  2. 23

    WireGuard is so much better than any other VPN solution I’ve tried: not only in regard to performance, which shines when I look at connection stability, latency and overhead (the main reason being that connections are stateless). The much more crucial point is that WireGuard is so easy to set up (literally <12 lines of config on server and client get you started). I would’ve never dared to do this with OpenVPN, but I’ve successfully set up a “real” VPN, meaning I linked multiple computers into one private network, allowing me to access my local machines from wherever I am, safely guarded from surveillance and other actors.

    WireGuard is a prime example of what we always promote at suckless.org: one doesn’t need an enterprise-ready solution to be productive or solve problems. Enterprise-ready often means bloated, full of legacy cruft and hard to set up (as it becomes people’s jobs to set it up). I’m not saying that WireGuard was trivial to reimplement, but just looking at the interfaces it provides it is damn simple, and that’s how all software should be.
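    The “<12 lines of config” claim, illustrated with a minimal two-peer setup in wg-quick’s config format. This is an added example, not from the comment above or the WireGuard project; the addresses, hostname and `<...>` key strings are placeholders (generate real ones with `wg genkey | tee peer.key | wg pubkey > peer.pub`).

    ```ini
    # --- server: /etc/wireguard/wg0.conf (placeholder values) ---
    [Interface]
    Address    = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = <SERVER_PRIVATE_KEY>   # keep this file mode 0600

    [Peer]
    # One [Peer] block per client machine; WireGuard authenticates
    # machines by key, not users, so a lost laptop means rotating this key.
    PublicKey  = <CLIENT_PUBLIC_KEY>
    # AllowedIPs is cryptokey routing: packets from this peer are only
    # accepted if their source is in this set, and only traffic to this
    # set is sent to this peer. Narrow it to the client's own address.
    AllowedIPs = 10.0.0.2/32

    # --- client: /etc/wireguard/wg0.conf (placeholder values) ---
    [Interface]
    Address    = 10.0.0.2/24
    PrivateKey = <CLIENT_PRIVATE_KEY>

    [Peer]
    PublicKey  = <SERVER_PUBLIC_KEY>
    Endpoint   = vpn.example.com:51820
    # Route only the private network through the tunnel; use 0.0.0.0/0
    # instead if all traffic should go via the server.
    AllowedIPs = 10.0.0.0/24
    # Keeps the NAT mapping alive from behind home/mobile networks;
    # not needed if the client is directly reachable.
    PersistentKeepalive = 25
    ```

    Bring either side up with `wg-quick up wg0` and check handshakes and per-peer transfer counters with `wg show`.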

    1. 5

      The much more crucial point is that WireGuard is so easy to set up (literally <12 lines of config on server and client get you started)

      NixOS users can also configure it declaratively: https://nixos.wiki/wiki/Wireguard

      I’ve been using Wireguard for more than a year now, in order to serve web apps that run on my home machine. I use a small DigitalOcean VM with nginx that proxies through wireguard.

      1. 1

        Wow, that’s brilliant! How bad is the added latency?

        1. 2

          I did not measure it, but you can check it out for yourself by accessing one of my apps: https://slownews.srid.ca/ (just ignore that JS overhead, as that is compiled from Haskell using GHCJS).

      2. 5

        I love WireGuard and use it every day, but I really do wish it had a shitty TCP mode so that I could use it on public Wi-Fi networks that block UDP. I understand performance would be bad, but a slow VPN beats one you can’t use every single time.

        1. 2

          Could you maybe rig up something with socat or similar as a TCP<->UDP proxy on each endpoint as a band-aid? I guess it might take a bit of extra work to delimit UDP message boundaries if the protocol depends on those…

          1. 2

            I mostly want this on my iPhone, so first-party support would be ideal. The WireGuard iOS app is great, btw.

        2. 3

          Thanks for the nice words. I’ve always thought highly of suckless.org, so that means a lot.

        3. 9

          Using WireGuard on a daily basis on my Linux and iPhone. It really is hard to describe how much better of an experience it offers, compared to OpenVPN. For instance, the connections are more reliable and durable; latency is low and you can understand the software.

          1. 5

            I’m surprised at all the complaints about OpenVPN. I have had pretty good experiences with it. Wireguard is surely an improvement, but OpenVPN was already pretty OK IMHO.

            1. 3

              It’s been a few years since I had anything to do with OpenVPN so my memory might be a bit skewed.

              I guess the main reason is that OpenVPN is initially more complicated to set up compared to Wireguard. Which, if one needs only a very simple setup, can be cumbersome. OpenVPN, on the other hand, offers quite a few more features. For example, when it comes to authentication. Not just keys per device but user auth against LDAP etc etc.

            2. 3

              How does this compare with tinc?

              1. 7

                So I was a heavy tinc user for years and was a big fan, but have since made the switch to WireGuard. I’ll try and do a quick summary from memory (plz don’t hurt me if I get some of it slightly wrong). WireGuard has no meshing capabilities (currently) and does not have the concept of the meta-protocol that tinc does. So there is essentially no configuration pushed from the servers and no runtime configuration that can happen with WireGuard. Where in my testing WireGuard did a lot better was in speed, use of ip(1) configuration, stateless connections, a really thorough analysis of the protocol (whereas tinc 1.1 has a cool protocol but has been in beta hell for ages), and a Go implementation as well as the Linux in-kernel one.

                Based on the TODO it looks like a lot of those features are actually planned to be there. Realistically I had a few different use cases for both and I think WireGuard fit the traditional VPN structure better while tinc allows for some more wild configurations.

                1. 2

                  Don’t know if you might mean something else with meshing than me, but I have a 60+ node wireguard network, which is a full-mesh … every node directly talks to every other node, like they would if they shared a local area network.

                  1. 2

                    I do mean something different. tinc has discoverability in order to create its mesh. Essentially a node does not need to know about another node, and as long as one of the nodes authorizes a new node it can discover and find out about the others and immediately start routing to it through the network.

              2. 3

                I’d love to try WireGuard instead of OpenVPN at work, but we have a compliance requirement for two-factor auth which as far as I can tell (after a very brief skim of their web site) is impossible in WireGuard. Am I wrong about that?

                1. 5

                  You’re right, although I’d also argue that WireGuard didn’t authenticate users at all. It authenticates machines to one another.

                  1. 1

                    This is correct and also has held us up from using it at work. I’m not sure if this is something that he considers completely outside of scope and conflicting with the design, or if it’s just something that hasn’t been done yet.

                    1. 1

                      Yeah, you could have the wireguard keys decrypted through a 2FA system, I guess, but there’s no tooling for that.

                    2. 3

                      Is there any ongoing project to wrap WireGuard in HTTP/3 with fallback to HTTP/2?

                      1. 3

                        I guess the main use-case would be to circumvent restricted network environments?

                        1. 2

                          I don’t think there is any benefit in doing this; you are sacrificing the latency and performance of wireguard. :(

                        2. 3

                          Great news.

                          Apparently I’m the only person who has had nothing but problems with WireGuard, but nevertheless I’m looking forward to try it again when I need it. :)

                          1. 2

                            This post inspired me to try using WireGuard rather than OpenVPN to connect to my VPN provider (Mullvad), and I immediately noticed a speed improvement.