Originally posted by cndg
Oh god. Time to feed the trolls.
1. TCP: tunneling over TCP is a terrible idea with lots of performance loss. UDP is widely considered the only way to do this on the modern internet. There are plenty of other tools for slow, terrible TCP tunneling if that's what you need for particular restrictive networks, etc.
2. You can put it on port 443 if you want. "wg set wg0 listen-port 443" is the command.
3. Kernel space is not considered a bad thing when it comes to network tunnels that do high performance crypto and integrate well with the operating system.
4. It does have perfect forward secrecy. https://git.zx2c4.com/WireGuard/tree/src/noise.c#n320 As you can see there, an ephemeral is mixed in. I think I have a pretty decent grasp on the crypto involved, and if you'd like more discussion of the core of the handshake, you can always read the Noise spec itself (noiseprotocol.org).
5. It uses statically preshared public key pairs, just like SSH. Other additional layers of auth can be layered on top (in userspace) if that's your fancy.
6. This actually does run on Android. For the others, a cross platform client is in the works.
Go away, troll.
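The forward-secrecy point in item 4 (and the static key pairs of item 5) can be made concrete with a small simulation. The block below is an added example written for this page; it is neither WireGuard's code nor anything the poster wrote. It keeps only the key-chaining part of a Noise IK-style handshake: static and ephemeral Diffie-Hellman results are mixed one after another into a chaining key with an HMAC-BLAKE2s KDF, as WireGuard's noise.c does. Everything else is an assumption made to keep it stand-alone: the DH group is a throwaway modular-exponentiation group over a 127-bit prime (WireGuard uses Curve25519), there is no transcript hashing, AEAD, timestamp or optional PSK, and the KDF shape is a simplified Kdf2. The `handshake` function returns the two peers' derived keys plus what an attacker can derive who recorded the handshake and later steals both static private keys; toggling `mix_ee` shows that the ephemeral-ephemeral term is exactly what keeps that attacker out.

```python
"""Added demonstration of Noise-style key mixing and forward secrecy.

Not WireGuard's code. The DH group below is a placeholder so the example
runs in pure Python; it is not secure and not Curve25519.
"""
import hashlib
import hmac
import secrets

# Assumption: placeholder DH group (2^127 - 1 is prime, generator 5 is
# arbitrary). Real WireGuard uses X25519; only the *structure* matters here.
P = (1 << 127) - 1
G = 5
DH_LEN = (P.bit_length() + 7) // 8


def dh_keygen():
    """Return (private, public) for the placeholder group."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh(priv, peer_pub):
    """Shared secret as fixed-length bytes, like a DH() output in Noise."""
    return pow(peer_pub, priv, P).to_bytes(DH_LEN, "big")


def kdf2(ck, ikm):
    """Simplified HMAC-BLAKE2s Kdf2: returns (new chaining key, output key)."""
    tau0 = hmac.new(ck, ikm, hashlib.blake2s).digest()
    tau1 = hmac.new(tau0, b"\x01", hashlib.blake2s).digest()
    tau2 = hmac.new(tau0, tau1 + b"\x02", hashlib.blake2s).digest()
    return tau1, tau2


def derive_session_key(ck, dh_outputs):
    """Mix each DH result into the chaining key in order, then split a key."""
    for out in dh_outputs:
        ck, _ = kdf2(ck, out)          # MixKey(ck, DH(...)) step
    _, key = kdf2(ck, b"")             # final split into a transport key
    return key


def handshake(mix_ee=True):
    """Simulate the key chain of an IK-style handshake.

    Returns (initiator_key, responder_key, attacker_key). The attacker saw
    the ephemeral public values on the wire and later obtained BOTH static
    private keys. With mix_ee=False the ee term is omitted, which is the
    configuration that has no forward secrecy.
    """
    si, Si = dh_keygen()   # initiator static (pre-shared public key, like SSH)
    sr, Sr = dh_keygen()   # responder static
    ei, Ei = dh_keygen()   # initiator ephemeral, fresh per handshake
    er, Er = dh_keygen()   # responder ephemeral, fresh per handshake
    ck0 = hashlib.blake2s(b"Demo Noise_IK over placeholder DH").digest()

    # Initiation message: es and ss, computed from each side's own secrets.
    init_terms = [dh(ei, Sr), dh(si, Sr)]
    resp_terms = [dh(sr, Ei), dh(sr, Si)]
    # Response message: ee (the forward-secrecy term) and se.
    if mix_ee:
        init_terms.append(dh(ei, Er))
        resp_terms.append(dh(er, Ei))
    init_terms.append(dh(si, Er))
    resp_terms.append(dh(er, Si))

    k_init = derive_session_key(ck0, init_terms)
    k_resp = derive_session_key(ck0, resp_terms)

    # Attacker: knows Ei, Er (public), si and sr (stolen later). That yields
    # es, ss and se, but never ee, because neither ephemeral private key
    # survives the handshake. Best effort is to chain without the ee term.
    atk_terms = [dh(sr, Ei), dh(si, Sr), dh(si, Er)]
    k_atk = derive_session_key(ck0, atk_terms)
    return k_init, k_resp, k_atk


if __name__ == "__main__":
    ki, kr, ka = handshake(mix_ee=True)
    print("peers agree:", ki == kr, "| attacker recovers key:", ka == ki)
    ki, kr, ka = handshake(mix_ee=False)
    print("without ee, attacker recovers key:", ka == ki)
```

With `mix_ee=True` the peers agree and the attacker's reconstruction fails; with `mix_ee=False` the same attacker, holding only long-term keys and a packet capture, derives the identical session key. That difference is the "ephemeral is mixed in" step at the cited line of noise.c, and it is why leaking a WireGuard static key later does not expose earlier sessions.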