[lug] Security - Wireguard

Bucky Carr bcarr at purgatoire.org
Sat Jun 29 10:05:01 MDT 2019


I'm a BSD guy but this applies equally to linux.

In a previous discussion thread we talked about moving internet 
exposed app servers, e.g. sshd, behind a VPN. As a test, I was 
successful in doing that using my existing OpenVPN server. There are 
several reasons to hate OpenVPN (big, slow to connect and run, 
complicated, non-intuitive setup, etc). IPsec isn't a lot better 
though it is a kernel-land process.

For the last few days I've been playing with Wireguard, a newish 
entrant in the VPN server application arena, designed to compete 
handily with OpenVPN and IPsec technologies. Presently it operates in 
userland but Linus Torvalds has indicated he'd like to see it added to 
the kernel ASAP as the default VPN for linux.

Though it is strictly considered alpha-level software at this point it 
works quite well - flawlessly from what I've seen. There are several, 
mostly non-USA commercial VPN providers who are offering Wireguard VPN 
connections alongside their present OpenVPN tech. The Wireguard author 
has warnings everywhere that the software is not ready for prime time. 
There is an active mailing list: 
<https://lists.zx2c4.com/pipermail/wireguard/> At 
<https://www.wireguard.com/> there is a very nice white paper by the 
author which answers the tech questions you may have.

Took a bit of fiddling (the various BSD how-tos on the internet are 
incomplete but culling what works from each resulted in a 
working-for-me how-to for BSD). Now that I've gotten it to work, 
looking back, it is stupid-simple to set up & operate and is blazingly 
fast.

In my testing with a VM on my LAN yesterday, there was no significant 
speed-test difference between using the VPN or not. Last night I set 
up the Wireguard server on my internet-facing, FreeBSD server box 
[email and sshd server + LAN services (ntp, dhcp, NAS, sshd, RDC, 
etc)] and today, since it hadn't crashed during the night, used my 
laptop to access a nearby, open xfinitywifi hotspot to do the test. 
Clicked "connect" on the laptop Wireguard client and the VPN was set 
up almost instantly with all laptop traffic directed into the tunnel. 
I proved that the VPN showed my home IPv4 address and was easily able 
to access the sshd over the VPN. Internet browsing speed seemed 
unhampered by the VPN.

So now I can discontinue the internet-facing sshd and while I'm at it, 
anything else that can easily (and more safely) be accessed via the VPN.

Highly recommend Wireguard. I'm going to ditch OpenVPN.
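Added example, not the poster's own configuration: a sketch of the layout the post describes (full-tunnel laptop client, sshd reachable only inside the tunnel on a FreeBSD box running pf). It assumes a 10.8.0.0/24 tunnel network, UDP port 51820, em0 as the internet-facing NIC and the placeholder endpoint vpn.example.net; every key is a placeholder to be replaced with `wg genkey` / `wg pubkey` output.

```shell
#!/bin/sh
# Added example, not the original post's setup. Writes three files into $1:
#   server-wg0.conf   - FreeBSD box, tunnel address 10.8.0.1/24 (assumed)
#   laptop-wg0.conf   - full-tunnel client, as in the post (AllowedIPs = 0.0.0.0/0)
#   pf.conf.fragment  - WireGuard allowed in from the internet, sshd only via wg0
# Keys are PLACEHOLDERS; generate real ones with: wg genkey | tee priv | wg pubkey > pub
write_wg_configs() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/server-wg0.conf" <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# the laptop: only its tunnel address may arrive through this peer (cryptokey routing)
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32
EOF

    cat > "$dir/laptop-wg0.conf" <<'EOF'
[Interface]
Address = 10.8.0.2/24
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.net:51820
# 0.0.0.0/0 routes all laptop traffic into the tunnel (the hotspot test in the post)
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

    cat > "$dir/pf.conf.fragment" <<'EOF'
ext_if = "em0"                  # assumed internet-facing NIC
wg_net = "10.8.0.0/24"
# NAT tunnel clients out to the internet so the full-tunnel laptop can browse
nat on $ext_if from $wg_net to any -> ($ext_if)
block in on $ext_if
pass in on $ext_if proto udp from any to any port 51820   # WireGuard only
# public services that must stay reachable (mail, per the post) get their own pass rules
pass in on wg0 proto tcp from $wg_net to any port 22      # sshd never on $ext_if
EOF
}
```

With these rules the internet-facing sshd can be retired because port 22 is only passed on wg0, and a scan of the public address sees nothing but a UDP port that stays silent without a valid handshake.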
