New Open Source WireGuard Implementation From Cloudflare!

>named BoringTun
>written in Rust
>runs entirely in userland
>designed for portability
What does Jow Forums think about this?
phoronix.com/scan.php?page=news_item&px=CloudFlare-BoringTun-WireGuard
blog.cloudflare.com/boringtun-userspace-wireguard-rust/
github.com/cloudflare/boringtun



Last I heard wireguard devs were warning people not to rely on it yet as it's still new. How far has it come since then?

restoreprivacy.com/wireguard/

Mullvad VPN offers it and it works great. I primarily use OpenVPN still because it's new but I have confidence it can replace it in a few years.

Shadowsocks or wireguard?

WireGuard requires logs by design, making it inherent garbage. It must be thrown away and redone from scratch.

I like drivers in userspace.

explain, how does it require logs

>2. WireGuard privacy concerns and logs
restoreprivacy.com/wireguard/

Ok, I imagined something different by "logs". This does not mean a history of traffic.

>rust


You realize that the primary purpose of a VPN is not to hide you from downloading torrents, right?

That VPN is simply a convenient way for companies to monetize this service, but that you actually solely rely on the good faith of a for-profit organization to protect you?

That legit businesses have a day-to-day use of a VPN for their employees, especially with homeworking growing?

let's not forget that Wireguard was designed and programmed by one based guy


Not to mention he sent me SIX WireGuard stickers!!!

>wireguard
stop shilling this botnet

real life example:
My uni pays for access to various scientific journals, libraries, and services. The uni's IP range has access to those, and they remotely provide it to students through a VPN into the uni's network. Similarly, some of the uni's servers are only accessible from their IP range.

Two different purposes. Pick one that suits you.

Restoreprivacy also spread FUD about Tor solely because of their sponsorship by certain VPN companies

The original implementation is in C, if that’s more your taste

Me too. That’s what caught my eye about this project

I hadn't heard about that, and now I'm angry. While it's always good to be wary of using services like Tor and noting the inherent bandwidth and latency cost that comes with using it, vendors talking shit about it to shill their "secure and trustworthy" VPN bullshit is modern cancer

90% of it was “lol gubmint made it therefore it’s botnet.” So was SELinux and most of our encryption algorithms. Not an argument.
Definitely have some skepticism about security and privacy, but don’t fall for privacy theatre

You didn't even read it did you? These are quotes from multiple vpn providers saying the same thing.


Doesn't seem like you read it yourself. Fixed IP address management doesn't have anything to do with logging although it is an interesting concern.

>"not usable without logs"
Am I interpreting that wrong?

I also don't know what they mean by this. The authentication is based on keys and the IP address is just for additional filtering; you can put a complete range there.
But there could be something with sessions - since the protocol is stateful, you should not be able to use multiple devices with the same key at once, thus additional info needs to be stored; that could be the IP address. But I did not read the protocol specs yet; it could be temporary session keys generated on handshake as well.
Really no idea, but more reasons to dig deeper into the implementation for me.

>written in Rust
All new security holes, great.
#[allow(non_snake_case)]

definitely rust, lol

So it literally just tells you the IP address of who is currently connected?
That's not a problem. In fact, I do client-side monitoring via ss(8) to laugh at the "hackers" trying to bruteforce root.
It also keeps the tunnel from timing out.

Error logs are fine. You WANT to know if someone is brute forcing accounts, so you can pipe those into something like fail2ban.

Probably still can't integrate with Network Manager to modify resolv.conf. Enjoy your DNS leaks.


lurk more, faggot

Still waiting for in kernel wireguard…

No windows client no fuck given

No reason to use this on linux. Afaik it's 20 to 40% slower than the kernel module.

Alright let's unpack this.

>But when it comes to WireGuard the default behaviour is to have endpoint and allowed-ip visible in the server interface
This requires root on the server (actually CAP_NET_ADMIN). Any VPN requires the IP of the peer to be stored somewhere in memory. If you have root then you can read that memory. Hiding the IP in the interface is therefore security by obscurity.

>WireGuard has no dynamic address management
Neither does IP. They are ignoring that dynamic address management can easily be implemented on top of wireguard just like DHCP is implemented on top of IP.

>In addition, we would have to store the last login timestamp for each device in order to reclaim unused IP addresses.
Incorrect. You can simply not reclaim the addresses as long as the customer is paying. This is what mullvad does.

>Specifically, last public IP of user would be saved on the server used to connect to and it can't be removed within a day as per our current privacy policy.
The IP of the peer can be removed at any time by executing a single command.

>Wireguard client does not verify the server identity
This is simply a lie. All packets sent between wireguard peers are encrypted and authenticated. If the packets sent by the server do not authenticate, they are dropped.

Don't use AirVPN. They clearly don't know what they are doing.
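The post above is arguing about what peer state a WireGuard server actually holds and how it can be dropped. As an added example that is not from this thread, from WireGuard or from BoringTun, here is a parser for the tab-separated output of `wg show <iface> dump` (interface line, then one line per peer: public key, preshared key, endpoint, allowed-ips, latest handshake, rx, tx, keepalive), plus two helpers: one listing peers for which an endpoint (last public IP:port) is currently stored, one listing peers that would qualify for reclamation under a hypothetical idle-time policy keyed off the only timestamp the interface keeps, the latest handshake. The dump text and the key strings are constructed placeholders, not real keys or real output.

```python
# Added example (not from the thread or from WireGuard/BoringTun): parse the
# tab-separated output of `wg show <iface> dump` to see exactly what peer state
# a WireGuard server holds, then derive the single command that drops a peer
# (and with it the stored endpoint). The dump text below is constructed; the
# key strings are placeholders, not real keys.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:
    public_key: str
    preshared_key: Optional[str]
    endpoint: Optional[str]          # last seen public IP:port of the peer, or None
    allowed_ips: List[str]           # tunnel addresses routed to this peer
    latest_handshake: int            # unix seconds; 0 means no handshake yet
    rx_bytes: int
    tx_bytes: int
    persistent_keepalive: Optional[int]  # seconds, or None when "off"


def _none_if(value: str, sentinel: str) -> Optional[str]:
    return None if value == sentinel else value


def parse_wg_dump(text: str) -> Tuple[Dict[str, object], List[Peer]]:
    """Parse `wg show <iface> dump`: line 1 is the interface, each later line a peer."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    iface = lines[0].split("\t")
    if len(iface) != 4:
        raise ValueError("interface line should have 4 fields")
    interface = {
        "private_key": iface[0],
        "public_key": iface[1],
        "listen_port": int(iface[2]),
        "fwmark": _none_if(iface[3], "off"),
    }
    peers: List[Peer] = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"peer line should have 8 fields, got {len(f)}")
        allowed = _none_if(f[3], "(none)")
        keepalive = _none_if(f[7], "off")
        peers.append(Peer(
            public_key=f[0],
            preshared_key=_none_if(f[1], "(none)"),
            endpoint=_none_if(f[2], "(none)"),
            allowed_ips=allowed.split(",") if allowed else [],
            latest_handshake=int(f[4]),
            rx_bytes=int(f[5]),
            tx_bytes=int(f[6]),
            persistent_keepalive=int(keepalive) if keepalive else None,
        ))
    return interface, peers


def peers_with_stored_endpoint(peers: List[Peer]) -> List[Peer]:
    """Peers for which the server currently holds a public IP:port in memory."""
    return [p for p in peers if p.endpoint is not None]


def idle_peers(peers: List[Peer], now: int, max_idle_seconds: int) -> List[Peer]:
    """Peers that never handshaked or have been silent longer than max_idle_seconds.
    Hypothetical reclaim policy: the latest-handshake field is the only timestamp
    the interface keeps, so any such policy has to key off it."""
    return [p for p in peers
            if p.latest_handshake == 0 or now - p.latest_handshake > max_idle_seconds]


def remove_peer_command(iface: str, public_key: str) -> List[str]:
    """argv for the one command that drops a peer and its stored endpoint."""
    return ["wg", "set", iface, "peer", public_key, "remove"]


# Constructed sample dump: a server on port 51820 with two peers.
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff",
    "PEER_A_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.7:41820\t10.8.0.2/32\t1700000000\t12345\t67890\toff",
    "PEER_B_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.8.0.3/32,fd00:8::3/128\t0\t0\t0\t25",
])

if __name__ == "__main__":
    interface, peers = parse_wg_dump(SAMPLE_DUMP)
    print(f"listening on {interface['listen_port']}, {len(peers)} peers")
    for p in peers_with_stored_endpoint(peers):
        print("endpoint stored for", p.public_key, "->", p.endpoint)
    for p in idle_peers(peers, now=1700000000 + 2 * 86400, max_idle_seconds=86400):
        print(" ".join(remove_peer_command("wg0", p.public_key)))
```

Reading the dump needs the same privilege as `wg show` itself (CAP_NET_ADMIN on the interface), which is the point being made above: the endpoint is only "visible" to whoever already controls the box. `wg set ... peer ... remove` drops the whole peer, so a provider that wants to keep the peer but not its last endpoint has to remove and re-add it.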

cont.

>TCP support is missing (third party or anyway additional code is required to use TCP as the tunneling protocol, as you suggest, and that’s a horrible regression when compared to OpenVPN)
>there is no support to connect Wireguard to a VPN server over some proxy with a variety of authentication methods.
All of this is supported. The corporate slaves at AirVPN simply don't understand the Unix philosophy.

I can today tunnel WireGuard over TCP, over HTTP, over HTTPS, over QUIC, over OpenVPN, over IPsec, etc. All of this is easily possible because of the simple design of WireGuard that does not require such things to be part of the core protocol.

------------

Use Mullvad. They are aware of the lack of dynamic address assignment but instead of trying to force it into the protocol itself, they are engaging with the community to create a standard protocol on top of wireguard for this purpose.


>no dynamic IP address management, client's IP needs to be assigned in advance
client is identified by his public key
>client does not verify the server identity
the model assumes pre-shared public keys, thus the client knows the server's public key, thus the client verifies the server's identity
>TCP support is missing
VPNs are catastrophic over TCP that just forwards. VPN-over-TCP needs to literally parse every single packet statefully. See sshuttle for an example of such an approach.
(I wonder how QUIC works and if it solves issues TCP has.)
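The post above says the client is identified by its public key and its tunnel address is assigned in advance. As an added example that is not from this thread, from WireGuard or from BoringTun, here is what that static assignment looks like when done outside the protocol: validate that a string is a WireGuard key (32 bytes, base64), hand each key a fixed host address from a pool, and render the `[Peer]` entries the server config needs plus the matching client config. The keys are constructed base64 placeholders of the right size, not real Curve25519 keys, and `vpn.example.net:51820` is an assumed endpoint.

```python
# Added example (not from the thread, WireGuard or BoringTun): static tunnel
# address assignment keyed by the peer's public key, rendered as the [Peer]
# entries a server config needs and the matching client config. Keys below are
# constructed base64 placeholders of the right size, not real Curve25519 keys.
import base64
import binascii
import ipaddress
from typing import Dict, Iterable


def is_wg_key(key: str) -> bool:
    """WireGuard keys are 32 raw bytes, base64-encoded with padding (44 characters)."""
    if len(key) != 44:
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def allocate_static_addresses(pubkeys: Iterable[str], subnet: str = "10.8.0.0/24"):
    """Give each public key a fixed host address in order; the first host is the server.
    Returns (network, server_ip, {pubkey: client_ip})."""
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError("subnet too small for a server and at least one client")
    server_ip, pool = hosts[0], hosts[1:]
    table: Dict[str, object] = {}
    for key in pubkeys:
        if not is_wg_key(key):
            raise ValueError(f"not a WireGuard key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate peer key: {key!r}")
        if len(table) >= len(pool):
            raise RuntimeError("address pool exhausted")
        table[key] = pool[len(table)]
    return net, server_ip, table


def render_server_peers(table) -> str:
    """[Peer] blocks: the public key is the identity, AllowedIPs its fixed /32 (or /128)."""
    blocks = []
    for key, ip in table.items():
        blocks.append(f"[Peer]\nPublicKey = {key}\nAllowedIPs = {ip}/{ip.max_prefixlen}\n")
    return "\n".join(blocks)


def render_client_config(server_pubkey: str, endpoint: str, net, client_ip, keepalive: int = 25) -> str:
    """Client side: its own fixed Address, the server's known public key and endpoint.
    The server key in [Peer] is what lets the client authenticate the server."""
    return (
        "[Interface]\n"
        "PrivateKey = <client private key goes here>\n"
        f"Address = {client_ip}/{net.prefixlen}\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pubkey}\n"
        f"Endpoint = {endpoint}\n"
        f"AllowedIPs = {net}\n"
        f"PersistentKeepalive = {keepalive}\n"
    )


# Constructed placeholder keys: base64 of 32 arbitrary bytes each (not real keys).
SERVER_PUB = base64.b64encode(b"S" * 32).decode()
CLIENT_A = base64.b64encode(b"A" * 32).decode()
CLIENT_B = base64.b64encode(b"B" * 32).decode()

if __name__ == "__main__":
    net, server_ip, table = allocate_static_addresses([CLIENT_A, CLIENT_B])
    print(f"server address {server_ip}/{net.prefixlen}\n")
    print(render_server_peers(table))
    print(render_client_config(SERVER_PUB, "vpn.example.net:51820", net, table[CLIENT_A]))
```

Nothing in the protocol learns about this table; it lives in whatever the provider uses to generate configs. Two devices sharing one public key would also share one AllowedIPs entry, which is why a real deployment issues one key per device.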

Basically this. I'm self-hosting Wireguard on a VPS and it works flawlessly but I am using fixed IP addresses despite knowing I don't have to. I haven't messed with it otherwise.

The virgin user space implementation vs the Chad kernel module.

Same thing as Shadowsocks implementation by Google - barely customizable wraparound for complete retards. Stick with vanilla.
>runs entirely in userland
And how's that better?

>Rust
DROPPED

Why do you hate fearless concurrency?

I don't support ANTIFA commies. fuck Rust.

Ok but why do you hate fearless concurrency?

>imagine unironically using this bloat called NetworkManager

kernel wireguard is the original WireGuard, retard