WireGuard worth the risk ?

JoeBee
Hi, I see many jumping on the new kid on the block, the WireGuard protocol, but came across a good read here:

https://restoreprivacy.com/wireguard/

Despite the back and forth debate between many top VPN providers, especially Mullvad, Azire, NordVPN and AirVPN, AirVPN state that they will not use their customers as testers and, just like the article said, it's not recommended. I personally rate AirVPN and Mullvad right at the top, so this competitive drama is nuts to see.

Do you feel it's still safe to use WireGuard with Mullvad, Azire and other WG-supporting providers, or do you feel it's a pass for now?
 
Folks worrying over the efficacy of cryptographic protocols might be better off using different technology to begin with.

If a person does something like stream pirate content to Kodi, or download the occasional movie, it is highly unlikely the copyright owner is going to go to much effort to track them down. The lowest hanging fruit may get snagged, but in general, if you avoid having your IP show up in honeypot torrents, you are fine. If it does show up, you risk getting a nastygram from your ISP that might threaten to disconnect your internet connection if you get caught six or seven more times in the next week.

On the other hand, if you are a Christian missionary in Iran who is using social media to spread the word of Christ, you have more to concern yourself with. And if you are involved in government espionage and have to contend with cyber-warfare military matters, you have another set of challenges.

In short, you need to assess the risk and plan accordingly. Use the proper tool for the job. Know your enemy. Another cliché here.

What follows is a history lesson that I will enjoy typing more than you will enjoy reading.

VPNs became relevant when T1s and internet access became less expensive than the packet switching and frame relay and dedicated PRI lines that were commonly used at the time. A methodology was needed to connect remote locations across the uncontrolled internet, and a VPN is ideally suited to take the place of a dedicated line by making it dedicated logically, by using encryption. VPNs were never designed to provide privacy, they provide security, which is a different thing. Any privacy lent by a VPN is incidental to the intended purpose.

People quickly started realizing that we could leverage things like VPNs and SSH forwarding to glean a little privacy for little things like obscuring web surfing from our employers, and we could use them to bypass firewall restrictions (Napster on the OC48!) and a whole cottage industry selling VPN service for privacy sprung up like mushrooms on the forest floor after a good rain. And most of those boomers aren't the good kind. Many will come back on you. But that is a different story.

The point here is that VPNs work fine as a disguise, and they do provide a degree of security. But if you are starting to seriously worry about whether people like Linus Torvalds are correct when they praise Wireguard, then you are either worrying too much, or you have a much bigger target on your back than most people participating in torrents. And if it is the latter - if you are in Iran converting Taliban - for the love of Jesus, start using Tor or I2P. Those are the ONLY public solutions designed for actual anonymity.

TL;DR:
Steal TV? Wireguard = Good.
Protecting corporate data? Wireguard = Good.
Planning an assassination? Maybe you need more.

Don't use a screwdriver as a hammer.
 
This guy ^ understands Commo OpSec.
 
Not distilled enough :p.
A VPN does not fully protect you, as you still have your browser, which is why a proxy is needed.
If you use a proxy, you can go with SSL to have a secure line, but regardless of VPN or proxy, the server will always be visible to your ISP, meaning that your ISP knows you visited it. However, you can chain proxies and VPNs. Proxies have the additional benefit of being able to manipulate your requests, something VPNs can't do.

If you need to be covert, a proxy does a better job.
If you need to be anonymous, a proxy does a better job.
If you just need secure connectivity between 2 spots to extend the network, use a VPN.
I've used a public VPN before; it leaked a lot of users who were on the same network.

Now getting back to the point, WireGuard VPN is worth it. I haven't tried it, but they are less arrogant than Ubuntu and OpenVPN, that's why when I can I am switching to WireGuard. It's not just a question of which is faster or more secure, but when your options are limited, WireGuard is better than OpenVPN.
 
I haven't tried it, but they are less arrogant than Ubuntu and OpenVPN, that's why when I can I am switching to WireGuard. It's not just a question of which is faster or more secure, but when your options are limited, WireGuard is better than OpenVPN.
So you're saying that WireGuard is "better" because you think the OpenVPN developers are arrogant.
 
Nope. Neither a proxy nor a VPN is anonymous. Both redirect, but neither provides true anonymity. Even a botnet with a rotating proxy chain is not anonymizing, only more thoroughly obfuscating.

I will explain the distinction in more detail if you like, but in short, only Tor and I2P provide more than a cloak.

Edited because apparently spellcheck thinks botnet means BITNET...
 
Not even Tor, as most nodes on Tor networks are government/intelligence owned, a weakness of Tor. You also can't pick your nodes on Tor.
You can pick your nodes with VPNs and proxies. I did not say they are fully anonymous either, but let's say you are doing espionage and you want to hide yourself from the target: a VPN will do you no good for that, a proxy will, as a proxy hides you from the target, since proxies can be made (even customised if you are a coder, much, much faster than making a new kind of VPN) to manipulate your requests and packets however you so please.

No, for hiding from the ISP, SSL is already a tunnel, as whether you use a VPN or a proxy, the first node is always visible to the ISP. Tor is no different from a VPN or proxy, only that you cannot pick your nodes, and with a proxy you can actually set up your own around the world easily to deploy custom code. Many routers also run nginx, so if you have compromised routers you can install PHP on them and upload your custom proxy, something you cannot do with Tor.
 
So you're saying that WireGuard is "better" because you think the OpenVPN developers are arrogant.
More than that, it's not mainstream, so no one bothers to block it when blocking all VPNs.
Better in a few ways: OpenVPN is already blocked in some places, WireGuard isn't.
Less arrogant support means if there's something you cannot solve, you will get an answer rather than "do it their way".
Because they are less arrogant, that means they will go further when developing it rather than stagnated development.
 
More than that, it's not mainstream, so no one bothers to block it when blocking all VPNs.
Better in a few ways: OpenVPN is already blocked in some places, WireGuard isn't.
I find this a strange logic. WireGuard is "better" because hardly anyone is using it. Surely it's only a matter of time...

But in my (limited) experience VPN services are blocked by their IP address not whatever protocol happens to be used.
 
I find this a strange logic. WireGuard is "better" because hardly anyone is using it. Surely it's only a matter of time...

But in my (limited) experience VPN services are blocked by their IP address not whatever protocol happens to be used.
Only public ones, but many who use it create private tunnels. For example, let's say you know someone over the internet; you could form a tunnel with that guy, say from China, using WireGuard so that guy can bypass the country's restrictions and monitoring.
WireGuard isn't that rarely used, it's just that more effort is spent on blocking the 4 regular types of VPN and also OpenVPN, due to their age and the fact that they have the highest number of users. If WireGuard is able to keep up with the demand, it would then be impossible to block WireGuard should it use the same profile as an existing essential service required for the internet to work. It's also decently secure, so it's definitely a consideration too. The other alternative is IKE.
 
Since we're dealing with security products here, people should keep in mind that while the OpenVPN code went through two audits over the past few years, the Wireguard code still hasn't been properly audited.

It doesn't mean that the Wireguard isn't solid/secure, just that it hasn't been proven so yet.
 
Since we're dealing with security products here, people should keep in mind that while the OpenVPN code went through two audits over the past few years, the Wireguard code still hasn't been properly audited.

It doesn't mean that the Wireguard isn't solid/secure, just that it hasn't been proven so yet.
And one would think that at only ~4,000 lines of code, versus the 600,000+ lines that is OpenVPN, WG wouldn't take that long to get some kind of official auditing completed and publicized... but of course it's much more complex than that for all the obvious reasons. Still, it would be nice to get a few sanctioned bodies and/or unbiased third parties to vet the thing. Maybe within 2020?

TL;DR - It would also be nice if they could somehow come up with a way to make WG more AAA-friendly, so it could be more easily used in a directory-based, business environment. One can wish, can't they? :)
 
And one would think that at only ~4,000 lines of code, versus the 600,000+ lines that is OpenVPN, WG wouldn't take that long to get some kind of official auditing completed and publicized... but of course it's much more complex than that for all the obvious reasons. Still, it would be nice to get a few sanctioned bodies and/or unbiased third parties to vet the thing. Maybe within 2020?

TL;DR - It would also be nice if they could somehow come up with a way to make WG more AAA-friendly, so it could be more easily used in a directory-based, business environment. One can wish, can't they? :)

It's probably still an expensive project considering this is open-source and not from a company with financial backing. In the OpenVPN case, two audits were sponsored, one of them by the PIA folks; can't remember who sponsored the second one (might have been paid directly by the commercial branch of OpenVPN).
 
Thanks for all the input, it's an interesting read and discussion. For now I will stick to OpenVPN, but I may dabble with WG soon!
 
PIA VPN has a beta FW to test WireGuard for Windows 10.
 
the Wireguard code still hasn't been properly audited.
In their mailing list:

WireGuard had a brief professional security audit. The auditors didn't find any vulnerabilities, but they did suggest one defense-in-depth suggestion to protect against potential API misuse down the road, mentioned below. This compat snapshot corresponds with the patches I just pushed to Dave for 5.6-rc7.

It may not be a high-level, in-depth audit, but it is good news.
 
Not distilled enough :p.
A VPN does not fully protect you, as you still have your browser, which is why a proxy is needed.

What do you mean?

I understand this much. Even if commercial VPNs do what they claim to do by not keeping any logs and not reading or storing the user’s data, they still don’t provide anonymity because they do different things depending where in the data link the observer is. They partially pseudonymize the identity of the user at the destination address by changing the user’s IP address, but they don’t obfuscate the fingerprint, which is a major weakness that almost renders their service useless. They do obfuscate the destination address for the ISP and make the content unreadable by encrypting the data during transfer, but they can’t do anything to stop the user from revealing personal information to the people at the destination address – either directly or by using the same computer with and sometimes without a VPN.

What you are writing seems a bit more advanced.

If you use a proxy, you can go with SSL to have a secure line, but regardless of VPN or proxy, the server will always be visible to your ISP, meaning that your ISP knows you visited it. However, you can chain proxies and VPNs. Proxies have the additional benefit of being able to manipulate your requests, something VPNs can't do.

Do you mean this:

And this:

if the communications link operates continuously and carries an unvarying level of traffic, link encryption defeats traffic analysis.

Are you saying the VPN’s encrypted data can be obfuscated via SSL, somehow beating the ISP’s traffic analysis, and therefore not draw any attention to the fact somebody is using a VPN in a country where it’s illegal to use a VPN?

Can you give a practical example?
 
What do you mean?

I cannot pretend to speak for System Error Message, he is a particularly smart person and can explain himself just fine. But what I *think* that he meant by "...you need a proxy too" is that a proxy diverts away from the VPN connection itself, which obscures you from the VPN provider.

In other words, if your VPN is a corporate connection to your work, then obviously it isn't private or anonymous, it is just (hopefully) secure. And if you are using a commercial VPN service for privacy, your connection is still not obscured from the VPN provider, regardless of what they say. You are relying on that provider's history of resisting subpoenas and the like and kinda crossing your fingers. In a way, you are using the VPN provider *as* a proxy, and using something else in between those two connections may make it more complex to locate you.

The rest of what he is saying about Tor being government controlled, and about not being able to pick your own nodes, I do not understand. There are absolutely malicious actors running exit nodes, and many are likely state sponsored, but you can configure nodes in torrc.
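As an added illustration of the torrc node selection mentioned above (this fragment is constructed for this page, not posted by anyone in the thread): the option names are real Tor configuration directives, and the country codes are example values.

```conf
# Constructed torrc fragment: restrict which relays Tor will build circuits through.
# Country-code selectors like {de} require Tor's GeoIP database to be present.

# Only use exit relays located in Germany or the Netherlands.
ExitNodes {de},{nl}

# Never use relays in these countries at any position in a circuit.
ExcludeNodes {us},{gb}

# Exit-position exclusions can also be listed separately.
ExcludeExitNodes {ru}

# StrictNodes 1 makes Tor fail closed: if no permitted relay is available it
# refuses to build the circuit rather than silently using an excluded relay.
# Caveat for defenders: narrowing relay choice shrinks your anonymity set,
# and the Tor manual warns that these options can reduce anonymity.
StrictNodes 1
```

EntryNodes exists for pinning the guard position in the same way, but pinning guards is generally discouraged because Tor's default guard rotation is part of its protection against malicious relays.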
 
Don't use a screwdriver as a hammer.

Hilarious stuff - thx... what you don't know can and will hurt you today if you try hard enough and 'just believe'... old p2p 1.544 T1/E1 lines (and bonded+) at $2K plus a month weren't fast, but they were capable of being made robust... Are we learning yet? - seems not... thanks again for a fun nostalgic reality read...
 