Discussion

WireGuard Is Two Things

tptacek: This is almost true, but not quite. WireGuard is a protocol, but it's also the Linux kernel implementation of that protocol; there are design decisions in the protocol that specifically support software security goals of the kernel implementation. For instance, it's designed to be possible to implement WireGuard without demand dynamic allocation.

zekica: Minor nitpick: dynamic memory allocation is not used when processing packets, but is when adding/removing clients via netlink.

viceconsole: The post mentions the deficiencies of TCP for mobile devices over unreliable links, but I've had nothing but trouble with Wireguard when connecting from phones via mobile data.I suspect it's due to my mobile operator doing traffic shaping / QoS that deprioritizes UDP VPN.In contrast, connecting to OpenVPN over TCP was a huge improvement. Not at all what I expected.

extr: Hard to read due to LLM generated prose.

wakeywakeywakey: You probably just need to lower your MTU if your phone is getting an ip6 address.

Cyphase: This is why WireGuard has continued to work even when a node is otherwise unusable from low free memory. :)

Cyphase: Counter-anecdote: I've been using WireGuard on Android for years with no particular issues to speak of. 0.0.0.0/0 to my home network. I often forget to enable WiFi at home and don't notice (I often have it disabled when out).

peddling-brink: You're absolutely right!

bradley13: I suspect ya you're right - nothing to do with Wireguard. I set it up do I could VPN into my home network from my phone. More than once, I have forgotten to turn it off. Everything worked, and I only noticed days later. Very robust, in my anecdotal experience.

viceconsole: Even with the minimum of 1280 for IPv6, nothing improved.

laughinghan: Does it bother anyone else when an article is so clearly written by an LLM? Other than being 3x longer than it needs to be the content is fine as far as I can tell, but I find the voice it’s written in extremely irritating.I think it’s specifically the resemblance to the clickbaity writing style that Twitter threads and LinkedIn and Facebook influencer posts are written in, presumably optimized for engagement/social media vitality. There’s a lot of clickbaity constructions like: “setup: payoff” or “sentence fragment, similar fragment, maybe another similar fragment”.This paragraph has both:> The symptom is familiar: a stream that occasionally "locks up" briefly before catching up, jitter in audio or video, or a latency spike that appears to come from nowhere, a "hang" in the application when it gets blocked waiting for a packet. It comes from a single packet forcing the entire pipeline to pause. The underlying network recovered quickly; TCP's ordering guarantee is what made it visible.So does this!> WireGuard's protocol is a fundamentally different design point. It's stateless — there's no connection to establish upfront, no session to track, and no certificate authority in the picture. Two keys, a compact handshake, and you're encrypting. And unlike TLS, WireGuard's cryptographic choices are fixed: Noise_IKpsk2 for key exchange, ChaCha20-Poly1305 for authenticated encryption. There's nothing to misconfigure.Obviously these aren’t things you should never do; I’m not totally sure what I want instead, what makes tptacek’s writing or Cloudflare’s blog etc so much more readable by comparison. Is it just variety? Maybe these tactics should be reserved for intro paragraphs (of the article but also of individual sections/chapters might be fine too) to motivate you to read on, whereas the meat of the article (or section) should have more substance and less clickbaiting hooks?

laughinghan: Specifically there’s a lot of clickbaity constructions like: “setup: payoff” or “sentence fragment, similar fragment, maybe another similar fragment”.This paragraph has both:> The symptom is familiar: a stream that occasionally "locks up" briefly before catching up, jitter in audio or video, or a latency spike that appears to come from nowhere, a "hang" in the application when it gets blocked waiting for a packet. It comes from a single packet forcing the entire pipeline to pause. The underlying network recovered quickly; TCP's ordering guarantee is what made it visible.So does this!> WireGuard's protocol is a fundamentally different design point. It's stateless — there's no connection to establish upfront, no session to track, and no certificate authority in the picture. Two keys, a compact handshake, and you're encrypting. And unlike TLS, WireGuard's cryptographic choices are fixed: Noise_IKpsk2 for key exchange, ChaCha20-Poly1305 for authenticated encryption. There's nothing to misconfigure.

Hamuko: For a moment I thought that Tunnelblick had added WireGuard support. But no, it's probably just an AI hallucination.

nake89: Yeah, it's quite bad. Just some of the classics:- "Why This Matters"- "That's accurate, but it's only half the answer — and the less interesting half"- "this isn't an edge case. It's routine."I'm at the point, I would just rather read something somebody actually wrote even if it's not grammatically perfect and has lots of spelling mistakes.

josh3736: The much more likely culprit is your VPN server's port. If it's running on some no-name port (such as the default 51820), that's likely to get throttled.I'd bet that switching your VPN server port to 443 would solve the problem.

josh3736: This is a clever reuse of WireGuard's cryptographic design, and may indeed make sense as a way to slap some low-overhead encryption on top of your app's existing UDP packets.However, it's definitely not a replacement for TCP in the way the article implies. WireGuard-the-VPN works because the TCP inside of it handles retransmission and flow control. Going raw WireGuard means that's now entirely up to you.So this might be a good choice if you're doing something realtime where a small number of dropped packets don't particularly matter (such as the sensor updates the article illustrates).But if you still need all your packets in order, this is probably a bad idea. Instead, I'd consider using QUIC (HTTP/3's UDP protocol), which brings many of the benefits here (including migration of connections across source IP address and no head-of-line-blocking between streams multiplexed inside the connection), and as the protocol powering 75% of web browsing¹, is a pretty safe choice of transport.¹ https://blog.apnic.net/2025/06/17/a-quic-progress-report/