## 1. Can WireGuard replace IPsec?

No. There is no chance the big vendors […] will pick up WireGuard. They do not jump onto trains like this unless there is a big necessity.

Tremer is talking here about commercial VPN hardware/software vendors, most of which use a centralized VPN gateway in a hub-and-spoke architecture. He is right that most IPsec VPN vendors are unlikely to move to WireGuard, but what do the customers think? Few customers want their existing VPN gateway to gain support for a new protocol; what they want is to replace the VPN gateway with something lighter and less restrictive.

## 2. Does WireGuard support the Road Warrior case?

Right now, WireGuard has a huge backlog of features that it needs to implement to be suitable for this use-case. It does not, for example, allow using a dynamic IP address on the server side of the tunnel which breaks a whole use-case.

WireGuard still has many features left to implement; for example, it cannot establish a connection using a dynamic IP. There is still a long way to go before roaming works.

Tremer claims that WireGuard lacks a large number of features, but only dynamic IP is actually discussed here. Fine, let's see whether what he says about dynamic IP holds up.

## 3. Is WireGuard really easy to use?

Is IPsec really hard to use? No, it clearly is not if the vendor has done their homework right and provides an interface that is easy to use.

Is IPsec really hard to use? Probably not: if the vendor has done their homework and provides an easy-to-use interface (IPFire, for example), it is not hard.

Tremer's position is that IPsec is not that hard to use: you only need to supply your own public address, the peer's public address, the subnets and a pre-shared key, and after that the VPN interoperates with every vendor's products. This...

Even bringing up a tunnel between two OpenBSD systems can be a painful process.

## 4. Does protocol complexity really matter?

The end-user does not have to worry about the complexity of the protocol. If that was an issue we would have definitely gotten rid of SIP and H.323, FTP and other protocols that don’t cope well with NAT and are decades old.

IPsec is too complex, and that makes it insecure. The design clearly set out to cover every possible situation through a multitude of options, but the result is a VPN system whose complexity far exceeds what current methodology can analyze or implement correctly; it is a black box. Consequently, no IPsec deployment can guarantee a high level of security.

Tremer goes on:

User-authentication using username/password or a SIM card with EAP. […] WireGuard does not have that.

WireGuard cannot authenticate users with a username/password or with a SIM card via EAP.

## 5. How to update the cipher

If you were to change the cipher you are using from one day to the next one, you would need to upgrade your WireGuard software on all those laptops, phones, etc. at the same time.

## 6. Cryptographic algorithms

I would conclude that practically the same cryptography is available for all VPNs here. Therefore WireGuard is not more or less secure than the others when it comes to encryption or data integrity.

## 7. Is WireGuard really fast?

WireGuard is more advanced here: it supports a point-to-multipoint topology, so a single client can connect to several peers at the same time, instead of connecting to one peer and having that peer forward traffic on to the other clients.
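The point-to-multipoint setup described above, written out as a WireGuard client configuration. This is an added example, not part of the original post; the keys, addresses and endpoints are constructed placeholders.

```ini
# Constructed example: one client interface with two peers.
# WireGuard's cryptokey routing decides, per packet, which peer to
# send to based on AllowedIPs, so no hub has to forward traffic.

[Interface]
# Placeholder key; generate a real one with: wg genkey
PrivateKey = <CLIENT_PRIVATE_KEY>
# Tunnel address of this client inside the VPN (constructed).
Address = 10.0.0.2/24

[Peer]
# Peer A: reaches the 192.168.10.0/24 site behind it (constructed).
PublicKey = <PEER_A_PUBLIC_KEY>
# Optional extra symmetric secret mixed into the handshake.
PresharedKey = <PEER_A_PRESHARED_KEY>
# Outbound packets to these prefixes go to peer A, and inbound
# packets from peer A are dropped unless their source is in them.
AllowedIPs = 10.0.0.1/32, 192.168.10.0/24
Endpoint = vpn-a.example.invalid:51820
# Keep the NAT mapping alive when the client sits behind a NAT.
PersistentKeepalive = 25

[Peer]
# Peer B: reaches the 192.168.20.0/24 site (constructed).
PublicKey = <PEER_B_PUBLIC_KEY>
# AllowedIPs must not overlap with peer A's; the most specific
# prefix wins, and a duplicate prefix moves to the last peer listed.
AllowedIPs = 10.0.0.3/32, 192.168.20.0/24
Endpoint = vpn-b.example.invalid:51820
PersistentKeepalive = 25
```

After `wg-quick up` on this file, `wg show` lists both peers with their own handshake times and transfer counters, which is a quick way to confirm that traffic is really going directly to each peer rather than through one of them.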

## 9. Ideal versus reality

Unfortunately every time, when a customer asks me to help them setting up a VPN, the credentials that they are getting are using old ciphers. 3DES in combination with MD5 is a common candidate as well as AES-256 with SHA1. Although the latter is better, it is still not what I would like to use today.

-------Should we meet again someday, let us share a drink and talk-------