Answered: WireGuard support

[Carphedon]

Dear perfect privacy team,

Are you going to support wireguard in the near future? (https://www.wireguard.com/)

I want to use this on android and linux because it has a lot of advantages but i dont want to switch to another vpn service.

Kind regards

 

[lilboy]

Wireguard wäre schon echt fett Ich habe es derzeit im Testbetrieb auf einem Android Smartphone. Die Performance ist sehr gut!

 

[Fast_Flyer]

Another vote for Wireguard!

 

[PP Werner]

Hi. What are the advantages of Wireguard that you're looking for?

We are still a bit reluctant to Wireguard because the code is still rather fresh and under active construction (see the changelog at https://git.zx2c4.com/WireGuard/) and the need for a nonstandard kernel module.
We value Perfect Privacy over Shinyness

That said, we should have a Wireguard server available for public testing soon.

 

[ItsFe]

Hi. What are the advantages of Wireguard that you're looking for?

Better batterylife (on mobile devices) and better speeds

 

[tlo335]

Battery life in mobile is really important.

+1 for battery life if nothing else is compromised.

 

[bigplayer]

I would be really happy about Wireguard as well.

Why?
There are some Routers which are already able to handle Wireguard and from what I heard the speed must be quiet better than openvpn.

 

[Taprobana]

Hi. What are the advantages of Wireguard that you're looking for?

We are still a bit reluctant to Wireguard because the code is still rather fresh and under active construction (see the changelog at https://git.zx2c4.com/WireGuard/) and the need for a nonstandard kernel module.
We value Perfect Privacy over Shinyness

That said, we should have a Wireguard server available for public testing soon.

Small easily auditable codebase. A proper third-party code & crypto audit has been conducted. Developer is a Linux vulnerability researcher. Significant improvement in speed vis a vis IKEv2. Uses one of the best cryptography standards. Works behind the Chinese Firewall(for now). Will be integrated into Linux kernel in the near future so it must inspire a a modicum of confidence and stability.

Security Analysis of WireGuard from MIT
https://courses.csail.mit.edu/6.857/2018/project/He-Xu-Xu-WireGuard.pdf

But then again, you folks are quite certainly better informed so if there are any downsides & concerns, I for one, would love to learn.

 

[Carphedon]

Hi. What are the advantages of Wireguard that you're looking for?

- Wireguard has a very low impact on battery life.

- Wireguard has ip roaming on both ends. IP addresses can be switched on both ends, without breaking the connection. The device can switch between Wi-Fi, cellular, and other connections without disconnecting/reconnecting. This is a big pro for mobile devices when switching between 4g 3g wifi etc happens a lot.

The need for a nonstandard kernel module.

- WireGuard is likely going to be merged into Linux kernel soon and does work without the module in case it is not available.

That said, we should have a Wireguard server available for public testing soon.

Awesome

 

[tlo335]

Any news? Eager to try wireguard out...

 

[PP Werner]

Hi.

So, we've been looking at Wireguard for a while and to be honest I'm not much impressed, yet.

- there is no dynamic address management, client addresses are hard-coded into the configuration
That means we'd need to register each and every active device and assign it a static address on every server. We'd need to store last login timestamps per device and reclaim "idle" addresses, so users couldn't expect to reconnect a device after a few weeks/month because their addresses would have been reassigned. "Unlimited devices" and "no logging" are not really compatible with Wireguard.

- no userspace-hooks, everything runs inside a kernel module
That means we couldn't offer any of our features on a Wireguard tunnel. TrackStop, NeuroRouting, Random exits etc. rely on VPN addresses being added to and removed from IP sets when a user connects or disconnects.

- we can't verify the battery life claims yet. but maybe we were holding it wrong
Stephan ran some battery tests. Maybe he's using a different Android than everybody else but the results were not that much different between Wireguard and our Android IPsec app.

EDIT: Some details: I tested OpenVPN, built-in IPSec and Wireguard being connected for 24h on a Xperia Compact with Android 7 with medium internet activity (push/pull notifications, twitter running, occasionally loading a website). After 24h all connection methods depleted the battery between 59 and 52 percent. Wireguard was in the the middle. Note this was only a one time run test, so not necessarily reliable. But the difference was so small I did not look further into it so far. -- Stephan

- the hype is great but the code is still young
This may be superstition and there have been bugs found in very old code. But in times of "move fast and break things", we're reluctant to include code that's been explicitly marked "not for production" by the authors and with its core parts still changing rapidly in the kernel of our VPN servers


So, where does that leave us? We're monitoring Wireguard development and are debating whether we should try and implement some of the "missing" features (Wireguard authors may not agree) ourselves. But then we'd run even more experimental code.
It is difficult

 

[tlo335]

Hey Werner,

thanks for the heads up! Good to See you people bring honest about it

 

[Carphedon]

Thank you for your reply Werner. I agree that if wireguard is not compatible with most perfect privacy features and especially the no logging part then it should not be implemented in the current state. Security and privacy > features.

 

[Carphedon]

Hi.
- there is no dynamic address management, client addresses are hard-coded into the configuration
That means we'd need to register each and every active device and assign it a static address on every server. We'd need to store last login timestamps per device and reclaim "idle" addresses, so users couldn't expect to reconnect a device after a few weeks/month because their addresses would have been reassigned. "Unlimited devices" and "no logging" are not really compatible with Wireguard.

One more question, mullvad has wireguard support but claims that they do not log anything of any kind. "no logging of connections, including when one is made, when it disconnects, for how long, or any kind of timestamp".

So if i read you correct this is not possible?

 

[Taprobana]

It probably isn't worth it at the moment. In any case, my trust in PP just increased. Thank you.

 

[Carphedon]

I just wanted to update the thread with a screen shot to show you what the problem is with the perfect privacy VPN app on android and why looking at alternatives or improvemens might be useful.

* This is on my oneplus 6T with medium to high usage.

 

[ItsFe]

I just wanted to update the thread with a screen shot to show you what the problem is with the perfect privacy VPN app on android and why looking at alternatives or improvemens might be useful.

* This is on my oneplus 6T with medium to high usage.

Ewww GPlay services

 

[lilboy]

Mittlerweile stellt WireGuard eine App zum testen für iOS über TestFlight zur Verfügung.

https://www.wireguard.com/install/

TunSafe ist offiziell im AppStore verfügbar und es lassen sich WireGuard Protokolle installieren. KillSwitch ist ebenfalls mit am Start.

Na ja, also meine Erfahrung mit WireGuard sind durchweg positiv. Die VPN Verbindung steht bedeutend schneller als über OpenVPN oder IPSec. Der Datendurchsatz ist viel besser als über OpenVPN und die Connection ist super stabil. Eine Kaskadierung funktioniert auch bestens

Meiner Meinung nach hat WireGuard eine Chance verdient!

 

[ItsFe]

Meiner Meinung nach hat WireGuard eine Chance verdient!

https://www.perfect-privacy.com/blog/2018/10/10/wireguard-vpn-pros-and-cons/

 

[Chernobog]

It’s been six years since your last update on WireGuard. Many VPN providers now support it - has there been any progress or change in your stance on integrating WireGuard into your services?