[lug] Security - Wireguard

Bear Giles bgiles at coyotesong.com
Mon Jul 1 05:18:33 MDT 2019 

Thanks! One of the drawbacks of knowing how do to something yourself (esp.
in many ways) is that you tend to lose track of others who can do it so you
don't have to.

On a somewhat related note yesterday I realized that it might be easier to
set up FreeIPA on my home network than to maintain all of the pieces
myself. It's a bit overkill to set up an enterprise-ready solution for a
single user... but the client and server are already packaged. I don't have
to do everything myself, by hand or by my own ansible scripts

On Sun, Jun 30, 2019 at 11:34 AM Stephen Kraus <ub3ratl4sf00 at gmail.com>
wrote:

> Bear: The OpenVPN vAppliance I posted above handles the distribution and
> creation of keys: There is a client/user facing website, they log in with
> their user account, and they can create and download their keyfiles and
> link their Google MFA.
>
>
>
> On Sun, Jun 30, 2019 at 12:38 PM Bear Giles <bgiles at coyotesong.com> wrote:
>
>> Re conf - one of my "I should do this!" projects - which has been in that
>> state for years - is to have a simple web interface where you select a few
>> options and then download a zip file of zip files (since that's a bit more
>> Windows-friendly) where the lower level zip files contain the configuration
>> and crypto material for each node and the top level zip file bundles them.
>> It could be accessed via website or REST API. The latter would let an
>> installer package handle the query behind the scenes.
>>
>> Think LetsEncrypt. And, thinking of LetsEncrypt, it would probably be a
>> good idea (now) to write it then contribute it to them so people would have
>> confidence I wasn't keeping a copy of their crypto material. (Just how long
>> this idea has been on the backburner - at the core is the same
>> functionality as LetsEncrypt but it predates LE by years. In fact the
>> implementation today would probably work as a front-end to LE although that
>> would mean that the client-side installer would need to be smart enough to
>> periodically update crypto material.)
>>
>> The motivation is that OpenVPN has some good stuff but 1) it doesn't have
>> a clear list of "business problems" to solve, 2) a clear description of the
>> best solution for each, complete with a bit of a "step up/step down" in
>> security, including a checklist, and 3) it can be a pain to do manually if
>> you want the strongest security since you have to create, distribute, and
>> maintain a bunch of client keys.
>>
>> Hell, I still haven't gotten around to implementing one of those things
>> myself. We have a corporate VPN and I know it's possible to set up my
>> system so any connection to given IP address ranges will go through it
>> instead of the default route... and that this supercedes me setting up a
>> default VPN. I know the general approach - routing tables, entries in
>> /etc/network/if-post-up.d, etc., but I've never gotten around to setting it
>> up. There's probably several blog entries describing this... or if not I
>> should write my own.
>>
>> On Sat, Jun 29, 2019 at 1:21 PM Bucky Carr <bcarr at purgatoire.org> wrote:
>>
>>>
>>>
>>> On 6/29/2019 1:06 PM, Zan Lynx wrote:
>>> >
>>> > With UDP there's no connection so NAT routers need to have a timeout
>>> > or they'd just fill up with UDP tracking entries. They have to time
>>> > out TCP also but they can use a longer timeout since most TCP
>>> > connections mark themselves closed one way or another.
>>> >
>>> > I went and read some stuff about Wireguard and searched around. As
>>> > best I can tell it defaults to 10 second heartbeat packets. So are
>>> > you *sure* it's idle in the background? Because you'd have needed to
>>> > set something for that.
>>>
>>> By "idle" I meant that I left the ssh window open and didn't have any
>>> activity in it after logging in. Wireguard allows for keepalive
>>> packets if you need them, time selectable with 25 (seconds)
>>> recommended. I have that functionality turned off.
>>>
>>> So I dunno. The VPN client software I'm using (TunSafe for Windows)
>>> has a window which shows the time since the last "handshake" and it
>>> refreshes about every 2 minutes, but I'm thinking that is the key
>>> re-negotiation time.
>>>
>>> Admittedly, I don't know much about this.
>>>
>>> I still need to use tcpdump to look at the traffic to be sure it is
>>> encrypted, though many others have done this and report that it is.
>>>
>>> _______________________________________________
>>> Web Page:  http://lug.boulder.co.us
>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20190701/4b33ff6a/attachment.html>

More information about the LUG mailing list