tinc - Feb 2017 - wireguard what do you guys tinc?

Hello everybody,

I saw Guus already had contact with Jason over email.

What do you guys tinc of wireguards, are there advantages? Jason seems 
to have a good grip of what he is talking about.

https://fosdem.org/2017/schedule/event/wireguard/attachments/slides/1675/export/events/attachments/wireguard/slides/1675/wireguard_slides.pdf

https://fosdem.org/2017/schedule/event/wireguard/

Kind regards,

Jelle de Jong

On Sun, Feb 05, 2017 at 02:36:52PM +0100, Jelle de Jong wrote:
> I saw Guus already had contact with Jason over email.
I also had a nice talk with him after his presentation at FOSDEM.
> What do you guys tinc of wireguards, are there advantages? Jason seems to
> have a good grip of what he is talking about.
The main advantage of WireGuard is that it is completely in the kernel,
so it can be significantly faster. There are several reasons for it:

- Userspace VPNs require 3 times the number of context switches for
  sending a packet.
- They also suffer from roughly twice the amount of cache pressure.
- It is much harder to do batch processing of packets outside the
  kernel.

In his slides he showed that OpenVPN is 3 times as slow as WireGuard.
Tinc suffers from exactly the same issues.

WireGuard is doing pretty much a subset of what tinc does (and its
cryptography is also very similar to that of tinc 1.1): you have one
virtual network interface, and it is capable of making connections to
multiple other nodes, and knows which IP addresses belong to which
peers. The biggest drawback is that it is very static; you can't just
add a node to a VPN like you do with tinc, which spreads information
about a new node throughout the VPN, and is able to set up new
connections on demand. There are also some features that tinc has that
are not in WireGuard, such as PMTU discovery, STUN-like NAT traversal,
forwarding using a third node in case two nodes really cannot
communicate with each other directly, and some more things.

It would be very interesting to see if tinc could make use of WireGuard
if it knows that two nodes that want to communicate with each other both
are running Linux and have the WireGuard module installed. That way, you
get the best of both worlds. One important step to make that happen is
to have the ability to send out-of-band messages through a WireGuard
tunnel. This is necessary so that tinc nodes can communicate with each
other through WireGuard, and very that the connection is working
properly. Jason has said that this is a planned feature, so that's great
news.

Personally, I would like to see WireGuard only do the actual VPN packet
handling with symmetric crypto, and leave all the rest, including key
exchange using asymmetric crypto, to userspace. However, at the moment
WireGuard is pretty self-contained, not requiring any userspace daemons,
but just some simple tools to provision it with keys and the IP
addresses of peers. Both ways have their uses. Maybe it will be able to
do both in the future.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20170206/0539923b/attachment.sig>

On 5 February 2017 at 05:36, Jelle de Jong <jelledejong at powercraft.nl>
wrote:
> What do you guys tinc of wireguards, are there advantages? Jason seems to
> have a good grip of what he is talking about.

Well if it's kernel only, that rules out anything not Linux, at lest
at the moment. I know that may have a big share, but I find that
limit.
I understand it being in the kernel is attractive because it's much
faster, but how many things do we want to trust in running in the
kernel? Does a faster VPN really mean much these days?

-- 
-------
inum: 883510009027723
sip: jungleboogie at sip2sip.info

Contrary to most traditional in-kernel VPN or tunneling solutions, 
wireguard uses the UDP protocol. This should make it possible to 
implement the same protocol in userspace on any system that can handle 
UDP sockets - including Windows. It might be slower, but it should be 
able to talk to to the kernel implementation.

Wireguard currently does not support ethernet-layer tunneling, only 
IP(v4 and v6) packets can be tunneled. I think this is unfortunate, 
because I have some scenarios where I'd like to bridge entire ethernet 
segments or use another routing mechanism like BGP.

--

Ivo


Op 6-2-2017 om 20:25 schreef jungle Boogie:
> On 5 February 2017 at 05:36, Jelle de Jong <jelledejong at
powercraft.nl> wrote:
>> What do you guys tinc of wireguards, are there advantages? Jason seems
to
>> have a good grip of what he is talking about.
>
> Well if it's kernel only, that rules out anything not Linux, at lest
> at the moment. I know that may have a big share, but I find that
> limit.
> I understand it being in the kernel is attractive because it's much
> faster, but how many things do we want to trust in running in the
> kernel? Does a faster VPN really mean much these days?
>