Why do people think Wireguard is a botnet?

It's in beta still

This. Even the developers advise not to use it for anything serious.

Freetard shit that will forever be in beta. Also it LOGS when it's supposed to be an OpenVPN alternative. baka

no idea, it's just a glorified SSH tunnel desu

But at the kernel level.

only double digit IQs with high school degrees at best advise against it because all these "VPN" websites get paid from VPN providers that use OpenVPN

Wireguard is 100000x more secure, more flexible (e.g. namespaces), faster and more scalable than OpenVPN

Supremely based
no u

wireguard bad

what a nice argument low IQ retard, Wireguard is FOSS and its implementation is based on Noise protocol. It uses x25519 for key agreement, chacha20-poly1305 for authenticated encryption which has 256-bit security level while being much faster than AES especially on ARM-based devices, periodic rekeying, it is stateless and flexible enough that it doesn't give a shit about endpoint IPs (i.e. support for roaming without disconnections), it has a linux kernel implementation that will be merged with the mainline kernel next year.

Give me 1 real security expert that advises against it, and not some VPN recommendation website managed by a low IQ retard who makes a living by shilling for "xVPN" company

I am still waiting, retards

openvpn logs too dickhead

The only reason to still use OpenVPN is if you live in a shithole country where you can't get internet speeds above 200Mbit/s

OpenVPN = 200Mbit/s limit
WireGuard = 1000Mbit/s limit

If you have gigabit internet you choose WireGuard, plain and simple.

>Give me 1 real security expert that advises against it, and not some VPN recommendation
Even the VPN companies think it's a good idea, lol.
PIA's not ready to roll it out yet, but they're working on it and financially backing it
privateinternetaccess.com/blog/2018/01/private-internet-access-proud-supporting-wireguard-project/
Nord is further along, working on custom tools for it
nordvpn.com/blog/nordlynx-protocol-wireguard/

I'm not against using it, it's just that even its own developers advise against using it for anything serious at this point due to being in beta

i don't think it's a botnet but i'm not very interested in using it until it's been audited
this is very good, but the end result is key here
a lot of VPN usage doesn't care too much about b/w capabilities, especially not over 200Mb/s. average Jow Forums users and consumers may care about this, but the "important" uses of VPN are organizing dissent in countries like china and hardening private networks so remote users can do DB work, rdp, ssh, etc

Another point to make: the websites
Take a look at Wireguard's site.
wireguard.com/
Plain site that explains what the thing does, how to get it, and how to use it.

Now look at OpenVPN's site:
openvpn.net/
What am I even looking at? "Choose your VPN solution"? It's a VPN software. Why does there need to be a separate 'solution' for all these someone else's computer providers? Ok I'll just try the get link at the top. "Purchase License"? So I have to buy this bloated shit? Oh wait no I don't. The fuck is going on here?

Literally based Free Software vs corporate Open Source in a nutshell.

AirVPN explains here why they won't use the WireGuard protocol. Pretty much your IP will be left behind on the server after you disconnect which is not good for anybody worried about privacy.

airvpn.org/forums/topic/43824-just-wanted-to-add-my-5-cents/

>operating VPN servers with any form of storage

stupid argument obviously coming from someone with high school degree at best. VPNs are advertised by those scummy companies run by real-estate tier corrupt and greedy managers as something totally different from what "Virtual Private Network" actually means

Wireguard is the future of VPNs no matter how much corporate paid shills scream. I've even seen it to be used as a service mesh infrastructure (like istio and linkerd)

ok Jason, calm the fuck down

Logging has nothing to do with the reason why VPNs were invented. People who only know VPNs as something hosted by someone else belong on /v/ and not Jow Forums

no I am not, faggot. I just happen to know enough about cryptography and networking to understand that Wireguard is the right implementation of a VPN

bitcoin is still in beta
neovim is still in beta
fail2ban is still in beta
sshuttle is still in beta
meson is still in beta
tor is still in alpha
clamav is still in beta
dash is still in beta
compiz is still in beta
putty is still in beta

the linux kernel version is pretty much stable, support on other OSs is not.

reading this, the Staff is full of bullshit.

VPN companies are full of these security experts with high school degrees shamelessly lecturing more confidently about what's secure and what's not than Daniel Bernstein himself

Don't know desu, I use it almost exclusively. It's simple, fast as hell, has both a kernel and a userspace implementation, has a nice Android client etc. Literally no reason not to use it.

Isn't that bothersome as compared to just using tinc? Wireguard isn't that comfortable for mesh networking at this point, is it?

BTW: Is anyone here successfully using git.zx2c4.com/wg-dynamic ?

anyone know a good wireguard provider? i'm thinking of mullvad a bit

> imagine being this stupid.
This is not a limitation of OpenVPN. Plenty of people have no issues with this, although it is going to require your client run on a cpu with AES-NI, or the arm equivalent.
Wireguard is great for things like a corporate VPN. Bad if you need anonymity features. I think people have already mentioned that it is difficult to run without logging but also (from airvpn boards):
> Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic;
> Wireguard client does not verify the server identity (a feature so essential that it will be surely implemented when Wireguard will be no more an experimental software); the impact on security caused by this flaw is very high;
> TCP support is missing (third party or anyway additional code is required to use TCP as the tunneling protocol, as you suggest, and that’s a horrible regression when compared to OpenVPN);
> there is no support to connect Wireguard to a VPN server over some proxy with a variety of authentication methods.

Wireguard is actually excellent for implementing mesh networks. Just add the peer public key and its allowed IP range and you're connected to it. It has been explored for implementing service meshes by very big companies

Why did that faggot trademark the name? It absolutely ruins the image of the software.
It's still great and I'll be looking to switch asap once it's slightly complete, but that really makes it look like I'm about to download bloated, corporate trash.

Thanks for letting us know you have 0 reading comprehension.
Oh, please do refute it technically. Can't wait for your response.

>Wireguard lacks dynamic IP address management
I double dare you explain why this is less secure than static IP allocation
>Wireguard client does not verify the server identity
really? REALLY? do you know how ECDH works? do you know how key exchange fucking works?
>TCP support is missing
and that's good, only a double digit IQ retard would see that TCP over TCP is a good thing. Wireguard is stateless, it's basically encrypted IP packet over UDP. If you have roaming device or get disconnected for any other reason, you're still "connected" to the wireguard network anyway.
>there is no support to connect Wireguard to a VPN server over some proxy with a variety of authentication methods
what kind of nigger-tier nonsense is this? why are these retards allowed to express nonsense as if it were some concrete argument?

also see this
gravitational.com/blog/announcing_wormhole/

>I double dare you explain why this is less secure than static IP allocation
Good luck using a different IP lol.
> >Wireguard client does not verify the server identity
Holy shit how fucking stupid are you. ECDH has nothing to do with this, just fucking leave
> and that's good, only a double digit IQ retard would see that TCP over TCP is a good thing. Wireguard is stateless, it's basically encrypted IP packet over UDP. If you have roaming device or get disconnected for any other reason, you're still "connected" to the wireguard network anyway.
> less features good!
Okay at least now I know what kind of NEET retard you are.

>Good luck using a different IP lol.
it's the private network IP not your external IP, faggot
>Holy shit how fucking stupid are you. ECDH has nothing to do with this, just fucking leave

It has everything to do with it, retard. Wireguard uses handshake based on Noise protocol to verify that both parties verify each other in 1RTT

see section 5.4, fucking nigger-tier retard
wireguard.com/papers/wireguard.pdf

also TCP over TCP is not a feature, it's been proved countless times to be a very retarded idea, the correct method for tunneling is to transport IP packets over UDP and let endpoints kernels manage the TCP state machines instead of stacking multiple state machines over each other with their corresponding timers. Just fucking learn to google instead of embarrassing yourself, low IQ retard

no more argument, retard? now you know you got BTFO and you have no idea what you're talking about

It was *literally* made for a botnet to phone home. The guy didn't like the existing options for the machines he hacked and wrote his own stack.

Not him, but: ECDH is for exchanging (or rather, generating) a session key. It doesn't do any sort of verification/authentication. That can be done afterwards.

I know, I wanted to say that the Noise protocol handshake uses ECDH along with other steps that include hashing and KDF in order for both parties to verify each other.

but ECDH can be used for authenticated on a secure channel.

>but ECDH can be used for authenticated
*for authentication
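The distinction argued over in the posts above, as an added example that is not part of the thread or WireGuard's own code: a bare ECDH exchange authenticates nobody, but deriving the session key from DH results against a pinned static public key means only the holder of the matching private key can confirm the handshake. This is a simplified sketch of that idea (it omits the hash chaining, timestamp and remaining DH steps of the real Noise handshake); all function names are hypothetical and the X25519 routine is teaching code, not constant-time.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (teaching code, not constant-time)."""
    k_int = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a, b * b, d * a, c * b
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def kdf(*parts: bytes) -> bytes:
    # Stand-in for the real HKDF chain: hash the DH outputs together.
    return hashlib.blake2s(b"".join(parts)).digest()

def initiator_key(eph_priv, static_priv, pinned_server_pub):
    # Both DH results are computed against the server key from the config.
    es = x25519(eph_priv, pinned_server_pub)
    ss = x25519(static_priv, pinned_server_pub)
    return kdf(es, ss)

def responder_key(server_priv, eph_pub, client_static_pub):
    # Only the matching static private key reproduces es and ss.
    return kdf(x25519(server_priv, eph_pub), x25519(server_priv, client_static_pub))

def confirm(key: bytes) -> bytes:
    return hashlib.blake2s(b"handshake-confirm", key=key).digest()

def demo():
    server_priv, server_pub = keypair()   # server_pub is what the client pins
    client_priv, client_pub = keypair()
    eph_priv, eph_pub = keypair()
    expected = confirm(initiator_key(eph_priv, client_priv, server_pub))
    genuine = confirm(responder_key(server_priv, eph_pub, client_pub))
    impostor_priv, _ = keypair()          # endpoint without the server's key
    forged = confirm(responder_key(impostor_priv, eph_pub, client_pub))
    return hmac.compare_digest(expected, genuine), hmac.compare_digest(expected, forged)
```
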

Thanks. But on the surface, this doesn't seem practically usable. Some alpha software developed primarily to work with some company's proprietary k8s stack with little activity months ago.

Is there something more wg style simple and reasonably mature by wg standards?

but now it's open source, so how does that make you feel?

>> Wireguard lacks dynamic IP address management.
wireguard is not solving IP address management. manage your own IPs using the myriad of other secure options available, but we are NOT going to bloat wireguard with things that are not part of the problem wireguard is solving

Eh, what? Given that WG establishes a virtual IP network, it really should be able to allocate IP addresses. The vast majority of uses of IP works with dynamically allocated addresses.

just write a manager. the point of WG is to get packets securely from one peer to any other peer

wg itself is nothing more but a kernel-space tunnel currently implemented as a module but in a few months will be a standard linux kernel component, its power is that it is very unix-y and you can build anything upon it with simply shell commands

Ah I can see it now.
>CVE 2020-20-09: Remote Code Execution in WireGuard IP allocator. Critical.

plus WG is formally verified. any new stuff will also need to be formally verified before a 1.0. an IP allocator may have a lot of states, and possibly a lot of wishy washy logic inherent of multiple platforms. just let the native OS's IP stack handle that shit via scripts, or some other application; leave WG out of it. i don't want my linux experience to suck just because windows also sucks.

this is a linux kernel bug in versions older than 4.5, not wireguard's fault

based linux bro

even the pre alpha windows version of wireguard works fucking great

mullvad or cryptostorm

Okay, why is it not disassociated from IP then, using some generic form of ID?

Since it uses IP, it should have a way to allocate them dynamically.

because Wireguard is already disassociated with external or i.e. endpoint real IPs. It then needs to know where to route the packet to according to the peers list. So if the packet destination is for example 10.0.0.2, then it searches the list of peers to see which endpoint has the corresponding public key and endpoint IP in order to route that IP packet to that endpoint.

This clean design allows you to literally have countless concurrent VPNs and the packet is routed according to the corresponding endpoint destination
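The peer lookup described above, as an added example that is not part of the thread or WireGuard's own code: a small model of a routing table keyed by each peer's allowed IP ranges, covering the outbound lookup, the inbound source check, and the endpoint update on roaming. The class and function names are hypothetical, and the keys and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Peer:
    public_key: str                  # placeholder label, not a real key
    allowed_ips: List[str]           # inner (tunnel) ranges this peer may use
    endpoint: Optional[str] = None   # last known outer address, may change

class CryptokeyTable:
    def __init__(self, peers):
        self.routes = [(ipaddress.ip_network(c), p)
                       for p in peers for c in p.allowed_ips]
        # Most specific prefix wins, as in an ordinary routing table.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Peer]:
        ip = ipaddress.ip_address(addr)
        for net, peer in self.routes:
            if ip.version == net.version and ip in net:
                return peer
        return None

    def route_outbound(self, inner_dst: str):
        """Pick the key to encrypt to and the outer address to send to."""
        peer = self.lookup(inner_dst)
        if peer is None or peer.endpoint is None:
            return None              # no peer owns this address: drop
        return peer.public_key, peer.endpoint

    def accept_inbound(self, sender_key: str, inner_src: str, outer_src: str) -> bool:
        """Run after a packet has been authenticated under sender_key."""
        peer = self.lookup(inner_src)
        if peer is None or peer.public_key != sender_key:
            return False             # inner source not allowed for this key
        peer.endpoint = outer_src    # roaming: remember where it came from
        return True

def build_demo_table() -> CryptokeyTable:
    # Constructed sample peers using documentation address ranges.
    return CryptokeyTable([
        Peer("PUBKEY_LAPTOP", ["10.0.0.2/32"], "198.51.100.7:51820"),
        Peer("PUBKEY_NAS", ["10.0.0.3/32", "192.168.50.0/24"], "203.0.113.9:51820"),
    ])
```
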

>why does a random poster on a taiwanese glass blowing forum think X is a botnet

Maybe consult reddit where people have post history and their posts get challenged by actual devs and engineers who might work with the project.
Maybe consult the LKML where people are complimenting it?

I see no one who has a real identity saying it's a botnet.
Sounds more like the VAULT leaks where it shows that (((LIGHTNING BUGS))) like to plant FUD on actual secure protocols to deter people into the less secure option *cough* openvpn *cough*

Anyways carry on I seem to be having some form of a cold.

wtf was that?

>their staff is full of BS. Doesn't say why or how

read

create your own

Bad idea

>this hypothetical CVE is a bug
u wot mate?

Without counting library dependency, therefore, misleading diagram.

This. I've been using it since the day builds became available and never had a single problem with it. It's already much better (and also better looking) than that OpenVPN piece of shit.

The only thing that seems to not be working anymore for me in the latest update is having multiple tunnels active at the same time. The second tunnel simply disconnects before the other one connects. Not sure if that's by design (since it shuts down gracefully), but I remember this working at one point in an older version.

>muh dynamic IP addressing
wg-dynamic soon. probably.

It works really well, I use it between my home LAN and my laptop whenever I'm not home.

Works well on gigabyte LANs too. I use it for all connections to my NFS NAS so that I don't need to worry about random bullshit on my network (e.g. computers/phones of house guests) snooping on my files.

I own the server...

That's fine but if you are using a paid VPN you don't want your IP left behind after you disconnect. Of course if the server is running on RAM only this isn't a big deal.

bump

Just use SMB3 with encryption turned on instead of painful NFS with a shitty workaround

no

Just use SSHFS

SSHFS is not practical when you want to access the file system from many devices inside the VPN. NFS on VPN is a very good idea to access your files from anywhere

openvpn logs too dickhead

It can be configured not to. Wireguard can't be

only a low IQ retard would think that disabling logs would save him if he does something illegal or make him generally any more private or anonymous.

VPN companies are a scam that sell the wrong security points to brainlets. Learn how cryptography and networking work and you will simply understand that these companies are a scam

Dude it's vpn software that uses "chacha" and "salsa" encryption that were both written by a jew.

Yes those are really the names.

>SSHFS is not practical when you want to access the file system from many devices inside the VPN.

Care to explain why?

back to Jow Forums, retard, djb's algorithms probably secured the shit you just wrote in your browser.

4channel doesn't use encryption by default moron.

why should you give and distribute SSH keys that have access to the entire server for every device that just needs to read or write some remote directory or file system? SMB and NFS are more suitable for such things

his chacha20-poly1305 is included in TLSv1.2 and TLSv1.3 which run the entire internet you low IQ nigger

Find one site that uses chacha for TLS encrypted streaming.

I'll wait lol.

low IQ retard, you are fucking using it right fucking now on this fucking domain if you're on Chrome latest version. Most domains behind cloudflare are using this cipher suite of all suites ffs.

lol you can't name one site using it can you.
That's what I thought faggot.

nigger I just said you're using it right fucking now on 4channel.org you low IQ nigger

But that's false.

ctrl+shift+i and go to "security" tab. I have no more time to argue with you retard. It's the same cipher on facebook.com, google.com for me right now on Chrome 77 linux

Bullshit post a screenshot.
It's not used for any of my connections at all.

I can not post pics because your nigger mods geoblocked my entire country. And even if I was able you would still claim I fabricated it, honestly I don't care, just fuck off retard.

I absolutely will claim you fabricated it.

Because google's https uses fucking QUIC and AES not fucking chacha lmfao.

cipher suites work on both TLS and DTLS. It has nothing to do with whether you use QUIC or HTTP2 and it is chacha20-poly1305 for me with GQUIC. On firefox beta it's ECDSA-P256

>Now look at OpenVPN's site:
I can't, it doesn't work without JavaScript.

Do you think stating random shit proves that these sites are using chacha?

You are fucking hilarious.