by hellcow 2394 days ago
Last time this was presented Mozilla mentioned a partnership with ProtonVPN.

To any Mozillians reading this, what was the reason for the switch to Mullvad?

Also will we be able to use our own standard Wireguard clients to connect?


It doesn't look like ProtonVPN supports WireGuard yet.

https://protonvpn.com/blog/whats-the-best-vpn-protocol/

Edit: As Gaelan mentioned below, this is an answer to hellcow's first question.

Why would WireGuard be important? It's nice technically but the benefits vs mature protocols are not really material in a vpn service's value proposition, compared to other properties.
I recently became a Mullvad customer and used WireGuard for the first time. Maybe this is a Windows thing, but it's so, so much faster than what I was used to from OpenVPN, IKE, etc.
Anyone know if there's something weird about OpenVPN that makes it particularly bad? You'd think crypto + UDP encapsulation at consumer internet speeds would be pretty straightforward to implement performantly in this day and age.
5 years of VPN admining here.

The openvpn community is pretty nonexistent. Core is about 10 guys (half on loan from the for-profit company) and they're multiple years behind on where the development should be.

2.4 release: currently 3 years old, decently robust, but limited. 2.5 release: 38 of 51 blockers still open, no release date in sight. 3.0 release: roadmap was written in 2010, no release date in sight.

OpenVPN 2.5 is where we'll have per-user tls-crypt. tls-auth/tls-crypt in 2.4 means when the PSK (that all clients share) leaks, you have to rotate a PSK for ALL users all at once. Or you could not use that PSK at all and just get DoS'ed over UDP all the time. OpenVPN 3 is where they're looking at being multithreaded. Let that sink in for a minute, because the devs haven't. You share one core with EVERYONE who's connected. openvpn is, performance-wise, a glorified openssl-pipe-to-nc at that point.

These are features that any server admin should be dying to have, because they're what let you scale from "my cute little tunnel from my home to my cloud instance" to "endpoints that can scale."

Tuning to get solid performance means getting the client config right with a lot of low-level tweaks, a lot of iperf and network-ops knowledge, shipping it out to the userbase, and hoping it works in their situation. Tuning later because you screwed anything up is hit and miss: some features you can 'push' out and fix, some you can't. The devs can't imagine tunnels where someone who isn't as immersed in the code as them doesn't control all endpoints and all configs, or where there's no burden to walking around and changing every user's config. I'm years into this and I'm still finding things to adjust or submit patches for, to make my users happier.

OpenVPN has one thing that other VPNs severely lack: an ABSOLUTELY SUPERB hook system. You want to have actions trigger scripts, they got u fam. You can do a lot of server-side and client-side magic because of that, integrating with your SSO and ACL management. WireGuard is much more in the beautiful-in-its-simplicity-but-that-still-means-simple 'static definition' camp (for now).
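As an added illustration of the hook system described in the comment above (this is example code, not something posted in the thread or shipped by OpenVPN): a `--client-connect` script that enforces a certificate-CN allow-list and pushes per-client routes. OpenVPN 2.x exports the client's certificate common name as `$common_name` and its source address as `$trusted_ip`, and passes as `$1` a temporary file into which the script may write directives for that client; a non-zero exit rejects the connection. The allow-list path, the `admin-*` naming convention and the route values are assumptions for illustration.

```shell
#!/bin/sh
# Added example: OpenVPN --client-connect ACL hook.
# Environment variables used ($common_name, $trusted_ip) are the ones OpenVPN 2.x
# exports to script hooks; the allow-list path and routes below are assumptions.

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-clients.txt}"

# allow_client CN FILE -> exit 0 if CN appears as a whole line in FILE, else 1.
# -F: fixed string (no regex), -x: whole-line match, -q: quiet.
allow_client() {
  cn="$1"; list="$2"
  [ -r "$list" ] || return 1
  grep -Fxq -- "$cn" "$list"
}

# per_client_config CN -> directives OpenVPN should apply to this client only.
# Assumed convention: CNs prefixed "admin-" get the management subnet route.
per_client_config() {
  case "$1" in
    admin-*) printf 'push "route 10.0.10.0 255.255.255.0"\n' ;;
    *)       printf 'push "route 10.0.20.0 255.255.255.0"\n' ;;
  esac
}

main() {
  cn="${common_name:-}"
  if [ -z "$cn" ] || ! allow_client "$cn" "$ALLOWLIST"; then
    logger -t ovpn-acl "rejected cn='${cn}' from ${trusted_ip:-?}"
    exit 1
  fi
  logger -t ovpn-acl "admitted cn='${cn}' from ${trusted_ip:-?}"
  # $1 is the per-client config file OpenVPN hands to client-connect scripts.
  per_client_config "$cn" >> "$1"
}

# Only act when invoked by OpenVPN (which always passes the config file path).
if [ $# -ge 1 ]; then
  main "$@"
fi
```

Wire it in with `client-connect /etc/openvpn/acl-hook.sh` plus `script-security 2` in the server config; the same pattern works for `--client-disconnect` (accounting) and `--tls-verify` (per-certificate policy), which is what makes SSO and ACL integration possible without touching every user's config.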

Thanks for the explanation!

If it's not multithreaded, sounds like one thing to try could be just to run an instance per user, but I guess that may not be straightforward to operate.

Oh well, at least we have IPsec.

Setup and tear down time are arguably a more important performance metric, especially on mobile devices where internet connections change frequently.
The parent comment specifically states that Mozilla switched to Mullvad as the provider, and the linked article mentions that Mullvad uses Wireguard.
hellcow was asking why they switched to Mullvad. commoner suggested it was because ProtonVPN didn't do WireGuard.