[lug] Security - Wireguard

Stephen Kraus ub3ratl4sf00 at gmail.com
Sat Jun 29 10:24:29 MDT 2019


I'll totally check it out, thanks for the heads up

"OpenVPN (big, slow to connect and run, complicated, non-intuitive setup,
etc) "

Honestly? I'm gonna disagree here, there's plenty of OpenVPN setups that
alleviate this. OpenVPN Access Server is entirely GUI based, with easily
exportable conf files and an automated setup for Google Authentication for
MFA. It's a Virtual Appliance too, so it's practically a click of a button,
and simple routing changes to get it opened to the DMZ or Internet, and it's
ready to go.

On Sat, Jun 29, 2019 at 12:05 PM Bucky Carr <bcarr at purgatoire.org> wrote:

>
> I'm a BSD guy but this applies equally to linux.
>
> In a previous discussion thread we talked about moving internet exposed
> app servers, eg. sshd, behind a VPN. As a test, I was successful in doing
> that using my existing OpenVPN server. There are several reasons to hate
> OpenVPN (big, slow to connect and run, complicated, non-intuitive setup,
> etc). IPsec isn't a lot better though it is a kernel-land process.
>
> For the last few days I've been playing with Wireguard, a newish entrant
> in the VPN server application arena, designed to compete handily with
> OpenVPN and IPsec technologies. Presently it operates in userland but Linus
> Torvalds has indicated he'd like to see it added to the kernel ASAP as the
> default VPN for linux.
>
> Though it is strictly considered alpha-level software at this point it
> works quite well - flawlessly from what I've seen. There are several, mostly
> non-USA commercial VPN providers who are offering Wireguard VPN connections
> alongside their present OpenVPN tech. The Wireguard author has warnings
> everywhere that the software is not ready for prime time. There is an
> active mailing list: <https://lists.zx2c4.com/pipermail/wireguard/>
> At <https://www.wireguard.com/> there is a very nice white paper by the
> author which answers the tech questions you may have.
>
> Took a bit of fiddling (the various BSD how-tos on the internet are
> incomplete but culling what works from each resulted in a working-for-me,
> how-to for BSD). Now that I've gotten it to work, looking back, it is
> stupid-simple to set up & operate and is blazingly fast.
>
> In my testing with a VM on my LAN yesterday, there was no significant
> speed-test difference between using the VPN or not.  Last night I set up
> the Wireguard server on my internet-facing, FreeBSD server box [email and
> sshd server + LAN services (ntp, dhcp, NAS, sshd, RDC, etc)] and today,
> since it hadn't crashed during the night, used my laptop to access a nearby,
> open xfinitywifi hotspot to do the test. Clicked "connect" on the laptop
> Wireguard client and the VPN was set up almost instantly with all laptop
> traffic directed into the tunnel. I proved that the VPN showed my home IPv4
> address and was easily able to access the sshd over the VPN. Internet
> browsing speed seemed unhampered by the VPN.
>
> So now I can discontinue the internet-facing sshd and while I'm at it,
> anything else that can easily (and more safely) be accessed via the VPN.
>
> Highly recommend Wireguard. I'm going to ditch OpenVPN.
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
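As an added illustration (not configuration from either poster), this is what the setup Bucky describes, a WireGuard listener on the internet-facing server, a roaming laptop sending all its traffic through the tunnel, and sshd no longer listening on the public address, looks like in WireGuard's config format. The file paths, interface and host names, addresses (10.9.0.0/24 tunnel, 192.168.1.0/24 LAN) and key strings are assumptions or placeholders; real keys come from `wg genkey | tee privkey | wg pubkey`.

```ini
# --- /usr/local/etc/wireguard/wg0.conf on the internet-facing FreeBSD server ---
# (assumed path; Linux uses /etc/wireguard/wg0.conf). Key values are PLACEHOLDERS.
[Interface]
Address = 10.9.0.1/24              ; constructed tunnel subnet, server side
ListenPort = 51820                 ; WireGuard's default UDP port
PrivateKey = <SERVER_PRIVATE_KEY>  ; placeholder, never the laptop's key

[Peer]
; The laptop. Only packets authenticated with this public key AND sourced from
; 10.9.0.2 are accepted; anything else is silently dropped. No Endpoint is set
; because the laptop roams (hotspots, NAT) and the server learns it on contact.
PublicKey = <LAPTOP_PUBLIC_KEY>    ; placeholder
AllowedIPs = 10.9.0.2/32

# --- laptop client config (full tunnel: "all laptop traffic directed into the tunnel") ---
[Interface]
Address = 10.9.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY>  ; placeholder
DNS = 10.9.0.1                     ; optional: resolve through home, not the hotspot's resolver

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>    ; placeholder
Endpoint = vpn.example.com:51820   ; placeholder hostname for the home server
AllowedIPs = 0.0.0.0/0, ::/0       ; route everything via the tunnel
; Split-tunnel alternative (only home LAN + tunnel reachable, browsing stays local):
; AllowedIPs = 10.9.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25           ; keeps the hotspot's NAT mapping open from behind NAT

# --- /etc/ssh/sshd_config on the server: bind sshd to the tunnel and LAN only ---
# so the internet-facing listener can be discontinued, as the post intends.
# (sshd_config syntax, shown here in the same block for comparison.)
; ListenAddress 10.9.0.1
; ListenAddress 192.168.1.10       ; constructed LAN address of the server
```

For the full-tunnel case the server must also forward and NAT the tunnel traffic: on FreeBSD that is `gateway_enable="YES"` in rc.conf (net.inet.ip.forwarding=1) plus a pf rule along the lines of `nat on em0 from 10.9.0.0/24 to any -> (em0)`, with `em0` being the assumed public interface. Two checks worth doing before the public sshd is actually switched off: confirm from the hotspot that `ssh 10.9.0.1` works over the tunnel, and keep a second path in (LAN or console) so a mistake in AllowedIPs or the firewall cannot lock you out. UDP 51820 stays reachable from the internet, but an unauthenticated WireGuard port does not answer at all, which is the reason the attack surface shrinks compared with an exposed sshd.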