Not in theory but in practice I would rather pick an FSP than a cheap no-name brick. If those were the only options I'm pretty sure you would too.

                Originally posted by starshipeleven:
                Which is BS as the ATX PSU and hard drives are statistically the devices that see the most attrition as the PC ages.
                Anyway this is something you can notice on large numbers, it is not likely you will get a part that will fail, but it is possible so I was just saying that you should not trust it truly important stuff, as they do fail
                I was talking about the FSP power brick and the Intel NUC. By outlived I was referring to the NUC becoming obsolete before the power brick fails.

                Originally posted by starshipeleven:
                Still an immobile laptop.
                True, but that means it doesn't have the same design restrictions as a laptop.

                Originally posted by starshipeleven:
                Yes, because that's the only thing where reliability has any kind of effect. On consumer hardware it is irrelevant.
                But it's not the only scenario where a better tunneling protocol would be needed. For instance in phones, where both processing power and the battery is limited. Keeping the cores downclocked and sleeping makes a huge difference. Personally I would be interested in a lower overhead as well, just because I have fairly decent processors on my computers doesn't mean I want to waste performance.

                This line of thinking that we have so much power anyway and don't need to care about efficiency anymore is why we need several gigabytes for a flipping web browser today. Trust me, if I could still browse the web somewhat properly with Lynx I would.

                Originally posted by starshipeleven:
                Heh, what was I saying about laptop-grade components? That said, you probably got unlucky with that.
                I've seen many stories about consumer HP laptops being absolute thermal disasters. They seem to stand out in the market as the ones most likely to fail due to the poor cooling.

                The Dell was a consumer laptop as well but it held up fine for 6 years of everyday use, after which the hinges became a bit too worn out. The good old IBM T60 on the other hand is still like new despite close to a decade of almost daily use; unfortunately that machine is currently retired in favor of a newer machine due to its lack of performance.

                Originally posted by starshipeleven:
                Aw come on. They are overpriced, but quality is high. At least on par with other laptops in the high price segment.
                I wouldn't call a laptop with a thermal design based around sufficient throttling as "high quality". When I run scientific calculations I want performance, not the ability to fit it in a document envelope (has this ever really been useful for anyone or are they just participating in the Apple fanboy rituals?). This is evidenced by the frequently ridiculed extra battery underneath my T530, but at the end of the day I can keep working while everyone else scrambles for extension cords.

                Originally posted by starshipeleven:
                All that said, we are likely going to have a look at these things here in the near future to use instead of aging PC Engines and other embedded stuff. http://www.phoronix.com/scan.php?pag...uLab-Fitlet-RM
                I agree, that looks like some really nice hardware.



                • #38
                  When I read the main page of the website and particularly the cryptokey routing section, I have a question. Is WireGuard resolving the problem of overlapping networks?



                  • #39
                    Originally posted by monraaf:
                    When I read the main page of the website and particularly the cryptokey routing section, I have a question. Is WireGuard resolving the problem of overlapping networks?
                    What do you mean for "overlapping networks"?
                    VLANs usually take care of what I think is "overlapping networks".



                    • #40
                      Originally posted by starshipeleven:
                      What do you mean for "overlapping networks"?
                      VLANs usually take care of what I think is "overlapping networks".
                      With OpenVPN, when you have some clients with the same private network (example: 192.168.0.0/24) and you want to access this private network, there are some routing problems.

                      That's what I call network overlapping.

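The overlapping-networks question in the last three posts comes down to how the tunnel decides which peer a packet belongs to. As an added illustration that is not from the thread or the WireGuard project, the following Python model of cryptokey routing keys each allowed-IP prefix to exactly one peer, so two sites that both use 192.168.0.0/24 cannot both be reachable through one interface; the peer names, placeholder keys, and the rule that the newest peer takes an already-claimed prefix are constructed assumptions of this model.

```python
"""Toy model of WireGuard-style cryptokey routing (constructed illustration)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Peer:
    name: str
    pubkey: str  # opaque placeholder string, not a real key
    allowed_ips: List[Network] = field(default_factory=list)


class CryptokeyRouter:
    """One tunnel interface: a prefix table that maps allowed IPs to a single peer."""

    def __init__(self) -> None:
        self.peers: Dict[str, Peer] = {}
        self.table: Dict[Network, str] = {}  # prefix -> pubkey of its owner

    def add_peer(self, peer: Peer) -> List[str]:
        """Register a peer. In this model a prefix already owned by another
        peer moves to the newcomer (assumed behaviour); the names of peers
        that lost a prefix are returned so the overlap is visible."""
        displaced: List[str] = []
        self.peers[peer.pubkey] = peer
        for net in peer.allowed_ips:
            old = self.table.get(net)
            if old is not None and old != peer.pubkey:
                self.peers[old].allowed_ips.remove(net)
                displaced.append(self.peers[old].name)
            self.table[net] = peer.pubkey
        return displaced

    def route_outbound(self, dst: str) -> Optional[Peer]:
        """Longest-prefix match on the destination picks the peer whose key
        will encrypt the packet; no match means the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, key in self.table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, key)
        return self.peers[best[1]] if best else None

    def accept_inbound(self, pubkey: str, src: str) -> bool:
        """After decryption, a packet is accepted only if its source address
        lies inside the allowed IPs of the peer whose key authenticated it."""
        peer = self.peers.get(pubkey)
        if peer is None:
            return False
        addr = ipaddress.ip_address(src)
        return any(addr.version == n.version and addr in n for n in peer.allowed_ips)


def demo() -> dict:
    """Constructed scenario from the thread: two sites both using 192.168.0.0/24."""
    router = CryptokeyRouter()
    site_a = Peer("site-a", "PUBKEY_A_PLACEHOLDER",
                  [ipaddress.ip_network("192.168.0.0/24"),
                   ipaddress.ip_network("10.0.1.0/24")])
    site_b = Peer("site-b", "PUBKEY_B_PLACEHOLDER",
                  [ipaddress.ip_network("192.168.0.0/24")])
    router.add_peer(site_a)
    displaced = router.add_peer(site_b)  # site-a loses the overlapping prefix
    return {
        "displaced": displaced,
        "to_192": router.route_outbound("192.168.0.7").name,  # site-b only
        "to_10": router.route_outbound("10.0.1.9").name,      # site-a keeps this
        "no_route": router.route_outbound("172.16.0.1"),      # nobody: dropped
        # site-a can no longer inject 192.168.0.x traffic; site-b can
        "a_sends_192": router.accept_inbound("PUBKEY_A_PLACEHOLDER", "192.168.0.7"),
        "b_sends_192": router.accept_inbound("PUBKEY_B_PLACEHOLDER", "192.168.0.7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The inbound check is what turns the prefix table into an access-control list as well as a routing table: a peer whose key authenticated a packet cannot claim a source address it was never assigned.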
