nocman 20 hours ago

"With traditional solutions (such as OpenVPN / IPSec) starting to run out of steam" -- and then zero explanation or evidence of how that is true.

I can see an argument for IPSec. I haven't used that for many years. However, I see zero evidence that OpenVPN is "running out of steam" in any way shape or form.

I would be interested to know the reasoning behind this. Hopefully the sentiment isn't "this is over five years old so something newer must automatically be better". Pardon me if I am being too cynical, but I've just seen way too much of that recently.

vlovich123 20 hours ago | parent | next [-]

Seems like you just haven’t been paying attention. Even commercial VPNs like PIA and others now use Wireguard instead of traditional VPN stacks. Tailscale and other companies in that space are starting to replace VPN stacks with Wireguard solutions.

The reasons are abundant, the main ones being performance is drastically better, security is easier to guarantee because the stack itself is smaller and simpler, and it’s significantly more configurable and easier to obtain the behavior you want.

_joel 19 hours ago | parent | next [-]

I use and advocate for wireguard but I don't see its adoption in bigger orgs, at least the ones I've worked in. Appreciate this situation will change over time, but it'll be a long tail.

vlovich123 18 hours ago | parent | next [-]

It’ll take a little bit of time. But for example Cloudflare’s Warp VPN also uses Wireguard under the hood.

So while corp environments may take a long time to switch for various reasons, it will happen eventually. But for stuff like this corp IT tends to be a lagging adopter, 10-20 years behind the curve.

byhemechi 10 hours ago | parent [-]

Warp actually uses MASQUE (UDP/IP over QUIC) by default

vlovich123 8 hours ago | parent [-]

I hadn’t realized they changed the default. It originally was Wireguard but you’re right - they added MASQUE as a tunnel option and it’s the default.

BuildTheRobots 17 hours ago | parent | prev | next [-]

Bigger orgs for the most part use whatever vpn solutions their (potentially decade old) hardware firewalls support. Until you can manage and endpoint a Wireguard tunnel on Cisco, Juniper, Fortigate (etc) hardware then it's going to take a while to become more mainstream.

Which is a shame, because I have a number of problematic links (low bandwidth, high latency) that wireguard would be absolutely fantastic for, but neither end supports it and there's no chance they'll let me start terminating a tonne of VPNs in software on a random *nix box.

danudey 19 hours ago | parent | prev | next [-]

If you use Kubernetes and Calico you can use Wireguard to transparently encrypt in-cluster traffic[1] (or across clusters if you have cluster mesh configured). I wonder if we'll see more "automatic SDN over Wireguard" stuff like this as time goes on and the technology gets more proven.

Problem is IIRC if you need FIPS compliance you can't use Wireguard, since it doesn't support the mandated FIPS ciphers or what-have-you.

[1]https://docs.tigera.io/calico/latest/network-policy/encrypt-...

_joel 18 hours ago | parent [-]

sure, but I mean "road warrior" client. Typical, average company VPN users. Ironically getting a technology like wireguard in k8s is easier than replacing an established vendor/product that serves normal users.

ted_dunning 16 hours ago | parent | prev | next [-]

The anti-FIPS position of the wireguard implementors is a big problem for adoption.

sheepybloke 12 hours ago | parent [-]

Exactly. We've looked at using Wireguard at my company, but because it can't be made FIPS compliant, it makes it a hard sell. There is a FIPS Wireguard implementation by WolfSSL, interestingly enough.

awakeasleep 19 hours ago | parent | prev [-]

Yeah it'll be running out of steam not only when regulators _understand_ wireguard, but when it's the recommendation and orgs need to justify their old vpn solution

mort96 5 hours ago | parent | prev [-]

OpenVPN makes SNAT relatively trivial, from what I can tell. So I can VPN into a network, use a node on the network as my exit node, and access other devices on that network, with source-based NAT set up on the exit node to make it appear as if my traffic is coming from the exit node.

Wireguard seems to make this much more difficult from what I can tell, though I don't know enough about networking to know if that's fundamental to wireguard or just a result on less mature tooling.

Hikikomori 3 hours ago | parent [-]

WG is no different really, but you'll have to set it up yourself unless you use a client like tailscale. WG is just bare bones and you're supposed to use a proper client.

Add SNAT rule, enable forwarding, add allowedIPs to WG config.
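
The three steps listed here (and the exit-node SNAT setup mort96 describes above) as an added shell example; this is not code from either poster. It assumes a Linux exit node running wg-quick and nftables, and every interface name, address and key in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: renders the three pieces Hikikomori
# lists (SNAT rule, forwarding, AllowedIPs) for using a WireGuard peer as an
# exit node into a remote LAN. Every address, interface name and key below is a
# constructed placeholder; adjust before use.

WG_IF="wg0"                    # WireGuard interface on the exit node
LAN_IF="eth0"                  # exit node's LAN-facing interface
LAN_CIDR="192.168.1.0/24"      # remote LAN the road-warrior wants to reach
TUNNEL_CIDR="10.7.0.0/24"      # addresses used inside the tunnel
CLIENT_TUNNEL_IP="10.7.0.2"    # road-warrior's tunnel address
CLIENT_PUBKEY="CLIENT_PUBLIC_KEY_PLACEHOLDER"
EXIT_PUBKEY="EXIT_NODE_PUBLIC_KEY_PLACEHOLDER"
EXIT_ENDPOINT="vpn.example.invalid:51820"

# Road-warrior side [Peer] block. Listing LAN_CIDR in AllowedIPs is what makes
# wg-quick add a route for the LAN through the tunnel; without it packets for
# the LAN never enter wg0 at all (cryptokey routing doubles as the ACL).
client_peer_block() {
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s, %s\nPersistentKeepalive = 25\n' \
    "$EXIT_PUBKEY" "$EXIT_ENDPOINT" "$TUNNEL_CIDR" "$LAN_CIDR"
}

# Exit-node side [Peer] block for that client. AllowedIPs is pinned to the
# client's single /32, so a packet arriving from this peer with any other
# source address is dropped by WireGuard before it reaches the forwarding path.
exit_peer_block() {
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' \
    "$CLIENT_PUBKEY" "$CLIENT_TUNNEL_IP"
}

# nftables ruleset for the exit node: a default-drop forward chain that only
# permits tunnel -> LAN plus return traffic, and a postrouting masquerade so
# LAN hosts see the exit node's own address as the source (the SNAT the
# thread describes).
exit_node_nft_rules() {
  cat <<EOF
table inet wg_exit {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$WG_IF" oifname "$LAN_IF" ip saddr $TUNNEL_CIDR ip daddr $LAN_CIDR accept
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$LAN_IF" ip saddr $TUNNEL_CIDR masquerade
  }
}
EOF
}

# Enables forwarding and loads the ruleset on the exit node (needs root).
# Only runs when invoked with --apply, so the rendering functions above can be
# inspected without touching the host.
apply_exit_node() {
  sysctl -w net.ipv4.ip_forward=1
  exit_node_nft_rules | nft -f -
}

case "${1:-}" in
  --apply) apply_exit_node ;;
  *)
    echo "# road-warrior side"; client_peer_block; echo
    echo "# exit node side";    exit_peer_block;   echo
    exit_node_nft_rules
    ;;
esac
```

Run without arguments to print both peer blocks and the ruleset for review; `--apply` turns forwarding on and loads the rules. The forward chain is deliberately default-drop: the masquerade rule alone would also work, but pairing it with an explicit tunnel-to-LAN accept rule keeps the exit node from becoming a general router if another interface is added later.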

mort96 2 minutes ago | parent [-]

Right, so my understanding is essentially correct. OpenVPN makes it trivial to set up a VPN which lets you access a remote LAN, without having to involve third-party SaaS products like Tailscale.

wmf 19 hours ago | parent | prev | next [-]

I wouldn't say they're running out of steam (they never had any) but OpenVPN was always poorly designed and engineered and IPSec has poor interop because there are so many options.

jbverschoor 18 hours ago | parent [-]

Unfortunately (luckily?) I don’t have enough knees about IPsec, but usually things make a lot more sense once you actually know the exact architecture and rationale behind it

jbverschoor 13 hours ago | parent [-]

Knowledge *

tw04 17 hours ago | parent | prev | next [-]

IPSec isn’t running out of steam anytime soon. Every commercial firewall vendor uses it, and it’s mandatory in any federal government installation.

WireGuard isn’t certified for any federal installation that I’m aware of and I haven’t heard of any vendors willing to take on the work of getting it certified when its “superiority” is of limited relevance in an enterprise situation.

IntoEquanimity 19 hours ago | parent | prev | next [-]

Interestingly tried out just now on one of my devices and Wireguard VPN speed was 5x faster on the same configuration compared to OpenVPN.

smcleod 18 hours ago | parent | prev | next [-]

OpenVPN has both terrible configuration and performance compared to just about anything else. I've seen it really drop off to next to no usage both in companies and for personal use over the past few years as wireguard based solutions have replaced it.

shadowpho 17 hours ago | parent [-]

Same here. With openvpn my somewhat modern cpu takes out a whole core @100% at like 200 megabits/s.

With WireGuard I instead max out the internet bandwidth (400 megabits/s) with like 20% cpu usage if that.

I really don’t understand why. We have AES acceleration. AES-NI can easily do more bps… why is openvpn so slow?

IlikeKitties 20 hours ago | parent | prev | next [-]

Wireguard is slowly eating the space alive and that's a good thing.

Here's a very educational comparison between Wireguard, OpenVPN and IPSec. It shows how easy wireguard is to manage compared to the other solutions and measures and explains the noticeable differences in speed: https://www.youtube.com/watch?v=LmaPT7_T87g

Very recommended!
