GNU social JP
Conversation

Notices

  1. Stefano Marinelli (stefano@mastodon.bsd.cafe)'s status on Friday, 08-Nov-2024 23:33:16 JST

    Mullvad: Removing OpenVPN 15th January 2026

    https://mullvad.net/it/blog/removing-openvpn-15th-january-2026

    #VPN #Mullvad #MullvadVPN

    • feld (feld@friedcheese.us)'s status on Friday, 08-Nov-2024 23:59:42 JST
      in reply to
      • matuzalem
      @stefano @matuzalem I don't know that Wireguard has that much of an advantage anymore, really. It's missing so many features that OpenVPN provides for managing a user and access control, injecting routes and stuff, etc.

      You can't even complain about performance anymore as there is now a kernel module (OpenVPN DCO // data channel offload) that closes the performance gap

      Wireguard just has a better default cipher and its network roaming feature but that's about it.

      Attachments


      1. https://media.friedcheese.us/uploads/b0/df/21/b0df21bab9e0b370b68a6243f4e71320d0648cac550455f47ba53989a6e0cdf6.png
    • Stefano Marinelli (stefano@mastodon.bsd.cafe)'s status on Friday, 08-Nov-2024 23:59:43 JST
      in reply to
      • matuzalem

      @matuzalem I agree. OpenVPN is still a great choice for many use cases (if you need user/password auth, etc.) but Wireguard is so good

    • matuzalem (matuzalem@mastodon.bsd.cafe)'s status on Friday, 08-Nov-2024 23:59:45 JST
      in reply to

      @stefano Wireguard indeed IS the future.

    • feld (feld@friedcheese.us)'s status on Saturday, 09-Nov-2024 00:04:47 JST
      in reply to
      • matuzalem
      @matuzalem @stefano for the simplest use cases it works great, no doubt.

      But try to figure out how to automate deployment with users in LDAP and restrict access to the VPN by their group, for example. Wireguard isn't a good fit for something like that.
    • matuzalem (matuzalem@mastodon.bsd.cafe)'s status on Saturday, 09-Nov-2024 00:04:48 JST
      in reply to
      • feld

      @feld @stefano it’s so easy for me to configure, and I run wireguard-ui for user creation and that works very well for me.

    • Nux (nux@fosstodon.org)'s status on Saturday, 09-Nov-2024 01:00:56 JST
      in reply to
      • matuzalem
      • feld

      @feld @matuzalem @stefano
      or tcp, or layer2 ..

    • feld (feld@friedcheese.us)'s status on Saturday, 09-Nov-2024 01:00:56 JST
      in reply to
      • Nux
      • matuzalem
      @Nux @matuzalem @stefano I just remembered my firewall (OpnSense) supports DCO now as it's based on FreeBSD 14, so I turned on OpenVPN and did tests compared to Wireguard over LTE

      OpenVPN is giving me better performance :laugh:
    • feld (feld@friedcheese.us)'s status on Saturday, 09-Nov-2024 02:31:06 JST
      in reply to
      • Elliot Schlegelmilch
      • matuzalem
      @elliot @matuzalem @stefano Which project/tool will let me control WireGuard access by LDAP group membership?

      How do I inject routes, DNS, and NTP servers from the server -- not read from the client's WireGuard config?
    • Elliot Schlegelmilch (elliot@microscopic.network)'s status on Saturday, 09-Nov-2024 02:31:07 JST
      in reply to
      • matuzalem
      • feld

      @feld @matuzalem @stefano there are several solutions/tools that do that sort of thing, that use wireguard.

    • Eva Winterschön (winterschon@mastodon.bsd.cafe)'s status on Saturday, 09-Nov-2024 05:15:18 JST
      in reply to
      • matuzalem
      • feld

      @feld OpenVPN can go head to head with Wireguard on hardware optimized deployments, and at a substantially lower cost*.

      The performance reality is often, nearly always, occluded in the modern tech user's mindset... unless they have first hand experience with encryption offload accelerators.

      OpenVPN can have its encryption and compression/decompression fully offloaded from the CPU (via QAT Integration for OpenSSL), which substantially increases the throughput performance and reduces latency. This acceleration is available on all generations of Intel's QAT cards -- which notably have full support in FreeBSD and OPNsense and PFsense (among others) where that type of network accel is heavily used for advanced scaling solutions.

      Oh, but wait... what about Wireguard and its default reliance on Poly ChaCha20?... well, the newest generation of QAT (no longer PCIe AIC, but directly on-die for certain Xeon and Atom C5/P5/P7 series SKUs) also includes acceleration offload for Wireguard's chacha20-poly1305.

      [*] Since Wireguard needs newer gen QAT for its ChaCha20 offload, which are only CPU on-die, OpenVPN can utilize older Intel CPUs with inexpensive gen1-2 QAT as PCIe cards.

      Examples:
      * Gen1 8950 ~$65: https://www.ebay.com/itm/375502192437
      * Gen2 8960 ~$150: https://www.ebay.com/itm/186265281944
      * Gen3: https://www.servethehome.com/welcome-to-the-intel-ice-lake-d-era-with-the-xeon-d-2700-and-d-1700-series/
      * Gen4+: Xeon (Sapphire Rapids) 6438N https://www.intel.com/content/www/us/en/products/sku/232397/intel-xeon-gold-6438n-processor-60m-cache-2-00-ghz/specifications.html

      I have a decent amount of these options in my personal labs and production PoCs at various Corps, all super fun to work with. If it helps to sell the benefits, these are also used for similar performance gains on OpenZFS with native encryption and compression/decompression and maybe a little bit on checksumming. 💯

      Maybe I should write a blog post with more details, perf metrics, pics, some code samples for integration.. ja?

      @matuzalem @stefano

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.