Comment by _joel

Comment by _joel 21 hours ago

9 replies

View on Hacker News

I use and advocate for wireguard but I don't see it's adoption in bigger orgs, at least the ones I've worked in. Appreciate this situation will change over time, but it'll be a long tail.

vlovich123 20 hours ago

It’ll take a little bit of time. But for example Cloudflare’s Warp VPN also uses Wireguard under the hood.

So while corp environments may take a long time to switch for various reasons, it will happen eventually. But for stuff like this corp IT tends to be a lagging adopter, 10-20 years behind the curve.

Reply View 2 replies
  • byhemechi 12 hours ago

    Warp actually uses MASQUE (UDP/IP over QUIC) by default

    Reply View 1 reply
    • vlovich123 10 hours ago

      I hadn’t realized they changed the default. It originally was Wireguard but you’re right - they added MASQUE as a tunnel option and it’s the default.

      Reply View 0 replies
BuildTheRobots 19 hours ago

Bigger orgs for the most part use whatever vpn solutions their (potentially decade old) hardware firewalls support. Until you can manage and endpoint a Wireguard tunnel on Cisco, Juniper, Fortigate (etc) hardware then it's going to take a while to become more mainstream.

Which is a shame, because I have a number of problematic links (low bandwidth, high latency) that wireguard would be absolutely fantastic for, but neither end supports it and there's no chance they'll let me start terminating a tonne of VPNs in software on a random *nix box.

Reply View 0 replies
danudey 21 hours ago

If you use Kubernetes and Calico you can use Wireguard to transparently encrypt in-cluster traffic[1] (or across clusters if you have cluster mesh configured). I wonder if we'll see more "automatic SDN over Wireguard" stuff like this as time goes on and the technology gets more proven.

Problem is IIRC if you need FIPS compliance you can't use Wireguard, since it doesn't support the mandated FIPS ciphers or what-have-you.

[1]https://docs.tigera.io/calico/latest/network-policy/encrypt-...

Reply View 1 reply
  • _joel 20 hours ago

    sure, but I mean "road warrior" client. Typical, average company VPN users. Ironocally getting a technology like wireguard in k8s is easier than replacing an established vendor/product that serves normal users.

    Reply View 0 replies
ted_dunning 18 hours ago

The anti-FIPS position of the wireguard implementors is a big problem for adoption.

Reply View 1 reply
  • sheepybloke 14 hours ago

    Exactly. We've looked at using Wireguard at my company, but because it can't be made FIPS compliant, it makes it a hard sell. There is a FIPS Wireguard implementation by WolfSSL, interestingly enough.

    Reply View 0 replies
awakeasleep 21 hours ago

Yeah itll be running out of steam not only when regulators _understand_ wireguard, but when its the recommendation and orgs need to justify their old vpn solution

Reply View 0 replies