"It's just as easy as SSH!" and "Ok, set up your iptables rules...." do not go together. Wireguard might be easier than OpenVPN, but it's still prohibitively difficult to set up, and especially to use in a client computing scenario (i.e. I'm on a desktop machine, and want to connect/disconnect this VPN frequently)
I tried streisand / wireguard setup a while back (MacOS to DO server). It worked great until I tried to disconnect (it would save the old WG settings in my connection tables and then just keep me completely disconnected from the internet). Anyone know if this is improved? Is there any easy way to get wireguard set up on macos and connect to a DO server?
It's much better although seems to occasionally still happen (DNS settings, for some reason). Homebrew is probably the easiest way to get the client going from scratch with the least effort.
having played with wireguard I can definitely say that it takes something that used to be complicated and makes it trivial (i.e. setting up a vpn server).
it almost feels too easy compared to the openvpn monstrosity.
now that they have an iphone app (in beta) I switched to using it everywhere and not looking back.
I picked up WireGuard yesterday, and within an hour, I had my server and 4 clients set up. Freaking gravy.
And this morning, I connected to the bus WiFi, I turned on WireGuard, and kept a constant connection throughout my commute to work. It just works so well.
I could never do that with my OpenVPN connections.
Today was my iPad. But I've run my laptop before many times. This is an express bus, with only a couple of stops and runs mostly on the interstate for 25 miles.
It says you get about a Gbit of throughput. That isn't bad but I wonder if that is simply because the processing isn't or can't be efficiently paralleled.
You might be able to make several of these connections between 2 machines and trunk/bond them on each side into a combined interface for even more throughput. 10GbE and 40Gb fiber cards are getting pretty cheap.
> It says you get about a Gbit of throughput. That isn't bad but I wonder if that is simply because the processing isn't or can't be efficiently paralleled.
The encryption is parallelised; Jason Donenfeld talks about how the parallelism is designed in most of his talks about WireGuard.
Effectively the problem is that network processing is done using "flows" and generally you want to pin a single flow to a single CPU -- but that would result in bad performance (especially if related packets were encrypted on separate CPUs). So instead, WireGuard pretends to support hardware packet offloading -- so the rest of the net infrastructure figures out what packets are related and gives WireGuard a coalesced packet which can then be split and encrypted in one go.
I guess 20 years as a sysadmin and systems programmer make me a little jaded but you wouldn't convince me to pick up a new VPN based on it being OpenSSH-alike. I'd prefer a pure TLS/SSL or IPSEC solution that fits either paradigm.
If I want ssh-alike I'll harden my ssh and PAM configuration and use ssh (+ tunneling/forwarding and socks5).
It's already absolutely fantastic compared to any other solution I can think of (_especially_ OpenVPN, which requires generating a bunch of x.509 certs).
This article has a ton of steps which aren't even WireGuard specific like server firewall rules.
The actual configuration of WG is basically 'generate a private and public key on server and client, stick it in a config file, run wg-quick up, done'.
I don't know, I really like the idea of wireguard but I had a pretty tough time setting it up (and had to give up after an hour)... more like I didn't have the time.
I think I wasn't doing something right, though, since I was getting very weird errors that I wasn't able to google. Also I think my issue was like more with the macOS client rather than the server.
I think Wireguard is still at the same level that git was about 10 years ago: powerful, elegant, but absolutely not user-friendly. But nobody is claiming that it is (same with git).
I suspect in the next couple of years, you'll see an explosion of really nice tools to make this setup even easier than it is now.
Until then, I'll keep fiddling and try to get wireguard running on my macOS client/ubuntu server setup.
It would be so huge if they made this a first-class citizen (and if it doesn’t require admin rights). I worry that leaving it as an afterthought will cause unixisms to creep in and then a Windows version becomes impossible.
Hello Jason could you please give an estimated availability date for the Windows client and a valid link to the section of your repo/website where someone can follow the progress? I have searched extensively for any info on the schedule, road map, estimated availability for this and have had no luck finding any info about this very important client for Wireguard. I have been patiently waiting for this and holding off on other Windows VPNs but need something very soon. Thanks for your help.
I've been trying out Wireguard with IVPN (https://ivpn.net/) and so far I'm impressed. Very quick tunnel setup (especially important on mobile iOS devices) and great performance afterwards.
The author is setting up NAT w/ the iptables rule in the POSTROUTING chain that does `-j MASQUERADE`. With that rule in place, combined with `allowed-ips 0.0.0.0/0` on the wireguard client, the client can tunnel all their IP traffic through the server as opposed to just having a private subnet set up between the two endpoints.
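The two comments above describe the whole of a minimal WireGuard deployment: one keypair per side, a `[Peer]` block on each end, `wg-quick up`, and on the server a POSTROUTING MASQUERADE rule that turns a client with `AllowedIPs = 0.0.0.0/0` into a full tunnel rather than a private point-to-point subnet. The script below is an added example written for this thread, not code from the article or from the WireGuard project; the interface name `eth0`, the `10.8.0.0/24` tunnel subnet, the endpoint `vpn.example.com:51820` and the key strings are placeholders. The MASQUERADE rule is scoped to the tunnel subnet and removed again in `PostDown`, so a torn-down tunnel leaves no NAT rule behind.

```shell
#!/bin/sh
# Added example: emit a server and a client wg-quick config from supplied keys.
# Real keys come from wg(8); gen_keypair below wraps it when the tool is present.

# Print "<private> <public>" using wg(8); fails cleanly if wg is not installed.
gen_keypair() {
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
    priv=$(wg genkey) || return 1
    pub=$(echo "$priv" | wg pubkey) || return 1
    printf '%s %s\n' "$priv" "$pub"
}

# Server config. Args: server private key, client public key, WAN interface, port.
# PostUp adds the NAT rule only for traffic arriving from the tunnel subnet and
# leaving via the WAN interface; PostDown deletes exactly that rule again.
server_conf() {
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $4
PrivateKey = $1
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $3 -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# Client config. Args: client private key, server public key, endpoint host:port,
# AllowedIPs. Pass 0.0.0.0/0 for a full tunnel (all traffic via the server, which
# only works together with the server's MASQUERADE rule and ip_forward=1) or
# 10.8.0.0/24 to reach just the tunnel subnet.
client_conf() {
    cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3
AllowedIPs = $4
PersistentKeepalive = 25
EOF
}

# Generate both keypairs with wg(8) and write the two config files into $1.
# Files are created 0600 because they hold private keys.
make_configs() {
    dir=$1; wan=${2:-eth0}; endpoint=${3:-vpn.example.com:51820}; allowed=${4:-0.0.0.0/0}
    set -- $(gen_keypair) || return 1; spriv=$1; spub=$2
    set -- $(gen_keypair) || return 1; cpriv=$1; cpub=$2
    umask 077
    server_conf "$spriv" "$cpub" "$wan" 51820 > "$dir/server-wg0.conf"
    client_conf "$cpriv" "$spub" "$endpoint" "$allowed" > "$dir/client-wg0.conf"
}
```

Usage: `make_configs /tmp/wg` (with `wg` installed) writes both files; copy each to `/etc/wireguard/wg0.conf` on its host and run `wg-quick up wg0`. The server additionally needs `sysctl -w net.ipv4.ip_forward=1`, otherwise the MASQUERADE rule never sees any packets and a `0.0.0.0/0` client loses internet access instead of tunnelling it. `wg-quick down wg0` runs the `PostDown` line, which is the counterpart to the disconnect problem described earlier in the thread: every rule the tunnel adds should be removed by the same config that added it.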