Wireguard

There have been a couple of times where it would be have been useful to be able to fake the origin of my internet traffic. Services that geo-block, differentiated regional pricing, etc.

To some extent this can be done with Tor, requesting new circuits until you get an exit node in the locale you need. However, many exit nodes get blacklisted, or made difficult to use by the “saints” (hello Cloudflare!) running some of the largest virtual hosting environments.

Time for a VPN?

The thing about VPNs is that, unless you are very careful, they provide only an incremental improvement in privacy. Still, if the goal is to be able to defeat geo-blocking it’s not a bad answer… except that the OpenVPN, the software supported by most VPN providers doesn’t have a stellar record for security (due to it’s size, it presents a large act surface), has relatively high-over head, and kills batteries.

Wireguard is a proposed answer to these issues. It’s new code, but is building on modern security libraries freeing it from some of the baggage that OpenVPN has been lugging around since 2001, and is small enough that it can realistically be reviewed / validated. Conceptually it’s a lot simpler than what came before it… i’d emphasise the “conceptually” part – making no claims to have truly understood the implications of the security choices that have been made.

And there are now VPN providers out there that are supporting Wireguard. Having signed up with one of them to experiment, it seems to be a big step forward. For my home connection (100MBit / 50MBit) it’s possible to saturate the downlink when connected to VPN… when using a server exit in Germany. Leaving it connected on my laptop there isn’t any noticeable change in battery life. I’d assume there is a change, but it’s not enough for me to worry about it.

The clients i’m using (macOS / iOS) are from the respective AppStores, and have been straightforward to configure.

All that said, not sure that i’m going to carry on paying for a VPN. The most compelling reason to do so is using it from my phone over sketch “free” WiFi… but if that is the only thing i care about it would be just as easy to install Wireguard at home and route all the traffic via that connection. The only thing stopping me doing that is laziness.

Wireguard on Synology. That’s the thing!

Advertisements