Tunnel Vision

I set up a site-to-site VPN for the first time in years.

When I took over an on-prem operation, the previous owner walked me through WireGuard. I'm embarrassed to say I'd never heard of it. I needed a secure link between the data center and the office, so I gave it a try. The config file is a few lines. Generate a key pair, write the peer's public key and endpoint, specify the allowed IP ranges. That's it. The tunnel comes up.
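The config the post describes, written out as an added example that is not the post's own: a small shell script that emits both sides of a site-to-site WireGuard config and checks the AllowedIPs lines, which is where a site link most often goes wrong. Every key, subnet and endpoint in it is a placeholder I made up.

```shell
#!/bin/sh
# Added example, not from the post: generate both halves of a site-to-site
# WireGuard config (data center <-> office). Every key, subnet and endpoint
# here is a constructed placeholder. Real keys come from
#   wg genkey | tee dc.key | wg pubkey > dc.pub     (same again for office)
# and each config is installed as /etc/wireguard/wg0.conf on its own side.

# wg_conf TUNNEL_ADDR PRIVKEY PEER_PUBKEY PEER_ENDPOINT PEER_TUNNEL_IP PEER_LAN
wg_conf() {
  printf '[Interface]\nAddress = %s\nListenPort = 51820\nPrivateKey = %s\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$3" "$4"
  # AllowedIPs is cryptokey routing: it is the route to the peer AND the only
  # source addresses accepted from that peer after decryption. Keep it to the
  # peer's tunnel address plus the LAN behind it; a 0.0.0.0/0 here would let
  # the far site inject packets claiming any source address.
  printf 'AllowedIPs = %s, %s\nPersistentKeepalive = 25\n' "$5" "$6"
}

# Data center side (assumed LAN 10.10.0.0/24) pointing at the office.
dc_conf() {
  wg_conf 10.200.0.1/24 DC_PRIVATE_KEY_PLACEHOLDER OFFICE_PUBLIC_KEY_PLACEHOLDER \
          203.0.113.20:51820 10.200.0.2/32 192.168.20.0/24
}

# Office side (assumed LAN 192.168.20.0/24) mirrors it with the roles swapped.
office_conf() {
  wg_conf 10.200.0.2/24 OFFICE_PRIVATE_KEY_PLACEHOLDER DC_PUBLIC_KEY_PLACEHOLDER \
          198.51.100.10:51820 10.200.0.1/32 10.10.0.0/24
}

# check_conf PEER_LAN < config : the peer's LAN must be in AllowedIPs and no
# catch-all route may be present. Exit status is the verdict.
check_conf() {
  conf=$(cat)
  printf '%s\n' "$conf" | grep -q "^AllowedIPs = .*$1" &&
  ! printf '%s\n' "$conf" | grep -q '0\.0\.0\.0/0'
}

# Both sites also need forwarding on (sysctl -w net.ipv4.ip_forward=1). After
# `wg-quick up wg0` on each side, `wg show wg0` lists the latest handshake and
# a ping to the far LAN confirms traffic actually crosses the tunnel.
dc_conf | check_conf 192.168.20.0/24 && echo "data center config: ok"
office_conf | check_conf 10.10.0.0/24 && echo "office config: ok"
```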

Before this, it would have been OpenVPN. Certificate generation, CA setup, TLS configuration, distributing ovpn files. Half a day to get it running, sometimes. There's no reason to touch it now. WireGuard runs as a kernel module and communicates over a single UDP port. Run a VPN over TCP and you get TCP-over-TCP: the inner and outer connections each retransmit on loss, and their timers feed each other until you have a retransmission storm. UDP avoids that entirely. This is what correct design looks like.

WireGuard's codebase is about 4,000 lines. OpenVPN is over 100,000. An order of magnitude apart. Less code means less attack surface. The cryptography is fixed to ChaCha20-Poly1305 and Curve25519. No choices. That's a strength. The history of TLS proved that cipher suite negotiation itself was an attack surface.

ChaCha20 and Curve25519 are free for anyone to use now. But cryptography hasn't been free for very long.

In the 1990s, cryptographic software fell under U.S. munitions export controls. Phil Zimmermann's PGP was banned from export — too strong. You couldn't ship it as software. So what if you printed the source code in a book? Books are protected by the First Amendment. Someone did exactly that. PGP's source code became printed text, crossed borders legally, and was OCR'd and recompiled on the other side.

There was a time when cryptography was a weapon. There was a time when source code had to be printed on paper to leave the country.

Now I type wg genkey in a terminal and have a key pair in seconds. The tunnel between sites was up in five minutes. A long way from those stacks of paper. Not that I'm one to talk about tunnel vision — I didn't know WireGuard existed. Couldn't have done this on Solaris, though.