[HN Gopher] WireGuard for Windows now uses high speed kernel imp...
___________________________________________________________________

WireGuard for Windows now uses high speed kernel implementation

Author : zx2c4
Score  : 137 points
Date   : 2021-09-16 13:05 UTC (2 days ago)

  | tptacek wrote:
  | These are some of the hardest working people in show business.
  |
    | optimiz3 wrote:
    | What do you mean by show business?
  |
  | wolverine876 wrote:
  | There's a good description here of what they're doing:
  | https://lists.zx2c4.com/pipermail/wireguard/2021-August/0068...
  |
  | I am curious (though happy) about their focus on performance. For
  | most security projects, the specification seems to be 'sufficient'
  | performance and beyond that they invest their limited resources
  | elsewhere. The WireGuard team seems to make it a top priority.
  |
  | Maybe this upgrade was needed to be 'sufficient'? Maybe they see
  | performance as key to adoption? Or maybe they have other reasons.
  | I could see how WireGuard's significant reduction in complexity,
  | compared to other VPN software, could feed performance.
  |
  | It's hard to imagine the Internet without WireGuard, without a
  | VPN I have confidence in. Thank you Jason and team!
  |
    | lgierth wrote:
    | I think performance is just a top priority as security, I
    | remember how in their first whitepaper they already talked
    | about how they batch up packets and stuff like that. Also the
    | whole approach of kernelspace instead of userspace is just for
    | performance.
    |
    | Actually, I think in the beginning there was even a "marketing
    | chart" with throughput numbers in addition to the chart with
    | lines-of-code numbers?
    |
    | Edit: performance being a top priority also makes sense
    | strategically: if you want people to use secure software en
    | masse, then the experience needs to be stellar in UX and
    | performance as well.
    |
      | wolverine876 wrote:
      | > I think performance is just a top priority as security ...
      |
      | That's my impression too. Nothing wrong with it, but I wonder
      | what their thinking is.
    |
    | loeg wrote:
    | > For most security projects, the specification seems to be
    | 'sufficient' performance and beyond that they invest their
    | limited resources elsewhere.
    |
    | I think this impression is basically mistaken, but I'd love to
    | hear about any examples you have in mind.
    |
      | wolverine876 wrote:
      | It may be mistaken but to be clear, I don't mean it
      | critically. Most FOSS projects have very limited resources -
      | most FAANG projects have limited resources (and skip the
      | security to invest in addictive user experiences and data
      | collection). If security is the aim, it's wise to spend the
      | resources there.
      |
      | An example? Signal. I love it but performance isn't more than
      | sufficient IME. I'm glad Moxie and crew are spending their
      | time inventing new security technology for the world.
    |
    | orra wrote:
    | > The WireGuard team seems to make [performance] a top
    | priority.
    |
    | Well, if people adopt WireGuard because it's really fast,
    | they'll also end up with a relatively secure VPN. Together,
    | it's really compelling.
    |
    | zx2c4 wrote:
    | Security is the top priority. But being useful is also
    | important; if nobody can use it, nobody benefits from that
    | security. Acceptable performance is very important for being
    | useful, especially when tunneling layer 3 packets, where
    | latency has rippling effects. The prior non-kernel WireGuard
    | for Windows simply was not sufficiently useful for real world
    | workloads people wanted to run, because of the lower
    | performance, both on servers and on laptop wifi alike.
    |
    | A big part of the WireGuard project since the beginning has
    | been trying to figure out how to do high security tunneling
    | that also performs acceptably. It's easy to do one without the
    | other, but doing them both together has meant thinking about a
    | lot of fundamentals, from the protocol state machines on up.
    | It's hard to do tunneling in the kernel at high speed while
    | still maintaining a strong security posture. That's a principal
    | challenge the project endeavors to solve.
    |
    | More generally, it's worth noting that cryptographers also care
    | about performance quite a bit in things like symmetric crypto.
    | We know well how to make a good cipher now, but making one that
    | also performs at increasingly high speeds remains an open area
    | of research, with whole conferences, such as FSE, devoted to
    | it.
    |
      | pdenton wrote:
      | Seems to me like if you need to do your task inside the
      | kernel to get acceptable performance, there's something wrong
      | with that kernel.
      |
      | It's also arguably more difficult to do a given task in the
      | kernel than in userland, code for the kernel is much more
      | security-sensitive and even subtle bugs can be detrimental to
      | overall system performance (or even exploitable).
      |
      | Best thing would be to fix the OS instead of piling up
      | kludges.
      |
        | Godel_unicode wrote:
        | Basically all high performance VPN implementations are
        | kernel-mode. Just because something is difficult does not
        | make it automatically wrong. Note that the main userland
        | VPN which gets cited (OpenVPN) has terrible battery and
        | latency performance.
        |
        | https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-...
        |
        | https://www.freebsd.org/cgi/man.cgi?query=ipsec&sektion=4&fo...
        |
        | sorenjan wrote:
        | What do you suggest that the Wireguard team should do about
        | that?
  |
  | Jenk wrote:
  | My employer uses wireguard (perimeter81) - during video
  | conferences (using ms teams) the VPN client goes bananas,
  | occupying some 40-50% of a cpu core - I assume to en/decode the
  | video streams - so I hope this will improve that experience.
  |
  | DenisM wrote:
  | Whatever happened to hardware accelerated encryption? Did it
  | never become a thing?
  |
    | tyingq wrote:
    | There's AES-NI, on most modern x64 processors, which helps with
    | some VPN ciphers.
    | But I think Wireguard uses Chacha20 after the key exchanges for
    | most of the traffic, and AES-NI doesn't help with that.
  |
  | captainmuon wrote:
  | It's good to see WireGuard getting some love on Windows.
  | Unfortunately it's not for me at the moment and doesn't tick the
  | boxes I need:
  |
  | - Last I checked, dynamic server IPs were not supported
  |
  | - It's system wide by default. With all VPNs, it is relatively
  | difficult to say: use this connection for these applications, or
  | these addresses. Popular VPN apps have per-app-settings, but I
  | find them buggy and not trustworthy. And if you are an expert you
  | can set your own routing of course. But it would be great if you
  | could just right click on a titlebar and say "use VPN for this
  | app", and it was integrated with the OS
  |
  | - There is no obfuscation for hostile environments. I would like
  | a VPN which has pluggable transports, and can, say, look like ssh
  | or http or a game, and route over 20 random servers. I know of
  | shadowsocks etc., but I could never get it to run.
  |
  | - There is no integration with Windows login AFAIK. If you want
  | to log into a Windows AD domain, you need to be in the VPN, but
  | you can't establish connection when you are not logged in. This
  | is really annoying. There is a capability in Windows for this,
  | but I never found a VPN where it works properly.
  |
  | So technically WireGuard is great, security and speed wise, but
  | for me the potential VPN killer application would be defined by
  | superior UX, not by tech.
  |
    | c7DJTLrn wrote:
    | On your last point, I have a similar problem. I'd like to use
    | WireGuard in a large fleet but the authentication/encryption is
    | just too barebones. You have to generate a keypair for each
    | host and then add that public key to a file on the server. In
    | other words, you can't do it with X509 certificates.
    |
    | I appreciate WireGuard is designed for simplicity but I don't
    | see how it can scale with this limitation.
      | phkahler wrote:
      | Other VPN software will change out their lower layers for
      | WireGuard, while keeping things like key management as is.
  |
  | ur-whale wrote:
  | After fighting with OpenVPN for years, I finally switched to
  | Wireguard a while back.
  |
  | Wireguard on Linux is simply _amazing_, been using it for the
  | last year plus to link all of my devices in a single tunneled
  | LAN, it's been a blast (I can access any of my devices from any
  | of my devices, wherever I or they may be physically located).
  |
  | I do keep _one_ windoze box because I occasionally need to run
  | things that refuse to run on anything but that, and I recently
  | installed wireguard on it ... was expecting headaches ... what do
  | you know, it worked right out of the box, and I can actually
  | _securely_ ssh into the Redmond-spawned contraption from any of
  | my other devices, including my android phone.
  |
  | Wireguard FTW.
  |
  | cm2187 wrote:
  | That should toast OpenVPN in terms of performance. I never managed
  | to get more than 5MB/s on OpenVPN on windows, I understand
  | precisely because it wasn't implemented in kernel. I ended up
  | running a pfsense gateway in a VM.
  |
    | neilalexander wrote:
    | It also doesn't help that the OpenVPN TAP driver on Windows is
    | utterly abysmal. Wintun (also born out of the Wireguard
    | project) performs significantly better.
  |
  | Hamuko wrote:
  | I'm gonna guess there's no such development planned for macOS
  | given how Apple wants to dump all kernel extensions.
  |
    | zx2c4 wrote:
    | I would love to work on this, but indeed it won't happen
    | without Apple's blessing. It would be terrific to work with
    | them on this, though!
  |
  | rastafang wrote:
  | Even without that, it was probably faster than everything else? I
  | wouldn't know because I avoid Windows...
___________________________________________________________________
(page generated 2021-09-18 23:00 UTC)