This is a tool that helps you generate and manage configurations for WireGuard, generate qr code for configuring mobile devices and it even integrates into SAML for authentication.
It's not as fancy as some other VPN management tools but this is an easy way to get WireGuard set up without too much messing with configs.
I've been eyeing this, but I'm a bit concerned that this is a code dump, and not a real project.
The project consists of a grand total of 7 commits, which were posted 6 months ago. Since then there's been no activity, and pull requests opened since May have seen no maintainer activity either.
You're right about that but as far as I've seen the project is pretty much feature complete for basic usage and I couldn't find any problems with the code that warranted much work.
The project seems to have stagnated but in its current state it's usable enough. I probably wouldn't expose the web application itself to the outside world anyway (I usually only expose applications to my home + VPN networks) so in the limited context that I use it it's fine.
If you want, you can also use it to generate configs and QR codes once, copy the server config to an independent server and then shut down the application. It doesn't do anything special to WireGuard itself, it just generates config files and QR codes and that's it.
Kind of sad to see such a simple but practical application fall into the abandonware hole, but such is life when dealing with open source side projects from small companies.
If you manually set read only permissions on the right data folder after generating the configs, you can turn it into a readonly app. You can probably manually connect your own configs to the right user accounts as well but then that's a lot of work for a site that only generates QR codes and download links.
This project isn't much more than a script to generate and manage configs with an optional layer of SAML accounts on top. Especially with WireGuard's simple configuration it doesn't need to do any more than that. There are no security parameters with unsafe defaults, complicated configuration processes, or certificate generation and signing processes that other VPN systems fall victim to. There's a 6-line config file containing a private key generated by the official WireGuard tool and that's it.
While I've always avoided many complicated openvpn config tools like the plague (that of pfsense for one), I think WireGuard is simple enough to be configured like this.
I wrote a little script that creates the configuration files, and shows a QR code in the terminal to easily add new clients.
The problem I ran into is dynamic IP allocation, without extra logging, or storing the client config files after they’ve been distributed. If I want to avoid assigning a used IP, I need to know what I’ve already given out.
I mocked up a few things then decided the perfect was becoming the enemy of the good. Since I’ll only ever have a few peers, I ultimately just decided to randomize the 4th octet each time I create a new client config. Obviously, this opens me up to a potential conflict in the future (prayers to St. YAGNI for benevolence).
I suppose I could/should be pre-generating all the configs, handing one out at random, then deleting it.
This script[0] gets that part right by having a `lastip` file containing the latest assigned IP, so the script counts up for new clients. You can add a line for qrencode to the end to get the QR[1].
Yes, although it's not very configurable in a Docker environment without editing the Dockerfile yourself (hardcoded IP ranges and all that, though it does assign a new IP to each new profile you generate). You can still modify the Dockerfile if you wish to have more control over things like IP ranges and the DNS server used by clients but you'd have to rebuild the container after modifying.
You will also likely need to make some changes to your iptables and/or sysctl depending on your server config and firewall.
Nothing too shocking per se; you need to do all that with any other kind of VPN as well.
I’ve made a http json service that allocates IPs and configures WireGuard. Not sure if it can be used for this project but here it is: https://github.com/balboah/wireguard-operator
Hosting my Wireguard server on a scaleway instance, I encountered a very slow performance. Some web pages didn't load at all. Server was under no load. Lowering the MTU on the client and the server from 1500 to 1360 solved the problem. FYI
It's worse with VPNs like Wireguard because Wireguard only supports tunneling (e.g. IP in IP), which when you add the authentication header means a minimum of 3x the overhead of a regular connection, whereas IPSec encapsulation without tunneling only requires 2x the overhead (just the additional authentication header). Worse, Wireguard also requires UDP encapsulation (i.e. IP inside UDP+IP), which means 4x the overhead.
To be fair, IPSec tunneling is quite common (unsure if it's the predominant mode) because tunneling makes routing easier. And for road warrior setups where the peer is often behind a NAT gateway, IPSec VPNs will also tend to use UDP. In such cases there's no advantage to IPSec.
IPSec is just usually an abysmal inane thing to set up, with defaults from the 90s and an extra bonus of error messages and documentation that just make you cuss. I don't recommend IPSec to anyone; whatever it offers, after you spend all the time making sure your configuration is good, is really not worth it if you can do Wireguard or even OpenVPN. Ugh, I'm annoyed just thinking about it again.
The best part is when you find out your phone supports set of parameters A, your tablet set of parameters B and your MacBook set of parameters C... and there's no intersection between sets.
IPSec is complex because it can be used in a LOT of situations.
Can WireGuard do tunnel state detection? Can I do a hub-and-spoke topology with WireGuard? Or auto-VPN?
IPSec is complex because it is mainly designed as a tunnel protocol with encryption (site-to-site), compared to the "road warrior" setup WireGuard seems more useful for.
Make sure you don’t block ICMP, which is used by Path MTU Discovery [0].
Blocking ICMP may result in black-holed connections. I experienced this just like you with websites not working, and with ssh freezing when doing an ll in a directory with a large number of files, or even when starting mc. In my case, an upstream server was blocking ICMP for no good reason (there’s never a good reason to do it permanently, really).
Ehm, make sure you don't block parts of ICMP important in given network circumstances.
Many types of ICMP messages can be very nasty. The ICMP and ICMPv6 RFCs actually describe which messages are important and should not be blocked in any network, which are dangerous and should be restricted, and the varieties in between.
Cool to see this done by hand. I’m running IPSec on my Edgerouter but am about to redo my home network and lab environment and will likely implement WireGuard.
There’s also a more plug-n-play tool called Algo that is highly spoken of, which automates a lot of this: https://github.com/trailofbits/algo
Algo is pretty cool for setting up an IKEv2 VPN server, but under the hood it uses StrongSwan, which is far more complicated in a code/engineering sense than WireGuard.
That being said, I think Algo is often preferable to OpenVPN and IPSec, especially when supporting macOS/iOS clients.
I know what you mean when it comes to OpenVPN and macOS. But any insight on why you'd prefer Algo over OpenVPN? I've been using the latter for years but would be interested in revisiting that if there are compelling reasons to do so.
Wireguard is just as fast as hardware accelerated IPSec on both the Edgerouter X and Lite. With Openwrt on the Edgerouter Lite Wireguard is ~2x faster than hardware accelerated IPSec on EdgeOS.
They don't give the IPSec parameters. Wireguard uses ChaCha20 for encryption with Poly1305 for authentication. IPSec can use many different combinations of cipher and authentication algorithms. If they were using AES+SHA256 then SHA256 would likely be the bottleneck. AFAIU, Ubiquiti routers use a crypto coprocessor (as opposed to AES-NI and SHA-NI on amd64), which means even if SHA256 was accelerated on the coprocessor it could easily still be too costly. But we don't even know if the MAC was accelerated at all. The implication that "IPSec acceleration" handicaps Wireguard is unfounded.
If those benchmarks were with AES+GCM, then that would definitely be surprising. But the safe bet is that they were using AES+SHA256 (or something other than GCM for the MAC), in which case their benchmarks are not surprising, simply misleading.
IPSec can also do ChaCha20+Poly1305 (at least, OpenBSD's stack can). Any serious comparison should also include IPSec using the same crypto algorithms as Wireguard.
Note that hardware offload only really matters when you're combining fast networks with slow processors. WireGuard on a modern PC CPU will more than saturate gigabit ethernet and the per-packet latency hit is <1ms.
I use wireguard for personal VPN on multiple servers, and to make things a bit easier for provisioning I wrote this simple tool: https://gitlab.com/vsviridov/wg-provision
I'm running WG for some time and it works really well. Was super easy to set up - I did it in like 1-2hrs during a hacker conference last year, so even with blinking led lights all around it was very straightforward.
On the other hand I've yet to achieve sane battery lifetimes on my smartphone with a VPN active. I suspect it's because the VPN needs to reconnect whenever one of my messengers checks for new messages, or similar background services. Anyone have experience with how to improve that?
I used to have a phone with a pay for usage data plan and kept mobile data disabled. I kept OpenVPN permanently enabled and it did not affect battery life at all. I then switched to a flat rate 2GB/month plan and now keep mobile data enabled. OpenVPN murders my battery.
The keepalive packets require keeping your phone's radios on. WiFi is pretty low power (<20 milliwatts iirc for the radio) so it has little effect, but mobile data is not low power. Apple & Google have put a lot of work into optimizing the OS to tweak usage to save power and the keepalive packets throw all of that out the window.
If keeping data off is a possibility for you, try that and see if the VPN still affects your battery life. If not, then you will have to set the VPN to only be active on WiFi or manually toggle it on/off whenever you want it.
I think it's the encryption overhead that burns the CPU cycles in turn affecting battery life. Other than that, it could be a bug (not releasing wakelocks, or waking up too frequently, or generally doing too many battery intensive tasks) in the VPN client that drains battery.
I think, on Android at least, IPSec is implemented in kernel space so technically a VPN based on that should be more efficient. Wireguard is being upstreamed into Linux, so there's a chance Android picks it up and the efficiency improves.
When I used OpenVPN, the VPN had to keep sending keepalives and periodic key renegotiations to keep the session open. This is fine on a PC, but it keeps waking up the radio hardware on a mobile device which is a real battery drain. It's the same as running an app in the background that constantly polls for data, something Android spent a lot of time fighting to gain better battery time.
I wouldn't hold my breath for official WireGuard support in the manufacturer Android kernels until some big corporations start relying on it but custom ROMs are able to use kernel modules already[1].
Encryption itself should not be much overhead. WireGuard cryptography is based on ChaCha20. While I haven't encountered any hardware support for ChaCha, its performance is quite good, so good even that Google is requiring manufacturers of very low power Android devices (running Android 10+ Go) to implement ChaCha-based encryption on budget devices [2].
IPSec tends to use AES, which can be 2x to 4x more performant than ChaCha20 thanks to hardware acceleration. And the power savings may be even greater than the throughput differences.
Should be added that this is highly dependent on the specific hardware. AES is cripplingly slow where accelerators are misconfigured or otherwise unavailable.
If you have a brain larger than your leg, you should consider configuring an IPSec endpoint to save power on your phone.
This did bother me when I was still running an OpenVPN server to connect my iPhone while away from my home WiFi. It really did measurably affect battery life. I’ve switched to wireguard since, using on-demand activation so it enables the VPN whenever I leave my home WiFi, and I can only say it has almost no impact on battery life whatsoever. According to the iOS battery stats wireguard accounts for about 3% of total battery usage on working days (vpn active most of the day), which is worth it as far as I’m concerned.
There was a significantly longer delay than expected between Cloudflare announcing the VPN service and it becoming generally available. Cloudflare has attributed much of this delay to overcoming client battery usage issues. Maintaining a balance of acceptable VPN performance and low battery usage is not an easy nut to crack.
Maybe a dumb question, but does anyone set up their VPN server in the cloud? Could the cheapest droplet on DigitalOcean [0] handle traffic for browsing or youtube?
I use a VPS at Hetzner, but a whole lot of traffic sites stop working when I am using the VPN.
I bet in part it is due to CloudFlare's efforts to "Cleaning up Bad Bots" [1].
In this article under how they detect bots they write:
> Another model allows us to determine whether an IP address belongs to a VPN endpoint, a home broadband subscriber, a company using NAT or a hosting or cloud provider. It’s this last group that “Bot Cleanup” targets.
I suspect when you use a VPN hosted on a VPS, you often end up classified as a bot to be cleaned up...
Tried this, you will encounter a ton of sites that assume you are a bot. You will find it annoying to browse quite a few sites. Some will outright refuse to work.
Can you make edits on Wikipedia? I used to be a big contributor there but can no longer easily contribute because they (understandably) blocked all common VPN IP ranges.
No, I run into this with my Linode also. Basically any of the large VPS providers and some of the smallest are well known to other services for being used to automate scraping or other things. Linkedin is a great example of one that (used to anyway, haven't tried in a while) completely block any IP that was known to be from a VPS provider.
Nope, this is pretty common. I found out the hard way that Delta doesn’t allow access to their servers from my cloud hosted VPN, which is shitty considering airports are pretty VPN-heavy locations for me. They don’t seem interested in reconsidering this stance either.
Let's say I buy a /24 IP address block and port it to AWS. My friend Bob and I are both on AWS. Would it be possible to share some of my IP addresses with Bob in a secure way?
I know that VPC peering[0] is possible across separate AWS accounts, what I don't know is that:
1. Whether or not my /24 block is "compatible" with VPC peering or not
2. How to prove to Bob that I'm not potentially MitMing him (assign my /24 block to VPC1, peer with Bob using VPC2, and MitM between VPC1 and VPC2 since they're both under my control). Would creating an IAM user with read-only VPC permissions work for this?
AWS is just an example. I would be happy to do this at any major provider (AWS and GCP are the two I know that allow bring-your-own-IP).
Yes it is, and using routing the IP can arrive everywhere in a tunnel, not just AWS.
You only need a good system administrator. I can get you in touch with friends who specialize in that. They will certainly recommend your /24 to be pointing to a more friendly provider of your choice, like one with a flat rate!
/24 with ASN -> friendly provider -> any ip goes where you want (digital ocean, aws, etc.)
But no, you can't prove you aren't MitM. Whoever has control of the /24 at any point could (e.g. the 'friendly' provider).
IP space is getting pretty pricey these days, unless you want to go IPv6-only. And whatever the evangelists say, that's still too unrealistic for most people.
My wireguard gateway is in the cloud (linode fremont). When I connect to it, the eventual gateway is my home router. If I were to use the VPS as my gateway, then my traffic would be blocked by all sorts of services.
Annoyingly, I have moved, and now have Comcast so that brings problems. First, they tamper with DNS traffic. To combat this the resolver is unbound running on the Linode. This creates very occasional problems, usually in the form of a captcha. Additionally, Comcast doesn't offer symmetric connections, so my VPN is slower than it should be (1Gbps/30Mbps is such a joke).
Not dumb at all. I'm doing this on a $5 droplet and it's faster than any of the commercial VPN's I'm currently paying for. It's a little less privacy protective than many VPN providers however - Digital Ocean will for example forward DMCA violation nastygrams they receive from content owners.
At least for me on linode, it's less-bad than others I've seen. Google doesn't typically get nasty; I think I can only think of a few sites that are especially bad (linkedin and arstechnica forums are two that come to mind). That probably has to do with me using the same IP for ~2yrs now, so it doesn't have reputation problems.
I got a special deal at a VPS provider for $1/mo for 1vCPU and 256MB RAM. With only Wireguard running, I experience no issues whatsoever. RAM usage is minimal, sub 100MB, I forget the particulars. I added unbound with a huge DNS blacklist and unbound must do some odd indexing or something because that blew it to around 400MB which required a swap drive. But even with that, the performance is more than fine. I notice no discernible performance loss on my phone and from my 1Gbps connection at home, I see speeds that are comparable with saturating the network of the VPS (~200Mbps).
It was a promotional deal and I haven't let the lease on the VPS lapse. I didn't know what to do with it at first, but it was too good of a deal to pass up.
Not quite yet. But also, like another user said, DuckDNS.
"Note: Starting January 1st, 2020, GCP will charge for VM instance external IP addresses. However, under the Free Tier, in-use external IP addresses will be free until you have used a number of hours equal to the total hours in the current month. Free Tier for in-use external IP addresses apply to all instance types (not just f1.micro instances)."
Instead of an IP, you can use a domain. Then you can use Dynamic DNS to keep that domain pointed at your current IP (essentially, you run a small program on the same computer as the VPN server, that updates the DNS provider every time the IP changes).
But DSVPN requires a server on such network, too, with certain ports accessible from the internet. If you use a cloud server with Wireguard it too can relay traffic between your home client and destination.
Fortunately, UDP will eventually stop being filterable on a functional network, once HTTP/3 becomes widely used. At that point, I'd expect the next round of VPNs to look like HTTP/3 traffic.
I've been curious about VPNs for some time but unfortunately am still confused by the following questions:
- my ISP can still see all of my traffic because my RPi would talk to my router which has to exit my network at some point, right?
- if I was on the East coast and wanted, say, YoutubeTV to believe I was on the West coast I would need to have my client (laptop, would be cool if I could get my Roku or TV to do this) pointed to my RPi on the other coast. Is that how it works?
1. Yes, other than other things that are self-encrypted, e.g. HTTPS. You would need to host the VPN somewhere else (e.g. cloud hosting, but that brings issues with many sites having blacklisted your IP range) if you still don't trust your ISP. I imagine this VPN solution is primarily for keeping your home connection's IP address while on a mobile network, or where you're on public wifi and really don't trust the network operator.
2. Yes, but be wary about actually doing this; I can't find any cases but YouTube TV (or the Google session security system itself) might get suspicious about constantly jumping between the east and west coast.
Anyone know roughly where to look for in terms of potential bottlenecks? I’m running my server on an rpi4 and sometimes feel like I’m not getting great speeds to my home VPN server. I did do my due diligence by wiring it directly through Ethernet but I suspect my router (google WiFi) may be slowing things down.
Another thing to check would be to use ethtool to see what speed the raspberry pi ethernet port is reaching with your router.
This wasn't on a pi, but it'll look similar. Look at the Speed: line mostly, it'll say either 100MBit or 1000MBit depending on your router (some still only have 100MBit switches). Also look for Duplex: Full; I've sometimes had a config get set badly where it'll be half duplex and cause speed issues, usually due to a bad cable initially causing errors and bad autodetection.
> % sudo ethtool enp4s0
Settings for enp4s0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: Symmetric
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: Symmetric
        Advertised auto-negotiation: Yes
        Advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
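A small checker for exactly the two lines the comment above says to look at (Speed and Duplex), added here as an example and not part of the comment. The two ethtool outputs embedded in it are constructed, and the 1000 Mb/s expectation is an assumption about the router's switch port.

```python
"""Sanity-check `ethtool <iface>` output for the link problems described
above: negotiated speed below the expected rate and half duplex.

Added example, not code from the thread. The two text samples below are
constructed, not captured from real hardware; on a live host you would
run `ethtool eth0` as root and feed its output to parse_ethtool().
"""
import re

EXPECTED_SPEED_MBPS = 1000  # assumption: a gigabit switch port on the router

# Constructed: a healthy gigabit link.
GOOD_OUTPUT = """Settings for eth0:
\tSupported ports: [ TP ]
\tSupported link modes:   10baseT/Half 10baseT/Full
\t                        100baseT/Half 100baseT/Full
\t                        1000baseT/Full
\tSpeed: 1000Mb/s
\tDuplex: Full
\tAuto-negotiation: on
\tLink detected: yes
"""

# Constructed: the bad-cable case from the comment, 100 Mb/s half duplex.
BAD_OUTPUT = """Settings for eth0:
\tSupported ports: [ TP ]
\tSpeed: 100Mb/s
\tDuplex: Half
\tAuto-negotiation: on
\tLink detected: yes
"""

# "Key: value" lines; continuation lines (indented, no key) do not match.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*)$")


def parse_ethtool(text):
    """Turn 'Key: value' lines into a dict. Continuation lines are appended
    to the previous key, which is how the multi-line link-mode lists arrive."""
    settings = {}
    last_key = None
    for line in text.splitlines()[1:]:          # skip 'Settings for ...'
        m = LINE_RE.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            settings[last_key] = value
        elif last_key and line.strip():
            settings[last_key] += " " + line.strip()
    return settings


def speed_mbps(settings):
    """'1000Mb/s' -> 1000; ethtool prints 'Unknown!' when the link is down."""
    m = re.match(r"(\d+)Mb/s", settings.get("Speed", ""))
    return int(m.group(1)) if m else None


def link_issues(settings, expected=EXPECTED_SPEED_MBPS):
    """Return human-readable problems; an empty list means the link is fine."""
    issues = []
    if settings.get("Link detected") != "yes":
        issues.append("no link detected")
    speed = speed_mbps(settings)
    if speed is None:
        issues.append("speed unknown (link down or driver did not report it)")
    elif speed < expected:
        issues.append(f"negotiated {speed}Mb/s, expected {expected}Mb/s "
                      "(check cable, switch port or forced-speed settings)")
    if settings.get("Duplex") == "Half":
        issues.append("half duplex: collisions will cripple throughput; "
                      "re-seat or replace the cable and re-run auto-negotiation")
    if settings.get("Auto-negotiation") != "on":
        issues.append("auto-negotiation off: both ends must be forced identically")
    return issues


if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, link_issues(parse_ethtool(text)) or ["ok"])
```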
Does your rpi4 have proper cooling? Unlike all past rpis, the stock cooling on the rpi4 is easily overwhelmed by even slight load, and it drastically slows down in that situation.
Does the case make direct metal to metal contact with all 3 major heat producing chips on the rpi4? IIRC, the chip related to ethernet gets very, very hot in use and not all metal rpi4 cases actually make contact with it.
It looks like it does...maybe I should stick my finger in there. I should probably monitor my CPU history a bit better, I'm just relying on pihole's panel at the moment.
Number one would probably be to ensure the rpi has a good cabled connection to the router (and make sure it uses it instead of WiFi). VPN connections going back and forth over WiFi would slow things down. Next bottleneck would probably be CPU. Check if the CPU is being maxed out or throttled when you’re using the VPN.
I've been using WireGuard for years and it's been great, now I'm looking into some advanced resilient/redundant setups and was wondering whether it's possible or not with WireGuard:
1. I have two unreliable ISP links to the internet. Is it possible to have dual redundancy WireGuard connections to the same server? I.e. each UDP packet is replicated (with the appropriate headers) and a copy sent over each link.
2. My ISP links have heavy throttling at peak hours with heavy packet losses. Is it possible to trade bandwidth for reliability and send each UDP packet twice (with the appropriate headers)? I don't mind halving my maximum theoretical bandwidth; I'd rather have a 1Mb/s reliable connection than a 10Mb/s unreliable connection.
I set up a lightsail instance for 3 dollars with algo. The only configuration in algo I made was that I disabled peer isolation so I can control my home and server appliances from anywhere.
No problem whatsoever with blocked sites. The only weird thing is that I get American YouTube which has much longer ads. Also it's kind of funny to see ads from the USA. I am an emigrant in Poland and funnily I sometimes tune the Portuguese online radio to hear the Portuguese ads.
For use to connect to home network drives, I've used ZeroTier https://www.zerotier.com/. I've never had an external IP for home internet, so I always ran into headaches trying to do a home VPN to channel my internet traffic while I'm out and about (and that's why I use a VPN on a VPS for that).
Seconding this recommendation - I've used Nyr's script to deploy OpenVPN a couple of times and it's worked well.
I can also recommend OpenVPN's virtual appliances: https://openvpn.net/virtual-appliances/
They work out-of-the-box and come with a web UI for configuration, if that's your thing.
That said, I've moved on to Wireguard lately and will be unlikely to use OpenVPN for personal VPN networks in the future.
It works really well and is super easy to set up; this was also my first time setting up a home VPN, so I didn't have any previous experience, and I still got it working easily.
I run a firewall at home with OPNSense. It has OpenVPN server built in, easily configured from the web interface.
Then you simply copy the .ovpn file from your server (the firewall) to your clients (phones, laptops), and open the file with an OpenVPN client on each device. It contains all info needed for them to connect to your new server.
I literally set one of these up last night with a Pi 4 and the longest step was dd’ing Raspbian Buster Lite to the SD card. Only real gotcha in setup is remember to set up SSH before booting if you’re going headless. Everything else is super easy.
I found an openvpn docker image that simplifies it down to a few commands. That’s what I use at home. Took 5 minutes and my phone can access all my internal services on the road.
That being said I pay the $40 a year for PIA since I torrent all my movies and tv shows. I use that VPN 99% of the time.
If you are running ESXi or Hyper-V you can get an OpenVPN Access Server appliance, it's pretty easy to set up and I'm sure you can find a youtube vidya or two to walk you through setting it up. It comes stock with a webui to admin it. 2 simultaneous connections with the free license.
To expand a little bit: it provides an (almost) zero-configuration way to set up a private 'layer 2' network that you can connect your home server to, and any other machines that you want to be able to connect to it or to each other. It handles NAT traversal completely transparently.
In practice, it means that if I have a (say) NFS server connected to a Zerotier network I control, I can connect to it transparently from anywhere from another machine on that network, no matter what NATs / firewalls either machine is behind, even if they change. Perfect for phones, roving laptops, etc. I've gone to a model where I do most of my development (over mosh/tmux) on my home machine, from wherever I happen to be.
+1 for Zerotier. I really like wireguard, but Zerotier is so much easier and quicker to set up from scratch. If wireguard had ACLs and ipam built-in, it would probably win me over.
> ZeroTier’s software is open source and free to use for most purposes including personal use, internal use within a business or academic institution, and evaluation for uses that require commercial licensing.
I've long been confused about Wireguard getting all the attention over ZeroTier. ZT is so good at finding a communications path that I had to figure out how to block it from traversing one of my IPSec tunnels.
I usually set up a reverse ssh tunnel from the destination to a VPS I own. For example, you could set up a reverse tunnel to sshd on the destination, exposing sshd of the destination on the VPS, to which I ssh and specify the VPS hostname + the reverse tunnel port, which tunnels my ssh to the destination host.
Also, if you can't open ports outbound at all, there's https://samy.pl/pwnat/ but it makes things very slow.
Wireguard! And a VPS and HAProxy. You can use Wireguard to do remote port forwarding. Follow a tutorial [0] to expose the home server's port on a VPS. Now use HAProxy to reverse proxy that Wireguard port to the world.
Try a Tor hidden service, configured with the low-latency/lower-privacy settings. It is slower than many of the other solutions, but very reliable and very simple.
Just use softether - free, simple, open source, fast and secure. Best of all it runs on almost any platform you could want to run it on (both server and client!)
You can even bounce off or azure to set up the tunnel when your vpn server is behind a natted firewall. It supports 16-channel connections to max out line throughput even over very long distances between server and client. It can support native windows clients, has an openvpn shim for legacy clients on that side. I'm not doing it justice - there's so many features (all gui-configurable) that are supremely thought out.
Truly one of the best examples of free software I can think of.
And what I like about Wireguard is that you can't port scan for it. The protocol is designed in such a way that the wireguard server won't respond unless you know the right key.
I will say I've used softether on 10gbps links and hit 8gbps between two continents and that was nearly impossible with every other solution 5 years ago when I first set it up. It's been running flawlessly since then.
I've ended up using softether for the sstp server support, and my only complaint with it is that it feels like a second-class citizen from the linux CLI.
Configuring it is a pain, done through their `vpncmd` command which gives you a shell with custom commands (not very automatable/reproducible).
Logging is also stuck between logging to a file or sending it to a syslog port, which, with the rise of systemd, leaves it logging to nowhere that journald can access.
It's a pretty solid piece of software, but it definitely feels like it was developed for windows GUI admins.
I've been using OpenVPN on my home pfSense box, it's working pretty well and didn't require me to install anything except the OpenVPN app on my phone. Not sure if WireGuard has anything to offer that would motivate a switch.
It's faster. But if you already have a working system that you are happy with it may not warrant a switch. I think its main strength lies in how easy it is to set up though. First time setting it up from scratch I had a working VPN in less than 5 minutes.
That part really is wonderful. I don’t show it in the guide, but I’ve set up three peers now, and my config file is still just 15 lines long (including headers), and once you wrap your head around what AllowedIPs means in the two different contexts, it’s really easy to read.
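An added example of my own (not the subspace project's code, the script linked earlier, or the guide's) that ties together three threads of this discussion: the "which addresses have I already handed out" problem from the allocation comments above, the MTU overhead of WireGuard-in-UDP-in-IP, and the two different meanings of AllowedIPs on the server and client sides mentioned here. It reads the addresses already present in a server config, picks the next free one, and emits the matching client config and server [Peer] stanza. The subnet, endpoint and all key strings are placeholders, and the sample server config is constructed.

```python
"""Allocate the next WireGuard peer address and emit both config halves.

Assumptions: a /24 VPN subnet whose .1 is the server, addresses already
handed out are read from the server config's [Peer] AllowedIPs lines (a
'lastip' counter file would work the same way), and the key strings are
placeholders standing in for real `wg genkey` / `wg pubkey` output.
"""
import ipaddress
import re

# Protocol constants: a WireGuard transport data message carries 32 bytes
# of its own (type 1 + reserved 3 + receiver index 4 + counter 8 + Poly1305
# tag 16) inside UDP (8) inside IPv4 (20) or IPv6 (40).
WG_DATA_OVERHEAD, UDP_HEADER, IPV4_HEADER, IPV6_HEADER = 32, 8, 20, 40


def wg_mtu(outer_mtu, ipv6_outer=False):
    """Largest inner packet that fits the outer path MTU unfragmented:
    1500 over IPv4 -> 1440, 1500 over IPv6 -> 1420 (wg-quick's default)."""
    ip_header = IPV6_HEADER if ipv6_outer else IPV4_HEADER
    return outer_mtu - ip_header - UDP_HEADER - WG_DATA_OVERHEAD


def used_ips_from_server_conf(server_conf):
    """Every /32 already assigned to a peer in the server's config."""
    return set(re.findall(r"AllowedIPs\s*=\s*(\d+\.\d+\.\d+\.\d+)/32", server_conf))


def allocate(subnet, used, server_host=1):
    """Lowest free host address in subnet, never the server's own.

    Raises instead of silently reusing an address once the subnet is
    exhausted (the collision the random-fourth-octet approach risks).
    """
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(ip) for ip in used}
    taken.add(net.network_address + server_host)
    for host in net.hosts():
        if host not in taken:
            return host
    raise RuntimeError(f"no free addresses left in {subnet}")


def server_peer_stanza(client_pub, client_ip):
    # Server side: AllowedIPs is an ACL plus a route. Packets *from* this
    # peer are dropped unless their source is this /32, and packets *to*
    # the address go down this tunnel.
    return f"[Peer]\nPublicKey = {client_pub}\nAllowedIPs = {client_ip}/32\n"


def client_config(client_priv, client_ip, subnet, server_pub, endpoint, mtu):
    # Client side: AllowedIPs selects what is *sent into* the tunnel;
    # 0.0.0.0/0 makes the server the default gateway (full-tunnel VPN).
    prefix = ipaddress.ip_network(subnet).prefixlen
    return (
        "[Interface]\n"
        f"PrivateKey = {client_priv}\n"
        f"Address = {client_ip}/{prefix}\n"
        f"MTU = {mtu}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"Endpoint = {endpoint}\n"
        "AllowedIPs = 0.0.0.0/0\n"
        "PersistentKeepalive = 25\n"
    )


# Constructed sample: a server that already has two peers.
SAMPLE_SERVER_CONF = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""


def provision(server_conf=SAMPLE_SERVER_CONF, subnet="10.0.0.0/24",
              endpoint="vpn.example.invalid:51820", outer_mtu=1500):
    """Pick the next address; return (client_ip, client_conf, server_stanza).

    The client_conf text is what you would pipe to `qrencode -t ansiutf8`;
    the stanza is appended to the server config and applied with wg syncconf.
    """
    ip = allocate(subnet, used_ips_from_server_conf(server_conf))
    conf = client_config("CLIENT_PRIVATE_KEY_PLACEHOLDER", ip, subnet,
                         "SERVER_PUBLIC_KEY_PLACEHOLDER", endpoint,
                         wg_mtu(outer_mtu))
    return str(ip), conf, server_peer_stanza("CLIENT_PUBLIC_KEY_PLACEHOLDER", ip)
```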
As people mentioned already it is much faster. The downside is there's nothing close to automatic DHCP or something of that nature; you have to effectively hard-code clients' IP addresses.
It doesn't just claim to be faster; it's clearly, materially, obviously faster, at least in straightforward configurations (which is to say that someone could come up with some weird OpenVPN configuration that makes up the [large] gap, but I haven't seen that yet).
As others have said ... it's faster HOWEVER I've had some issues when travelling where OpenVPN wasn't blocked but WireGuard was in some hotels. So I have both, if I can, I use wireguard, otherwise OpenVPN is slower, but does the job.
You can choose a port number to run Wireguard on that should pass through all but the craziest firewall. 53 or 443 could work. Or run it on OpenVPN’s port 1194.
Only limitation is that it has to be UDP, Wireguard doesn’t support TCP.
443/UDP is used for HTTP/3 (aka QUIC), and is pretty quickly becoming ubiquitous – and OpenVPN also supports UDP, so if the port is open for TCP, it might well also be open for UDP.
WireGuard is supposed to be faster and more reliable. In addition it has a far, far smaller codebase than OpenVPN, which makes it easier to audit and therefore more secure.
WireGuard's codebase is so small because it is lacking many features that the vast majority of people don't need. For the people who do need those missing features, WireGuard is unusable.
FWIW: On a recent trip to China, Wireguard setup on a Digital Ocean VPS was the only VPN to work consistently and reliably throughout. Express VPN was recommended as the "best" for China, but I found it rarely worked.
Thanks for the tip. I have been sourcing alternatives to ExpressVPN for China. Last year was pretty ok but on a recent trip, it had difficulty connecting 70% of the time and failed in multiple cities inland and on the coast. Seems like I need to set up my own now.
Question: I use wireguard and like it, but have a problem. At work, I can only get out on ports 80 and 443 TCP. I've tried openvpn, but it's a pain, slow, etc. Any better options? My dilemma is stuff like sshuttle, dsvpn, etc. all seem to be linux-only, linux & mac, etc; I need something with windows, linux, mac, and android.
Assuming it's just port blocking, and you're not behind a proxy or DPI, just run a shadowsocks server listening on 80 or 443.
There are good, free clients for Windows, Android and Mac. The client for Android will handle both connecting to the shadowsocks server and establishing a local SOCKS proxy, and redirecting regular network requests over that proxy. I'm not sure if the clients for other platforms do that, or if they only work with apps that can use a SOCKS proxy.
They're somewhat complementary. I've got both running alongside each other. Wireguard has much better throughput, but tinc guarantees a fully connected network (each node can reach every other node).
I wish wireguard could accept overlapping AllowedIPs ranges, appear as an L2 interface, and take a nexthop from the system routing table. Imagine multiple hosts each providing egress to each other - tinc can do this topology when set up to act as an ethernet segment. But wireguard is so trivial to set up, it's easy enough to run a parallel instance for each horizon.
Just tried going through this tutorial. I can get traffic to forward through the server just fine, but for some reason, DNS refuses to resolve.
I've tried:
- Having no DNS explicitly specified
- Having unbound DNS server run locally
- Using public facing DNS like 1.1.1.1
And none of them seem to make DNS resolve. Anyone else run into this?
ASUS RT-AC86U with Koolshare firmware (derived from Merlin firmware) has Wireguard binaries, but no GUI configuration for it.
I expect that any Asus router that can run Merlin should allow you to ssh in to install Wireguard. But you might need to cross-compile it on another system, and obviously the lower end models might struggle with CPU usage.
The Koolshare group (whose modified version of Asus Merlin is targeted at folks in China) have stopped development for the RT-AC68U, and IIRC this was before they started working on integrating Wireguard into their builds.
It looks like Asuswrt-Merlin uses a different kernel version for different routers (probably because they use the kernel from Asus' own open source releases). I'm pretty sure the kernel for the AC68U is too old to support Wireguard.
KVM VPSs are generally significantly more expensive than OpenVZ, so for side projects where I want a cheap (<$5/mo) plan I've always used the OpenVZ VPSs.
You can use the go implementation of wireguard (wireguard-go). This way you don't need a kernel module. Has worked for me on a really cheap OpenVZ VPS for months.
https://github.com/subspacecloud/subspace