[lug] Security - Wireguard

Stephen Kraus ub3ratl4sf00 at gmail.com
Sun Jun 30 11:34:35 MDT 2019


Bear: The OpenVPN vAppliance I posted above handles the distribution and
creation of keys: There is a client/user-facing website, they log in with
their user account, and they can create and download their keyfiles and
link their Google MFA.



On Sun, Jun 30, 2019 at 12:38 PM Bear Giles <bgiles at coyotesong.com> wrote:

> Re conf - one of my "I should do this!" projects - which has been in that
> state for years - is to have a simple web interface where you select a few
> options and then download a zip file of zip files (since that's a bit more
> Windows-friendly) where the lower level zip files contain the configuration
> and crypto material for each node and the top level zip file bundles them.
> It could be accessed via website or REST API. The latter would let an
> installer package handle the query behind the scenes.
>
> Think LetsEncrypt. And, thinking of LetsEncrypt, it would probably be a
> good idea (now) to write it then contribute it to them so people would have
> confidence I wasn't keeping a copy of their crypto material. (Just how long
> this idea has been on the backburner - at the core is the same
> functionality as LetsEncrypt but it predates LE by years. In fact the
> implementation today would probably work as a front-end to LE although that
> would mean that the client-side installer would need to be smart enough to
> periodically update crypto material.)
>
> The motivation is that OpenVPN has some good stuff but 1) it doesn't have
> a clear list of "business problems" to solve, 2) a clear description of the
> best solution for each, complete with a bit of a "step up/step down" in
> security, including a checklist, and 3) it can be a pain to do manually if
> you want the strongest security since you have to create, distribute, and
> maintain a bunch of client keys.
>
> Hell, I still haven't gotten around to implementing one of those things
> myself. We have a corporate VPN and I know it's possible to set up my
> system so any connection to given IP address ranges will go through it
> instead of the default route... and that this supersedes me setting up a
> default VPN. I know the general approach - routing tables, entries in
> /etc/network/if-post-up.d, etc., but I've never gotten around to setting it
> up. There's probably several blog entries describing this... or if not I
> should write my own.
>
> On Sat, Jun 29, 2019 at 1:21 PM Bucky Carr <bcarr at purgatoire.org> wrote:
>
>>
>>
>> On 6/29/2019 1:06 PM, Zan Lynx wrote:
>> >
>> > With UDP there's no connection so NAT routers need to have a timeout
>> > or they'd just fill up with UDP tracking entries. They have to time
>> > out TCP also but they can use a longer timeout since most TCP
>> > connections mark themselves closed one way or another.
>> >
>> > I went and read some stuff about Wireguard and searched around. As
>> > best I can tell it defaults to 10 second heartbeat packets. So are
>> > you *sure* it's idle in the background? Because you'd have needed to
>> > set something for that.
>>
>> By "idle" I meant that I left the ssh window open and didn't have any
>> activity in it after logging in. Wireguard allows for keepalive
>> packets if you need them, time selectable with 25 (seconds)
>> recommended. I have that functionality turned off.
>>
>> So I dunno. The VPN client software I'm using (TunSafe for Windows)
>> has a window which shows the time since the last "handshake" and it
>> refreshes about every 2 minutes, but I'm thinking that is the key
>> re-negotiation time.
>>
>> Admittedly, I don't know much about this.
>>
>> I still need to use tcpdump to look at the traffic to be sure it is
>> encrypted, though many others have done this and report that it is.
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
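The keepalive question in the quoted exchange is worth checking against the protocol timers rather than guessing. Per the WireGuard whitepaper, an initiator starts a new handshake once a session is 120 s old (REKEY_AFTER_TIME, which matches the "about every 2 minutes" refresh in TunSafe), a session is never used past 180 s (REJECT_AFTER_TIME), and the 10 s timer is the passive keepalive that is only sent after receiving data; none of these keep a NAT's UDP mapping alive while the host is idle, which is what PersistentKeepalive (wg(8) suggests 25 s) is for. The script below is an added example written for this thread, not code from any of the posters or from the WireGuard project: it parses the tab-separated output of `wg show wg0 dump` (the format documented in wg(8)) and, for a host behind a NAT, flags peers with no keepalive, a keepalive longer than the NAT's UDP timeout, or a handshake so old the tunnel cannot be passing traffic, printing the `wg set ... persistent-keepalive 25` command that fixes the first two. The 30 s NAT timeout, the interface name wg0, the keys and the sample dump are all constructed assumptions.

```python
"""Flag WireGuard peers likely to be broken by a NAT UDP timeout.

Added example (not from the mailing-list posts or the WireGuard project).
Reads `wg show <iface> dump` output; with no stdin it runs on a constructed
sample.  Usage on the NATed client:  wg show wg0 dump | python3 wgcheck.py
"""
import sys
import time

# Protocol timers from the WireGuard whitepaper (section 6.1).
REKEY_AFTER_TIME = 120    # initiator starts a new handshake once a session is 120 s old
REJECT_AFTER_TIME = 180   # a session is never used once it is 180 s old
KEEPALIVE_TIMEOUT = 10    # passive keepalive sent 10 s after receiving data with nothing to send

# Assumption: the NAT in front of this host drops idle UDP mappings after 30 s
# (a conservative guess; many consumer routers use 30-60 s).  wg(8) suggests 25 s.
NAT_UDP_TIMEOUT = 30
RECOMMENDED_KEEPALIVE = 25


def parse_dump(text):
    """Parse `wg show <iface> dump` into (interface, peers).

    Line 1: private-key, public-key, listen-port, fwmark.  Each peer line:
    public-key, preshared-key, endpoint, allowed-ips, latest-handshake
    (unix seconds, 0 = never), transfer-rx, transfer-tx,
    persistent-keepalive ("off" or seconds).  Fields are tab-separated.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    hdr = lines[0].split("\t")
    if len(hdr) != 4:
        raise ValueError("unexpected interface line: %r" % lines[0])
    iface = {"public_key": hdr[1], "listen_port": int(hdr[2]), "fwmark": hdr[3]}
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        if len(f) != 8:
            raise ValueError("unexpected peer line: %r" % ln)
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return iface, peers


def assess_peer(peer, now, iface="wg0"):
    """Return (status, remediation command or None) as seen from the NATed side."""
    ka = peer["keepalive"]
    fix = "wg set %s peer %s persistent-keepalive %d" % (
        iface, peer["public_key"], RECOMMENDED_KEEPALIVE)
    if peer["latest_handshake"] == 0:
        return "never-handshaked", None
    age = now - peer["latest_handshake"]
    if ka is None:
        # Nothing keeps the NAT mapping open while this host is idle; the peer's
        # packets are dropped at the NAT until this host sends again, and once
        # the session is past REJECT_AFTER_TIME that needs a fresh handshake too.
        if age > REJECT_AFTER_TIME:
            return "no-keepalive-session-expired", fix
        return "no-keepalive", fix
    if ka > NAT_UDP_TIMEOUT:
        return "keepalive-longer-than-nat-timeout", fix
    # With keepalives flowing, a live tunnel rekeys before REJECT_AFTER_TIME, so a
    # handshake older than that plus one keepalive interval means nothing gets through.
    if age > REJECT_AFTER_TIME + ka:
        return "handshake-stale", None
    return "ok", None


def report(text, now=None, iface="wg0"):
    """Assess every peer; returns a list of (public_key, handshake_age, status, fix)."""
    if now is None:
        now = int(time.time())
    _, peers = parse_dump(text)
    out = []
    for p in peers:
        age = None if p["latest_handshake"] == 0 else now - p["latest_handshake"]
        status, fix = assess_peer(p, now, iface)
        out.append((p["public_key"], age, status, fix))
    return out


NOW = 1561916075  # constructed "current time" (unix seconds, 2019-06-30)
# Constructed dump as `wg show wg0 dump` would print it on a laptop behind a
# home NAT.  Keys are placeholders, not real WireGuard keys.
SAMPLE_DUMP = "\n".join("\t".join(map(str, row)) for row in [
    ["PRIVKEY_PLACEHOLDER", "LAPTOP_PUBKEY_PLACEHOLDER", 51820, "off"],
    ["PEER_A_PUBKEY", "(none)", "203.0.113.10:51820", "10.8.0.0/24", NOW - 400, 8120, 9044, "off"],
    ["PEER_B_PUBKEY", "(none)", "203.0.113.20:51820", "10.9.0.0/24", NOW - 95, 1200, 1500, "off"],
    ["PEER_C_PUBKEY", "(none)", "203.0.113.30:51820", "10.10.0.0/24", NOW - 110, 61520, 48800, 25],
    ["PEER_D_PUBKEY", "(none)", "203.0.113.40:51820", "10.11.0.1/32", NOW - 900, 2200, 3100, 25],
    ["PEER_E_PUBKEY", "(none)", "203.0.113.50:51820", "10.12.0.0/24", NOW - 20, 500, 700, 60],
    ["PEER_F_PUBKEY", "(none)", "(none)", "10.13.0.0/24", 0, 0, 0, "off"],
])

if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE_DUMP
    for key, age, status, fix in report(text, None if piped else NOW):
        print("%-28s age=%-6s %-34s %s" % (key[:28], age, status, fix or ""))
```

Handshake age is the only timestamp the dump exposes, so the "stale" verdict is a heuristic; "no-keepalive" is a plain statement of the configuration. Note that PersistentKeepalive is set per peer on the side that sits behind the NAT, which is why the remediation is a `wg set` on this host rather than on the server.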