This is great! I love seeing WireGuard spread. I just spent three weeks traveling abroad and installed WireGuard on my home server right before I left. It saved me a lot of trouble when I needed to get work done "in the US", but even more so, it was great so that my kids could continue to watch PBS while we traveled, and it was so easy to use on iOS that everyone in the family could make it work for them.
Yeah, I seriously appreciate WG. Allows me to keep all home automation local / non-cloud while still giving me the option of easily controlling and checking elements remotely.
OpenVPN is harder to configure and uses/allows arcane crypto. The same applies to IPsec, just more strongly. WireGuard is more in line with modern cryptographic protocols that we know and love from e.g. instant messaging.
Also lower latency, which is really great for streaming video, for example. At least in my case it's the difference between stuttering video and a nice stream.
From an operator/user point of view, it's way easier to configure. It only took me maybe an hour or two, including reading all the docs and dealing with my special firewall situation, to get it set up on the server. Setting it up on the clients only takes about five minutes and then the client literally flicks a switch. No passwords or anything required, because it uses a simple out-of-band key exchange for the setup.
One of the things I really like about WireGuard is how easy "split tunneling" is. I can define a subnet as available through the interface and only traffic destined for it will be routed.
This is especially helpful for users with metered connections. You don't have to send ALL your traffic, only the ones destined for LAN will get sent.
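An added illustration of the split-tunneling point above (example code written for this page, not from the commenter or the WireGuard project): a small parser for the `AllowedIPs` lines of a client config, plus a longest-prefix lookup that answers "does a packet to this destination go through the tunnel?". Both configs, the key placeholders and the `home.example.invalid` endpoint are constructed for the example.

```python
"""Which destinations a WireGuard client sends through the tunnel.

AllowedIPs does double duty in WireGuard: for outbound traffic it is the set
of destination prefixes the tunnel claims (wg-quick installs routes for them,
which is what makes split tunneling a one-line setting), and for inbound
traffic it is the set of source addresses accepted from that peer
("cryptokey routing"). This script only models the outbound side.
Constructed sample configs; key material is a labelled placeholder.
"""
import ipaddress

SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <home-server-public-key-placeholder>
Endpoint = home.example.invalid:51820
# Only the tunnel subnet and the home LAN ride the VPN; everything else
# leaves over the local (possibly metered) connection.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
"""

FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <home-server-public-key-placeholder>
Endpoint = home.example.invalid:51820
# Default routes for both families: all traffic goes through the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
"""


def parse_peers(conf_text):
    """Return one dict per [Peer] section; AllowedIPs become ip_network objects.

    A hand-written parser is used because a config may contain several
    [Peer] sections, which configparser would reject as duplicates.
    """
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments (base64 keys never contain '#')
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == "peer":
                current = {"allowed_ips": []}
                peers.append(current)
            else:
                current = None  # [Interface] and anything unknown are skipped
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))  # keys may end in '='
        if key.lower() == "allowedips":
            current["allowed_ips"].extend(
                ipaddress.ip_network(p.strip(), strict=False) for p in value.split(","))
        else:
            current[key] = value
    return peers


def tunnel_peer_for(peers, destination):
    """Longest-prefix match across all peers' AllowedIPs, as the kernel does.

    Returns (peer, matched_network), or (None, None) when no prefix matches,
    i.e. the packet bypasses the tunnel entirely.
    """
    dst = ipaddress.ip_address(destination)
    best_peer, best_net = None, None
    for peer in peers:
        for net in peer["allowed_ips"]:
            if dst.version == net.version and dst in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_peer, best_net = peer, net
    return best_peer, best_net


def goes_through_tunnel(conf_text, destination):
    """True if a packet to `destination` is routed via the WireGuard interface."""
    peer, _ = tunnel_peer_for(parse_peers(conf_text), destination)
    return peer is not None


if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        for dst in ("192.168.1.10", "10.8.0.1", "8.8.8.8", "2001:db8::1"):
            _, net = tunnel_peer_for(parse_peers(conf), dst)
            print(f"{name:5} {dst:>14} -> {'tunnel via ' + str(net) if net else 'local uplink'}")
```

One caveat worth keeping in mind when trimming `AllowedIPs` for a split tunnel: because the same list is also the inbound filter, dropping the tunnel subnet itself (10.8.0.0/24 here) would cause replies from the server's tunnel address to be silently discarded. On the server side the mirror setting for this client should be just its single tunnel address (10.8.0.2/32), so a compromised client cannot claim other peers' traffic.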
I'm in a similar position with regard to tinc. I'm willing to grant that WireGuard is vastly simplified, easier to configure, and likely better performing. But it doesn't appear to currently support routing through intermediate hosts with opportunistic NAT punching, meaning the presented network won't actually be fully connected. Which I might accept and work around if I didn't already have a better option set up...
If you've got a working OpenVPN setup, then it probably makes sense to just stick with that. I'm guessing the real gains are only to be had when you want to overhaul your setup anyway.
OpenVPN supports client roaming as well, though. The WireGuard design is more flexible in that everyone can roam, but taking advantage of that requires userspace daemons that coordinate it. And as far as I can tell, the userspace hasn't been developed to the point of supporting those features yet.
I've sized up its current functionality as useful for replacing OpenVPN, but not yet as a general mesh VPN.
This. I've installed it on Android just because I get a better experience with WiFi switching on when I have a poor signal. And having my SSH connection not break is nice.
I'm definitely happy to see Windows getting closer, but I do think it's important to state up front that this is "pre-alpha" currently. Depending on your use case, that is super important.
The final part of the article mentions this: "What is particularly neat is that WireGuard on iOS supports Always-on."
I can only agree. I have WG installed on my iPhone and iPad and use the WG service provided by Mullvad VPN. And it has been on all the time since a few months back. I don't experience any connectivity issues, lack of performance or degradation in battery/power consumption. It really just works. Huge thanks to Jason for developing WG as a protocol, server implementation and clients.
It's unrelated. pfSense is a FreeBSD derivative; not OpenBSD. FreeBSD already has wireguard-go in ports, but the userspace implementation may not be suitably performant for the kinds of embedded devices pfSense targets.
You can also run it in on-demand mode and exclude your home WiFi, which is what I do. Then you'll be connected to the VPN at all times except when you're on the home WiFi.
OpenBSD no longer has lkm, or any loadable kernel module framework. Any kernel implementation would have to be part of the kernel source tree (this one is userland, in ports).
I thought WireGuard is kernel-mode software and I disliked it because of that. Interesting, maybe there's a Linux version of user-mode WireGuard. I wonder what the performance difference is between user-mode and kernel-mode WireGuard.