Modern security: We need Wireguard

Here, I want to have the option to use the new VPN protocol Wireguard.


And it should be there by default. Security should be the default, after all…

By default!

Note that when I say by default, I mean by default. So it should be possible to use without any extra installation, just like it is currently possible with OpenVPN, which it is supposed to replace.

Note that it will even be implemented in the Linux kernel, soon, likely.

Technology

It would be preferable to use it with an implementation in a safe language, after all, this is security-relevant.

Recently Cloudflare published a nice implementation in Rust, so maybe that can be used:

How to make this happen?

I guess it needs to be integrated into NetworkManager somehow?

Where can this be reported/tracked?

Or does this request here fit into the “Applications” category then? If so, which application? gnome-control-center?


Cross-posted in the GNOME discourse community.


So there is

for NetworkManager.

But it does not yet have an official Fedora package:

Also, it seems to be a completely new implementation of Wireguard in C, or what? So I am not sure if it can, e.g., use boringtun.

There seem to be some misconceptions here about security, and OpenVPN is actually not fully available by default. If users want WireGuard (and I do, for example), they may install it using copr or rpmfusion.

Also, there is no such thing as a “safe language” in this context.

I have no idea why this would use any implementation other than the official WireGuard reference implementation.

I am absolutely interested to hear which…

Really?
In my case I could set it up without installing anything beforehand (IIRC; in Fedora Workstation with GNOME, here).

Not in this context. Sorry for not explaining it further, but I was mostly referring to memory safety, and these are not my words, just refer to Cloudflare itself:

After we decided to create a userspace WireGuard implementation, there was the small matter of choosing the right language. While C and C++ are both high performance, low level languages, recent history has demonstrated that their memory model was too fragile for a modern cryptography and security-oriented project. Go was shown to be suboptimal for this use case by wireguard-go.

The obvious answer was Rust. Rust is a modern, safe language that is both as fast as C++ and is arguably safer than Go (it is memory safe and also imposes rules that allow for safer concurrency), while supporting a huge selection of platforms.

They also want their implementation to get a security review, BTW.

Well, at least users should be able to uninstall the default and install a different “backend”, if this is somehow possible.

However, do note that the Wireguard devs actually wanted to get Cloudflare’s implementation into upstream as a default implementation and also seem to think the implementation is quite good.

Looks like it depends on Fedora Edition:

# dnf groupinfo "Fedora Workstation" | grep -i -e gnome
   GNOME Desktop Environment
# dnf groupinfo "GNOME Desktop Environment" | grep -i -e openvpn -e wireguard
   NetworkManager-openvpn-gnome

Regarding WireGuard, I think it would be much simpler once it is officially merged into the kernel.


It looks very interesting for sure, and I’ve been following its development quite closely. Its small code footprint and the smaller attack surface area look very appealing from a speed/security aspect.

My brief WireGuard benchmarking tests have already proved to myself that it’s undoubtedly quicker than OpenVPN. I tested it on some restricted free public servers.

The only current downside of WireGuard for me is that WireGuard currently only supports UDP, and I personally prefer to use TCP.

You can install WireGuard for Fedora from Here.

My current VPN provider doesn’t currently support WireGuard, but regardless of the encryption protocol method that you decide to use I would highly recommend using a provider that is based in the Seychelles.

Purely because of the Five (FVEY), Nine, and Fourteen peering BigBrother eyes.

I’ll be moving to a Seychelles based company when my current VPN subscription expires. You can be sure about that.

My primary daily web browser (non-tor) is currently configured with two different chained-layered encryption protocol methods, so I actually web browse via three different countries…and bah it’s still not quite good enough for my personal liking lol.

#paranoidandroid

Wireguard support is now in NetworkManager! However, it does not seem to be in the NetworkManager GUI yet… :thinking:

https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/
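Since NetworkManager understands WireGuard but the GUI does not expose it yet, a connection can be defined as a NetworkManager keyfile. The script below is an added example (not from this thread or from the NetworkManager project) that generates and installs such a keyfile; it assumes the keyfile layout documented in nm-settings-keyfile, and every key, address and endpoint value is a constructed placeholder.

```shell
#!/bin/sh
# Added example: produce a NetworkManager keyfile for a WireGuard connection.
# Values passed in are placeholders; real keys come from `wg genkey`/`wg pubkey`.

# Emit the keyfile on stdout.
# $1 interface/connection name  $2 our private key (base64)  $3 listen port
# $4 local address with prefix   $5 peer public key           $6 peer endpoint
# $7 allowed IPs for the peer
wg_nm_keyfile() {
    printf '[connection]\nid=%s\ntype=wireguard\ninterface-name=%s\n\n' "$1" "$1"
    printf '[wireguard]\nprivate-key=%s\nlisten-port=%s\n\n' "$2" "$3"
    # One section per peer; the section name carries the peer's public key.
    printf '[wireguard-peer.%s]\nendpoint=%s\nallowed-ips=%s\n\n' "$5" "$6" "$7"
    printf '[ipv4]\naddress1=%s\nmethod=manual\n\n' "$4"
    printf '[ipv6]\nmethod=disabled\n'
}

# Sanity check on generated text: every section NetworkManager needs is present.
keyfile_has_sections() {
    printf '%s\n' "$1" | grep -q '^\[connection\]' &&
    printf '%s\n' "$1" | grep -q '^type=wireguard$' &&
    printf '%s\n' "$1" | grep -q '^\[wireguard\]' &&
    printf '%s\n' "$1" | grep -q '^\[wireguard-peer\.'
}

# Write the keyfile where NetworkManager looks for it. The file holds the
# private key, so it is created root-only (umask 077, mode 0600) before
# NetworkManager is asked to reload and bring the connection up.
install_wg_keyfile() {
    dir=/etc/NetworkManager/system-connections
    file="$dir/$1.nmconnection"
    content=$(wg_nm_keyfile "$@")
    keyfile_has_sections "$content" || { echo "bad keyfile" >&2; return 1; }
    umask 077
    printf '%s\n' "$content" > "$file" && chmod 600 "$file" &&
    nmcli connection reload && nmcli connection up "$1"
}
```

The private key is passed as an argument here for brevity; on a shared machine read it from a root-only file instead so it never shows up in the process list.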