Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (2024)

tptacek on Oct 4, 2019 | parent | context | favorite | on: Vulnerabilities exploited in VPN products used wor...

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer without fussy interactions with a Unix shell (that then also needs to be accounted for in a security model), has higher performance, is practically bulletproof in terms of keeping connections alive, and gets you direct access to whatever resources you've provisioned the network to provide.

I wouldn't ding someone using SSH tunnels (carefully), but in a de novo design, I would always recommend WireGuard first.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (2)

labawi on Oct 6, 2019 | next [–]

>> If all of my remote access can be done via ssh {+ local/remote forwarding}..

> WireGuard .. has higher performance ...

Note there are circ*mstances where ssh port forwarding (-L, -R, -D) is faster than any L2/L3 vpn because it breaks TCP connections in two segments, so any flaky retransmission causing issues are localized, RTTs are smaller, TCP ramp-up is faster, etc.

On the other hand, ssh tun/tap forwarding will almost certainly be slower.

If you are connecting over a flaky wifi/2g/3g connection, possibly to a flaky/distant counterpart, and have performance issues, I would recommend trying (L4 is it?) ssh/socks or even http forwarding via a stable middle host.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (3)

zokula on Oct 5, 2019 | prev | next [–]

Wireguard does not have better performance or is faster verses Openvpn in any independent Benchmark released up to now.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (4)

pm7 on Oct 5, 2019 | parent | next [–]

I was just benchmarking routers in VM. I also tested Openvpn vs Wireguard. Results:

 Openwrt 18.06.4 32-bit wireguard: 645 Mbit/s ping 1.1ms openvpn: 164 Mbit/s ping 1.2ms Openwrt 19 (snapshot r11159) 64-bit: wireguard: 1.16 Gbit/s ping 1.1ms openvpn: 230 Mbit/s ping 1.2ms pfsense 2.4.4-p3 (amd64): openvpn: 115 Mbit/s ping 1.2ms

It was tested by moving traffic between two virtual bridges, Debian>router>Debian, on KVM (libvirt), CPU E3-1270, kernel:4.19.0-4-amd64 #1 SMP Debian 4.19.28-2 (2019-03-15) x86_64

1 core, 2GB per VM

iperf3 -t 60

 Settings: Wireguard: defaults OpenVPN: no compression, udp, tun, defaults

I would also note that I setting wg took about 5-10 minutes while setting openvpn took about an hour.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (5)

tjoff on Oct 5, 2019 | parent | prev | next [–]

Sure there are, many threads about wireguard include performance comparisons to openvpn. Most home routers that can install both see a significant increase (I saw about 3-4x if I remember correctly).

Also see the endless discussions on how to deliver 100 Mbit/s for single connections on OpenVPN. It is absolutely insane, you have to spend many hundreds of dollars on hardware to have a fighting chance. And even if you get hardware acceleration that doesn't help nearly as much as you'd expect. And aside from cost the power consumption required for such hardware is very prohibitive for most.

Meanwhile my phone (first gen. Pixel (so three generations behind)), over wifi, gets at least 60 mbit/s over wireguard to a weak home router and then out to internet.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (6)

ubercow13 on Oct 5, 2019 | parent | prev | next [–]

Do any independent benchmarks show it to be no faster?

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (7)

FDSGSG on Oct 5, 2019 | parent | prev | next [–]

Yeah, but nobody cares. OpenVPN is horribly slow and wireguard isn't, there's no point in comparing these two.

You wouldn't have an independent benchmark comparing a GTR and a semi truck.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (8)

labawi on Oct 4, 2019 | prev [–]

> WireGuard .. is practically bulletproof in terms of keeping connections alive

Try switching between IPv4 and IPv6 networks, or reaching a peer on non-default/primary network on Windows.

Not denying it would usually have better connectivity than TCP based ssh.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (9)

akerl_ on Oct 5, 2019 | parent | next [–]

As an anecdotal point, I’ve been using always-on WireGuard (using a setup that’s essentially a fork of Algo) on my iPhone, iPad, and MacBook for months, via the native clients for each. I routinely hop between countries, SIM cards, WiFi networks, etc. I hit issues with Apple’s built-in captive portal detection (which has to kick in so it gives me the captive portal outside of the always-on VPN), but the WireGuard tunnel itself has been pretty much solid.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (10)

xyzzy_plugh on Oct 4, 2019 | parent | prev [–]

Where do you encounter IPv6 in the wild?

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (11)

labawi on Oct 4, 2019 | root | parent | next [–]

There were multiple complaints on the mailing list about roaming not working on IPv4/v6 transitions. I believe it was mobile vs. wifi.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (12)

emj on Oct 5, 2019 | root | parent | prev | next [–]

I've come across it on Wifi hotspots as well for some reason, it felt like the were deployed by a telecom company (cellular being most common way for non tech people to use IPv6 on my sites).

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (13)

AceJohnny2 on Oct 5, 2019 | root | parent | prev [–]

Cellular networks.

Cellular networks abroad.

Yes. WireGuard is cryptographically superior to SSH, attaches at a network layer... (14)