
I’ve been using the TestFlight beta for a while now - since it was first announced - and it’s been a great experience so far. The recently added option to activate on-demand is great, as it means I can now force VPN for any WiFi and/or mobile data connections.

The primary niggle I came across was transferring the keys between my host and the client; however, after a bit of tweaking I found it far easier to just utilise the QR codes option. For those interested, I wrote about my experiences on my blog[0].

[0] https://grh.am/2018/wireguard-setup-guide-for-ios/



Great write-up, thank you! Looking at your blog post, it seems that once I've followed your guide, I only need to forward port 51820 from my router to the WG server. Is that correct?


Is your threat model that you trust your ISP for your WireGuard server more than the mobile ISPs? WiFi I completely understand, but 4G providers seem to be on par if not better than cable companies in the US when it comes to molesting your traffic.


Depends on the country I am in as to whether or not I want to VPN whilst on a mobile connection (whether that is for just having an IP in my home country or don’t fancy my traffic going over their wires).

It is primarily for public and/or untrusted WiFi connections, or so that I can take packet captures of iOS applications easily without a jailbreak or connecting the phone via USB to a Mac.


I also use the setting to automatically switch on when going to cellular. I use it because I have a PiHole for DNS ad blocking that I wish to continue to use when on cellular. Being on a VPN is the only way to do that on iOS.


I installed OpenVPN on my DO box after a hotel (Legoland CA) tried to MITM Dropbox, Reddit, and a few other sites. The app/browser caught this, but it rendered them unusable.

But in general, yeah I’d trust DO over Comcast or Verizon. I believe one of the US cell phone providers has been caught injecting tracking cookies into HTTP headers in the past, and selling customer information fits nicely into their business model.

I tend to only use it when I’m on sketchy WiFi networks though.


This[1] was from 2014 regarding Verizon's mobile network.

[1] Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh


That's pretty much my threat model. I tunnel everything over a Digital Ocean box, where I can assume that three letter agencies have access to my traffic but be reasonably confident that my ISP isn't building up a profile on me that it may be sharing with third parties in my country like insurance companies or credit agencies. I can also roll my IP every few weeks which might assist in messing up various tracking/profiling measures.

My initial concern was that it would slow down my browsing because my VPS is in another country but I haven't noticed much difference.


I just ran through this - works flawlessly. One peculiarity that might help someone else in my shoes: I was connecting to my VPN node through Terminal (with Solarized Dark) on OS X and generating the QR code with the suggested command but the result was a little 'off' somehow and didn't read as a QR code to my phone. By replacing 'ansiutf8' with simply 'ansi' I was able to get a smoother, readable QR code. Just a heads up in case someone else follows this excellent guide and gets the same issue - I fully blame Solarized ;)



