Jay Taylor's notes


WireGuard is very hard to run without logging. It simply wasn’t designed for tha... | Hacker News

Original source (news.ycombinator.com)
Tags: security vpn rootkit wireguard news.ycombinator.com
Clipped on: 2019-10-31

WireGuard is very hard to run without logging. It simply wasn’t designed for that and the maintainer was paid once to write “a rootkit-like” piece of code for a VPN provider which hired him to help them fix that.

It’s still an open question afaik

edit: I've worded this weirdly. I was typing on my phone at lunch stuff I'd just learned this morning[0], which referenced this[1] article saying running a log-less WireGuard might not be possible.

AirVPN in [0]:

> "Wireguard, in its current state, not only is dangerous because it lacks basic features and is an experimental software, but it also weakens dangerously the anonymity layer."

and Perfect Privacy:

> "WireGuard has no dynamic address management, the client addresses are fixed. That means we would have to register every active device of our customers and assign the static IP addresses on each of our VPN servers. [...]"

Things may have changed, but it appears that running a log-less vpn provider is actually more complicated with Wireguard than at first glance. Namely the issues around DynamicIPs.

[0]: https://restoreprivacy.com/wireguard/
[1]: https://www.perfect-privacy.com/blog/2018/10/10/wireguard-vp...



I run Wireguard on my systems and to my knowledge it does not log anything on my Linux systems (not that I intended specifically to set it up that way, it is just something that I noticed). Can you tell me where I can find these logs which I am seemingly unaware of? I do know that my iOS app logs things but I'm talking about Linux.


At least AzireVPN has some claims of not logging Wireguard:

https://www.azirevpn.com/docs/security#blind-operator-mode


> WireGuard is very hard to run without logging. It simply wasn’t designed for that and the maintainer was paid once to write “a rootkit-like” piece of code for a VPN provider which hired him to help them fix that.

This is a really bizarre misunderstanding of the events.

Wireguard does not generate any log entries by default.

zx2c4 wrote a rootkit which makes it more difficult to retrieve connected users' IPs from a running WireGuard instance.


Your statement is vacant without an explanation of what kind of logging Wireguard requires. Currently, all it does is attempt to scare the user with the word "rootkit".


FWIW Jason called it A Defensive Rootkit [0].

But the parent post is wrong: the defensive rootkit is not to prevent logging, it's to prevent extracting the configuration from the kernel. It effectively makes the WireGuard configuration write-only from the perspective of userspace. WireGuard does not do any access logging by default as far as I am aware.

[0]: https://lists.zx2c4.com/pipermail/wireguard/2017-November/00...
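The point made across these replies is that the sensitive data is not in any log file but in live kernel state that `wg show` reads back out: each peer's current endpoint (the client's real source IP and port) and the time of its last handshake. The following script is an added example, not code from the thread or from the WireGuard project. It parses the tab-separated output of `wg show all dump` (field layout assumed from the wg(8) man page), lists which peers currently have a real address tied to their public key, and builds the reduced view an operator would be left with if endpoint and handshake fields were withheld, which is what the "write-only configuration" idea aims at. All key and address values are constructed placeholders.

```python
"""Audit what WireGuard kernel state exposes about connected peers.

Added example (not from the HN thread or the WireGuard project). Parses the
tab-separated output of `wg show all dump` as documented in wg(8) (format
assumed from the man page) and reports, per peer, the fields a "log-less"
operator still has to worry about: the peer's endpoint (the client's real
IP:port) and the latest handshake time. A second function builds the
redacted view that withholding those fields would leave.
"""
from dataclasses import dataclass


@dataclass
class Peer:
    iface: str
    public_key: str
    endpoint: str          # "(none)" until the peer has completed a handshake
    allowed_ips: str
    latest_handshake: int  # unix seconds; 0 if never
    rx: int
    tx: int


def parse_wg_dump(text):
    """Parse `wg show all dump` output into Peer records (interface lines skipped)."""
    peers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        # Interface line: iface, private-key, public-key, listen-port, fwmark (5 fields).
        if len(fields) == 5:
            continue
        # Peer line: iface, public-key, preshared-key, endpoint, allowed-ips,
        # latest-handshake, transfer-rx, transfer-tx, persistent-keepalive (9 fields).
        if len(fields) != 9:
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
        iface, pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        peers.append(Peer(iface, pub, endpoint, allowed, int(hs), int(rx), int(tx)))
    return peers


def exposed_clients(peers, now, max_age=180):
    """Return (public_key, endpoint, active) for peers whose state ties a key to a real address.

    A peer with an endpoint set has had its client IP retained in kernel memory.
    WireGuard rekeys roughly every two minutes, so a handshake within the last
    ~3 minutes (max_age) marks the peer as currently connected rather than stale.
    """
    out = []
    for p in peers:
        if p.endpoint == "(none)":
            continue
        active = bool(p.latest_handshake) and (now - p.latest_handshake) <= max_age
        out.append((p.public_key, p.endpoint, active))
    return out


def redacted_view(peers):
    """What an operator sees if endpoint and handshake fields are withheld."""
    return [
        {"iface": p.iface, "public_key": p.public_key,
         "allowed_ips": p.allowed_ips, "rx": p.rx, "tx": p.tx}
        for p in peers
    ]


# Constructed sample dump: placeholder keys, TEST-NET addresses, private key elided.
SAMPLE_DUMP = "\n".join([
    "wg0\tPRIVATE_KEY_PLACEHOLDER=\tSERVER_PUB_PLACEHOLDER=\t51820\toff",
    "wg0\tPEER_A_PUB_PLACEHOLDER=\t(none)\t203.0.113.5:41234\t10.0.0.2/32\t1700000000\t12345\t67890\toff",
    "wg0\tPEER_B_PUB_PLACEHOLDER=\t(none)\t198.51.100.7:40000\t10.0.0.3/32\t1699990000\t0\t0\toff",
    "wg0\tPEER_C_PUB_PLACEHOLDER=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])

if __name__ == "__main__":
    peers = parse_wg_dump(SAMPLE_DUMP)
    for key, endpoint, active in exposed_clients(peers, now=1700000100):
        print(f"{key} -> {endpoint} ({'active' if active else 'stale'})")
    for row in redacted_view(peers):
        print(row)
```

Run against a real server with `wg show all dump | python3 audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; the output makes concrete what a "no logs" claim does and does not cover, since every line of the first loop is data a process with `CAP_NET_ADMIN` can read at any moment without a single log entry existing.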



