Thoughts on TunSafe

Discussion in 'privacy technology' started by n8chavez, Aug 9, 2018.

  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,562
    Location:
    Location Unknown
    Does anyone have any opinions on TunSafe? It seems to be much faster than anything OpenVPN-based. From what I understand, up until recently it was not open source. But that changed. I understand that WireGuard is yet to release their software for Windows. The VPN I use, Mullvad, recommends WireGuard. I read in forums that previous versions of TunSafe might leak, especially DNS queries. However, this seems to have changed with the recent release candidate, where all routes except those used by the TAP are blocked. TunSafe passes all the tests I have run on it, including am.i.mullvad, ipleak.net, and dnsleak.com. I am curious if anyone has anything negative to say about it, and if it’s safe to use.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,896
    I like WireGuard. It's much easier to set up than OpenVPN. However, it relies on a kernel module. That's one reason it's so much faster than OpenVPN. But it also means that you need a kernel module that works with your kernel. And in my experience, the best way is to build WireGuard. That's the hardest part in getting WireGuard working. In Debian, that means using the latest stable release (at least) with the latest kernel.

    Once you have WireGuard working, creating tunnels is utterly trivial.
    Code:
    peer 0 with IPv4 address 1.2.3.4
    
    # ip link add dev wg0 type wireguard
    # ip link list
      see wg0
    # wg genkey | tee privatekey | wg pubkey > publickey
    # mkdir wg
    # mv privatekey publickey ./wg/
    # ip address add dev wg0 10.0.10.1 peer 10.0.10.2
    # wg set wg0 listen-port 51820 private-key ~/wg/privatekey
    # ip link set wg0 up
    # wg
      interface: wg0
        public key: 0GS...0U=
        private key: (hidden)
        listening port: 51820
    # wg set wg0 peer IlC...QI= allowed-ips 0.0.0.0/0 endpoint 6.7.8.9:51820
    
    peer 1 with IPv4 address 6.7.8.9
    
    # ip link add dev wg0 type wireguard
    # ip link list
      see wg0
    # wg genkey | tee privatekey | wg pubkey > publickey
    # mkdir wg
    # mv privatekey publickey ./wg/
    # ip address add dev wg0 10.0.10.2 peer 10.0.10.1
    # wg set wg0 listen-port 51820 private-key ~/wg/privatekey
    # ip link set wg0 up
    # wg
      interface: wg0
        public key: IlC...QI=
        private key: (hidden)
        listening port: 51820
    # wg set wg0 peer 0GS...0U= allowed-ips 0.0.0.0/0 endpoint 1.2.3.4:51820
     
    Last edited: Aug 9, 2018
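The key-generation step in the commands above writes `privatekey` with whatever umask the shell has, so with the common default of 022 the file is created mode 0644. The following is an added example, not part of the original post: it generates the pair with owner-only permissions and audits an existing key directory. The function names are assumptions of this example, and `wg` is only needed by `gen_keys`.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults to ~/wg, the directory
# the post moves its keys into.

# Generate the key pair in a subshell with umask 077, so the files created
# by tee and by the redirection are 0600 and a new directory is 0700.
# An already existing directory keeps its old mode; audit_keydir catches that.
gen_keys() {
    keydir=${1:-"$HOME/wg"}
    (
        umask 077
        mkdir -p "$keydir" || exit 1
        wg genkey | tee "$keydir/privatekey" | wg pubkey > "$keydir/publickey"
    )
}

# Return 0 only if the path exists and grants nothing to group or other.
# Characters 5-10 of the ls -ld mode string are the group and other bits.
owner_only() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Audit the key directory and the private key inside it.
# Prints each offending path to stderr and returns 1 if any was found.
audit_keydir() {
    keydir=${1:-"$HOME/wg"}
    bad=0
    for p in "$keydir" "$keydir/privatekey"; do
        if ! owner_only "$p"; then
            echo "too permissive or missing: $p" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Typical use before the "wg set wg0 ... private-key ~/wg/privatekey" step:
#   gen_keys && audit_keydir
```

Keys already created the way the post shows can be tightened with `chmod 700 ~/wg` and `chmod 600 ~/wg/privatekey`, after which `audit_keydir` returns 0.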
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,533
    Location:
    Sweden
    I have used TunSafe a lot, but I abandoned it because it's not open source. When I use a VPN I want to be absolutely sure that the software is legit. TunSafe works fine though.

    An official client from WireGuard for Windows is soon going to be released! At last!
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,562
    Location:
    Location Unknown
    Do you have an ETA on when that'll be, because they've been saying that for months now and yet....nothing. That was the whole reason I went looking for alternatives.

    It seems like TunSafe might be open source now.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,896
    This is great :) Linus Torvalds says:
    https://lwn.net/ml/linux-kernel/CA+55aFz5EWE9OTbzDoMfsY2ez04Qv9eg0KQhwKfyJY0vFvoD3g@mail.gmail.com/

    Also see https://lwn.net/SubscriberLink/761939/4cee93b4fe564556/
     
  6. farshid

    farshid Registered Member

    Joined:
    Aug 9, 2018
    Posts:
    2
    Location:
    Europe
    TunSafe went open source a few days ago when they released the FreeBSD and Linux version. Windows version source is also there.
     
  7. farshid

    farshid Registered Member

    Joined:
    Aug 9, 2018
    Posts:
    2
    Location:
    Europe
    I've had problems with slow speed on Windows 7 when using the NDIS6 TAP driver that is included in the TunSafe installer. Switched to the NDIS5 TAP driver and no problems since then.
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,533
    Location:
    Sweden
    Their TAP driver is their own version though, right?
    Thanks a lot for the heads up! That pretty much seals the deal for me. I'll use TunSafe (WireGuard) instead of OpenVPN from now on then. We'll see how the "official" WireGuard client will compare to TunSafe once it's released. I'll use the most mature of the two.
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,533
    Location:
    Sweden
    I heard before the summer that the client will be released this autumn.
     
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,562
    Location:
    Location Unknown
    From the TunSafe Forum:

     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,533
    Location:
    Sweden
    It is indeed getting more mature. The option to launch TunSafe as a service is a great step forward.
     
  12. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,562
    Location:
    Location Unknown
    Very much so, yes. It has definitely gotten more secure because of the service integration. The tweaked blocking rules are a nice touch too.

    Does anyone know if TunSafe uses the WFP for its firewall blocking rules? I ask because I see no evidence of it using the Windows Firewall.
     