Notes

Tue 2020-03-17 03:49

I'm not sure what Michael Tremer over at IPFire is smoking when he says that WireGuard isn't a suitable replacement for OpenVPN. In my view, he seems to be picking gnat shit out of pepper on the technical details while trying to grind some personal axe against the new protocol. Whatever his motivations... here at ground level on planet Earth:

I frickin' love WireGuard.

And I am a looong time OpenVPN user (like 15+ years, I think). I can't see how anyone who has worked with OpenVPN for a decade or more wouldn't find WireGuard to be a much-needed breath of fresh air in the Open Source VPN space. I mean, unless you just like dicking around with certificate chain management, session negotiation problems, dog slow performance, inability to use standard firewall rules for traffic management, etc. Me? Yeah, not so much.

And don't get me started on IPSec, of which Michael also sings praises. IPSec is great, until you need to connect a tunnel between two endpoints from different vendors. Then all bets are off. I've been building IPSec VPN networks for over 20 years and I won't willingly do a buildout unless I have access to both endpoints. Trying to troubleshoot an IPSec tunnel build between different hardware vendors from only one side of the connection is like trying to drive blindfolded in a foreign country while some guy with a strange accent gives you directions from the back seat.

I tried WireGuard when it was still in beta and I quickly became a convert. The protocol is straightforward, the implementation is easy (and easily scriptable), and the tunnel interfaces act like typical network interfaces so all the standard firewall tools (iptables, firewalld) work as expected. My experience with WireGuard has been nothing but great. I've since replaced my OpenVPN implementations on all of my static tunnels and remote access connections, everywhere.
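As an added example (my own, not code from this post or from the WireGuard project), here is what "easily scriptable" and "standard firewall tools work as expected" look like in practice: a POSIX shell script that renders both sides of a static site-to-site tunnel as wg-quick configs and emits the iptables rules for the listening gateway, matching the tunnel with plain `-i`/`-o` like any other interface. Every address, hostname, interface name, port and key below is a placeholder assumption; real keys come from `wg genkey` and `wg pubkey`.

```shell
#!/bin/sh
# Added example; not code from the post or from the WireGuard project.
# Renders both sides of a static site-to-site WireGuard tunnel and the
# iptables rules for the listening gateway. Every address, port, interface
# name, hostname and key below is a made-up assumption.
set -eu

# Render a wg-quick config (what goes in /etc/wireguard/wg0.conf).
#   $1 tunnel address/prefix for this side, e.g. 10.200.0.1/24
#   $2 UDP listen port, or "" for a side that only dials out
#   $3 this side's private key (from `wg genkey`)
#   $4 remote peer's public key (from `wg pubkey`)
#   $5 remote peer's Endpoint host:port, or "" if that peer dials in
#   $6 AllowedIPs for the remote peer: the cryptokey-routing entry that both
#      selects this peer for outbound traffic and filters what it may send
render_wg_conf() {
  addr=$1; port=$2; privkey=$3; peerpub=$4; endpoint=$5; allowed=$6
  printf '[Interface]\nAddress = %s\n' "$addr"
  if [ -n "$port" ]; then printf 'ListenPort = %s\n' "$port"; fi
  printf 'PrivateKey = %s\n\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' \
    "$privkey" "$peerpub" "$allowed"
  if [ -n "$endpoint" ]; then
    # Keepalive is only needed on the side sitting behind NAT or a
    # stateful firewall; the listening side learns the endpoint on handshake.
    printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$endpoint"
  fi
}

# Emit iptables commands for a gateway with WireGuard interface $1, LAN
# interface $2, listen port $3 and remote site prefix $4. Assumes the
# FORWARD chain policy is DROP. The tunnel is matched with ordinary -i/-o;
# no VPN-specific chains or marks are needed.
render_fw_rules() {
  wgif=$1; lanif=$2; port=$3; remote_lan=$4
  cat <<EOF
iptables -A INPUT -p udp --dport $port -j ACCEPT
iptables -A FORWARD -i $lanif -o $wgif -j ACCEPT
iptables -A FORWARD -i $wgif -o $lanif -s $remote_lan -j ACCEPT
EOF
}

# Demo: site A (192.168.1.0/24) has a public address and listens;
# site B (192.168.2.0/24) dials in. Keys are placeholders, not real keys.
A_PRIV=A_PRIVATE_KEY_PLACEHOLDER; A_PUB=A_PUBLIC_KEY_PLACEHOLDER
B_PRIV=B_PRIVATE_KEY_PLACEHOLDER; B_PUB=B_PUBLIC_KEY_PLACEHOLDER

site_a_conf() {
  render_wg_conf 10.200.0.1/24 51820 "$A_PRIV" "$B_PUB" "" \
    "10.200.0.2/32, 192.168.2.0/24"
}
site_b_conf() {
  render_wg_conf 10.200.0.2/24 "" "$B_PRIV" "$A_PUB" \
    "vpn-a.example.net:51820" "10.200.0.1/32, 192.168.1.0/24"
}

echo "# --- site A: /etc/wireguard/wg0.conf ---"; site_a_conf
echo "# --- site B: /etc/wireguard/wg0.conf ---"; site_b_conf
echo "# --- site A firewall (wg0 tunnel, eth1 LAN) ---"
render_fw_rules wg0 eth1 51820 192.168.2.0/24
```

Bring each side up with `wg-quick up wg0` after writing its config; because AllowedIPs doubles as the routing table, site B's traffic for 192.168.1.0/24 is steered into the tunnel and site A will only accept packets from B carrying a source inside B's AllowedIPs, so the `-s` match in the FORWARD rule is defense in depth rather than the only gate.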

Not only have I found WireGuard to be about 10x more performant than OpenVPN in terms of session build time and network throughput, I've also found it to be a hell of a lot easier to maintain. Granted, WireGuard is probably not suited to every single possible use case at this time (as Michael takes great pains to elaborate on). And granted, my personal use case doesn't cover a lot of the ground where WireGuard is lacking. I got 99 problems but running a remote access solution for 500 road warriors ain't one.

What WireGuard does - man, it does it really, really well. The biggest feature I've been waiting on is mainline kernel integration, and that's finally starting to roll out. So to me, the future of WireGuard is looking bright, indeed.
