So I am using OpenVPN server on my SBC at home and connect to it whenever I want to.
Nowadays I read so many positive reviews about WireGuard VPN as it is seem to be better choice over OpenVPN, but I am still not sure why should I switch to it? What does it make WireGuard a better choice rather than OpenVPN?
Well, yeah on WireGuard subreddit you will find that people will recommend it lol. But there are pretty solid VPNs out there. Found a spreadsheet floating around and bought Proton. If you are curious here is the sheet: https://docs.google.com/spreadsheets/d/13mF30zRbo7_5HQ3p3i7s7pT7oB9pxdWBU1hF5843yr4/edit?gid=1007600439#gid=1007600439
I would add:
Much simpler to set up, especially on “server” side
Roaming when using with mobile devices; I have it connected permanently and never worry about losing connection
Much quicker to establish connection
Significantly less battery drain on mobile devices, especially when using a custom Kernel that has the wireguard module
I recommend a read through the website (https://www.wireguard.com/) - I think that answers many of your questions. But a few common cited elements are a substantial speed advantage vs OpenVPN and smaller code base. Plus Wireguard should eventually be included in the mainline Linux kernel.
Using it on android without kernel support (userspace implementation) can’t say the battery life is that much better if at all from openvpn. Openvpn speed was about half of normal speed. Wireguard was about 1/6th. Using custom kernel with wireguard support, speed was only 6-7 mbps less than non-vpn speed, so pretty close to full speed.
i don’t even know where to start with this.
if only i could have you experience what it’s like trying to reverse engineer an openvpn connection to a destination where you don’t know the exact ciphers and configuration on the remote end. trying to make openvpn work with ec2 or usg gateway from linux. spending hours tweaking a cipher here or an option there and checking the debug output to see how much further p1 or p2 handshake managed to get…
all of that shit goes out the window. it’s now just a question of versioning. each version will have a list of ciphers which are currently considered safe. if you’re out of date, all you have to do is update your client/server and bam. it literally just fucking works. there’s ONE config file on each end. that’s it. they’re so fucking simple, a caveman can figure it out.
xl2tpd.conf? gone. options.xl2tpd.client? poof.
i’ve set up vpn’s on windows, mac, linux, site to site with fortinet, meraki, cisco…this is hands down the easiest and streamlined vpn i’ve ever touched. i honestly found myself at times going “surely there must be more. that couldn’t have been the entire setup…could it? let’s see…*click*…holy shit. it’s connected. and it works…clearly magic”
while the documentation on the wireguard site could use a bit more eli5, there are PLENTY of good write-ups on how to get this set up on a ton of various environments.
i’ve got mine running on a pi2 and cobbled this script together to get everything up and running, including generating the client side configs.
oh. almost forgot. one of the reasons i was looking at this was because i was unable to vpn home over a cellular connection from my pixel 2 on the google fi network (by the way, if you haven’t checked this out, you absolutely should). i was able to connect when i was on a remote wifi, but that wasn’t good enough. with the android wireguard client, i can keep it connected 24/7 if i felt like it and it just works. everywhere. all the time.
l2tp on i think both iOS and android require an IP address for always on functionality. wireguard allows the endpoint to be entered as fqdn which makes life considerably easier for those with dynamic IPs or other use cases where you don’t want to be changing ips on your, or potentially hundreds/thousands of employee devices.
it only routes traffic to my lan when necessary. on top of which, wireguard eats up considerably less battery/resources as the connection is only active when data needs to traverse. you don’t have a consistent flow of data to maintain the (non-existent) p1/p2 components of the tunnel.
is this still new? yes. does it need more eyes and review? absolutely. does it, regardless of the former, appear to be the best thing to happen to VPN since sliced bread in terms of oversight, configuration, and performance? fuck a doodle yes.
Full speed and it is much,much better at keeping the tunnel up.
Thanks everyone! I just got rid of OpenVPN as WireGuard does the job perfectly!
I read where there are security issues and compatibility problems with some vpns
• Much simpler to set up, especially on “server” side
I’m sure this is true but there were well vetted scripts on github that automated much of the setup of OpenVPN. You have any pointers on scripts I can use for WireGuard?
• Significantly less battery drain on mobile devices, especially when using a custom Kernel that has the wireguard module
I’m assuming you are running Android. I’d have to flash custom firmware to get this kernel loaded?
There is a WireGuard client for iOS but I’m assuming battery life will be worse than OpenVPN right now since apple will have to build support for WireGuard into iOS and they haven’t yet.
hi. for some reason, it crashes on my android, is there any alternative, as I setup my Algo VPN already…
You have any pointers on scripts I can use for WireGuard?
I mostly followed this guide: Wireguard VPN: Typical Setup - The poetry of (in)security
I’m assuming you are running Android. I’d have to flash custom firmware to get this kernel loaded?
No, you can run it in userspace, but it will be somewhat harder on the battery.
There is a WireGuard client for iOS but I’m assuming battery life will be worse than OpenVPN right now since apple will have to build support for WireGuard into iOS and they haven’t yet.
OpenVPN is not built into iOS afaik (ipsec is, I think) so I would be surprised if OpenVPN is any better
I don’t know if you’re using a custom kernel but if the official wireguard app is crashing you can try the tunsafe app. It has more features, such as app exclusions and local network bypass. I don’t know when, if ever, the official app will have those features. Only thing lack is kernel support, so userspace only.
u/khaberz, u/somas - I’d like to clarify one thing.
On my OpenVPN server, via SSH I generate required certificates and just using ovpn-gen utility I generate (then manually update it to fix remaining details) a single OVPN file, which I transfer to my relative(s), so he/she can connect to my OpenVPN server. It’s nothing hard for them to install Android app and then just import OVPN profile to it. Simple as that.
As long as I’ve seen regarding WireGuard - everything seems to be way more complicated to set up. Am I wrong or am I missing something? Is there any profiles (like OVPN) or smth?
Also, I am using Pi-Hole on my home server and I am also using custom DNS settings on my OpenVPN server, so every client is under ad blocking DNS. Is it also possible with WireGuard?