Wireguard support

Are there any plans to support WireGuard as a third VPN option in the near future?
I know it's still in a late beta stage, but anyway.

Hey,

currently there are no plans to integrate this. Plainly because I consider it a non-starter: it does not do anything that any existing VPN solution cannot do, yet.

There is a response on the old forum here: https://forum.ipfire.org/viewtopic.php?f=50&t=22111&p=123315&hilit=wireguard#p121490

Hi all,
there is also continuing development regarding WireGuard, not official but in the community, which is meanwhile in a pretty good state, but I am not sure if this will ever see the light of day.

Let´s see.

Best,

Erik

EDIT: https://git.ipfire.org/?p=people%2Fmlorenz%2Fipfire-2.x.git&a=search&h=refs%2Fheads%2Fmailserver&st=grep&s=wireguard

Linus Torvalds announced on 30 Jan 2020 that he will merge WireGuard into the Linux 5.6 kernel. Release date to be announced, but I would guesstimate any time from April this year onwards. Which bears no relevance to IPFire… just yet.
Is there a roadmap as to when IPFire will move from the 4.14.x kernel onto the 5.x kernel?

There are no plans to move IPFire 2.x away from the 4.14.x kernel, which has extended long-term support until Jan 2024, yet.
https://www.kernel.org/category/releases.html


Here is another vote for WireGuard.

IPsec is WAY too fragile and has too many compatibility issues. We gave up on it years ago. Love OpenVPN. It is complicated to set up, but once the initial hurdle is overcome it is as stable as a rock and always works.

Our initial testing of WireGuard has been very promising. It has the simplicity of IPsec with the stability of OpenVPN. Now that it has been incorporated into the mainline kernel, we see no reason not to get ready to move to it.

Fred

I cannot agree. Maybe I did not have the same issues over time…

Again, cannot agree: I've had a few pre-cooked versions over time, always working flawlessly.

Anyway

My vote is here too.

I absolutely disagree. IPsec is a very robust protocol and it just works across many vendors.

I have read the whitepaper for WireGuard and I think that it won’t be able to fulfil all the promises that it makes. I will write a blog post about this as soon as I find some time.


Another request for WireGuard. I'm two weeks into fighting an IPsec unreliability issue with a Cisco ASA firewall. If I can get a lighter-weight, easier VPN, I'm all for it.

I have no use case for any of these VPN tunnels at this time, for my basic router setup.
Perhaps someone who has the knowledge can make it a plugin.
I'm sure if it is popular it would be to their (IPFire) benefit to add it to the main OS.

Totally agree with you, Eric. I personally have spent way too much "quality time" with Cisco devices over almost three decades trying to get IPsec to work reliably. IPsec will always be the choice of last resort for us.

OpenVPN ALWAYS works, especially when trying to connect to road warriors in East Asia to other continents, particularly North America. Don’t ask how I know this.

Fred

I don't think so. We have had three times in history where OpenVPN broke backward compatibility of the configuration/clients, so all roadwarrior clients needed new configs/certs. This is an absolute no-go!

Here it is:

It is a bit long, and I still have more points that I did not fit in, but the most important ones are in here.

In short: WireGuard just won’t be an option for what you want to achieve.


You cover a fair number of points in the blog and I agree with most of them. Yes, the protocol is not yet ready for prime time for the reasons you outline, but it doesn't mean it wouldn't be useful for us to experiment with. Personally, I would love to be able to drop IPsec. As I said in another message, I've lost tens of hours trying to make it work reliably with a Cisco firewall (ASA 5508 I believe). It runs fine for a couple of hours, then loses its mind and reconstructs the entire tunnel, breaking any persistent connection like SSH. Cisco can't find it. I can't find it.

Even between two identical IPFire configurations (which are set up to match the Cisco configuration) it won't work. Single-choice encryption, hash functions etc. Doesn't work and no idea why. Back when I was working on IPCop, IPsec was cantankerous and I see that it still fails today.

I've had to bodge together an OpenVPN net-to-net connection using one of the servers as an OpenVPN client. It's reliable, performance is not as good as IPsec, but at least I don't have my client yelling at me multiple times a day. On the other hand, OpenVPN is not ideal either. I have failed to connect IPFire OpenVPN to MikroTik.

Hey, if not WireGuard, how about tinc? https://www.tinc-vpn.org/

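The post above describes an IPsec tunnel that "runs fine for a couple of hours, then reconstructs the entire tunnel, breaking any persistent connection". A common cause of exactly that symptom is IKE reauthentication (tearing the old IKE_SA and its CHILD_SAs down and building fresh ones) rather than in-place rekeying, often triggered by a lifetime mismatch between the two peers. The following script is an added example and not code from this thread or from IPFire: it scans strongSwan `charon` log lines, separates clean rekeys from reauthentication teardowns, and measures how long each teardown left the tunnel without an SA. The sample log is constructed in the style of charon's syslog output (peer addresses, connection names and timings are invented); the exact message wording is assumed from strongSwan's usual phrasing and may differ between versions, so adjust the regular expressions if your logs look different.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the style of strongSwan's charon syslog output.
# "asa" is rebuilt via reauthentication (old SA deleted, then a new one
# established a few seconds later); "branch" is rekeyed in place (new SA
# created before the old one is deleted, so no blackout).
SAMPLE_LOG = """\
Feb 10 10:00:01 ipfire charon: 05[IKE] IKE_SA asa[1] established between 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
Feb 10 10:00:01 ipfire charon: 05[IKE] CHILD_SA asa{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 10.0.0.0/24 === 10.1.0.0/24
Feb 10 10:00:05 ipfire charon: 06[IKE] IKE_SA branch[1] established between 203.0.113.1[203.0.113.1]...192.0.2.9[192.0.2.9]
Feb 10 11:00:05 ipfire charon: 08[IKE] rekeying IKE_SA branch[1]
Feb 10 11:00:06 ipfire charon: 08[IKE] IKE_SA branch[2] rekeyed between 203.0.113.1[203.0.113.1]...192.0.2.9[192.0.2.9]
Feb 10 11:00:06 ipfire charon: 08[IKE] deleting IKE_SA branch[1] between 203.0.113.1[203.0.113.1]...192.0.2.9[192.0.2.9]
Feb 10 12:59:58 ipfire charon: 09[IKE] reauthenticating IKE_SA asa[1]
Feb 10 12:59:58 ipfire charon: 09[IKE] deleting IKE_SA asa[1] between 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
Feb 10 13:00:03 ipfire charon: 11[IKE] IKE_SA asa[2] established between 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
Feb 10 13:00:03 ipfire charon: 11[IKE] CHILD_SA asa{2} established with SPIs 0a1b2c3d_i 4e5f6071_o and TS 10.0.0.0/24 === 10.1.0.0/24
"""

# Syslog prefix: "Mon DD HH:MM:SS host charon: NN[IKE] message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (?P<msg>.*)$"
)
# The IKE_SA lifecycle messages we care about; CHILD_SA lines are ignored.
EVENT_RE = re.compile(
    r"^(?:IKE_SA (?P<conn_a>[\w-]+)\[\d+\] (?P<kind_a>established|rekeyed)"
    r"|(?P<kind_b>rekeying|reauthenticating|deleting) IKE_SA (?P<conn_b>[\w-]+)\[\d+\])"
)


def parse_events(log_text, year=2020):
    """Return a time-ordered list of (timestamp, connection, event kind).

    Syslog timestamps carry no year, so one is assumed (hypothetical
    default: 2020); pass the real one for logs spanning a year boundary.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = EVENT_RE.match(m.group("msg"))
        if not e:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        conn = e.group("conn_a") or e.group("conn_b")
        kind = e.group("kind_a") or e.group("kind_b")
        events.append((ts, conn, kind))
    # Stable sort by time only, so lines with equal timestamps keep log order.
    events.sort(key=lambda ev: ev[0])
    return events


def analyse(events):
    """Per connection: count in-place rekeys and reauth teardowns, and
    measure the longest gap between a reauth and the next established SA."""
    per_conn = defaultdict(list)
    for ts, conn, kind in events:
        per_conn[conn].append((ts, kind))

    report = {}
    for conn, evs in per_conn.items():
        rekeys = sum(1 for _, k in evs if k == "rekeying")
        reauths = sum(1 for _, k in evs if k == "reauthenticating")
        gaps = []
        outage_start = None
        for ts, kind in evs:
            if kind == "reauthenticating":
                outage_start = ts          # SA is about to be torn down
            elif kind == "established" and outage_start is not None:
                gaps.append((ts - outage_start).total_seconds())
                outage_start = None
        if reauths:
            verdict = "reauth-teardown"    # tunnel disappears and is rebuilt
        elif rekeys:
            verdict = "rekey-ok"           # new SA before old one is removed
        else:
            verdict = "stable"
        report[conn] = {
            "rekeys": rekeys,
            "reauths": reauths,
            "max_gap_s": max(gaps, default=0.0),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for conn, info in analyse(parse_events(SAMPLE_LOG)).items():
        print(f"{conn}: {info}")
```

Run it against `/var/log/messages` (or wherever charon logs on your box) instead of the constructed sample. A connection that keeps showing up as `reauth-teardown` with a non-zero gap is being rebuilt rather than rekeyed; the usual fixes on the strongSwan side are `reauth=no` with IKEv2 and matching the IKE and CHILD_SA lifetimes to what the other peer (here, an ASA) is configured with, so that neither side expires the SA early. Which side is set to what is something you have to check in both configurations; the script only tells you which behaviour the log shows.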

Thanks for your feedback on the post…

You can definitely play around with it. Just do not expect something that you can use to replace your IPsec net-to-net or roadwarrior tunnels with.

tinc is just another multi-point TLS VPN. Use OpenVPN if you want to use TLS.

I would urge you to investigate the IPsec issues and find out what is going wrong. I honestly do not have any problems with tunnels cutting out and breaking TCP connections with IPFire.

Investigate the IPsec issues? You mean like this: Ipsec to cisco asa 5506 failing (corrected)

I’ll try again on the IPFire to IPFire config. I’ll make a new post with config files etc.

Well, it is difficult to work this one out from a one-line bug report. The context on this post helps.

@ms Great article --> https://blog.ipfire.org/post/why-not-wireguard !

Best,

Erik


And in reply to all this, the Tailscale (WireGuard) folks reply…:

LOL 2-factor authentication… With a “secure” protocol with static keys…

$3 million seed round. I wish I was that much into money like he is.

Let’s be serious: He is forgetting that this is a blog post. It is not a scientific article of course. There are no extensive benchmarks to prove every single point in the article. It is already way too long for a casual read.

But a whole article just bashing my points and just saying I am wrong is a bit poor. He does not have any benchmarks or other proofs either to disprove my points. Instead he is "worried" and "surprised" about my "claims".

He even went very far into the past (to 2003) to find a paper that shows how bad IPsec is. The problem only is that the IPsec folks have listened to that and improved.

I am flattered that my article was read. I do not write these things for publicity. Just for my own entertainment. But it would have been nice to have a debate and not just a PR stunt.

It disappoints me, though, that he is trying to deliberately misunderstand me to make his own points. And I am sure he knows better.

In the end, I think my point stands that in the real world, WireGuard has no place - yet. Maybe it will never find it with people like him backing it.
