| ▲ | GotaTun -- Mullvad's WireGuard Implementation in Rust(mullvad.net) |
| 205 points by km 3 hours ago | 44 comments |
| |
|
| ▲ | Hakkin 2 hours ago | parent | next [-] |
| I definitely noticed the performance boost on my Pixel 8, for some reason it seems to really not like wireguard-go, it struggled to pull even 100mbps, maybe something unoptimized on Google's custom hardware. With the new GotaTun version I can pull 500mbps+, though unfortunately it also seems to have introduced a bug that randomly prevents the phone from entering a deep sleep state, so occasionally my battery will randomly start draining at 10x normal speed if I have it enabled until I reboot. |
| |
| ▲ | vjerancrnjak an hour ago | parent | next [-] | | Same behavior on raspberry pi 5. Might be just lack of arm optimizations. | |
| ▲ | Hasnep an hour ago | parent | prev [-] | | Oh, this is the reason the Mullvad app on my Pixel 6a was suddenly able to connect in less than a second where before it would take 5-10 seconds, nice! |
|
|
| ▲ | turblety 2 hours ago | parent | prev | next [-] |
| Nice, I love WireGuard. I ended up building WrapGuard [1] to run applications without root access to the host and choose Go to write it in. I don't really know Rust, but does it make more sense for firmware/networking type software? Is there even a difference? 1. https://github.com/puzed/wrapguard |
| |
| ▲ | chjj an hour ago | parent | next [-] | | Very cool project. Is it always an LD_PRELOAD or can it function as a standalone SOCKS proxy similar to wireproxy? | | | |
| ▲ | skylurk 2 hours ago | parent | prev | next [-] | | Pick the devil you know, as they say. | |
| ▲ | maxmcd an hour ago | parent | prev | next [-] | | I believe you are making use of gVisor’s userspace TCP implementation. I’m not sure if there is something similar in Rust that would be so easy to set up like this. | | | |
| ▲ | unrealhoang 2 hours ago | parent | prev [-] | | from TFA, the main advantage would be for embedded (as a library) use case, FFI with Go is harder. |
|
|
| ▲ | mintflow 30 minutes ago | parent | prev | next [-] |
| For the similar reason I do not using any go based proxy code in my MintFlow app, and use rust to implement some proxy protocols. But my app’s wireguard is natively implemented by fdio vpp plugin, so it’s based on C. |
| |
| ▲ | Bigpet 12 minutes ago | parent [-] | | I would not have guessed that iOS allows enough access to APIs to implement anything vpp-based. Very cool to see. I also enjoyed working with vpp (for the brief 6 months that I had with it). |
|
|
| ▲ | nevi-me 2 hours ago | parent | prev | next [-] |
| If anyone working on the implementation is here, was it not possible to upstream your changes to BoringTun? The blog mentions some changes but doesn't go into detail on that aspect. |
| |
| ▲ | embedding-shape 2 hours ago | parent [-] | | I'm guessing because BoringTun has been in a state of "currently undergoing a restructuring" for something like 3 years by now, I'm guessing Mullvad wasn't too keen to maybe/maybe not be able to contribute, and much more prefer being in 100% control of their own implementation. As someone who wants to see Wireguard succeed and in even wider use, this move makes sense from that perspective too. The more implementations we have available, the more we can trust that the protocol is secure and stable enough. Personally I also have about 100x more trust in Mullvad than Cloudflare both in terms of security but more importantly privacy, but that's just the cherry on top. |
|
|
| ▲ | alias_neo an hour ago | parent | prev | next [-] |
| Is there any way to switch to this implementation for generic WireGuard users? I tried downloading their Android app, but it's not generally usable for people who host our own WireGuard, which is fair enough. |
| |
|
| ▲ | imcritic 2 hours ago | parent | prev | next [-] |
| I wish they would improve wireguard-the-protocol as well: wireguard doesn't stand a chance against gov/isp blocks. |
| |
| ▲ | razighter777 2 hours ago | parent | next [-] | | That's more of a job for an encapsulating protocol. (shadowsocks or similar) Wireguard isn't designed to be obfuscating alone. It's just a simple l3 udp tunnel with a minimal attack surface. | | |
| ▲ | Hendrikto an hour ago | parent [-] | | > It's just a simple l3 udp tunnel Wait, isn’t UDP L4? Am I missing something? | | |
| ▲ | gwehrli an hour ago | parent | next [-] | | Wireguard is a L3 VPN that uses UDP (L4) for tunneling. Thats probably what was meant. | |
| ▲ | eurg an hour ago | parent | prev [-] | | Yes, but it tunnels arbitrary IP packets encapsulated in UDP. |
|
| |
| ▲ | DANmode an hour ago | parent | prev | next [-] | | Known Limitations WireGuard is a protocol that, like all protocols, makes necessary trade-offs. This page summarizes known limitations due to these trade-offs. Deep Packet Inspection WireGuard does not focus on obfuscation. Obfuscation, rather, should happen at a layer above WireGuard, with WireGuard focused on providing solid crypto with a simple implementation. It is quite possible to plug in various forms of obfuscation, however. tl;dr Read the docs. | | | |
| ▲ | tvshtr 2 hours ago | parent | prev | next [-] | | There are forks of wg because of this. Like amnezia-wg | | | |
| ▲ | tetris11 2 hours ago | parent | prev [-] | | Anywhere I can read more about this? |
|
|
| ▲ | intsunny 2 hours ago | parent | prev | next [-] |
| Its funny, this is another of the billions of reasons why Mullvad should be the VPN of choice. But so many fucking people can't ever get over that their favorite social media influencer/Youtuber is offering a code for 200% off of NordShark VPN, now with extra AI. |
| |
| ▲ | Philip-J-Fry 14 minutes ago | parent | next [-] | | Mullvad is great for privacy. But it's blocked by pretty much every VPN block list. NordVPN at the very least bypasses all the ones I regularly encounter. I do use Mullvad for most web browsing though. But Imgur for example is blocked on it, and it's blocked in the UK, so I need NordVPN if I want to see any images there. Most people's VPN usage is literally just geolocation restrictions and Nord is really good at that. | |
| ▲ | Spunkie 23 minutes ago | parent | prev | next [-] | | I love and use mullvad myself but I don't think they are very competitive for the average person. They mostly just care about getting around geo blocks on websites and streaming services, which mullvad puts 0 effort into facilitating. | |
| ▲ | eatbitseveryday an hour ago | parent | prev | next [-] | | It became less of a choice for many after they sadly had to disable port forwarding. | | |
| ▲ | jorvi an hour ago | parent [-] | | Yeah, their reasoning is solid (easy to abuse) but it is still a very useful feature. AFAIK, at the moment your choices are AirVPN and ProtonVPN. AirVPN has static port forwarding and Proton has UPNP port forwarding. | | |
| |
| ▲ | swexbe 44 minutes ago | parent | prev | next [-] | | I wish I could use Mullvad. But their IPs are banned from many streaming services and they don't change them often enough so I am stuck with Nord. | |
| ▲ | aitchnyu 32 minutes ago | parent | prev | next [-] | | Not to mention holding companies which snap up 15 competing VPNs and whitelabel most of them. | |
| ▲ | tumdum_ an hour ago | parent | prev [-] | | You do know that NordSec maintains its own rust fork of BoringTun: https://github.com/NordSecurity/NepTUN ? :) | | |
|
|
| ▲ | ur-whale 2 hours ago | parent | prev [-] |
| One meta thing I've always wondered ... Are multiple implementations of the same protocol good or bad for security? Probably naively, I'm thinking: - diversity: good
- doubling the attack surface: real bad
What do the security folks out there think of the topic? |
| |
| ▲ | embedding-shape 2 hours ago | parent | next [-] | | I think the general consensus is that it improves security of the protocol, but obviously that won't matter much if the implementation gets something wrong or has worse security by itself. Issues in the protocol itself would need all implementations to change, but issues in the implementation would obviously be isolated to one implementation. For something like Wireguard, I'd wager a guess that issues in the implementations are more common than issues in the protocol, at least at this stage. | |
| ▲ | mwalser 2 hours ago | parent | prev | next [-] | | I wouldn't say that multiple implementations are duplicating the attack surface since most users will not end up running them in parallel. | | |
| ▲ | ur-whale 2 hours ago | parent [-] | | I meant at a global level (think as if you're attacking all wireguard users, not a single one) | | |
| ▲ | swiftcoder an hour ago | parent [-] | | The increased attack surface mostly only affects that one particular implementation though. So, yes, twice as many implementations that may contain exploitable bugs, but each new implementation could only be used to exploit a fraction of the total user base | | |
| ▲ | rlpb an hour ago | parent [-] | | > could only be used to exploit a fraction If anything this is a even a good thing, since it means that each individual vulnerability an attacker finds is less valuable to them. |
|
|
| |
| ▲ | saidnooneever 22 minutes ago | parent | prev | next [-] | | dont fix if it ain't broken. look at sudo-rs and other rust ports. ofc, thats a cynical view. i personally think its a bad idea to duplicate efforts. better combine them. otherwise u risk making mistakes that were already solved. missing lessons already learnt. | |
| ▲ | stevefan1999 2 hours ago | parent | prev [-] | | That's really good because it means it will be able to have more exposure, more exposure means more improvement, more improvement eventually dig out bad bugs and reduces the attack surface in the long run |
|
