> It’s kernel-based which reduces attack surface and can be run in virtually any device.
Excuse my ignorance, but can someone explain why a kernel-based networking stack has less of an attack surface than a user-space based stack?
I mean logically user-space should be more secure no?
Hm. I guess no-one has bothered with nftables yet, even when dealing with network code that's becoming part of the new upstream kernel (not just this blog, AFAIK wireguard upstream doesn't have any examples on using nftables either, just iptables).
I guess we need a new networking how-to?
Anyone aware of some resources I might have missed?
OK, I guess the nftables wiki is the "how-to": https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
Does wireguard have a noticeable overhead wrt data size compared to an unencrypted connection? I was thinking of setting it up on a small RPi-like board at home, then on the laptop I carry around (when the lockdown is over). The purpose would be connecting to the Internet through the home broadband public IP, which could be handy. However the laptop connects through a metered 4G connection which, although the data cap is more than reasonable, raises some concerns should the encryption require a lot more data than normal.
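As an added worked example (not from this thread), the per-packet cost of WireGuard's transport data message can be estimated from its layout: a 16-byte header, the inner packet padded to a multiple of 16 bytes (capped at the tunnel MTU), and a 16-byte Poly1305 tag, carried inside UDP and the outer IP header. The default MTU of 1420, the 25-second keepalive interval and the sample packet sizes are assumptions chosen for illustration.

```python
# Added example: estimate WireGuard data overhead for a metered link.
# Constants follow the WireGuard transport data message format; the
# MTU, keepalive interval and sample traffic below are assumptions.

WG_TRANSPORT_HEADER = 16   # type(1) + reserved(3) + receiver index(4) + counter(8)
WG_AUTH_TAG = 16           # Poly1305 tag over the ChaCha20-Poly1305 payload
UDP_HEADER = 8
IP_HEADER = {"ipv4": 20, "ipv6": 40}
DEFAULT_MTU = 1420         # wg-quick default tunnel MTU (assumption)


def padded_len(inner_len: int, mtu: int = DEFAULT_MTU) -> int:
    """Inner packet is padded to a multiple of 16 bytes, never beyond the MTU."""
    return min(mtu, (inner_len + 15) // 16 * 16)


def wireguard_packet_len(inner_len: int, outer: str = "ipv4",
                         mtu: int = DEFAULT_MTU) -> int:
    """Bytes on the wire for one inner packet sent through the tunnel."""
    return (IP_HEADER[outer] + UDP_HEADER + WG_TRANSPORT_HEADER
            + padded_len(inner_len, mtu) + WG_AUTH_TAG)


def overhead_ratio(sizes, outer: str = "ipv4") -> float:
    """Extra bytes per inner byte for a list of inner packet sizes."""
    inner = sum(sizes)
    wire = sum(wireguard_packet_len(s, outer) for s in sizes)
    return (wire - inner) / inner


def keepalive_bytes_per_hour(interval_s: int = 25, outer: str = "ipv4") -> int:
    """PersistentKeepalive sends an empty data message; cost while idle."""
    return (3600 // interval_s) * wireguard_packet_len(0, outer)


if __name__ == "__main__":
    bulk = [1420] * 100            # constructed: MTU-sized download packets
    acks = [40] * 100              # constructed: bare TCP ACKs
    print(f"bulk transfer overhead: {overhead_ratio(bulk):.1%}")
    print(f"small-packet overhead:  {overhead_ratio(acks):.1%}")
    print(f"idle keepalive cost:    {keepalive_bytes_per_hour()} bytes/hour")
```

Bulk traffic costs a few percent extra, while tiny packets more than double in size, so the answer depends heavily on the traffic mix rather than on the encryption itself.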
I would suggest using Algo VPN to set up WireGuard https://github.com/trailofbits/algo
I know it's orthogonal to WireGuard itself, but I'd like to see these guides sometime provide some guidance around DNS, so that I can access services without having to remember the VPN client IP addresses.
If you're using NetworkManager and wireguard, try out the integration between the two as well. It lets you treat the tunnel as any other VPN in nm, and also easily avoids some issues with routing loops if you roam back on to your home network. Before, I always had to manually use wg-quick when I came back home or left.
I also made a guide for connecting with the official iOS and macOS WireGuard clients, as I originally found it a bit difficult with the current UI.
I made an Ansible script for the server: https://github.com/Tazeg/ansible-wireguard. If it helps.
Just FYI, WireGuard is baked right into the Linux 6.x kernel. Unless you're on a rolling distro you won't see it yet, but very cool indeed.
One thing that is imo downplayed about WireGuard as opposed to other VPNs is ease of use, specifically:
- setup is easy
- automated config of large setups is easy
- it is extremely resilient under temporary network failure
Does anyone have a guide for setting up server-to-server wireshark connection?
Everything I have found so far is about consumer VPN stuff.
I'm interested in possibly using wireshark for server-to-server as a less painful alternative to TLS.
Do you have to use the wireguard client or could say the VPN stack in Windows be used to connect to a wireguard server?
Is there like a simpler configuration esp. for clients using windows / mac?