Hello,
are there plans to implement WireGuard in IPFire?
Especially on slow machines like small routers this could be a performance boost.
Regards
Stefan
Wireguard
- MichaelTremer
- Core Developer
- Posts: 5687
- Joined: August 11th, 2005, 9:02 am
Re: Wireguard
Hello,
there are currently no plans to integrate Wireguard. There are enough VPN solutions that work. IPsec with IPFire uses the same cipher and throughput will be the same.
-Michael
Support the project with our Donation Challenge!
Get Commercial Support for IPFire and more from Lightning Wire Labs!

-
- Posts: 45
- Joined: December 17th, 2010, 7:08 am
Re: Wireguard
Every comparison I saw shows IPsec and OpenVPN slower than WireGuard. I think it's the implementation and not only the cipher used.
IPsec especially is the worst protocol (parallel to VoIP) I ever saw. It is incompatible between most vendors and bad to handle over firewalls and a lot of routers.
I implemented IPsec on a worldwide network and found a lot of (mostly older) routers and firewalls which can't handle this protocol in all versions. This was the reason to implement OpenVPN in parallel to IPsec on this network.
Another point is the fast roaming between different networks. With WireGuard this should be no performance problem. OpenVPN and IPsec need too much time at this point.
WireGuard is at an early development stage, but they want to merge it into the Linux kernel and a lot of VPN providers implement it now.
I think these are enough points to plan an implementation of WireGuard.
But I hope they will extend WireGuard to use server-side UserID and Password and IP as protocol optional.
- MichaelTremer
- Core Developer
- Posts: 5687
- Joined: August 11th, 2005, 9:02 am
Re: Wireguard
Hey,
I see the excitement about WireGuard, but I do not see what it solves that other protocols don't.
It is based on modern cryptography, which is indeed rare with IPsec, but that is an implementation problem and not a problem of the protocol. OpenVPN and IPsec have loads of other mechanisms for authentication (EAP, SIM, ...) which are not planned for WireGuard, and I think that will cause some problems in the Enterprise world.
Indeed it is early right now. The protocol is not even merged into the Linux kernel yet. I do not understand why it is so hyped because it does not do anything that nobody else can't do. Roaming between multiple networks isn't a big problem. OpenVPN roams instantly. I don't know about IPsec. A new handshake takes less than a second.
Overall I agree that there are too many obstacles in the VPN world. That is caused by shit clients and not enough interest in that area to change anything. The protocols are not an issue. I do not even see why we have to support yet another one. What if the next one comes and claims to solve another problem?
EDIT: About your points being enough arguments about why to support this. They consider the protocol. There is probably nothing wrong with it - I haven't looked at it. But you seem to forget the other side...

Re: Wireguard
I think WireGuard would be a great addition to IPFire. The code base is small, it's all in-kernel, and has a small attack surface. It's also much faster than OpenVPN. I may be wrong, but I think it will replace both OpenVPN and IPsec in the future. My Linux distribution has already included it in their updates. I've been using it for over a year and it has never crashed. It's very easy to build from source and takes only a minute or two, even on a low-power system.