Modern security: We need Wireguard

Here, I want to have the option to use the new VPN protocol Wireguard.


And it should be there by default. Security should be the default, after all…

By default!

Note that when I say by default, I mean by default. So it should be possible to use it without any extra installation, just like it’s currently possible with OpenVPN, which it is supposed to replace.

Note that it will likely even be implemented in the Linux kernel soon.

Technology

It would be preferable to use it with an implementation in a safe language, after all, this is security-relevant.

Recently Cloudflare published a nice implementation in Rust, so maybe that can be used:

How to make this happen?

I guess it needs to be integrated into NetworkManager somehow?

Where can this be reported/tracked?

Or does this request here fit into the “Applications” category then? If so, which application? gnome-control-center?


Cross-posted in the GNOME discourse community.


So there is

for NetworkManager.

But it does not yet have an official Fedora package:

Also, it seems to be a completely new implementation of Wireguard in C or what? So I am not sure if it can e.g. use boringtun…

There seem to be some misconceptions here about security, and OpenVPN is actually not fully available by default. If users want WireGuard (and I do, for example), they may install it using copr or rpmfusion.

Also, there is no such thing as a “safe language” in this context.

I have no idea why this would use any implementation other than the official WireGuard reference implementation.

I am absolutely interested to hear which…

Really?
In my case I could set it up without installing anything before (IIRC). (In Fedora Workstation with GNOME, here.)

Not in this context. Sorry for not explaining it further, but I was mostly referring to memory safety, and these are not my words, just refer to Cloudflare itself:

After we decided to create a userspace WireGuard implementation, there was the small matter of choosing the right language. While C and C++ are both high performance, low level languages, recent history has demonstrated that their memory model was too fragile for a modern cryptography and security-oriented project. Go was shown to be suboptimal for this use case by wireguard-go.

The obvious answer was Rust. Rust is a modern, safe language that is both as fast as C++ and is arguably safer than Go (it is memory safe and also imposes rules that allow for safer concurrency), while supporting a huge selection of platforms.

They also want their implementation to get a security review, BTW.

Well, at least users should be able to uninstall the default and install a different “backend”, if this is somehow possible.

However, do note that the Wireguard devs actually wanted to get Cloudflare’s implementation into upstream as a default implementation and also seem to think the implementation is quite good.

Looks like it depends on Fedora Edition:

# dnf groupinfo "Fedora Workstation" | grep -i -e gnome
   GNOME Desktop Environment
# dnf groupinfo "GNOME Desktop Environment" | grep -i -e openvpn -e wireguard
   NetworkManager-openvpn-gnome

Regarding WireGuard, I think it would be much simpler once it is officially merged into the kernel.


It looks very interesting for sure, and I’ve been following its development quite closely; its small code footprint and the smaller attack surface area look very appealing from a speed/security aspect.

My brief WireGuard benchmarking tests have already proved to myself that it’s undoubtedly quicker than OpenVPN. I tested it on some restricted free public servers.

The only current downside of WireGuard for me is that WireGuard currently only supports UDP, and I personally prefer to use TCP.

You can install WireGuard for Fedora from Here.

My current VPN provider doesn’t currently support WireGuard, but regardless of the encryption protocol method that you decide to use I would highly recommend using a provider that is based in the Seychelles.

Purely because of the Five (FVEY), Nine, and Fourteen peering BigBrother eyes.

I’ll be moving to a Seychelles based company when my current VPN subscription expires. You can be sure about that.

My primary daily web browser (non-tor) is currently configured with two different chained-layered encryption protocol methods, so I actually web browse via three different countries…and bah it’s still not quite good enough for my personal liking lol.

#paranoidandroid

Wireguard support is now in NetworkManager! However, it does not seem be in the NetworkManager GUI yet… :thinking:

https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/


Since I am unable to respond in the Gnome Discourse nor at Ask Ubuntu, I will leave this note here.

Next to the missing GUI, there remains a little flaw with an eventual connection not used exclusively for the 0.0.0.0 route. After enabling the connection, one is not routing all traffic through the VPN. This may be desired, though.

# ip r
default via 10.10.10.254 dev enp0s20f0u1u1 proto dhcp metric 100 
default dev Europe-UK4 proto static scope link metric 20050 
10.10.10.0/24 dev enp0s20f0u1u1 proto kernel scope link src 10.10.10.188 metric 100 
10.29.0.0/24 dev Europe-UK4 proto kernel scope link src 10.29.0.156 metric 50 

with Europe-UK4 being the Wireguard connection:

# nmcli --overview connection show Europe-UK4 
connection.id:                          Europe-UK4
connection.uuid:                        091b0acf-bc4b-47a4-9dbb-8ed0fa7604c1
connection.type:                        wireguard
connection.interface-name:              Europe-UK4
connection.timestamp:                   1571225666
ipv4.method:                            manual
ipv4.dns:                               1.1.1.1
ipv4.addresses:                         10.29.0.156/24
ipv6.method:                            ignore
wireguard.private-key-flags:            0 (keine)
wireguard.listen-port:                  51820
GENERAL.NAME:                           Europe-UK4
GENERAL.UUID:                           091b0acf-bc4b-47a4-9dbb-8ed0fa7604c1
GENERAL.DEVICES:                        Europe-UK4
GENERAL.STATE:                          aktiviert
GENERAL.DEFAULT:                        nein
GENERAL.DEFAULT6:                       nein
GENERAL.SPEC-OBJECT:                    --
GENERAL.VPN:                            nein
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/51
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/37
GENERAL.ZONE:                           --
GENERAL.MASTER-PATH:                    --
IP4.ADDRESS[1]:                         10.29.0.156/24
IP4.GATEWAY:                            0.0.0.0
IP4.ROUTE[1]:                           dst = 10.29.0.0/24, nh = 0.0.0.0, mt = 50
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 0.0.0.0, mt = 20050
IP4.DNS[1]:                             1.1.1.1
IP6.ROUTE[1]:                           dst = ff00::/8, nh = ::, mt = 256, table=255

Unfortunately I was also unable to set the ominous GENERAL.VPN setting, only visible with --overview, to yes. It does not appear in the NetworkManager reference manual.

Any pointers on how to get a desired VPN behaviour without having to manually remove the default route of the LAN interface are appreciated.

Try this:

nmcli connection modify Europe-UK4 ipv4.route-metric 50 ipv6.route-metric 50
nmcli connection down Europe-UK4
nmcli connection up Europe-UK4

Although, if there’s no explicit route to the remote gateway, then it might be a bug.
Perhaps you can workaround it using a separate routing table.

The upper scale parameters refer to the runtime status.
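As an added check (not code from the thread or from NetworkManager), the script below parses `ip route` output and reports which interface actually wins the default route, so you can verify whether the metric change above really moves all traffic onto the WireGuard interface. The two route listings are constructed copies of the table quoted above, before and after the fix; the interface names are the ones from the thread.

```shell
#!/bin/sh
# Added example: determine which interface carries the effective (lowest-metric)
# IPv4 default route, to verify that the VPN, not the LAN uplink, is the default.

# Constructed sample: the routing table quoted in the thread, before the fix
# (the WireGuard default route loses with metric 20050 against the LAN's 100).
ROUTES_BEFORE='default via 10.10.10.254 dev enp0s20f0u1u1 proto dhcp metric 100
default dev Europe-UK4 proto static scope link metric 20050
10.10.10.0/24 dev enp0s20f0u1u1 proto kernel scope link src 10.10.10.188 metric 100
10.29.0.0/24 dev Europe-UK4 proto kernel scope link src 10.29.0.156 metric 50'

# Constructed sample: the same table after "ipv4.route-metric 50" was applied.
ROUTES_AFTER='default via 10.10.10.254 dev enp0s20f0u1u1 proto dhcp metric 100
default dev Europe-UK4 proto static scope link metric 50
10.10.10.0/24 dev enp0s20f0u1u1 proto kernel scope link src 10.10.10.188 metric 100
10.29.0.0/24 dev Europe-UK4 proto kernel scope link src 10.29.0.156 metric 50'

# effective_default_iface: reads an "ip route" listing on stdin and prints the
# device of the default route with the lowest metric. A default route without
# a "metric" field is treated as metric 0, which is what the kernel does.
effective_default_iface() {
    awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
        }
        END { if (best != "") print best }
    '
}

# vpn_is_default <vpn-iface>: succeeds only if that interface wins the default route.
vpn_is_default() {
    [ "$(effective_default_iface)" = "$1" ]
}

# Live usage on a real host:  ip route | vpn_is_default Europe-UK4 && echo "all traffic via VPN"
```

Note that this only checks the main routing table; if you follow the separate-routing-table workaround mentioned above, inspect that table (`ip route show table <id>`) and the rules (`ip rule`) as well.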