[HN Gopher] WireGuard for Windows now uses high speed kernel imp...
___________________________________________________________________
WireGuard for Windows now uses high speed kernel implementation
Author : zx2c4
Score : 137 points
Date : 2021-09-16 13:05 UTC (2 days ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| tptacek wrote:
| These are some of the hardest working people in show business.
| optimiz3 wrote:
| What do you mean by show business?
| wolverine876 wrote:
| There's a good description here of what they're doing:
| https://lists.zx2c4.com/pipermail/wireguard/2021-August/0068...
|
| I am curious (though happy) about their focus on performance. For
| most security projects, the specification seems to be
| 'sufficient' performance and beyond that they invest their
| limited resources elsewhere. The WireGuard team seems to make it
| a top priority.
|
| Maybe this upgrade was needed to be 'sufficient'? Maybe they see
| performance as key to adoption? Or maybe they have other reasons.
| I could see how WireGuard's significant reduction in complexity,
| compared to other VPN software, could feed performance.
|
| It's hard to imagine the Internet without WireGuard, without a
| VPN I have confidence in. Thank you Jason and team!
| lgierth wrote:
| I think performance is just a top priority as security, I
| remember how in their first whitepaper they already talked
| about how they batch up packets and stuff like that. Also the
| whole approach of kernelspace instead of userspace is just for
| performance.
|
| Actually, I think in the beginning there was even a "marketing
| chart" with throughput numbers in addition to the chart with
| lines-of-code numbers?
|
| Edit: performance being a top priority also makes sense
strategically: if you want people to use secure software en masse,
then the experience needs to be stellar in UX and performance as
well.
| wolverine876 wrote:
| > I think performance is just a top priority as security ...
|
| That's my impression too. Nothing wrong with it, but I wonder
| what their thinking is.
| loeg wrote:
| > For most security projects, the specification seems to be
| 'sufficient' performance and beyond that they invest their
| limited resources elsewhere.
|
| I think this impression is basically mistaken, but I'd love to
| hear about any examples you have in mind.
| wolverine876 wrote:
| It may be mistaken but to be clear, I don't mean it
| critically. Most FOSS projects have very limited resources -
| most FAANG projects have limited resources (and skip the
| security to invest in addictive user experiences and data
| collection). If security is the aim, it's wise to spend the
| resources there.
|
| An example? Signal. I love it but performance isn't more than
| sufficient IME. I'm glad Moxie and crew are spending their
| time inventing new security technology for the world.
| orra wrote:
| > The WireGuard team seems to make [performance] a top
| priority.
|
| Well, if people adopt WireGuard because it's really fast,
| they'll also end up with a relatively secure VPN. Together,
| it's really compelling.
| zx2c4 wrote:
| Security is the top priority. But being useful is also
| important; if nobody can use it, nobody benefits from that
| security. Acceptable performance is very important for being
| useful, especially when tunneling layer 3 packets, where
| latency has rippling effects. The prior non-kernel WireGuard
| for Windows simply was not sufficiently useful for real world
| workloads people wanted to run, because of the lower
| performance, both on servers and on laptop wifi alike.
|
| A big part of the WireGuard project since the beginning has
| been trying to figure out how to do high security tunneling
| that also performs acceptably. It's easy to do one without the
| other, but doing them both together has meant thinking about a
| lot of fundamentals, from the protocol state machines on up.
| It's hard to do tunneling in the kernel at high speed while
| still maintaining a strong security posture. That's a principal
| challenge the project endeavors to solve.
|
| More generally, it's worth noting that cryptographers also care
| about performance quite a bit in things like symmetric crypto.
| We know well how to make a good cipher now, but making one that
| also performs at increasingly high speeds remains an open area
| of research, with whole conferences, such as FSE, devoted to
| it.
| pdenton wrote:
| Seems to me like if you need to do your task inside the
| kernel to get acceptable performance, there's something wrong
| with that kernel.
|
| It's also arguably more difficult to do a given task in the
| kernel than in userland, code for the kernel is much more
| security-sensitive and even subtle bugs can be detrimental to
| overall system performance (or even exploitable).
|
| Best thing would be to fix the OS instead of piling up
| kludges.
| Godel_unicode wrote:
| Basically all high performance VPN implementations are
| kernel-mode. Just because something is difficult does not
| make it automatically wrong. Note that the main userland
| VPN which gets cited (OpenVPN) has terrible battery and
| latency performance.
|
https://arstechnica.com/gadgets/2020/03/wireguard-vpn-makes-...

https://www.freebsd.org/cgi/man.cgi?query=ipsec&sektion=4&fo...
| sorenjan wrote:
| What do you suggest that the Wireguard team should do about
| that?
| Jenk wrote:
My employer uses WireGuard (Perimeter 81). During video
conferences (using MS Teams) the VPN client goes bananas,
occupying some 40-50% of a CPU core (I assume to en/decode the
video streams), so I hope this will improve that experience.
| DenisM wrote:
| Whatever happened to hardware accelerated encryption? Did it
| never become a thing?
| tyingq wrote:
There's AES-NI, on most modern x64 processors, which helps with
some VPN ciphers. But I think WireGuard uses ChaCha20 after the
key exchanges for most of the traffic, and AES-NI doesn't help
with that.
| captainmuon wrote:
| It's good to see WireGuard getting some love on Windows.
| Unfortunately it's not for me at the moment and doesn't tick the
| boxes I need:
|
| - Last I checked, dynamic server IPs were not supported
|
| - It's system wide by default. With all VPNs, it is relatively
| difficult to say: use this connection for these applications, or
| these addresses. Popular VPN apps have per-app-settings, but I
| find them buggy and not trustworthy. And if you are an expert you
| can set your own routing of course. But it would be great if you
| could just right click on a titlebar and say "use VPN for this
| app", and it was integrated with the OS
|
| - There is no obfuscation for hostile environments. I would like
| a VPN which has pluggable transports, and can, say, look like ssh
| or http or a game, and route over 20 random servers. I know of
| shadowsocks etc., but I could never get it to run.
|
| - There is no integration with Windows login AFAIK. If you want
| to log into a Windows AD domain, you need to be in the VPN, but
| you can't establish connection when you are not logged in. This
| is really annoying. There is a capability in Windows for this,
| but I never found a VPN where it works properly.
|
| So technically WireGuard is great, security and speed wise, but
| for me the potential VPN killer application would be defined by
| superior UX, not by tech.
| c7DJTLrn wrote:
| On your last point, I have a similar problem. I'd like to use
| WireGuard in a large fleet but the authentication/encryption is
| just too barebones. You have to generate a keypair for each
| host and then add that public key to a file on the server. In
| other words, you can't do it with X509 certificates.
|
| I appreciate WireGuard is designed for simplicity but I don't
| see how it can scale with this limitation.
| phkahler wrote:
| Other VPN software will change out their lower layers for
| wire guard, while keeping things like key management as is.
| ur-whale wrote:
| After fighting with OpenVPN for years, I finally switched to
| Wireguard a while back.
|
| Wireguard on Linux is simply _amazing_ , been using it for the
| last year plus to link all of my devices in a single tunneled
| LAN, it's been a blast (I can access any of my devices from any
| of my devices, wherever I or they may be physically located).
|
| I do keep _one_ windoze box because I occasionally need to run
| things that refuse to run on anything but that, and I recently
| installed wireguard on it ... was expecting headaches ... what do
| you know, it worked right out of the box, and I can actually
| _securely_ ssh into the Redmond-spawned contraption from any of
| my other devices, including my android phone.
|
| Wireguard FTW.
| cm2187 wrote:
That should toast OpenVPN in terms of performance. I never managed
to get more than 5 MB/s on OpenVPN on Windows, I understand
precisely because it wasn't implemented in the kernel. I ended up
running a pfSense gateway in a VM.
| neilalexander wrote:
| It also doesn't help that the OpenVPN TAP driver on Windows is
| utterly abysmal. Wintun (also born out of the Wireguard
| project) performs significantly better.
| Hamuko wrote:
| I'm gonna guess there's no such development planned for macOS
| given how Apple wants to dump all kernel extensions.
| zx2c4 wrote:
| I would love to work on this, but indeed it won't happen
| without Apple's blessing. It would be terrific to work with
| them on this, though!
| rastafang wrote:
Even without that, it was probably faster than everything else? I
wouldn't know because I avoid Windows...
___________________________________________________________________
(page generated 2021-09-18 23:00 UTC)