Feature Request: Wireguard

Planned

Comments

33 comments

  • Firewalla

    Since WireGuard is now 1.0, we will be integrating it with Firewalla for sure. Likely to happen after we stabilize the Gold, and highly likely later in the summer :)

    3
  • Hans Tobeason

    Client!  Desperately needed!  OpenVPN is sooooooo slow.

    3
  • Firewalla

    Need to wait a bit on that. 1.971 needs to be out first (Multi-WAN, SQM, ...) and bug fixes need to be out first. Likely 1.972 will have WireGuard (hopefully)

    2
  • Firewalla

    @David

    The problem is not WireGuard ... WireGuard is fairly light. 

    The issue is the rest of the system. Firewalla resource allocation is per network. For example, on the Blue today, you have the main network and an OpenVPN network; and adding a WireGuard network ... will increase the resource usage due to a new network that will need to be tracked. (These resources are primarily cache and data structures to track flows and break/assemble traffic.)

    Due to how the software was designed, it is also really difficult to remove OpenVPN and only run WireGuard ...

    2
  • Firewalla

    @Wacey thanks for looking into this. The reason we picked OpenVPN is purely due to maturity and popularity. Will look at WireGuard for sure in the future. It is on our long-term to-do list already. Thanks to @Jeremy and you.

    1
  • Wacey

    Has it matured enough yet?  Linus Torvalds seems to like it.  :)

    1
  • Hans Tobeason

    Another vote for WireGuard ASAP!

    1
  • Firewalla

    WireGuard server on Firewalla? Or WireGuard client on Firewalla? Which one do you want first?

    1
  • K.S. Chong (Kwong Sheng)

    Server first please

    1
  • Mark

    I would say server. I only connect to my FireWalla: clients are available for every OS.

    1
  • Jeremy

    I failed to understand how you used the VPN function. The VPN function is to have the Firewalla app establish a VPN tunnel to your Firewalla device. Clever feature. I thought it was for anonymity VPN service such as that provided by https://www.azirevpn.com/wireguard. I still think it could be an advanced option but the boxes need to bring up the CPU a lot more if you want to run VPN throughput equivalent to your Bro throughput.

    0
  • Wacey

    I was looking at the features and anti-features of Algo VPN (a cloud VPN) and noticed that they call OpenVPN a "risky server."

    They use WireGuard.

    Edit: Upon further investigation, WireGuard states the code is not complete yet and "has not undergone proper degrees of security auditing and the protocol is still subject to change."

    It does look promising though.

    0
  • Jeremy

    @Wacey WireGuard still needs maturity and thorough security auditing but for basic obfuscation similar to Algo's and Streisand's business models, it is more than acceptable. For its performance it is very choice for this device and usage model. IPSec/L2tp would be an acceptable protocol suite for mobile devices since they typically have hardware accelerated crypto but IPSec is a nightmare and not as fast.

    0
  • Mstormo

    Is there an update on WireGuard support, particularly for the Gold version?

    0
  • Bob

    I'm also very interested in this!

    0
  • FF

    If I may make a suggestion, can we still preserve the option to choose classic OpenVPN even if you decide to switch to WireGuard?

    The second is definitely very interesting from a security and performance point of view but it is also so new that we might face incompatibility issues (similar to TLS 1.3)

    0
  • Firewalla

    @FF, we will not touch existing functions.  We do understand, even Wireguard is new ... OpenVPN is still much more popular ...

    0
  • Mark

    Might be a bit off-topic, but I just want to say that Firewalla support is absolutely fantastic. The interaction with your customers is also one I have not seen with any other security focused company. Keep it up!

    Besides that: cannot wait for WG to get integrated. The minute it does I will install it on all my phones and route all traffic through Firewalla :)

    0
  • Firewalla

    @Mark, thank you!  

    0
  • horizonbrave

    me too

    0
  • Bob

    I like Wireguard too but keep in mind some ISPs are throttling UDP traffic that isn't DNS, like mine... I tried changing ports, eventually using a Linode to test my suspicions. Some use DPI to ensure it's not DNS traffic and still throttle. Just something to be aware of. 

    Aside from using port 53 for the Wireguard traffic, lol, not sure how you'd overcome that.

    0
  • Hector

    +1 Another vote here for Wireguard support.

    0
  • Chris Hewitt

    +1 on wanting Wireguard support.  I would even pay a bit to accelerate its development. 

    0
  • Hector

    +1 for both :)

    0
  • Jeff B

    Client!

    0
  • Anders Ripa

    I would say server first but client soon after, my main use case is Gold to Gold VPN traffic. Wireguard is mainly to increase throughput as OpenVPN works stable at the moment.

    0
  • Anders Ripa

    I just want to thank you for the WireGuard server function in the Gold. It has sped things up when doing larger transfers of backups!
    Whenever the client support is also there it will be even easier to use it between Gold devices!

    Good work and once again thank you!

    0
  • Mark

    Yeah, thank you from me as well! I now use WireGuard VPN for default on all our phones too. Do not even notice it!

    I did have some issues getting it to work though. For some reason the DNS server was set to a WireGuard address (10.something). I could get a VPN tunnel, but no internet through it. After changing the DNS in the WireGuard settings to my Firewall address I had no more issues. Has this been fixed, or was I the only one with this issue?

    0
  • Support

    @Mark. Thanks for the feedback. Can you please send an email to help@firewalla.com so that we can help check if there is any misconfiguration on the wireguard server?

    0
  • Support Team

    @Mark,

    This may be because the app configured the WireGuard DNS server incorrectly when setting up WireGuard. Using Firewalla IP can bypass the problem.

    Do you use iOS or Android?

    Would you mind sending an email to help@firewalla.com? We can help check the problem on the box to confirm the root cause.

    0