[HN Gopher] Full WireGuard Support in ProtonVPN for Android
___________________________________________________________________
Full WireGuard Support in ProtonVPN for Android
Author : xook
Score  : 56 points
Date   : 2021-10-11 18:35 UTC (4 hours ago)
web link (github.com)

| jvanderbot wrote:
| Eventually nobody will talk about Wireguard because everyone will use it for almost everything. It'll be like HTTPS, TLS, or TCP.

| badrabbit wrote:
| I've mostly only used OpenVPN for personal VPN needs. Is WG stable/reliable? My OpenVPN tunnels bounce too much.

| codetrotter wrote:
| I've been running a WireGuard setup for a couple of years now, and have been and continue to be very satisfied with it.
|
| - WireGuard server running on my FreeBSD VPS. Always on.
|
| - WireGuard client running on my MacBook Pro M1 laptop (and prior to that, on the MacBook Air that I had before this computer). I activate this one when I need to connect to my server or to some other device on the VPN.
|
| - WireGuard client running on my iPhone X. Like with my laptop, I activate it when I need to connect to the server or to another device on the VPN.
|
| - WireGuard client running on my grandfather's Mac Pro desktop computer. Always on. This allows me to remote into his computer via the macOS-builtin VNC server on his computer, to help him out when he is stuck at something. I use the macOS-builtin VNC client on my MBP or a third-party VNC client on my iPhone. In either case the connection is tunneled over the WireGuard VPN. I also have the builtin SSH server running on his computer that I connect to over WG VPN to transfer files or run commands through.
|
| - WireGuard client running on my desktop computer which runs KDE Neon Linux. Always on.
|
| WireGuard has been almost trivially simple to set up across all of these systems: FreeBSD, macOS, iOS, Linux. And I am sure it is equally simple to set up on many other systems as well.
|
| WireGuard has been very stable and reliable too for all of the time that I have been using it.
|
| Some months ago I changed the WireGuard configuration on my server to run on port 443 UDP instead of the UDP port that WireGuard server would run on by default. This has allowed me to connect to my VPN even when using some public hotspots that were very restrictive on what traffic they allowed through and where previously I could not connect to my WireGuard VPN. Deep packet inspection would still block the traffic I assume, but in all cases with regular public hotspots in my country I have been able to connect to my VPN after I made this change of what port I am using. I live in Norway.
|
| I highly recommend anyone that wants to run their own VPN to use WireGuard.
|
| I personally use my WireGuard VPN for connectivity between these hosts only, not for tunneling traffic that is routed out onto the wider Internet. (That is, my tunnel runs over the Internet but I only use it for traffic that is destined to the machines that are members of the VPN.) So I cannot really comment on the use-case of tunneling Internet traffic, but from the experience with connecting the hosts in my VPN I can only assume that tunneling Internet traffic would work out equally well.

| atatatat wrote:
| Is your grandfather on a VPN you share with him?
|
| Is he on static IP?

| mbreese wrote:
| It doesn't need to be. If his grandfather's computer is connecting to a "hub" server and is always connected, it will work.
|
| Alternatively, if @codetrotter needs to do the connecting, you can also set up WireGuard to use a DNS name, which could be dynamic.
|
| On the VPN side, it would be a static IP though...
| codetrotter wrote:
| Yes, his computer is on my VPN and has a static IPv4 address inside of the VPN, 10.42.42.4, as well as a static IPv6 address inside of the VPN, fc42:4242:4242:4242::4.
|
| I updated my comment above to note that I use my VPN for connectivity between hosts only, but across the Internet. So I can connect to any host in the VPN from anywhere in the world, but all of the hosts still send all of their other traffic via the same interface that they would if they were not part of the VPN.
|
| So when he browses the Internet, his traffic is routed by his ISP directly and the VPN is not involved, and the same goes for my own computers and other devices.

| jvanderbot wrote:
| WG isn't just stable, it's so easy to configure and set up you'll wonder why you didn't do it ages ago. At least that's the way it was for me.
|
| I stand by my assertion that eventually nobody will talk about Wireguard because everyone will use it for almost everything. It'll be like HTTPS, TLS, or TCP.

| icelancer wrote:
| I tried setting it up on a VPS on Ubuntu the other day, got it installed after doing some config files, connected to the tunnel, could access the server but not the wider Internet. Made about 4-5 config changes per a bunch of Stackoverflow posts then gave up since nothing worked.
|
| Installed OpenVPN instead, took me 2 minutes and worked immediately with far fewer config file changes.
|
| I've had this experience before with Wireguard as well. People keep saying how easy it is and in my experience... it simply isn't.
|
| OpenVPN has a lot of BS overhead and I'd be more than pleased to move off of it. But WG hasn't been simple for a common use case - install on Ubuntu VPS, client on Windows.
| j3th9n wrote:
| This was possibly all you needed to do:
|
|     echo 1 > /proc/sys/net/ipv4/ip_forward

| icelancer wrote:
| cat /proc/sys/net/ipv4/ip_forward shows '1'; I set it via sysctl -w net.ipv4.ip_forward=1 in the past I think, based on instructions.

| ciupicri wrote:
| There is also a per-interface setting, e.g. net.ipv4.conf.virbr0.forwarding

| icelancer wrote:
| apt purge'd it, reinstalled and updated my Windows client, now getting this entry in the Wireguard log:
|
|     2021-10-11 15:18:30.313: [MGR] Failed to connect to adapter interface \\\?\SWD#WireGuard[REDACTED]: The system cannot find the file specified. (Code 0x00000002)
|
| So, again, I'd like to use it but... dead simple it ain't. Googling that error shows 5 month old reddit posts and not much else.
|
| https://www.reddit.com/r/WireGuard/comments/n6yocf/unable_to...

| j3th9n wrote:
| Then maybe you need to add the following to the [Interface] section of your wg0.conf on your server, or else I don't know ;-) :
|
|     PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|     PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

| icelancer wrote:
| Already reads as such, though I've tried that code snippet too:
|
|     PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
|
|     PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
|
| Like I said, everyone keeps saying Wireguard is dead simple to set up, but the comments are full of editing configuration files, priv/pub key pairs, etc. I've helped administer OpenVPN servers for a decade now (and take no pride in it), and yet all these errors that keep coming up in Wireguard configuration for me on a main Linux distro + Windows 10 client seem pretty odd for something that's supposedly so easy to use.
|
| Someone just come out with a wizard/package installer that actually works reasonably well (like OpenVPN has already) and then it might be "easy" to install. For OpenVPN I run an apt install command, run a wizard, SFTP into the box, transfer out the .ovpn file, import it into whatever client devices I need, and it works. Wireguard is at least 10 times tougher than that, even if it worked, which it currently does not.

| georgyo wrote:
| All the replies to your comment seem like sales pitches that don't actually explain anything.
|
| The difference between Wireguard and OpenVPN is that there is no real negotiation between the client and server.
|
| Connecting to OpenVPN can take several seconds as it authenticates you, figures out encryption algorithms, IP and route management. If the network or OpenVPN server hiccups, it drops you and you need to reconnect and renegotiate again.
|
| Wireguard does not do this; the interface comes up regardless of whether the remote server is up. The client and server keys have already been exchanged, the routing and IP are statically configured, so the server can just receive packets without any negotiation.
|
| Clients are identified by their public key, so roaming and IP switches are seamless as well.
|
| There actually is a very tiny amount of negotiation in that the protocol has perfect forward secrecy, so the connection rekeys every two minutes (hard-coded time value).

| SahAssar wrote:
| > All the replies to your comment seem like sales pitches that don't actually explain anything.
|
| It's sort of hard to provide anything other than "yes/no" to a question like "Is WG stable/reliable", right?
|
| For most uses the answer is probably "yes" but there are use cases (I'm guessing around auth and middleboxes that do not like UDP) where the answer would be "no".

| johnchristopher wrote:
| Running wg on my VPS was a setup-and-forget thing. I like the fact it's dead simple to add a new pair and to configure.

| oliverjudge wrote:
| It's nice to see one of these providers upgrading their protocols away from OpenVPN and the like, but it still doesn't solve the problem that these commercial VPNs are still just someone else's computer.

| jvanderbot wrote:
| If what you care about is encrypting traffic, then set up WG yourself and have a free tier / $3/m machine do the relay. Or your router. It's so easy there's really no excuse not to.
|
| If what you care about is anonymizing your traffic, then you _need_ someone else's computer. That's the idea, to mix your traffic in with a bunch of other traffic.

| zibzab wrote:
| I'm pretty sure that 50% of VPN companies are run by spy agencies.
|
| Some of the rest are probably run by criminals.
|
| Oh yeah, let us not forget Facebook whose VPN app was created mainly to snoop on your other network activities.
|
| Edit: remember that you can roll your own temporary VPN: https://www.digitalocean.com/community/tutorials?q=vpn

| TravisHusky wrote:
| It is really nice, OpenVPN is good, but it is definitely harder to configure, and slower. I also like that it is hard to shoot yourself in the foot with Wireguard given it is really hard to mess up and create an insecure config.
|
| ProtonVPN is also at least a bit better than other commercial VPNs, specifically the "Secure Core" feature is quite good. Proton is one of only like two or three companies I actually trust when it comes to their security and honesty.

| stingraycharles wrote:
| But if you would want a more secure alternative, there are options like Tor and I2P right? Or do you have something else in mind?
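The server-side settings that j3th9n and icelancer trade above (the ip_forward sysctl and the FORWARD/MASQUERADE rules in PostUp) are the usual cause of the "tunnel is up but no Internet" symptom. As an added example, not code from the thread or from ProtonVPN, this POSIX shell script checks a WireGuard server config and the kernel forwarding flag for exactly those settings; the file paths, the egress interface name and the sample configs it writes are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for the symptom
# discussed above (client reaches the server, but not the wider Internet).
# Paths and the egress interface are parameters, so the same functions run
# against real files (/proc/sys/net/ipv4/ip_forward, /etc/wireguard/wg0.conf)
# or against the constructed samples written below.

# Kernel-wide forwarding flag must read exactly "1".
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Read the PostUp line of a WireGuard config and require the three iptables
# rules from the thread: accept forwarding into and out of the tunnel (%i is
# expanded by wg-quick to the interface name) and masquerade on the real
# egress interface. Prints each missing rule; returns 0 only if all are there.
check_wg_conf() {
    conf=$1; egress=$2; rc=0
    postup=$(sed -n 's/^[[:space:]]*PostUp[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null)
    for rule in "FORWARD -i %i -j ACCEPT" \
                "FORWARD -o %i -j ACCEPT" \
                "POSTROUTING -o $egress -j MASQUERADE"; do
        case "$postup" in
            *"$rule"*) ;;
            *) echo "$conf: PostUp lacks '$rule'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not real server files): "partial" is j3th9n's
# two-rule snippet, "full" adds icelancer's return-path FORWARD rule.
write_sample_conf() {
    rules='iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
    if [ "$2" = full ]; then
        rules="$rules; iptables -A FORWARD -o %i -j ACCEPT"
    fi
    printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = 51820\nPostUp = %s\n' "$rules" > "$1"
}

# Demo on constructed inputs; on a real server pass the real paths instead.
tmp=$(mktemp -d)
echo 1 > "$tmp/ip_forward"
write_sample_conf "$tmp/partial.conf" partial
write_sample_conf "$tmp/full.conf" full
check_ip_forward "$tmp/ip_forward" && echo "ip_forward: ok"
check_wg_conf "$tmp/partial.conf" eth0 || echo "partial.conf: incomplete"
check_wg_conf "$tmp/full.conf" eth0 && echo "full.conf: ok"
```

A passing result only covers the three settings discussed in the thread; a default FORWARD policy of DROP set by another tool, or a firewall front-end such as ufw, still has to be checked separately.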
| Skunkleton wrote:
| I think the point is that public VPNs don't provide much additional security. Basically they just let you act from a different location on the internet. Is your traffic safer egressing onto the public network from your current location, or from the VPN's location? In some cases the VPN may be better. In others, your local network makes more sense.

| Forbo wrote:
| If a VPN isn't sufficient for your threat model, then you need to be using something like Tor, I2P, or Nym.
___________________________________________________________________
(page generated 2021-10-11 23:00 UTC)