Urgh, I don’t really have time to do this migration but guess I’m planning it in anyway.
Past me was a lazy bum. But I’m confident that future me is all over this. Time for a nap.
Damn you sir, you didn’t need to call me out with that last paragraph.
No, I know it wasn’t my shoe, but look at how well it fits!
A bit annoying for all the things that don’t support openvpn, like old Synology NAS devices.
You can install a wireguard spk from blackvoid - Wireguard SPK for your Synology NAS.
Oh that’s interesting, though my model isn’t on the list ;(
WG was always so much better anyway.
Not sure about that. I set up a wg vpn server on a system which then became unresponsive whenever wg was fully saturating the network. Turns out there is apparently no way to throttle or prioritize a wg server, the only way I could think of would be to dedicate a vm to solely the wg vpn and throttle that vm in its networking.
I instead switched to openvpn which can simply be throttled via a line in its configuration.Besides that missing feature, openvpn also doesn’t require figuring out the right iptables commands to verbatim paste into its config as startup and shutdown commands. Setting it up was way easier than wg (though openvpn too wasn’t exactly user-friendly).
WG to me seems too clunky and unfinished for more mainstream usage, though I am sure it wouldn’t be an issue for a large commercial user like mullvad that will have no issue with all that.
Well it was written to replace open VPN right? So that makes sense
Don’t let openvpn get a swelled head. Itself it was just a Bender project (“I’m gonna write vtun better; with hookers and beer!”) anyway.
deleted by creator
Good! That shit needs to be phased out.
Because OpenVPN is fiddly to set up and modern Wireguard setups seem to scale well enough.
I’m using Bazzite Linux with KDE, and for me Wireguard setup is copy/pasting several bits of information on multiple settings pages. OpenVPN is just downloading a single config file and inputting my user/pass.
Also, Wireguard disconnects so often, no matter which distro I’m on, that it’s a pain in the butt having to reconnect a few times an hour. Not to mention that I can’t have it set to autoconnect on login, or my internet doesn’t work until I disconnect and reconnect.
Interesting, I also use KDE (on arch btw) and I definitely have had hours-long work sessions with ssh over a wireguard vpn to access my home PC from abroad, so I imagine the issue is probably not on the KDE side of the stack
I remember maybe 12-15 years ago, setting OpenVPN on my TomatoUSB flashed router, invoking all kind of openssl command to generate certificates, keys, signing stuff, setting the router, setting the TAP/TUN clients etc. but once setup it works for years on my laptop, phone, etc.
Now with WG I basically scan on my phone a QR code generated on my Merlin router and that’s it.
Try openwrt, ddwrt is cancer.
What? Why?
merlin has built-in wireguard support??
yes for a long time now
I only have one problem with this. When they say wireguard being crypto opinionated is a good thing. I am weary to agree with that statement entirely.
While it is good for stability (only one stack to support and get right, and to be secure and efficient) I do wonder about overall and future security. Saying “You must use this specific cipher suite because we think it’s the best” is a bit of a dangerous road to take.
I say this just because Curve 25519 is considered a very secure elliptic curve, to the best of my very limited knowledge on this subject. But we had a certain dual elliptic curve pseudo random number generator was pushed as “best practice” (NIST backed) some time ago, which didn’t turn out so well, even omitting possible conspiracy scenarios, it had known weaknesses even before it was recommended. [1]
Since then I’ve generally not been a huge fan of being given one option as “the right way” when it comes to cryptography. Even if it is the “best” it gives one target to try to find a weakness in, rather than many.
I say all this as a wireguard user, it’s a great, fast and reliable VPN. I just have concerns when the choice of using other algorithms and especially putting my own chosen chain together is taken away. Because it puts the exact same target to break on every one of us, rather than having to work out how to break multiple methods and algorithms and multiple combinations.
I think the idea behind opinionated cryptography is not only the idea of “We think this is the best, so you have to use it”, but most importantly it removes all requirements of the protocol supporting cipher negotiation. This makes the protocol much simpler, easier to audit and as a result more secure. And if the cryptography in the protocol ever shows a weakness, then Wireguard v2 needs to be released as a breaking change. See all the SSL/TLS versions
Yep. I entirely agree about the good points. I am just always weary about removing options like this, regardless of intention.
I’d be fine if for example I’m running my own wireguard implementation, I could choose the suite to use, not negotiate anything and ensure my client has the same configuration.
I’d probably not use it, but I like the option, and knowing that anyone that wants to try to break this now also needs to guess what options I’m running.
knowing that anyone that wants to try to break this now also needs to guess what options I’m running.
Unless your security model has you being specifically targeted by advanced threat actors, the most likely scenario is that you’ll be affected by randomly discovered security vulnerabilities and not individuals tailoring an attack for your configuration.
Obfuscation of your configuration doesn’t add much security and using obscure settings could just as easily result in security vulnerabilities of their own. Vulnerabilities which, due to the obscurity of your configuration, may not be discovered by white hats for much longer.
I know that, if wireguard is exploitable, it’s very unlikely to be me that would be targeted. There are larger and more lucrative targets acting as honeypots for everyone else.
No. You are making assumptions about security and ultimately assuming you’re the only one who thought this along the way.
mullvad and windscribe are the only two i support <3
Do you have a stance on IVPN?
I’ve had an active iVPN sub for almost 8 years now. Cannot say anything bad about them whatsoever
why yall need a vpn?
Privacy
And justified paranoia
recently switched from mullvad to ivpn, and the servers are noticeably slower. with mullvad all the servers I used achieved my connections max speed 500 mb/s but on ivpn they usually do 50 - 300, and sometimes i need to switch server because they go down (i use european servers). only reason i switched was because mullvad causes a wakelock on mint cinnamon and it drives me nuts.
Is that a Mint Cinnamon issue primarily?
Some sort of internal error specific to them and their setup. Mullvad should function flawlessly on Mint. I’ve used and installed mint on multiple PCs and all sorts of drives including usbs. The repo for updating mullvad app usually needs corrected but that is it. Mint and Mullvad are solid.
it hasn’t happened on other distros but i have other bigger issues on them so i never could test for a longer period. took me a year to find what caused it and it hasn’t happened since i switched from mullvad. fun bonus: ovpn destroyed my nvidia drivers on mint…
I started on mint years ago and it was an okay foot in the door, but would not recommend to anyone (including beginners). Fedora is my goto for new users these days. I use arch (btw) and have had much more luck on rolling release.
Not gonna try to convince you off Mint, but it does sound like you’re having issues with it.
I’ve been itching to install ultramarine but earlier I’ve had bad times with fedora on my hw. also because i host jellyfin at my home network, i kinda need x11 because i have a little program that keeps my system awake when network traffic crosses a certain threshold, using xdotool. and no, that’s not the cause for the wakelock issue. i know ydotool but no time to get into it in the near future
Bummer. For whatever reason I always get much better speeds on openvpn servers.
Sounds like an issue with your network or routes. By design, WG is faster.
That’s not something you hear very often.
Only the opposite has ever happened for me.
That’s very strange. WireGuard was specifically created in part because of speed limitations.
