On Sun, Feb 05, 2017 at 02:36:52PM +0100, Jelle de Jong wrote:
> I saw Guus already had contact with Jason over email.
I also had a nice talk with him after his presentation at FOSDEM.
> What do you guys tinc of wireguards, are there advantages? Jason seems to
> have a good grip of what he is talking about.
The main advantage of WireGuard is that it is completely in the kernel,
so it can be significantly faster. There are several reasons for it:
- Userspace VPNs require 3 times the number of context switches for
sending a packet.
- They also suffer from roughly twice the amount of cache pressure.
- It is much harder to do batch processing of packets outside the
kernel.
In his slides he showed that OpenVPN is 3 times as slow as WireGuard.
Tinc suffers from exactly the same issues.
WireGuard is doing pretty much a subset of what tinc does (and its
cryptography is also very similar to that of tinc 1.1): you have one
virtual network interface, and it is capable of making connections to
multiple other nodes, and knows which IP addresses belong to which
peers. The biggest drawback is that it is very static; you can't just
add a node to a VPN like you do with tinc, which spreads information
about a new node throughout the VPN, and is able to set up new
connections on demand. There are also some features that tinc has that
are not in WireGuard, such as PMTU discovery, STUN-like NAT traversal,
forwarding using a third node in case two nodes really cannot
communicate with each other directly, and some more things.
It would be very interesting to see if tinc could make use of WireGuard
if it knows that two nodes that want to communicate with each other both
are running Linux and have the WireGuard module installed. That way, you
get the best of both worlds. One important step to make that happen is
to have the ability to send out-of-band messages through a WireGuard
tunnel. This is necessary so that tinc nodes can communicate with each
other through WireGuard, and verify that the connection is working
properly. Jason has said that this is a planned feature, so that's great
news.
Personally, I would like to see WireGuard only do the actual VPN packet
handling with symmetric crypto, and leave all the rest, including key
exchange using asymmetric crypto, to userspace. However, at the moment
WireGuard is pretty self-contained, not requiring any userspace daemons,
but just some simple tools to provision it with keys and the IP
addresses of peers. Both ways have their uses. Maybe it will be able to
do both in the future.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>