16

[wish] Wireguard

asked 2018-03-31 17:43:15 +0200

cy8aer

updated 2018-05-31 08:20:53 +0200

molan

It would be nice to have Wireguard (https://www.wireguard.com) implemented for all SailfishOS devices. Wireguard is a very modern VPN system running mostly in the kernel, and because it uses ChaCha20 for the payload it is very fast without hardware acceleration.

Because there are endpoint implementations for e.g. OpenWrt and EdgeRouters, this would be a cool alternative to OpenVPN.

Wireguard needs kernel modules and a user space program.

[Update] Additional information at Easterhegg 18 (in German...):

https://pretalx.eh18.easterhegg.eu/eh18/talk/BFFC3X/

https://media.ccc.de/v/BFFC3X

[Update] And when you do it, implement it for v6 too.


Comments

*acceleration

Edz ( 2018-03-31 17:46:16 +0200 )
1

@Edz: too early for writing right English today ;-)

cy8aer ( 2018-03-31 17:53:04 +0200 )

I don't know it. But another open source alternative to OpenVPN - I'd vote for that.

kaktux ( 2018-04-01 12:24:43 +0200 )

1 Answer

1

answered 2018-05-28 13:38:49 +0200

ghling

I totally agree, it would be great to have support for Wireguard. Building the user space program shouldn't be a big issue since the source is available, but since Wireguard needs kernel modules, there really are only two options here:

  • The modules are built into the official SFOS kernel: Definitely the better way to go, since it means Wireguard is available for all users. However, I'd imagine it is not easy to get Jolla into adding the modules to the kernel. I'd recommend adding the topic to the next Community Meeting and discussing it there.
  • Custom-build kernels: Probably the easier option, as it can be done by anyone. But it also means that it probably will reach few users (who are willing to replace their official kernel) and requires trust towards the person compiling the kernel or bigger efforts building your own one.

Nevertheless, I also want to state the information from the official Wireguard website:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.

So while it's certainly a good idea to ask Jolla for an implementation (as stated above: add it as a topic for the next community meeting), it may be a good idea to wait until Wireguard reaches a stable (and reviewed) state.

Comments

I now tried it out: EdgeRouter, Linux road warrior notebook. The main problem today is the support in - say - desktop environments. You need to set it up on your own. But when it is running it is building up very fast, your CPUs are happy and it simply works. You need to know what you are configuring (allowed IPs are a bit confusing - or not??) and if this would be hidden in the network manager, connman, whatever UI - maybe with QR code key exchange - then it would be fine for everyday usability.

The Android app (I did not get it working...) says that there is also a user space version available?

cy8aer ( 2018-05-28 13:52:21 +0200 )
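
How the "allowed IPs" setting mentioned in the comment above behaves, as an added example that is not part of the original thread and not WireGuard's own code: a Python model of the lookup, in which one prefix list both selects the peer for outgoing packets and filters the inner source address of incoming ones, for IPv4 and IPv6 alike. Peer names and addresses are constructed placeholders.

```python
import ipaddress

def build_table(peers):
    """Map each allowed prefix to one peer; a repeated prefix moves to the later peer."""
    table = {}
    for name, prefixes in peers.items():
        for prefix in prefixes:
            table[ipaddress.ip_network(prefix)] = name
    return table

def lookup(table, addr):
    """Longest-prefix match of addr over all allowed prefixes, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in table if n.version == ip.version and ip in n]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]

def route_outbound(table, dst):
    """Outgoing: allowed IPs act as a routing table that picks the peer (and its key)."""
    return lookup(table, dst)

def accept_inbound(table, peer, src):
    """Incoming: after decryption the inner source must map back to the sending peer."""
    return lookup(table, src) == peer

# Constructed sample: a router's view of two road warriors and a branch site.
PEERS = {
    "notebook": ["10.8.0.2/32", "fd00:8::2/128"],
    "phone": ["10.8.0.3/32", "fd00:8::3/128"],
    "branch": ["10.8.0.4/32", "192.168.50.0/24"],
}
TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ["10.8.0.2", "fd00:8::3", "192.168.50.7", "8.8.8.8"]:
        print("to", dst, "->", route_outbound(TABLE, dst))
    # The notebook may only speak for its own tunnel addresses.
    print("notebook as 10.8.0.2:", accept_inbound(TABLE, "notebook", "10.8.0.2"))
    print("notebook as 192.168.50.7:", accept_inbound(TABLE, "notebook", "192.168.50.7"))
```

A packet with no matching prefix has no peer and is not sent, and a peer that sends from an address outside its own list is dropped even though its packet decrypted correctly.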

This does not change the fact that Wireguard is still in development. Speed and usability are important factors, I agree with you there. But the most important issue is security, which you can only assume after the security and code audits were completed. I'm sure the Wireguard team is doing a great job, but everyone can make mistakes, that's why audits exist. But in the end, what good is a VPN which is fast and easy to use when its security is broken (e.g. due to a faulty implementation) and the traffic can be decrypted by an attacker?

ghling ( 2018-05-28 15:42:40 +0200 )

sic! Security is needed...

cy8aer ( 2018-05-28 16:21:57 +0200 )

The thing is, however, that the userspace interfaces aren’t very likely to change since the overall design and configuration is simple. So whether or not the official kernels will ship with a WireGuard module anytime soon, implementing support for it in the GUI should not be hard. NetworkManager added support for it recently while it still can’t deal with OpenVPN properly after all these years. Quite telling :)

And as far as security is concerned, I trust the WireGuard developers more than I trust anybody who believes that having x.509 as part of a design is a good idea. It’s very hard to screw up WireGuard’s configuration, and that also goes for its inner workings: It only uses one set of crypto primitives in one specific configuration, and changing these means changing the protocol version. It avoids complexity, which makes it much easier to use, review and audit.

WireGuard is also much better suited for use with unstable mobile connections than any other VPN protocol I know of, and it doesn’t eat your battery.

lachs0r ( 2018-09-10 14:51:37 +0200 )

Stats

Asked: 2018-03-31 17:43:15 +0200

Seen: 677 times

Last updated: May 29 '18