
Cool to see this done by hand. I’m running IPSec on my Edgerouter but am about to redo my home network and lab environment and will likely implement WireGuard.

There’s also a more plug-n-play tool called Algo that is highly spoken of, which automates a lot of this: https://github.com/trailofbits/algo




Algo is pretty cool for setting up an IKEv2 VPN server, but under the hood it uses StrongSwan, which is far more complicated in a code/engineering sense than WireGuard.

That being said, I think Algo is often preferable to OpenVPN and IPSec, especially when supporting macOS/iOS clients.


Algo does a fine job of setting up WireGuard, which is what you should use if you can.


I know what you mean when it comes to OpenVPN and macOS. But any insight on why you'd prefer Algo over OpenVPN? I've been using the latter for years but would be interested in revisiting that if there are compelling reasons to do so.


I think Algo is just a setup script, not a VPN itself?


FYI WireGuard is pretty slow on the Edgerouter compared to IPSec. I assume IPSec has a hardware offload and WireGuard does not.


According to https://an.undulating.space/post/181227-er_alternate_firmwar...

WireGuard is just as fast as hardware-accelerated IPSec on both the EdgeRouter X and Lite. With OpenWrt on the EdgeRouter Lite, WireGuard is ~2x faster than hardware-accelerated IPSec on EdgeOS.


They don't give the IPSec parameters. WireGuard uses ChaCha20 for encryption with Poly1305 for authentication. IPSec can use many different combinations of cipher and authentication algorithms. If they were using AES+SHA256, then SHA256 would likely be the bottleneck. AFAIU, Ubiquiti routers use a crypto coprocessor (as opposed to AES-NI and SHA-NI on amd64), which means even if SHA256 were accelerated on the coprocessor it could easily still be too costly. But we don't even know if the MAC was accelerated at all. The implication that "IPSec acceleration" handicaps WireGuard is unfounded.

If those benchmarks were with AES+GCM, then that would definitely be surprising. But the safe bet is that they were using AES+SHA256 (or something other than GCM for the MAC), in which case their benchmarks are not surprising, simply misleading.

IPSec can also do ChaCha20+Poly1305 (at least, OpenBSD's stack can). Any serious comparison should also include IPSec using the same crypto algorithms as WireGuard.
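
The like-for-like comparison the comment above asks for, written out as an added example that is not from the thread or from strongSwan's own documentation: three strongSwan swanctl.conf connections that differ only in their IKE and ESP proposals, so an IPsec benchmark can be run once with AES-CBC plus a separate HMAC-SHA256, once with AES-GCM, and once with the ChaCha20-Poly1305 suite WireGuard uses. The peer address 192.0.2.10, the identities, the child names and the pre-shared secret are placeholders chosen for this example.

```conf
# Added example (not from the thread): three swanctl.conf connections whose
# only difference is the cipher suite, for an apples-to-apples IPsec benchmark.
# 192.0.2.10, the ids, the child names and the secret are placeholders.
connections {
    # Suite 1: AES-128-CBC with a separate HMAC-SHA256 integrity check.
    # The MAC is a second pass over every packet, so if the crypto
    # coprocessor does not accelerate SHA-256 this is the suite that
    # bottlenecks on it.
    bench-aes-cbc-sha256 {
        remote_addrs = 192.0.2.10
        local {
            auth = psk
            id = client@example.test
        }
        remote {
            auth = psk
            id = server@example.test
        }
        proposals = aes128-sha256-modp2048
        children {
            net-cbc {
                esp_proposals = aes128-sha256-modp2048
            }
        }
    }

    # Suite 2: AES-128-GCM, an AEAD, so encryption and authentication are
    # one pass and no separate hash is needed on the ESP path.
    bench-aes-gcm {
        remote_addrs = 192.0.2.10
        local {
            auth = psk
            id = client@example.test
        }
        remote {
            auth = psk
            id = server@example.test
        }
        proposals = aes128gcm16-prfsha256-modp2048
        children {
            net-gcm {
                esp_proposals = aes128gcm16-modp2048
            }
        }
    }

    # Suite 3: ChaCha20-Poly1305 with Curve25519 key exchange, the same
    # primitives WireGuard is built on, so the number this suite produces is
    # the one that is actually comparable to a WireGuard benchmark.
    bench-chacha20poly1305 {
        remote_addrs = 192.0.2.10
        local {
            auth = psk
            id = client@example.test
        }
        remote {
            auth = psk
            id = server@example.test
        }
        proposals = chacha20poly1305-prfsha256-curve25519
        children {
            net-chacha {
                esp_proposals = chacha20poly1305-curve25519
            }
        }
    }
}

secrets {
    ike-bench {
        id-1 = client@example.test
        id-2 = server@example.test
        secret = "REPLACE-WITH-A-STRONG-PSK"
    }
}
```

Bring one child up at a time (`swanctl --load-all`, then `swanctl --initiate --child net-chacha`, and so on), run the same throughput test through the tunnel for each, and confirm with `swanctl --list-sas` that the algorithms actually negotiated are the ones intended: if the responder only offers AES-CBC+SHA256, the benchmark silently measures that suite regardless of which connection was initiated, which is exactly the ambiguity the comment complains about.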


I’d love to see benchmarks on an ER-4/6/8, especially with gigabit WAN availability becoming more common.


Yes, IPSec is supported for HW offload:

https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRou...

Disappointed to hear the performance hit with WireGuard. I was planning on trying it out, but I think I'll wait.


Note that hardware offload only really matters when you're combining fast networks with slow processors. WireGuard on a modern PC CPU will more than saturate gigabit ethernet and the per-packet latency hit is <1ms.


Well, for some of their routers it's false advertising. On the EdgeRouter X, IPSec offload for client VPN has been broken for more than a year.



