Wireguard

TheUnicornXXL
Posts: 45
Joined: December 17th, 2010, 7:08 am

Wireguard

Post by TheUnicornXXL » January 2nd, 2019, 3:23 pm

Hello,

are there plans to implement WireGuard in IPFire?
Especially on slow machines like small routers, this could be a performance boost.

Regards

Stefan

MichaelTremer
Core Developer
Posts: 5677
Joined: August 11th, 2005, 9:02 am

Re: Wireguard

Post by MichaelTremer » January 2nd, 2019, 5:22 pm

Hello,

there are currently no plans to integrate Wireguard. There are enough VPN solutions that work. IPsec with IPFire uses the same cipher and throughput will be the same.

-Michael
Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


TheUnicornXXL
Posts: 45
Joined: December 17th, 2010, 7:08 am

Re: Wireguard

Post by TheUnicornXXL » January 2nd, 2019, 6:08 pm

Every comparison I saw shows IPSec and OpenVPN slower than WireGuard. I think it's the implementation and not only the cipher used.
IPSec, especially, is the worst protocol (alongside VoIP) I ever saw. Incompatible between most vendors and bad to handle over firewalls and a lot of routers.

I implemented IPSec on a worldwide network and found a lot of (mostly older) routers and firewalls which can't handle this protocol in all versions. This was the reason to implement OpenVPN in parallel with IPSec on this network.

Another point is the fast roaming between different networks. With WireGuard this should be no performance problem. OpenVPN and IPSec need too much time at this point.

WireGuard is at an early development stage, but they want to merge it into the Linux kernel and a lot of VPN providers implement it now.

I think these are enough points to plan an implementation of WireGuard.

But I hope they will extend WireGuard to use server-side UserID and Password and IP as protocol optional.

MichaelTremer
Core Developer
Posts: 5677
Joined: August 11th, 2005, 9:02 am

Re: Wireguard

Post by MichaelTremer » January 2nd, 2019, 6:43 pm

Hey,

I see the excitement about WireGuard, but I do not see what it solves that other protocols don't.

It is based on modern cryptography, which is indeed rare with IPsec, but that is an implementation problem and not a problem of the protocol. OpenVPN and IPsec have loads of other mechanisms for authentication (EAP, SIM, ...) which are not planned for WireGuard, and I think that will cause some problems in the Enterprise world.

Indeed it is early right now. The protocol is not even merged into the Linux kernel yet. I do not understand why it is so hyped because it does not do anything that nobody else can do. Roaming between multiple networks isn't a big problem. OpenVPN roams instantly. I don't know about IPsec. A new handshake takes less than a second.

Overall I agree that there are too many obstacles in the VPN world. That is caused by shit clients and not enough interest in that area to change anything. The protocols are not an issue. I do not even see why we have to support yet another one. What if the next one comes and claims to solve another problem?

EDIT: About your points being enough arguments about why to support this. They consider the protocol. There is probably nothing wrong with it - I haven't looked at it. But you seem to forget the other side...

logcabin
Posts: 1
Joined: January 13th, 2019, 4:56 pm

Re: Wireguard

Post by logcabin » January 13th, 2019, 5:06 pm

I think WireGuard would be a great addition to IPFire. The code base is small, it's all in-kernel, and has a small attack surface. It's also much faster than OpenVPN. I may be wrong, but I think it will replace both OpenVPN and IPsec in the future. My Linux distribution has already included it in their updates. I've been using it for over a year and it has never crashed. It's very easy to build from source and takes only a minute or two, even on a low-power system.
