back to article But why that VPN? How WireGuard made it into Linux

Maybe someday – maybe – Zero Trust will solve many of our network security problems. But for now, if you want to make sure you don't have an eavesdropper on your network, you need a Virtual Private Network (VPN). There's only one little problem with commercial VPNs: many of them are untrustworthy. So, what can you do? Well, …

  1. John Robson Silver badge

    And there are public options to make the setup even easier than that...

    tailscale makes wireguard utterly trivial to deploy, and as mentioned the dedicated interface makes firewalls trivial to write and update.

  2. Deanamore

    WireGuard is by far the best VPN I've worked with and, since mid 2018, have implemented it for companies, friends and use it myself for ephemeral, region specific VPN's in the cloud. Being forced to use OpenVPN at my current job feels like being told to use PuTTY on a Windows laptop because they don't let anyone install their own Linux distro. I imagine that the reason most companies won't be interested though i because nobody likes to touch the VPN server once it's running and works so it's easier to keep forking out money for OpenVPN licenses or simply having the costs absorbed by your monthly AWS bill.

    1. Anonymous Coward
      Anonymous Coward

      @Deanamore - Your analogy is flawed

      According to your line of thought, you'd gladly install a Linux machine only to use SSH client to connect to a Linux server, am I correct ?

      1. John Robson Silver badge

        Re: @Deanamore - Your analogy is flawed

        Erm - there are differences between putty and having a real terminal which can do all sorts of remote automation...

        I often run loops to connect to a bunch of machines (which can't necessarily talk to each other) and run a similar command on each.

        1. badflorist

          Re: @Deanamore - Your analogy is flawed

          alias command=other_command (on Windows I think you have to use mklink or something goofy)

          1. Deanamore

            Re: @Deanamore - Your analogy is flawed

            A terminal emulator isn't the same thing as a shell. Windows is an impediment for productivity for me which is why I used the analogy and needing to customise my default work environment just to get a semblance of the real thing simply reinforces that.

            1. EnviableOne Silver badge

              Re: @Deanamore - Your analogy is flawed

              WSL2 with powershell 7+ if you're serious about a hybrid environment.

        2. DrewWyatt

          Re: @Deanamore - Your analogy is flawed

          I tend to use ClusterSSH for that (cssh)

      2. Deanamore

        Re: @Deanamore - Your analogy is flawed

        Yes. If I need to interact with Linux then I want an actual shell rather than a terminal emulator.

  3. Adam Trickett
    Linux

    Seems to work okay

    I've been running it a home between my computers in the house and a tiny hosted virtual server in a data centre for about a year or so. Works perfectly well when I want my machines at home to appear to be in a different geographic location, and for my phone or a mobile system away from the house, when I want to check something at home.

    As it stands for a small user it's pretty perfect and no more or less complicated than SSH to set up. Obviously once you have a lot of systems it doesn't have all the bells and whistles of OpenVPN, but then for a lot of small simple use cases it's pretty good. It also appears to be quite a bit more efficient than OpenVPN, which may be an issue if you're stuck with rubbish ADSL connections...

    1. John Sager

      Re: Seems to work okay

      Same here. I've been running it for several years for mail and sometimes proxy when out & about on both phone & laptop. It replaces completely the kludgy port forwarding over SSH that I used to use. The only annoyance I had to solve on my laptop was split DNS so I could look up over the VPN for names on my home network. Systemd-resolved wouldn't do it the way I needed so I canned that & went back to dnsmasq.

  4. Robigus
    Thumb Up

    Painless

    I run it in a Docker container on an RPi4 at home and in an X86 VPS - Very effective. The clients for Android/iPhone/Linux and MacOS work well too.

    Colleagues inform me that it was trivial on Windows too. Unless looking for particularly arcane use cases, what's not to like?*

    * Rhetorical. Don't bother.

    1. Thought About IT

      Re: Painless

      It's good to go on a Pi 3 as well. I haven't had the chance to try it from outside the UK, to check if it is detectable by iPlayer etc.

      1. John Robson Silver badge

        Re: Painless

        Think you're good - it's a pure exit node, so if you are bouncing off a pi at your house then you are at your house as far as the BBC is concerned.

  5. Data Mangler
    Thumb Up

    Works well

    Have it running on an RPi4 also running PiHole. Family have it set up so their phones use the PiHole for DNS. It's very effective in blocking ads etc. while out and about.

  6. Androgynous Cupboard Silver badge

    ZeroTier One for the VPN

    I have to shout out to ZeroTier one - I think I first saw it mentioned on the Reg a few years back. Fast forward to today and I run it on every device I have, on multiple OSs, and then promptly forget about it. I don't notice it when I move between home and office - everything works, including multicast traffic.

    It just works and I don't have to think about it is pretty much the highest praise I can offer.

    1. mattaw2001

      Re: ZeroTier One for the VPN

      Wait until marketing insists you have to stare at their logo for 30s before the application loads for "branding reasons".

  7. LDS Silver badge

    "with your private key and your peers' public keys"

    Yes, and that makes its "simplicity" a pain in the ass when you have to manage far more complex setups. The cryptography may be very good, but everything else makes it really unmanageable even for moderately complex setups and needs. Sure, as usual someone else will add layers and layers of other stuff to overcome that, making everything as brittle as possible. But that's today's IT fashion.

    1. Anonymous Coward
      Anonymous Coward

      Re: "with your private key and your peers' public keys"

      Exactly, it's fine for small use cases, personal use, but when using it in an enterprise environment with 100s to 1000s of users, requiring access profiles, it is piss poor, requiring scripts and various other software piled on top. Then it's 'ease of use' goes out the window.

      1. mpi

        Re: "with your private key and your peers' public keys"

        Core Unix software philosophy: "Do one thing and do it well".

        wg isn't a user database, it's a a VPN. Period.

        Everything else that OpenVPN etc. do canbe built on top of it.

        1. Anonymous Coward
          Anonymous Coward

          Re: "with your private key and your peers' public keys"

          What has an access profile have to do with it having a user database?

          VPNs, have access profiles, allowing restrictions of sources, for example the logging in user, with destination systems/ networks. This can be done via the user logging in, the user within a group / groups, stored in an external ldap system, wireguard has no ability to do this.

          Why, because wireguard isnt a user VPN, its the equivalent of a site to site VPN or a tunnel with pre-shared keys, so a piss poor end user VPN for remote access within an enterprise.

          Has no local user profile config setup, configuring of the routes, when needed to be changed the user logging on needs to be an admin.

          Wireguard needs to currently keep its own 'user database' of pre-shared keys

          The windows client is / was the last time i looked, poorly done, requiring write access in program files, per system, not per user. With the reason given by the developer incorrectly being you shouldn't change the permissions in app data, and its difficult to get right. But hey its fine to change them in program files, where you should never be given write permission (why there is redirection for old crappy software written before there was a difference in user rights).

          1. mpi

            Re: "with your private key and your peers' public keys"

            >wireguard has no ability to do this.

            It doesn't have to.

            It provides a solid foundation to build other things on top of it, making the simple use cases simple out-of-the-box, and empowering developers of more complex solutions to build on an efficient base.

            This is unix philosophy at its best, and as time has proven, it is a vastly useful (and successful) approach.

            1. LDS Silver badge

              "This is unix philosophy at its best"

              This is the Unix philosophy at its worst. Build brittle systems with layers and layers cobbled one upon another without a unified design - with bad error management as well.

              Good maybe with the simple mainframes with their little resources in the 1970s - truly ugly fifty years later on far more powerful and complex systems.

  8. Anonymous Coward
    Anonymous Coward

    WireGuard is awesome, I'll give him that. The one nice thing about IKEv2 though, is that it's built into most OSs out there already, so you don't have to install yet another client.

    I'm using IKEv2 (OpenBSD's iked) with WireGuard as a failback. I haven't had to use the failback in over a year, luckily.

  9. ayay

    WireGuard is the best

    I have mentioned this somewhere else here, but I need to repeat it every time I can, because WireGuard is the best.

    My mom has a circa-2014 router (TP-Link WDR4300) running OpenWRT. I do need to VPN there every once in a while.

    Being OpenWRT, I was able to use OpenVPN. But... it. was. a. dog. Bandwidth was TERRIBLE.

    Of course, the damn thing was not state of the art in 2014. I got it on sale, clearance even, so there it is.

    Yet, with WireGuard, it's almost like I am there. It flies.

    The same goes for my phone, laptop, pretty much all devices that roam around with me, yet are always connected to my network. It is robust... and fast. And secure.

    Yes, there's a little fiddling around to get it all set up, as it usually happens with Linux and friends. After that, though, it just goes on and on, and you leave nothing on the table. Resource efficient, secure, simple. Gets your stuff VPN'd in, makes sure that site-to-site VPN you need is iron-clad and speedy. I could go on and on!

  10. Kevin McMurtrie Silver badge

    Shocking because it works

    I tested it out and found it to be the very first VPN that actually tunnels anything through VPN. Most of them don't tunnel IPv6 either because they can't support it or because the correct configuration can't be derived from the documentation. Traffic goes right around the VPN client. WireGuard is crude to configure but the simplest documentation for getting started work with IPv4 and IPv6.

  11. Ian Johnston Silver badge

    The Linux kernel has a VPN built in? Why don't they just go the whole hog and fold LibreOffice in as well?

    1. mpi

      Since this is Linux, I guess it is possible to compile the kernel without wireguard if so desired. On systems where it is implemented as a kernel-modeule, it can simply be deactivated by root.

    2. Anonymous Coward
      Anonymous Coward

      I think that you are confusing the kernel with Emacs :-)

  12. Salts

    Tailscale based on wireguard

    As mentioned in the first post take a look at https://tailscale.com/ which is built on top of wireguard. You get 20 devices free and $50 gets you a further 80 for home/hobbyist users. I have one of my home servers set up as an exit node. This means when out and about can push everything through my home internet, you can also bring up VM's in the cloud quickly install and use that as an exit node from a region of choice. The DNS service means you can access home servers via name. It really has a lot going for it and is available on most mac/windows/linux/andriod platforms. Don't get me wrong wireguard is awesome, but, tailscale IMHO takes it to the next level.

  13. Povl H. Pedersen

    Wireguard

    I think one important reason for Wireguard existing in the first place is that the Raspberry Pi series are one of the few ARM boards that does NOT do hardware crypto. So wireguard was written to get decent VPN performance on the RPi.

    I use TV boxes instead, cheaper, faster, and with built-in MMC memory. And they can do hardware crypto, so no reason for me to sacrifice 1 CPU core for VPN when I can run it in hardware crypto.

    WG was not written to negotiate encryption algo,

    WG has its place. I use it in containers. But it is wasted if you have hardware crypto.

    1. noel.hibbard

      Re: Wireguard

      Povl H. Pedersen, could you elaborate on these "TV boxes" you speak of that are good replacements for a RPi? I see lots of Android TV boxes on Amazon which I assume you are talking about. I suspect some can be reloaded with Linux and some can't. Sounds like a nightmare to me to not know for certain if a random TV Box off Amazon will even be usable. The RPi is basically turn key and wildly available. I hate finding solutions that require a specific device made by some Chinese company no one has ever heard of and then a year later you can't buy it anymore.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022