Wireguard

Help on building IPFire & Feature Requests
TheUnicornXXL
Posts: 54
Joined: December 17th, 2010, 7:08 am

Wireguard

Post by TheUnicornXXL » January 2nd, 2019, 3:23 pm

Hello,

are there plans to implement WireGuard in IPFire?
Especially on slow machines like small routers this could be a performance boost.

Regards

Stefan

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: Wireguard

Post by MichaelTremer » January 2nd, 2019, 5:22 pm

Hello,

there are currently no plans to integrate Wireguard. There are enough VPN solutions that work. IPsec with IPFire uses the same cipher and throughput will be the same.

-Michael
Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


TheUnicornXXL
Posts: 54
Joined: December 17th, 2010, 7:08 am

Re: Wireguard

Post by TheUnicornXXL » January 2nd, 2019, 6:08 pm

Every comparison I saw shows IPSec and OpenVPN slower than Wireguard. I think it's the implementation and not only the cipher used.
IPSec especially is the worst protocol (along with VoIP) I ever saw. Incompatible between most vendors and hard to handle over firewalls and a lot of routers.

I implemented IPSec on a worldwide network and found a lot of (mostly older) routers and firewalls which can't handle this protocol in all versions. This was the reason to implement OpenVPN in parallel to IPSec on this network.

Another point is fast roaming between different networks. With Wireguard this should be no performance problem. OpenVPN and IPSec need too much time at this point.

Wireguard is at an early development stage, but they want to merge it into the Linux kernel and a lot of VPN providers implement it now.

I think these are enough points to plan an implementation of Wireguard.

But I hope they will extend Wireguard to use server-side UserID and Password and IP as protocol, optionally.

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: Wireguard

Post by MichaelTremer » January 2nd, 2019, 6:43 pm

Hey,

I see the excitement about WireGuard, but I do not see what it solves that other protocols don't.

It is based on modern cryptography, which is indeed rare with IPsec, but that is an implementation problem and not a problem of the protocol. OpenVPN and IPsec have loads of other mechanisms for authentication (EAP, SIM, ...) which are not planned for WireGuard, and I think that will cause some problems in the Enterprise world.

Indeed it is early right now. The protocol is not even merged into the Linux kernel yet. I do not understand why it is so hyped, because it does not do anything that nobody else can do. Roaming between multiple networks isn't a big problem. OpenVPN roams instantly. I don't know about IPsec. A new handshake takes less than a second.

Overall I agree that there are too many obstacles in the VPN world. That is caused by shit clients and not enough interest in that area to change anything. The protocols are not an issue. I do not even see why we have to support yet another one. What if the next one comes and claims to solve another problem?

EDIT: About your points being enough arguments for why to support this: they consider the protocol. There is probably nothing wrong with it - I haven't looked at it. But you seem to forget the other side...

logcabin
Posts: 2
Joined: January 13th, 2019, 4:56 pm

Re: Wireguard

Post by logcabin » January 13th, 2019, 5:06 pm

I think WireGuard would be a great addition to IPFire. The code base is small, it's all in-kernel, and has a small attack surface. It's also much faster than OpenVPN. I may be wrong, but I think it will replace both OpenVPN and IPsec in the future. My Linux distribution has already included it in their updates. I've been using it for over a year and it has never crashed. It's very easy to build from source and takes only a minute or two, even on a low-power system.

nameless
Posts: 1
Joined: March 22nd, 2019, 9:37 am

Re: Wireguard

Post by nameless » March 22nd, 2019, 10:15 am

Why is there so much buzz surrounding WireGuard?

The answer is simple: it offers many advantages over existing VPN protocols, as we’ll show you below. It has even caught the attention of Linus Torvalds, the developer behind Linux, who had this to say in the Linux Kernel Mailing List:

*** " Can I just once again state my love for [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art." ***
https://restoreprivacy.com/wireguard/

Michael... Thank you gratefully for IpFire... BUT you sometimes seem almost... well... surprisingly passive about security and more accepting of norms and standards, if compared with security and privacy advocates and groups in the world. Why is this??? Has anyone asked this question or is it just us??? Who are you really???

In response to your statement, quote "I do not even see why we have to support yet another one. What if the next one comes and claims to solve another problem?"

In answer to the above ... The IpFire product needs regular operational and strategic capability to self-correct and develop in line with evolving standards and technologies.

At some point, it will also benefit from a professional customer focussed team who can secure funding for business personnel with client management & communication resources and product management and customer support.

It's great that there are guys doing this somewhere somehow... but... at the end of the day... how serious can the public be about trusting them to do this effectively when the IpFire team's "day jobs" keep getting in the way???

Can there please be a published plan to address these things???

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: Wireguard

Post by MichaelTremer » March 22nd, 2019, 10:29 am

Hello,

I am happy to have the discussion - especially since this is about me now apparently blocking new technology...
nameless wrote:
March 22nd, 2019, 10:15 am
Why is there so much buzz surrounding WireGuard?

The answer is simple: it offers many advantages over existing VPN protocols, as we’ll show you below. It has even caught the attention of Linus Torvalds, the developer behind Linux, who had this to say in the Linux Kernel Mailing List:

*** " Can I just once again state my love for [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art." ***
Linus said that the code looks good. That is a slightly different thing.

https://restoreprivacy.com/wireguard/
nameless wrote:
March 22nd, 2019, 10:15 am
Michael... Thank you gratefully for IpFire... BUT you sometimes seem almost... well... surprisingly passive about security and more accepting of norms and standards, if compared with security and privacy advocates and groups in the world. Why is this??? Has anyone asked this question or is it just us??? Who are you really???

In response to your statement, quote "I do not even see why we have to support yet another one. What if the next one comes and claims to solve another problem?"

In answer to the above ... The IpFire product needs regular operational and strategic capability to self-correct and develop in line with evolving standards and technologies.
I do not really get what you are trying to say here. Interesting that I am being criticised for not taking security seriously. I do not really want to answer that. If you think that I am (deliberately) compromising the security of IPFire, then I guess you should probably stop using it. It has something to do with trust. I trust the kernel developers to do a good job. You should trust that we are doing a good job. If you think that we do not do this, maybe consider using something else.

That said, of course I want that many people use IPFire. It is also not a dictatorship here. You can also change IPFire in the way that you want it. The source code is available. I do what I believe is right - and I openly discuss that with the whole community; or who ever wants to take part in it.
nameless wrote:
March 22nd, 2019, 10:15 am
At some point, it will also benefit from a professional customer focussed team who can secure funding for business personnel with client management & communication resources and product management and customer support.

It's great that there are guys doing this somewhere somehow... but... at the end of the day... how serious can the public be about trusting them to do this effectively when the IpFire team's "day jobs" keep getting in the way???
That already exists. Loads of people are happy with IPFire - where it is and where it is going.

Those who are not are engaging in constructive discourse and try to contribute as much as they can to overcome any shortcomings of IPFire.
nameless wrote:
March 22nd, 2019, 10:15 am
Can there please be a published plan to address these things???
No. I am not spending any time on this. I have laid out before why I personally have no interest in Wireguard and that I consider all these claims that it is "faster" just false. We can talk about the technology in depth if you want, but I do not want to waste time on a conversation that is going nowhere.

Instead I regret that I replied to this. I could have done something useful with these 5 minutes that it took me to write this.

So, if you want to add support for WireGuard to IPFire, then work on it. Submit the patches, get it reviewed and approved and dedicate yourself to maintaining it for years. That is what is needed here if you want to make it happen.

-Michael

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Wireguard

Post by ummeegge » March 22nd, 2019, 5:41 pm

Hi all,
IMHO Wireguard is currently under "heavy development", isn't it? Although it seems like a pretty interesting new kid on the block ;) and I am willing to give it a try, build it and make an .ipfire package from it (if I can bring it to life ;) to provide it to you unofficially. Now the interesting question: who wants to give it some intense testing, feedback, implementation ideas, first ideas for a nicely structured CGI with some ideas for an easy setup, ...?
nameless wrote:
March 22nd, 2019, 10:15 am
*** " Can I just once again state my love for [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art." ***
https://restoreprivacy.com/wireguard/
I don't see OpenVPN (which I use heavily) nor IPSec as horror; just to give you a quote from your provided link:
Sure, OpenVPN has its issues, but it also has a long track record and is a proven VPN protocol with extensive auditing. While Donenfeld may refer to OpenVPN as “outdated” in various interviews, others may see it as proven and trustworthy – qualities that WireGuard currently lacks.
which is for me a kind of understandable statement. OpenVPN-2.5.x, but also a fast overview of the 3.x development, doesn't seem outdated to me, but maybe you have more information on why OpenVPN is such a horror?
nameless wrote:
March 22nd, 2019, 10:15 am
Michael... Thank you gratefully for IpFire... BUT you sometimes seem almost... well... surprisingly passive about security and more accepting of norms and standards, if compared with security and privacy advocates and groups in the world. Why is this??? Has anyone asked this question or is it just us??? Who are you really???
Since I do not really know the depths of Wireguard I was looking a little at your posted link and found this one (beneath some other interesting points) in the cons:
Wireguard lacks dynamic IP address management. The client needs to be assigned in advance a pre-defined VPN IP address uniquely linked to its key on each VPN server. The impact on the anonymity layer is catastrophic
so I am not really sure what you mean with 'privacy' there. Also I thought Wireguard is not yet complete --> https://www.wireguard.com/#work-in-progress so a question comes up for me: why should this then be released?
nameless wrote:
March 22nd, 2019, 10:15 am
In answer to the above ... The IpFire product needs regular operational and strategic capability to self-correct
Doesn't it have those capabilities?
nameless wrote:
March 22nd, 2019, 10:15 am
and develop in line with evolving standards and technologies.
Isn't it a little too early to speak about a standard related to Wireguard? Speaking for myself, I am always interested in new technologies and standards, so I go for a checkout and if I think it's a nice one for the community, which I think I am a part of, I try to present my ideas and developments, and if there is resonance and interest (mostly here in the forum <--> viewtopic.php?f=50&t=22476 --> viewtopic.php?f=50&t=21954#p120691 <-- if you want to bring on some feedback and testing, corrections, critique you are welcome :D {sorry for the fast PR-OT}), I bring it on to the developer mailing list where I always find open minds and good responses; even if my ideas will not be merged I can always use it for myself.
Do you know something about IPFire-3.x?
nameless wrote:
March 22nd, 2019, 10:15 am
At some point, it will also benefit from a professional customer focussed team who can secure funding for business personnel with client management & communication resources and product management and customer support.
Sounds good...
nameless wrote:
March 22nd, 2019, 10:15 am
It's great that there are guys doing this somewhere somehow... but... at the end of the day... how serious can the public be about trusting them to do this effectively when the IpFire team's "day jobs" keep getting in the way???
Mmhh, counter-question (sorry for that ;) how serious can the public be about trusting e.g. Cisco? On the other part I'm with you, it's really great that there are people out there who do costless jobs for the public, maybe somehow and somewhere, while others simply do their job. For myself I would also like to shout out a big thanks to all (also to the community) for that 8) .
nameless wrote:
March 22nd, 2019, 10:15 am
Can there please be a published plan to address these things???
Are you interested in setting up a build environment to build a usable version of Wireguard and publishing it here to address your interests in a practical way to the community?

Just some thoughts from here.

Best regards,

UE

BeBiMa
Posts: 2813
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Wireguard

Post by BeBiMa » March 22nd, 2019, 6:33 pm

ummeegge wrote:
March 22nd, 2019, 5:41 pm
Hi all,
IMHO Wireguard is currently under "heavy development", isn't it? Although it seems like a pretty interesting new kid on the block ;) and I am willing to give it a try, build it and make an .ipfire package from it (if I can bring it to life ;) to provide it to you unofficially. Now the interesting question: who wants to give it some intense testing, feedback, implementation ideas, first ideas for a nicely structured CGI with some ideas for an easy setup, ...?
Good statement! ;)
ummeegge wrote:
nameless wrote:
March 22nd, 2019, 10:15 am
*** " Can I just once again state my love for [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art." ***
https://restoreprivacy.com/wireguard/
I don't see OpenVPN (which I use heavily) nor IPSec as horror,
That's a statement about source status. But pretty writing of software doesn't guarantee correctness. Therefore:
ummeegge wrote: just to give you a quote from your provided link:
Sure, OpenVPN has its issues, but it also has a long track record and is a proven VPN protocol with extensive auditing. While Donenfeld may refer to OpenVPN as “outdated” in various interviews, others may see it as proven and trustworthy – qualities that WireGuard currently lacks.
which is for me a kind of understandable statement. OpenVPN-2.5.x, but also a fast overview of the 3.x development, doesn't seem outdated to me, but maybe you have more information on why OpenVPN is such a horror?
In the other points, I just agree with you UE.

Regards,
Bernhard
Unitymedia Cable Internet ( 32MBit )

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Wireguard

Post by ummeegge » March 24th, 2019, 6:03 am

Hi all,
ummeegge wrote:
March 22nd, 2019, 5:41 pm
and I am willing to give it a try, build it and make an .ipfire package from it (if I can bring it to life ;) to provide it to you unofficially.
to bring a little butter to the fish here, as already announced, --> https://people.ipfire.org/~ummeegge/wireguard/ is a first very experimental package. This package is only for 64-bit systems and it needs a running 4.14.103 kernel (Core 128 and the upcoming 129 too).
There are no special commands in install.sh nor in uninstall.sh, so everything needs to be done from scratch. Really everything? OK, I tried a first step. Here is what I did so far:

1) Setting up the wg0 device via

    ip link add dev wg0 type wireguard

won't work and ended up in a

    RTNETLINK answers: Operation not supported

a

    lsmod | grep wire

shows nothing.

WireGuard's ROOTFILE looks currently like this:

    etc/wireguard
    lib/modules/4.14.103-ipfire/extra/wireguard.ko.xz
    usr/bin/wg
    usr/bin/wg-quick
    #usr/share/bash-completion/completions/wg
    usr/share/bash-completion/completions/wg-quick
    #usr/share/man/man8/wg-quick.8
    #usr/share/man/man8/wg.8

but the kernel module isn't loaded after installation. If you simply try to load it, dmesg brings the following up:

    [250724.158184] wireguard: loading out-of-tree module taints kernel.
    [250724.158921] wireguard: Unknown symbol udp_sock_create4 (err 0)
    [250724.158992] wireguard: Unknown symbol udp_tunnel6_xmit_skb (err 0)
    [250724.159390] wireguard: Unknown symbol udp_tunnel_sock_release (err 0)
    [250724.159437] wireguard: Unknown symbol setup_udp_tunnel_sock (err 0)
    [250724.159465] wireguard: Unknown symbol udp_sock_create6 (err 0)
    [250724.159572] wireguard: Unknown symbol udp_tunnel_xmit_skb (err 0)

There was the need to load 'udp_tunnel' and 'ip6_udp_tunnel' before --> https://lists.zx2c4.com/pipermail/wireg ... 01199.html which I tried like that:

    modprobe udp_tunnel
    modprobe wireguard

<-- which worked on one machine. On another machine this didn't work. There I needed:

    modprobe udp_tunnel && modprobe ip6_udp_tunnel
    insmod /lib/modules/4.14.103-ipfire/extra/wireguard.ko.xz

to get:

    $ lsmod | grep wireguard
    wireguard             229376  0
    ip6_udp_tunnel         16384  1 wireguard
    udp_tunnel             16384  1 wireguard

dmesg:

    [251102.783718] wireguard: WireGuard 0.0.20190227 loaded. See www.wireguard.com for information.
    [251102.783724] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

and lsmod:

    $ lsmod | grep wire
    wireguard             229376  0
    ip6_udp_tunnel         16384  1 wireguard
    udp_tunnel             16384  1 wireguard

Now it was also possible to set up the device with a:

    ip link add dev wg0 type wireguard
    ip a | grep -A 10 wg

which delivers:

    7: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc fq_codel state DOWN group default qlen 1000
        link/none

but I think 'wg-quick' does a better job there. Nevertheless I think this one --> https://www.wireguard.com/quickstart/ can be done then? But this is currently not my business but maybe your (those who are really interested) turn ;) ?

Let´s see.

Best,

UE
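Added example, not code from the post above or from the WireGuard project: a small POSIX sh helper that turns the "Unknown symbol" lines dmesg printed when the out-of-tree wireguard.ko failed to load into the list of helper modules to modprobe before insmod, so the udp_tunnel / ip6_udp_tunnel dependency is detected from the kernel log instead of guessed per machine. The symbol-to-module table covers only the symbols shown in the post, the dmesg sample is copied from it as offline input, and the module path is the one from the ROOTFILE.

```shell
#!/bin/sh
# Added example (not from the forum post or the WireGuard project): resolve
# the "Unknown symbol" lines of a failed wireguard.ko load to the modules
# that export those symbols, then load those first.
# Assumption: the table in module_for_symbol only knows the udp_tunnel and
# ip6_udp_tunnel symbols that appeared in the post's dmesg output.

# Constructed sample input: the dmesg lines quoted in the post.
SAMPLE_DMESG='[250724.158184] wireguard: loading out-of-tree module taints kernel.
[250724.158921] wireguard: Unknown symbol udp_sock_create4 (err 0)
[250724.158992] wireguard: Unknown symbol udp_tunnel6_xmit_skb (err 0)
[250724.159390] wireguard: Unknown symbol udp_tunnel_sock_release (err 0)
[250724.159437] wireguard: Unknown symbol setup_udp_tunnel_sock (err 0)
[250724.159465] wireguard: Unknown symbol udp_sock_create6 (err 0)
[250724.159572] wireguard: Unknown symbol udp_tunnel_xmit_skb (err 0)'

# Print the module exporting a kernel symbol; print nothing if unknown.
module_for_symbol() {
    case "$1" in
        udp_sock_create4|setup_udp_tunnel_sock|udp_tunnel_xmit_skb|udp_tunnel_sock_release)
            echo udp_tunnel ;;
        udp_sock_create6|udp_tunnel6_xmit_skb)
            echo ip6_udp_tunnel ;;
    esac
}

# Read dmesg text on stdin; print each module needed before wireguard.ko
# once, in first-seen order. Symbols the table does not know go to stderr.
needed_modules() {
    seen=""
    while IFS= read -r line; do
        case "$line" in
            *"wireguard: Unknown symbol "*) ;;
            *) continue ;;
        esac
        sym=${line#*Unknown symbol }   # drop everything up to the symbol
        sym=${sym%% *}                 # drop the trailing "(err 0)"
        mod=$(module_for_symbol "$sym")
        [ -n "$mod" ] || { echo "unresolved symbol: $sym" >&2; continue; }
        case " $seen " in
            *" $mod "*) ;;                         # already listed
            *) seen="$seen $mod"; echo "$mod" ;;
        esac
    done
}

# On a box where the first insmod failed: load the dependencies dmesg
# revealed, then the out-of-tree module at the ROOTFILE path from the post.
load_wireguard() {
    for mod in $(dmesg | needed_modules); do
        modprobe "$mod" || return 1
    done
    insmod /lib/modules/4.14.103-ipfire/extra/wireguard.ko.xz
}

# Offline demo on the constructed sample; prints udp_tunnel, ip6_udp_tunnel.
printf '%s\n' "$SAMPLE_DMESG" | needed_modules
```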
