Mullvad VPN Introducing WireGuard over TCP and IPv6
mullvad.net

Everybody is commenting that WireGuard over TCP is a bad idea, and TFA explains why it exists:
"WireGuard out of the box works only over UDP. This can cause problems because UDP is blocked on many public networks like in cafes and on trains. That’s why we’re introducing a solution for WireGuard over TCP."
Yeah, it's a bad idea, but sometimes it's necessary.
We understand why it exists. Although it would be nice if the issue was up front so people can be aware of the problem.
If they have an innovation that solved the TCP meltdown issue that would be interesting.
How does WireGuard over TCP even work? It's not designed that way.
Some sort of UDP-in-TCP encapsulation?
Exactly that. They are including an encapsulation option in their client package and running something on the server side to listen for/decode the TCP and shove it back into UDP. I have run a WireGuard server behind udptunnel for the same reasons in the past, and it looks like they are simply setting their own internal standard.
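The encapsulation the comment above describes comes down to one problem: TCP is a byte stream with no message boundaries, so each UDP datagram must be framed before it is written and re-split after it is read, whatever segment sizes the TCP layer happens to deliver. The following is an added illustration of that framing, not Mullvad's or udptunnel's code; the 2-byte big-endian length prefix, the `MAX_DATAGRAM` cap and all function names are assumptions made for this example.

```python
"""Minimal UDP-in-TCP framing of the kind a udptunnel-style relay uses.

Hypothetical design for this example: every datagram is written to the TCP
stream as <2-byte big-endian length><payload>. The decoder must cope with
reads that end mid-frame or contain several frames at once.
"""
import struct

HEADER = struct.Struct("!H")   # assumed: 2-byte length prefix
MAX_DATAGRAM = 65535           # assumed cap; a 2-byte length cannot exceed it


class FrameError(ValueError):
    """Raised when a datagram cannot be framed or the stream is malformed."""


def frame_datagram(datagram: bytes) -> bytes:
    """Wrap one UDP payload so it can be written to a TCP stream."""
    if len(datagram) > MAX_DATAGRAM:
        raise FrameError(f"datagram too large: {len(datagram)} bytes")
    return HEADER.pack(len(datagram)) + datagram


def parse_frames(buffer: bytes):
    """Pull every complete datagram out of accumulated TCP bytes.

    Returns (datagrams, leftover); leftover is the trailing partial frame
    that must be kept until the next read completes it.
    """
    datagrams = []
    offset = 0
    while len(buffer) - offset >= HEADER.size:
        (length,) = HEADER.unpack_from(buffer, offset)
        end = offset + HEADER.size + length
        if end > len(buffer):
            break  # frame not yet complete, wait for more bytes
        datagrams.append(buffer[offset + HEADER.size:end])
        offset = end
    return datagrams, buffer[offset:]


class StreamDecoder:
    """Stateful decoder fed with TCP chunks of arbitrary size."""

    def __init__(self):
        self._pending = b""

    def feed(self, chunk: bytes):
        datagrams, self._pending = parse_frames(self._pending + chunk)
        return datagrams


def roundtrip(datagrams, chunk_size: int):
    """Frame the datagrams, cut the byte stream into chunk_size pieces
    (simulating arbitrary TCP segment boundaries) and decode them again."""
    stream = b"".join(frame_datagram(d) for d in datagrams)
    decoder = StreamDecoder()
    recovered = []
    for i in range(0, len(stream), chunk_size):
        recovered.extend(decoder.feed(stream[i:i + chunk_size]))
    return recovered


if __name__ == "__main__":
    # Constructed sample: three fake tunnel datagrams of different sizes.
    sample = [b"handshake-init", b"x" * 300, b"keepalive"]
    for size in (1, 7, 64, 4096):
        assert roundtrip(sample, size) == sample
    print("framing survives arbitrary TCP segmentation")
```

Two details matter for a relay that exposes a listener on the public internet: the decoder never trusts the stream to deliver whole frames, and the length field is bounded, so a peer cannot make the relay buffer an unbounded amount of data by announcing a huge frame.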
The article mentions that places such as cafes and trains block UDP. What is the reasoning for this?
For the most part, if I am providing wifi in a place like that, the only thing I want you to do is browse the web. I am not interested in your desire to run a torrent client, stream Netflix, or do something else that consumes a significant amount of bandwidth. Most UDP applications are also rather poor when it comes to congestion control and in general do not play nice with the other children. These companies have better things to do than to provide IT support for people trying to use the wifi, so you block all UDP and force-redirect port 53 UDP (DNS lookups) to a resolver that you provide in the DHCP lease. This also means that WireGuard is not an option for most people if they are on these networks.
That actually makes a lot of sense, thank you!
There are very good reasons why it's a bad idea to run a VPN on top of TCP.
For those that aren't loading such domains these days: a brief (even incomplete) list of points would be appreciated.
Assuming you’re tunneling TCP inside of TCP, then in the event of non-perfect network conditions, you have two layers of the stack that are now trying to adjust the TCP flow parameters, re-transmit packets, etc. This will frequently end up in a situation where overall performance of the link is significantly worse than it needs to be.