by yeasayer 2522 days ago
> WireGuard doesn't work over TCP

Can somebody well versed explain what the difference between TCP and UDP is in this case? I obviously know what these are, I just don't understand why it's such a debatable choice applied to VPNs.

2 comments

01CGAT’s link sums it up as: TCP is not designed to be stacked, and doing so results in the exponentially increasing retry timeout feature, used for reliability optimization of the protocol, conflicting so as to provoke excessive retransmission attempts by the upper-layer TCP.

The detailed explanation is in the linked article: “Why TCP over TCP is a bad idea”[0]. It was broken for me so I dug up an archive.org copy.

The upper-layer transmission control and retransmission attempts are completely unnecessary, as transmission is already guaranteed by the lower-layer TCP. The upper-layer TCP, unaware of the TCP underneath and having an increasing timeout on acknowledgment failure, can begin to queue up more retransmissions than the lower layer can process, increasing congestion and inducing a meltdown effect.

Explained better here: [0]https://web.archive.org/web/20190531210932/https://sites.ink...

Mind you that this is not only applicable to any VPN setup, but to any tunneling or overlay protocol.
It's applicable to any tunneling or overlay protocol that encapsulates TCP in TCP.
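The interaction described in the comments above (outer TCP retransmitting on a doubling timer while the inner TCP, which never drops anything, stalls on its own doubling timer) is easy to see in a toy model. The following simulation is an added example for this thread; it is not code from the linked article or from WireGuard, and it simplifies heavily: ACKs return instantly, the link carries one packet per tick, and an "outage" is simply a range of ticks during which nothing gets through. The outer sender is stop-and-wait with a single segment in flight, and both layers start from arbitrary base RTOs (4 and 2 ticks) chosen for illustration.

```python
"""TCP-over-TCP meltdown, as a small deterministic simulation (added example).

One stop-and-wait TCP sender ("outer") pushes a few segments through a tunnel
whose carrier is either UDP (packets are simply lost while the link is down)
or TCP ("inner": never drops, retries with its own exponentially backed-off
timer). Both layers double their RTO on every timeout, as real TCP does.
Assumptions: instant ACKs, one packet per tick, scripted outage ticks.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass
class Result:
    carrier: str
    outer_sends: int = 0           # copies the outer TCP handed to the tunnel
    redundant_deliveries: int = 0  # copies of segments the receiver already had
    max_carrier_queue: int = 0     # backlog held inside the inner TCP (0 for UDP)
    finished_at: int | None = None  # tick at which the last segment was ACKed


def simulate(carrier: str, outage: range, segments: int = 3,
             outer_rto: int = 4, inner_rto: int = 2, ticks: int = 200) -> Result:
    res = Result(carrier)
    # Outer TCP sender: next segment to get ACKed, current RTO, next timer expiry.
    seq, rto, deadline = 1, outer_rto, 0
    # Inner TCP carrier: FIFO of queued copies, head-of-line packet, its timer.
    queue: deque[int] = deque()
    inflight: int | None = None
    retry_at, irto = 0, inner_rto

    def deliver(pkt: int, tick: int) -> None:
        """Outer receiver: ACK the expected segment, count stale duplicates."""
        nonlocal seq, rto, deadline
        if pkt == seq:
            seq += 1
            rto, deadline = outer_rto, tick + 1   # ACK frees the next segment
            if seq > segments:
                res.finished_at = tick
        else:
            res.redundant_deliveries += 1          # a retransmission that was never needed

    for tick in range(ticks):
        # Outer TCP: (re)transmit when its timer fires, then back off exponentially.
        if seq <= segments and tick >= deadline:
            res.outer_sends += 1
            deadline, rto = tick + rto, rto * 2
            if carrier == "udp":
                if tick not in outage:     # UDP: the loss is visible to the outer TCP
                    deliver(seq, tick)
            else:
                queue.append(seq)          # inner TCP: the loss is hidden, copy is queued

        if carrier == "tcp":
            if inflight is None and queue:
                inflight, retry_at = queue.popleft(), tick
            backlog = len(queue) + (inflight is not None)
            res.max_carrier_queue = max(res.max_carrier_queue, backlog)
            if inflight is not None and tick >= retry_at:
                if tick in outage:         # inner timeout: back off, keep the copy
                    retry_at, irto = tick + irto, irto * 2
                else:                      # link is up: deliver head-of-line, reset RTO
                    deliver(inflight, tick)
                    inflight, irto = None, inner_rto

        if res.finished_at is not None:
            break
    return res


if __name__ == "__main__":
    for c in ("udp", "tcp"):
        print(simulate(c, outage=range(0, 20)))
```

With a 20-tick outage the UDP-carried session finishes at tick 30 with no wasted deliveries, while the TCP-carried one finishes at tick 35: the inner TCP's backoff has grown past the outage itself, so it sits idle until tick 30 with four copies of the same segment queued, and then delivers all of them before the next real segment gets through. Longer outages and a windowed sender make the backlog grow faster, which is the meltdown the linked article describes.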