openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

wireguard support? #1318

Closed distributev closed 1 year ago

distributev commented 1 year ago

Is openziti using wireguard behind the scenes? I suspect that the answer is no since I see wireguard is not mentioned anywhere in the documentation and I did not find wireguard being mentioned in any github issue either.

If the answer is that you are not using wireguard then the next obvious question is "why?" You will probably answer with another question like "why should we use wireguard?" (when we can build something better) and I'm not implying that you should use wireguard but I am curious about your answer. Many of the existing similar solutions use wireguard, i.e. Tailscale/Headscale, Netmaker etc., and wireguard looks now like a good bet because it is part of the linux kernel and, at the same time, it seems like a risky proposition to go with a custom-built VPN protocol when a good VPN protocol already exists and it is almost like a standard.

dovholuknf commented 1 year ago

I'm going to focus solely on the "wire" part of this question as there are numerous features OpenZiti implements that wireguard isn't looking to provide.... No, OpenZiti does not use wireguard for transport. OpenZiti is also a mesh network. It takes a different approach than wireguard does by taking a payload and wrapping it with a protocol that the overlay knows how to route most efficiently across its mesh network. Wireguard, to my personal knowledge, also cannot hide the actual final destination of traffic since the traffic is purely underlay. OpenZiti's design allows for the final destination of the traffic to be entirely dark to the underlay. Finally, OpenZiti is a full mesh overlay network; wireguard isn't looking to be that. Those are the first thoughts that came up in my head as to some differences, along with some "why".

Although I personally view OpenZiti as much more/different than a VPN, it definitely can act as a VPN replacement and plenty of people use it as such. It's a lot more though, zero trust sounds ready, but is a pretty big thing to make an entire overlay network that implements zero trust.

I didn't want to go on and on, hopefully that gives you a bit of insight and is the right amount. Fwiw, we generally will engage in discussions using discourse over at https://openziti.discourse.group

distributev commented 1 year ago

This is probably not the place to ask this but are you aware of how Netmaker, Tailscale/Headscale, etc., using wireguard as their underlying engine, achieve the same features as OpenZiti ("numerous features OpenZiti implements that wireguard isn't looking to provide....")?

Do they use wireguard for a minuscule set of their feature set and then, on top of that, for additional features which wireguard does not provide, they re-implement from ground up what they need?

dovholuknf commented 1 year ago

There are indeed features that overlap OpenZiti from those other secure networking implementations, but there are numerous differences as well. We don't have an exhaustive list of similarities/differences handy.

> Do they use wireguard for a minuscule set of their feature set and then, on top of that, for additional features which wireguard does not provide,

Yes, that is exactly what they do. They rely on Wireguard for secure transport and then build additional capabilities around Wireguard. Things like:

distributev commented 1 year ago

I believe that, in general, you are doing a great job with open ziti. I like the SDKs idea, especially the java sdk.

I do understand why other providers use WireGuard, as you said, for "secure transport" and I do not understand what benefits open ziti gets by avoiding the use of WireGuard.

I do not feel comfortable becoming locked in with open ziti's custom network transport implementation - with other providers they just generate plain WireGuard configurations, which means that the generated WireGuard networks will continue to work even if, let's say, netmaker or headscale cease to exist. Yes, in these situations, the extras, i.e. metrics etc., will stop working but the main wireguard networks will continue to work.
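To make the lock-in argument above concrete, here is a plain WireGuard peer configuration of the kind those control planes hand to a node. This is a constructed example added here, not taken from the issue, from OpenZiti, or from any of the products named; the keys are placeholders and the addresses are documentation-range values. Everything the data plane needs (keys, allowed IPs, endpoint) is in the file itself, which is why the tunnel keeps working after the coordination service that generated it is gone, while anything the coordination service did on top (key rotation, endpoint discovery, metrics, ACL updates) stops.

```ini
# wg0.conf: constructed example of a configuration a WireGuard-based
# control plane might generate for one node. Placeholder keys, not real ones.

[Interface]
# This node's private key and its address inside the overlay.
PrivateKey = <PLACEHOLDER_BASE64_PRIVATE_KEY>
Address = 10.100.0.2/32
ListenPort = 51820

[Peer]
# The only thing that identifies the remote side is its public key.
PublicKey = <PLACEHOLDER_BASE64_PEER_PUBLIC_KEY>
# Traffic to these overlay addresses is sent through this peer;
# this list is also the inbound filter ("cryptokey routing").
AllowedIPs = 10.100.0.1/32
# Underlay address the tunnel packets are actually sent to.
Endpoint = 203.0.113.10:51820
# Keep NAT mappings alive so the peer stays reachable.
PersistentKeepalive = 25
```

Two things are worth noting from a defender's view of this file. First, the `Endpoint` is visible on the underlay, so an observer can see which peer a node talks to even though the inner traffic is encrypted; this is the "purely underlay" point made earlier in the thread. Second, because `AllowedIPs` doubles as the inbound filter, any access control beyond "which overlay addresses may this peer send from" has to be provided by the coordination layer, and that is exactly the part that stops being updated if the vendor's control plane disappears.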

dovholuknf commented 1 year ago

Thanks for the compliment! I understand your positioning, thanks for the issue. We'll be here and in discourse if you ever change your mind :)