[HN Gopher] Full WireGuard Support in ProtonVPN for Android
___________________________________________________________________
Full WireGuard Support in ProtonVPN for Android
Author : xook
Score : 56 points
Date : 2021-10-11 18:35 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| jvanderbot wrote:
| Eventually nobody will talk about Wireguard because everyone will
| use it for almost everything. It'll be like HTTPS, TLS, or TCP.
| badrabbit wrote:
| I've mostly only used OpenVPN for personal VPN needs. Is WG
| stable/reliable? My OpenVPN tunnels bounce too much.
| codetrotter wrote:
| I've been running a WireGuard setup for a couple of years now,
| and have been and continue to be very satisfied with it.
|
| - WireGuard server running on my FreeBSD VPS. Always on.
|
| - WireGuard client running on my MacBook Pro M1 laptop (and
| prior to that, on the MacBook Air that I had before this
| computer). I activate this one when I need to connect to my
| server or to some other device on the VPN.
|
| - WireGuard client running on my iPhone X. Like with my laptop,
| I activate it when I need to connect to the server or to
| another device on the VPN.
|
| - WireGuard client running on my grandfather's Mac Pro desktop
| computer. Always on. This allows me to remote into his computer
| via the macOS-builtin VNC server on his computer, to help him
| out when he is stuck at something. I use the macOS-builtin VNC
| client on my MBP or a third-party VNC client on my iPhone. In
| either case the connection is tunneled over the WireGuard VPN.
| I also have the builtin SSH server running on his computer that
| I connect to over WG VPN to transfer files or run commands
| through.
|
| - WireGuard client running on my desktop computer which runs
| KDE Neon Linux. Always on.
|
| WireGuard has been almost trivially simple to set up across all
| of these systems; FreeBSD, macOS, iOS, Linux. And I am sure it
| is equally simple to set up on many other systems as well.
|
| WireGuard has been very stable and reliable too for all of the
| time that I have been using it.
|
| Some months ago I changed the WireGuard configuration on my
| server to run on port 443 UDP instead of the UDP port that
| WireGuard server would run on by default. This has allowed me
| to connect to my VPN even when using some public hotspots that
| were very restrictive on what traffic they allowed through and
| where previously I could not connect to my WireGuard VPN. Deep
| packet inspection would still block the traffic I assume, but
| in all cases with regular public hotspots in my country I have
| been able to connect to my VPN after I made this change of what
| port I am using. I live in Norway.
|
| I highly recommend anyone that wants to run their own VPN to
| use WireGuard.
|
| I personally use my WireGuard VPN for connectivity between
| these hosts only, not for tunneling traffic that is routed out
| onto the wider Internet. (That is, my tunnel runs over the
| Internet but I only use it for traffic that is destined to the
| machines that are members of the VPN). So I cannot really
| comment on the use-case of tunneling Internet traffic, but from
| the experience with connecting the hosts in my VPN I can only
| assume that tunneling Internet traffic would work out equally
| well.
| atatatat wrote:
| Is your grandfather on a VPN you share with him?
|
| Is he on static IP?
| mbreese wrote:
| It doesn't need to be. If his grandfather's computer is
| connecting to a "hub" server and is always connected, it
| will work.
|
| Alternatively, if @codetrotter needs to do the connecting,
| you can also set up WireGuard to use a DNS name, which
| could be dynamic.
|
| On the VPN side, it would be a static IP though...
| codetrotter wrote:
| Yes, his computer is on my VPN and has a static IPv4
| address inside of the VPN, 10.42.42.4, as well as a static
| IPv6 address inside of the VPN, fc42:4242:4242:4242::4.
|
| I updated my comment above to note that I use my VPN for
| connectivity between hosts only, but across the Internet.
| So I can connect to any host in the VPN from anywhere in
| the world, but all of the hosts still send all of their
| other traffic via the same interface that they would if
| they were not part of the VPN.
|
| So when he browses the Internet, his traffic is routed by
| his ISP directly and the VPN is not involved, and the same
| goes for my own computers and other devices.
| jvanderbot wrote:
| WG isn't just stable, it's so easy to configure and set up
| you'll wonder why you didn't do it ages ago. At least that's
| the way it was for me.
|
| I stand by my assertion that eventually nobody will talk about
| Wireguard because everyone will use it for almost everything.
| It'll be like HTTPS, TLS, or TCP.
| icelancer wrote:
| I tried setting it up on a VPS on Ubuntu the other day, got
| it installed after doing some config files, connected to the
| tunnel, could access the server but not the wider Internet.
| Made about 4-5 config changes per a bunch of Stackoverflow
| posts then gave up since nothing worked.
|
| Installed OpenVPN instead, took me 2 minutes and worked
| immediately with far fewer config file changes.
|
| I've had this experience before with Wireguard as well.
| People keep saying how easy it is and in my experience... it
| simply isn't.
|
| OpenVPN has a lot of BS overhead and I'd be more than pleased
| to move off of it. But WG hasn't been simple for a common use
| case - install on Ubuntu VPS, client on Windows.
| j3th9n wrote:
| This was possibly all you needed to do:
|
| echo 1 > /proc/sys/net/ipv4/ip_forward
| icelancer wrote:
| cat /proc/sys/net/ipv4/ip_forward shows '1', I set it via
| sysctl -w net.ipv4.ip_forward=1 in the past I think based
| on instructions.
| ciupicri wrote:
| There is also a per interface setting, e.g.
| net.ipv4.conf.virbr0.forwarding
| icelancer wrote:
| apt purge'd it, reinstalled and updated my Windows
| client, now getting this entry in the Wireguard log:
|
| 2021-10-11 15:18:30.313: [MGR] Failed to connect to
| adapter interface \\\?\SWD#WireGuard[REDACTED]: The
| system cannot find the file specified. (Code 0x00000002)
|
| So, again, I'd like to use it but... dead simple it
| ain't. Googling that error shows 5 month old reddit posts
| and not much else.
|
| https://www.reddit.com/r/WireGuard/comments/n6yocf/unable
| _to...
| j3th9n wrote:
| Then maybe you need to add the following to the
| [Interface] section of your wg0.conf on your server or
| else I don't know ;-) :
|
| PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
| PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
| icelancer wrote:
| Already reads as such, though I've tried that code
| snippet too:
|
| PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
|
| PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
|
| Like I said, everyone keeps saying Wireguard is dead
| simple to set up, but the comments are full of editing
| configuration files, priv/pub key pairs, etc. I've helped
| administer OpenVPN servers for a decade now (and take no
| pride in it), and yet all these errors that keep coming
| up in Wireguard configuration for me on a main Linux
| distro + Windows 10 client seem pretty odd for something
| that's supposedly so easy to use.
|
| Someone just come out with a wizard/package installer
| that actually works reasonably well (like OpenVPN has
| already) and then it might be "easy" to install. For
| OpenVPN I run an apt install command, run a wizard, SFTP
| into the box, transfer out the .ovpn file, import it into
| whatever client devices I need, and it works. Wireguard
| is at least 10 times tougher than that, even if it
| worked, which it currently does not.
| georgyo wrote:
| All the replies to your comment seem like sales pitches that
| don't actually explain anything.
|
| The difference between wireguard and OpenVPN is that there is
| no real negotiation between the client and server.
|
| Connecting to OpenVPN can take several seconds as it
| authenticates you, figures out encryption algorithms, IP and
| route management. If the network or OpenVPN server hiccup, it
| drops you and you need to reconnect and renegotiate again.
|
| Wireguard does not do this, the interface comes up regardless
| of whether the remote server is up. The client and server key have
| already been exchanged, the routing and ip are statically
| configured, so the server can just receive packets without any
| negotiation.
|
| Clients are identified by their public key, so roaming and IP
| switches are seamless as well.
|
| There actually is a very tiny amount of negotiation in that the
| protocol has perfect forward secrecy, so the connection re-keys
| every two minutes (hard-coded time value).
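Added example, not from the thread and not ProtonVPN's or WireGuard's own code: a POSIX shell script that renders the kind of "hub" server wg0.conf j3th9n and icelancer are trading above (forwarding and NAT rules in PostUp/PostDown) together with the [Peer] table georgyo describes (each client identified only by its public key, its tunnel address pinned by AllowedIPs, no negotiation), and that checks both forwarding knobs mentioned in the thread, the global ip_forward and the per-interface conf.<if>.forwarding. The interface name eth0, port 443, the 10.42.42.0/24 addresses and every key are constructed placeholders; the procfs root is a parameter so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the HN thread). All keys, addresses and interface
# names below are constructed placeholders; generate real keys with
# `wg genkey | tee server.key | wg pubkey` and never paste them into a script.

# Render a hub-style wg0.conf. Arguments:
#   $1 server private key, $2 ListenPort, $3 WAN interface for NAT,
#   $4 tunnel address with prefix, then repeated "client-pubkey allowed-ips"
#   pairs, one pair per peer.
render_server_config() {
    privkey=$1; port=$2; wan=$3; addr=$4
    shift 4
    printf '[Interface]\n'
    printf 'Address = %s\n' "$addr"
    printf 'ListenPort = %s\n' "$port"
    printf 'PrivateKey = %s\n' "$privkey"
    # Allow tunnel traffic through the FORWARD chain in both directions and
    # masquerade it out of the WAN interface. "%%i" is a printf escape for a
    # literal "%i", which wg-quick expands to the interface name (wg0).
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -D FORWARD -o %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$wan"
    # One [Peer] block per client: the public key is the client's identity,
    # AllowedIPs is both the static route to it and the source filter for it.
    while [ $# -ge 2 ]; do
        printf '\n[Peer]\n'
        printf 'PublicKey = %s\n' "$1"
        printf 'AllowedIPs = %s\n' "$2"
        shift 2
    done
}

# Print "public-key allowed-ips" pairs from a config read on stdin, i.e. the
# whole identity-to-route mapping the server needs; nothing is negotiated.
peer_table() {
    awk '/^PublicKey *=/  { sub(/^[^=]*= */, ""); k = $0 }
         /^AllowedIPs *=/ { sub(/^[^=]*= */, ""); print k, $0 }'
}

# Check the global ip_forward knob and the per-interface forwarding knob
# (net.ipv4.conf.<if>.forwarding) for the WAN interface. $1 is the procfs
# root (default /proc) so the check can run against a constructed tree;
# $2 is the WAN interface name. Prints "ok" or the offending values.
forwarding_status() {
    root=${1:-/proc}; wan=$2
    g=$(cat "$root/sys/net/ipv4/ip_forward" 2>/dev/null || echo missing)
    i=$(cat "$root/sys/net/ipv4/conf/$wan/forwarding" 2>/dev/null || echo missing)
    if [ "$g" = 1 ] && [ "$i" = 1 ]; then
        echo ok
    else
        echo "global=$g iface=$i"
    fi
}

# Stand-alone demo with constructed placeholder values.
render_server_config SERVER_PRIVKEY_PLACEHOLDER 443 eth0 10.42.42.1/24 \
    LAPTOP_PUBKEY_PLACEHOLDER 10.42.42.2/32 \
    DESKTOP_PUBKEY_PLACEHOLDER 10.42.42.4/32
forwarding_status /proc eth0
```

When a peer behind NAT (the always-on desktop in codetrotter's setup, for instance) must stay reachable from the hub, it is that peer's own config that carries a PersistentKeepalive entry; the server side stays as rendered here.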
| SahAssar wrote:
| > All the replies to your comment seem like sales pitches
| that don't actually explain anything.
|
| It's sort of hard to provide anything other than "yes/no" to a
| question like "Is WG stable/reliable", right?
|
| For most uses the answer is probably "yes" but there are use
| cases (I'm guessing around auth and middleboxes that do not
| like UDP) where the answer would be "no".
| johnchristopher wrote:
| Running wg on my VPS was a setup-and-forget thing. I like the
| fact it's dead simple to add a new pair and to configure.
| oliverjudge wrote:
| It's nice to see one of these providers upgrading their protocols
| away from openvpn and the like, but it still doesn't solve the
| problem that these commercial VPNs are still just someone else's
| computer.
| jvanderbot wrote:
| If what you care about is encrypting traffic, then set up WG
| yourself and have a free tier / $3/m machine do the relay. Or
| your router. It's so easy there's really no excuse not to.
|
| If what you care about is anonymizing your traffic, then you
| _need_ someone else's computer. That's the idea, to mix your
| traffic in with a bunch of other traffic.
| zibzab wrote:
| I'm pretty sure that 50% of VPN companies are run by spy
| agencies
|
| Some of the rest are probably run by criminals.
|
| Oh yeah, let us not forget Facebook whose vpn app was created
| mainly to snoop on your other network activities
|
| Edit: remember that you can roll your own temporary vpn:
| https://www.digitalocean.com/community/tutorials?q=vpn
| TravisHusky wrote:
| It is really nice, OpenVPN is good, but it is definitely harder
| to configure, and slower. I also like that it is hard to shoot
| yourself in the foot with Wireguard given it is really hard to
| mess up and create an insecure config.
|
| ProtonVPN is also at least a bit better than other commercial
| VPNs, specifically the "Secure Core" feature is quite good.
| Proton is one of only like two or three companies I actually
| trust when it comes to their security and honesty.
| stingraycharles wrote:
| But if you would want a more secure alternative, there are
| options like Tor and I2P right? Or do you have something else
| in mind?
| Skunkleton wrote:
| I think the point is that public VPNs don't provide much
| additional security. Basically they just let you act from a
| different location on the internet. Is your traffic safer
| egressing on to the public network from your current
| location, or from the VPN's location? In some cases the VPN
| may be better. In others, your local network makes more
| sense.
| Forbo wrote:
| If a VPN isn't sufficient for your threat model, then you need
| to be using something like Tor, I2P, or Nym.
___________________________________________________________________
(page generated 2021-10-11 23:00 UTC)