Rethinking Obfuscation

2016-12-16 Thread Paul Swanson
Hi,

I'd just like to revisit a topic that recently came up on the mailing list, 
traffic obfuscation.

Firstly, I'd like to state that I'm merely a grateful user of Wireguard, not a 
contributor.

That's relevant because the only way I can get reliable, uncensored Internet is 
with the help of Wireguard. And the only reason that is so, is because 
Wireguard is not yet a popular protocol.

I don't want to be so bold as to make an outright "feature request" for traffic 
obfuscation, but I would like to make my case for its acceptance.

Right now, in many countries there are extreme filtering practices in place. 
And I realise that there's an argument for addressing this at a policy level 
but sadly that thinking is just not useful for literally billions of people 
(https://freedomhouse.org/report/freedom-net/freedom-net-2016). It's a 
different political context.

It's easy to feel comfortable from a western democratic context with our 
relative sense of freedom, but our governments have already built the most 
pervasive instruments of mass surveillance ever known. We've a lot of trust and 
people who've brazenly betrayed us. We're just building security infrastructure 
on the assumption we'll continue to be allowed to use it for privacy.

For old VPN protocols such as IPSEC, OpenVPN and the like there's no hope. 
These are easily blocked by breaking the handshake processes, at the very 
least. Systems like TOR are praised by privacy advocates but are all but 
useless in the face of state-level / ISP filtering.

So while the problem might originate at a political level, this is not always 
resolvable. And right now there's precious little offering a technical 
solution. The only reliable approach I'm seeing widely employed is proprietary 
implementations of Open Source VPNs. VPN providers are making various 
obfuscation tweaks to things like OpenVPN to enable their services to work in 
places like China. The problem here is at least twofold. Firstly, it's 
proprietary! Need I say more here? Secondly, I don't see why any rational 
person should have confidence in these companies' cryptographic expertise.

I'd humbly like to propose a change in philosophy:

That obfuscation is a necessary, intermediary safeguard on the road to policy 
change.

That at least making provision for compatibility with obfuscation tools is 
relevant to the mission of projects such as Wireguard.

That providing expertise or guidance on how to obfuscate the Wireguard 
protocol, in the least miserable way, is a good and worthwhile thing.

Once again, thanks for all your work on the project. I love working with the 
userspace tools, they're well thought through. I love how resilient and well 
the protocol performs in the real world with miserable network latencies and 
giant evil firewalls. I love that it's open source.

I just hope I can keep using it where it really counts.

Paul S.


Sent from [ProtonMail](https://protonmail.com), encrypted email based in 
Switzerland.
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Rethinking Obfuscation

2016-12-16 Thread Paul Swanson
Hi,

I'd just like to revisit a topic that recently came up on the mailing list, VPN 
obfuscation.

Firstly, I'd like to state that I'm merely a grateful user of Wireguard, not a 
contributor.

That's relevant because the only way I can get reliable, uncensored Internet is 
with the help of Wireguard. And the only reason that is so, is because 
Wireguard is not yet a popular protocol.

I don't want to be so bold as to make an outright "feature request" for traffic 
obfuscation, but I would like to make my case for its acceptance.

Right now, in many countries there are extreme filtering practices in place. 
And I realise that there's an argument for addressing this at a policy level 
but sadly that thinking is just not useful for literally billions of people 
(https://freedomhouse.org/report/freedom-net/freedom-net-2016). It's a 
different political context.

It's easy to feel comfortable from a western democratic context with our 
relative sense of freedom, but our governments have already built the most 
pervasive instruments of mass surveillance ever known. We've a lot of trust and 
people who've brazenly betrayed us. We're just building security infrastructure 
on the assumption we'll continue to be allowed to use it for privacy.

For old VPN protocols such as IPSEC, OpenVPN and the like there's no hope. 
These are easily blocked by breaking the handshake processes, at the very 
least. Systems like TOR are praised by privacy advocates but are all but 
useless in the face of state-level / ISP filtering.

So while the problem might originate at a political level, this is not always 
resolvable. And right now there's precious little offering a technical 
solution. The only reliable approach I'm seeing widely employed is proprietary 
implementations of Open Source VPNs. VPN providers are making various 
obfuscation tweaks to things like OpenVPN to enable their services to work in 
places like China. The problem here is at least twofold. Firstly, it's 
proprietary! Need I say more here? Secondly, I don't see why any rational 
person should have confidence in these companies' cryptographic expertise.

I'd like to propose a change in philosophy.

That obfuscation is a necessary, intermediary safeguard on the road to policy 
change.

That at least making provision for compatibility with obfuscation tools is 
relevant to the mission of projects such as Wireguard.

That providing expertise or guidance on how to obfuscate the Wireguard 
protocol, in the least miserable way, is a good and worthwhile thing.

Once again, thanks for all your work on the project. I love working with the 
userspace tools, they're really well thought through. I love how resilient and 
well the protocol performs in the real world with miserable network latencies 
and giant evil firewalls. I love that it's open source.

I just hope I can keep using it where it really counts.

Paul S.




awesome mips performance

2016-12-16 Thread Jason A. Donenfeld
Hey guys,

The latest snapshot is broken on big endian. This commit [1] fixes it,
and will be released in the next snapshot shortly. Sorry about that.
Lots of churn with the siphash implementation.

With the recent changes to add alignment in the headers, I now get 60
megabits per second on a super crappy TL-WR841N board (QCA9533)
transmitting over the internet. This is awesome performance -- a good
milestone for little CPUs.

Jason

[1] https://git.zx2c4.com/WireGuard/commit/?id=094e95e736723075d586d7a006c5525f2e3a74d4


Re: [WireGuard] Wireguard in OpenWRT/LEDE: FYI: Pull Request

2016-12-16 Thread Jason A. Donenfeld
Hey Dan,

I just submitted a pull request to bump the package and add this
conditional: https://github.com/openwrt/packages/pull/3664

Jason