WireGuard support

Discussion in 'Services - Questions & Answers (Q&A)' started by Carphedon, Jul 9, 2018.

  1. C

    Carphedon New Member

    Dear Perfect Privacy team,

    Are you going to support WireGuard in the near future? (https://www.wireguard.com/)

    I want to use this on Android and Linux because it has a lot of advantages, but I don't want to switch to another VPN service.

    Kind regards
     
    ItsFe likes this.
  2. l

    lilboy New Member

    Wireguard would be really awesome :) I'm currently running it in a test setup on an Android smartphone. The performance is very good!
     
    ItsFe likes this.
  3. F

    Fast_Flyer New Member

    Another vote for Wireguard!
     
    ItsFe likes this.
  4. PP Werner

    PP Werner Staff Member

    Hi. What are the advantages of Wireguard that you're looking for?

    We are still a bit reluctant about Wireguard because the code is still rather fresh and under active construction (see the changelog at https://git.zx2c4.com/WireGuard/) and because of the need for a nonstandard kernel module.
    We value Perfect Privacy over Shininess :)

    That said, we should have a Wireguard server available for public testing soon.
     
    Taprobana and ItsFe like this.
  5. ItsFe

    ItsFe Member

    Better battery life (on mobile devices) and better speeds
     
  6. t

    tlo335 New Member

    Battery life in mobile is really important.

    +1 for battery life if nothing else is compromised.
     
  7. b

    bigplayer Member

    I would be really happy about Wireguard as well. :)

    Why?
    There are some routers which are already able to handle Wireguard, and from what I heard the speed must be quite a bit better than OpenVPN.
     
  8. T

    Taprobana New Member

    Small, easily auditable codebase. A proper third-party code & crypto audit has been conducted. Developer is a Linux vulnerability researcher. Significant improvement in speed vis-à-vis IKEv2. Uses one of the best cryptography standards. Works behind the Chinese Firewall (for now). Will be integrated into Linux kernel in the near future, so it must inspire a modicum of confidence and stability.

    Security Analysis of WireGuard from MIT
    https://courses.csail.mit.edu/6.857/2018/project/He-Xu-Xu-WireGuard.pdf

    But then again, you folks are quite certainly better informed so if there are any downsides & concerns, I for one, would love to learn. :)
     
    ItsFe and bigplayer like this.
  9. C

    Carphedon New Member

    - Wireguard has a very low impact on battery life.

    - Wireguard has IP roaming on both ends. IP addresses can be switched on both ends without breaking the connection. The device can switch between Wi-Fi, cellular, and other connections without disconnecting/reconnecting. This is a big pro for mobile devices, where switching between 4G, 3G, Wi-Fi, etc. happens a lot.

    - WireGuard is likely going to be merged into Linux kernel soon and does work without the module in case it is not available.

    Awesome :)
     
    Last edited: Sep 5, 2018
    bigplayer likes this.
  10. t

    tlo335 New Member

    Any news? Eager to try WireGuard out...
     
  11. PP Werner

    PP Werner Staff Member

    Hi.

    So, we've been looking at Wireguard for a while and to be honest I'm not much impressed, yet.

    - there is no dynamic address management, client addresses are hard-coded into the configuration
    That means we'd need to register each and every active device and assign it a static address on every server. We'd need to store last login timestamps per device and reclaim "idle" addresses, so users couldn't expect to reconnect a device after a few weeks/months because their addresses would have been reassigned. "Unlimited devices" and "no logging" are not really compatible with Wireguard.

    - no userspace-hooks, everything runs inside a kernel module
    That means we couldn't offer any of our features on a Wireguard tunnel. TrackStop, NeuroRouting, Random exits etc. rely on VPN addresses being added to and removed from IP sets when a user connects or disconnects.

    - we can't verify the battery life claims yet, but maybe we were holding it wrong
    Stephan ran some battery tests. Maybe he's using a different Android than everybody else but the results were not that much different between Wireguard and our Android IPsec app.

    EDIT: Some details: I tested OpenVPN, built-in IPSec and Wireguard being connected for 24h on an Xperia Compact with Android 7 with medium internet activity (push/pull notifications, Twitter running, occasionally loading a website). After 24h all connection methods depleted the battery between 59 and 52 percent. Wireguard was in the middle. Note this was only a one-time run test, so not necessarily reliable. But the difference was so small I did not look further into it so far. -- Stephan

    - the hype is great but the code is still young
    This may be superstition and there have been bugs found in very old code. But in times of "move fast and break things", we're reluctant to include code that's been explicitly marked "not for production" by the authors and with its core parts still changing rapidly in the kernel of our VPN servers.


    So, where does that leave us? We're monitoring Wireguard development and are debating whether we should try and implement some of the "missing" features (Wireguard authors may not agree) ourselves. But then we'd run even more experimental code.
    It is difficult :)
     
    Last edited by a moderator: Sep 10, 2018
    Taprobana, Carphedon and ItsFe like this.
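
The two server-side points in the staff reply above (static per-device addresses, and no connect/disconnect hooks for maintaining IP sets) can be seen in this added example, which is not from the thread or from Perfect Privacy: it parses the tab-separated output of `wg show <interface> dump` and has to infer "connected" and "reclaimable" peers from the latest-handshake timestamp alone. The sample dump, keys, addresses, and the 180-second and 30-day thresholds are constructed assumptions.

```python
"""Derive peer state from `wg show <iface> dump` output (constructed sample)."""
from dataclasses import dataclass

ACTIVE_WINDOW = 180          # assumption: handshake newer than this = "connected"
RECLAIM_AFTER = 30 * 86400   # assumption: idle this long = address may be reassigned

# Constructed sample. Line 1 describes the interface; each peer line holds
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
SAMPLE_DUMP = "\n".join([
    "PRIV_PLACEHOLDER\tSRV_PUB_PLACEHOLDER\t51820\toff",
    "PEER_A_PUB\t(none)\t198.51.100.7:40001\t10.0.0.2/32\t1536570000\t9000\t4000\toff",
    "PEER_B_PUB\t(none)\t203.0.113.9:51000\t10.0.0.3/32\t1533000000\t100\t200\toff",
    "PEER_C_PUB\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])

@dataclass
class Peer:
    public_key: str
    allowed_ips: list        # the static tunnel addresses bound to this key
    latest_handshake: int    # Unix seconds; 0 = no handshake since interface came up

def parse_dump(text):
    peers = []
    for line in text.splitlines()[1:]:           # skip the interface line
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        ips = [] if f[3] == "(none)" else f[3].split(",")
        peers.append(Peer(f[0], ips, int(f[4])))
    return peers

def classify(peers, now):
    """Return (active_ips, reclaimable_keys, unknown_keys)."""
    active, reclaim, unknown = [], [], []
    for p in peers:
        if p.latest_handshake == 0:
            unknown.append(p.public_key)         # would need a timestamp stored elsewhere
            continue
        idle = now - p.latest_handshake
        if idle <= ACTIVE_WINDOW:
            active.extend(p.allowed_ips)         # candidates for IP-set membership
        elif idle >= RECLAIM_AFTER:
            reclaim.append(p.public_key)
    return active, reclaim, unknown

if __name__ == "__main__":
    print(classify(parse_dump(SAMPLE_DUMP), now=1536570060))
```

Every branch depends on a per-device timestamp, and a peer with no handshake on record cannot be classified without one kept outside the interface state.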
  12. t

    tlo335 New Member

    Hey Werner,

    Thanks for the heads up! Good to see you people being honest about it :)
     
  13. C

    Carphedon New Member

    Thank you for your reply, Werner. I agree that if WireGuard is not compatible with most Perfect Privacy features, and especially the no-logging part, then it should not be implemented in the current state. Security and privacy > features.
     
  14. C

    Carphedon New Member

    One more question: Mullvad has WireGuard support but claims that they do not log anything of any kind. "no logging of connections, including when one is made, when it disconnects, for how long, or any kind of timestamp".

    So if I read you correctly, this is not possible?
     
    Taprobana likes this.
  15. T

    Taprobana New Member

    It probably isn't worth it at the moment. In any case, my trust in PP just increased. Thank you.
     
  16. C

    Carphedon New Member

    I just wanted to update the thread with a screenshot to show you what the problem is with the Perfect Privacy VPN app on Android and why looking at alternatives or improvements might be useful.

    * This is on my OnePlus 6T with medium to high usage.
     


  17. ItsFe

    ItsFe Member

    Ewww GPlay services
     
  18. l

    lilboy New Member

    In the meantime, WireGuard provides an app for testing on iOS via TestFlight.

    https://www.wireguard.com/install/

    TunSafe is officially available in the App Store, and WireGuard protocols can be installed. A kill switch is included as well.

    Well, my experience with WireGuard has been positive throughout. The VPN connection is established significantly faster than over OpenVPN or IPSec. The data throughput is much better than over OpenVPN, and the connection is super stable. Cascading works perfectly too.

    In my opinion, WireGuard deserves a chance!
     
  19. ItsFe

    ItsFe Member