
The really nice thing about WireGuard on Linux is that it acts like a regular network device and thus you can use iptables or network namespaces for free with it. Very clean and genius design that eradicates the need for any client support as well as removing the potential for leaking at the network device level (if you configure it in the "container" mode where you move your host network devices into an inaccessible network namespace and only provide wg0 on the host).
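A sketch of the "container" mode described in the comment above, added here as an example and not part of any commenter's post. The interface names, the namespace name `physical`, the config path and the address are assumptions; the layout relies on WireGuard keeping its UDP socket in the namespace where the interface was created.

```shell
#!/bin/sh
# Added example. Assumed names: eth0 (physical NIC), wg0, namespace "physical",
# /etc/wireguard/wg0.conf, 192.0.2.2/32 (documentation address).

# Print the setup commands in order; pipe the output to `sh` as root to apply.
wg_netns_plan() {
    phys=$1 wg=$2 ns=$3 conf=$4 addr=$5
    cat <<EOF
ip netns add $ns
ip link set $phys netns $ns
ip -n $ns link set up dev $phys
ip -n $ns link add $wg type wireguard
ip -n $ns link set $wg netns 1
wg setconfig $wg $conf
ip addr add $addr dev $wg
ip link set up dev $wg
ip route add default dev $wg
EOF
}
# Addressing the NIC inside the namespace (DHCP or static) is site-specific
# and left out. wg0 is created next to the NIC, then moved to the init
# namespace (netns 1), so its encrypted UDP traffic still leaves via the NIC.

# Leak check: read `ip -o link show` output on stdin and list every interface
# other than lo and the tunnel. Any name printed is a path around the tunnel.
stray_links() {
    awk -F': ' -v wg="$1" \
        '{ sub(/@.*/, "", $2); if ($2 != "lo" && $2 != wg) print $2 }'
}

# Constructed sample: a host where the wireless NIC was not moved.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN'

wg_netns_plan eth0 wg0 physical /etc/wireguard/wg0.conf 192.0.2.2/32
printf '%s\n' "$SAMPLE" | stray_links wg0   # prints: wlan0
```

On a live host, `ip -o link show | stray_links wg0` should print nothing once every physical device has been moved.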


A lot of Linux VPNs create network interfaces (tap/tun), and support namespacing them - you can do the same thing with OpenVPN.

The really nice thing is the full in-kernel implementation, and the lack of configurability.


Right, sorry. I was comparing it to the shadow-socks project GP was referring to. (And the userspace WireGuard implementation uses TUN/TAP. In fact one of the rootless containers subprojects I've worked on is using TAP to allow for unprivileged network bridge emulation for rootless containers.)



