Chris's Wiki :: blog/linux/WireGuardWhyISwitched (2024)

Why I've switched from GRE-over-IPSec to using WireGuard

November 4, 2017

I have a long standing IPSec IKE and point to point GRE tunnel that gives my home machine an inside IP address at work. This has worked reasonably well for years, but recently I discovered that its bandwidth had collapsed. Some subsequent staring at network packet captures suggested that I was now seeing dropped or drastically delayed ACKs, and perhaps reordering and packet drops in general. This smelled a lot like the kind of bug that was not going to be fun to report and probably wasn't going to get fixed any time soon. I could work around it for the moment, but its presence was irritating and inconvenient, and I considered it a warning sign for IPSec plus GRE in general.

(Anything that has catastrophically bad performance that persists for some time is clearly not being used by very many other people, or if it is it's clear that the kernel developers just don't care.)

WireGuard is a new(ish) secure IP tunnel system, initially only on Linux. Its web pages talk about VPNs because that's what almost everyone uses secure tunnels for, but it's really a general secure transport for IP. I'd been hearing good things about it for a while, but I hadn't really checked it out. Yesterday I wound up reading some stuff that was both very positive on WireGuard and suggested that it was going to wind up an official part of Linux. Given my IPSec+GRE problem, this was enough to push me to actively reading its webpages, which were enough to sell me on its straightforward model of operation and convince me that I could easily implement my current tunnel setup with WireGuard. Because I'm sometimes a creature of sudden impulses, today I went ahead and switched over from my IPSec+GRE setup to a WireGuard-based one (and tweeted about it once I got the setup working).

I switched to get something that gave me my full DSL bandwidth instead of only a pathetic fraction of it, and WireGuard delivers this. It works and nothing's blown up so far. Installing WireGuard on Fedora 26 was straightforward, and configuring it was fairly easy once I read the manpage a couple of times (by that I mean 'it could be better but I've seen worse'). I definitely like how simple the peer setup is; it's a bunch simpler (and better documented) than the IKE equivalent.

(Bear in mind that I'm a sysadmin and I'm perfectly comfortable writing scripts and systemd .service files, both of which I had to do to set my WireGuard configuration up. Of course, I'd had to do most of the same to set up IKE IPSec back when I did that.)

As a whole, my WireGuard setup is simpler and involves less magic than the IKE plus GRE one. WireGuard puts the encryption directly into the tunnel device; unlike with GRE it's not possible to have either an unencrypted tunnel or IKE IPSec but no operating tunnel. Apart from how the tunnel is created and secured, the rest of my setup is the same, which is a large part of what made it so easy to switch over.

While less magic and a simpler, easier to understand configuration is nice, I probably wouldn't have bothered to switch if my old setup had been working correctly. It was the constant drip irritation of having to be careful any time I wanted to move a big file between home and work (or even just look at a big work web page) that got to me. Well, that and the thought of what would be involved in trying to report my problem to Fedora (and probably eventually the upstream kernel). Switching to a different technology for my secure tunnel needs made the whole problem go away, which is the easy way out.

(I have some early notes on using and dealing with WireGuard, but that's going to be another entry.)
