
Wireguard will likely replace OpenVPN.

But it won’t be faster than IPsec (basically the same framing overhead), and won’t be replacing IPsec.



I've been using WireGuard lately on my phone and laptop. I can tell that it's leaps and bounds faster than OpenVPN in terms of pure network throughput, but also in terms of how fast it establishes a channel. With such performance it is a viable always-on VPN solution. In other words, it's a game changer.

Regarding IPsec: I have never been able to reliably configure and use IPsec, and I've been in IT for several decades. Not that it can't be done, it's just too complex, so much so that it only makes sense for large companies to hire and train specialists who can do it. If WireGuard offers similar throughput but eliminates complexity, I'd say it makes sense to replace IPsec with it, if only to reduce complexity.


It's much easier on the OpenBSD OpenIKED (IKEv2) server that competes with theirs and that they denigrate, at least with iOS and macOS clients. Where WG wins massively over IPsec is in ease of configuration.


Single client implementation is the easy part. The hell starts when you need to use several different clients (think iOS, Android built-in or strongSwan, Windows, Linux Libreswan or strongSwan, also throw in several appliances by different vendors) and each of them has different ideas about what is acceptable in their algo list[1].

And that's just cipher negotiation. Don't get me started on what the clients expect to be in the certificates as CN and SAN. You have an IPsec gateway behind NAT (so the internal IP of the gateway is different from the public IP), with a dynamic IP, so you need to use DNS instead of a fixed IP? Good luck with configuring your Windows clients.

[1] I.e. Libreswan has deprecated MD5 and SHA1 in their default algo list; if you need them, you must find out how to configure the client that uses it as a backend. Ubiquiti routers on the other hand support SHA1 as their strongest auth algorithm, so there is no match, leading to forum posts like this: https://community.ui.com/questions/L2TP-unusable-on-Fedora/d..., where people butcher it and end up using 3DES and DH group 2. Yay, great for security.
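The negotiation failure described in that comment, as an added Python illustration (not code from the thread or from any of the named projects): two peers' proposal lists are intersected per algorithm kind the way an IKE responder does, and the result is audited for weak algorithms so the "butchered" fix is visible. Every algorithm list here is constructed, not a real vendor default.

```python
"""Model IKE-style proposal matching between two IPsec peers and flag weak
fallbacks. Added illustration, not code from the thread; every algorithm
list below is constructed, not a real vendor default."""
from itertools import product

KINDS = ("encr", "integ", "dh")
# Algorithms a defender should not accept in a new tunnel (modp1024 is DH group 2).
WEAK = {"3des", "md5", "sha1", "modp1024"}

# Constructed: a client whose defaults dropped MD5/SHA1, like the Libreswan case.
CLIENT_DEFAULT = {
    "encr": {"aes256", "aes128"},
    "integ": {"sha2_256", "sha2_512"},
    "dh": {"modp2048", "ecp256"},
}
# Constructed: an appliance whose strongest integrity algorithm is SHA1.
APPLIANCE = {
    "encr": {"aes128", "3des"},
    "integ": {"sha1"},
    "dh": {"modp1024", "modp2048"},
}

def negotiate(initiator, responder):
    """Return every (encr, integ, dh) triple both peers accept; [] means no match."""
    common = {k: initiator[k] & responder[k] for k in KINDS}
    if not all(common.values()):          # one empty kind sinks the whole SA
        return []
    return sorted(product(*(common[k] for k in KINDS)))

def audit(initiator, responder):
    """Report whether the peers match and which weak algorithms the best match uses."""
    triples = negotiate(initiator, responder)
    best = min(triples, key=lambda t: len(set(t) & WEAK), default=None)
    return {
        "matched": bool(triples),
        "best": best,
        "weak_in_best": sorted(set(best) & WEAK) if best else [],
    }

def relax(peer, extra):
    """The 'butchering' fix: widen one peer's lists. Returns a new dict."""
    return {k: peer[k] | set(extra.get(k, ())) for k in KINDS}

if __name__ == "__main__":
    print(audit(CLIENT_DEFAULT, APPLIANCE))      # no match at all
    relaxed = relax(CLIENT_DEFAULT, {"integ": {"sha1"}})
    print(audit(relaxed, APPLIANCE))             # matches, but only over sha1
```

Running the audit before widening a client's list shows whether the only way to a match is through an algorithm in `WEAK`, which is the point at which to change the appliance rather than the client.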


OpenVPN also gets super complex once you get past the basic config stuff.


Why wouldn't it replace IPsec? And why can't it be as fast as IPsec?

I can only see one reason, their choice of ChaCha20-Poly1305 (which should be reconsidered IMO).



