geoctl 16 hours ago

WireGuard-over-QUIC does not make any sense to me, this lowers performance and possibly the inner WireGuard MTUs. You can just replace WireGuard with QUIC altogether if you just want obfuscation.

nine_k 15 hours ago

It's not about performance, of course. It's about looking like HTTPS, being impenetrable, separating the ad-hoc transport encryption and the WireGuard encryption which also works as authentication between endpoints, and also not being TCP inside TCP.

geoctl 14 hours ago

You can just do that by using QUIC-based tunneling directly instead of using WireGuard-over-QUIC and basically stacking 2 state machines on top of one another.

bb88 14 hours ago

TCP over WireGuard is two state machines stacked on each other. QUIC over WireGuard is the same thing. Yet, both seem to work pretty well.

I think I see your argument, in that it's similar to what sshuttle does to eliminate TCP over TCP through ssh. sshuttle doesn't prevent HOL blocking though.

geoctl 13 hours ago

TCP over WireGuard is unavoidable because that's the whole point of tunneling. But TCP over WireGuard over QUIC just doesn't make any sense, neither from a performance nor from a security perspective. Not to mention that with every additional tunneling layer you need to reduce the MTU (which is already a very restricted sub-1500 value without tunneling) of all inner tunnels.

sauercrowd 14 hours ago

Probably simplifies their clients and backends I'd imagine?