And there are public options to make the setup even easier than that...
tailscale makes wireguard utterly trivial to deploy, and as mentioned the dedicated interface makes firewalls trivial to write and update.
Maybe someday – maybe – Zero Trust will solve many of our network security problems. But for now, if you want to make sure you don't have an eavesdropper on your network, you need a Virtual Private Network (VPN). There's only one little problem with commercial VPNs: many of them are untrustworthy. So, what can you do? Well, …
WireGuard is by far the best VPN I've worked with and, since mid 2018, have implemented it for companies, friends and use it myself for ephemeral, region specific VPN's in the cloud. Being forced to use OpenVPN at my current job feels like being told to use PuTTY on a Windows laptop because they don't let anyone install their own Linux distro. I imagine that the reason most companies won't be interested though i because nobody likes to touch the VPN server once it's running and works so it's easier to keep forking out money for OpenVPN licenses or simply having the costs absorbed by your monthly AWS bill.
A terminal emulator isn't the same thing as a shell. Windows is an impediment for productivity for me which is why I used the analogy and needing to customise my default work environment just to get a semblance of the real thing simply reinforces that.
I've been running it a home between my computers in the house and a tiny hosted virtual server in a data centre for about a year or so. Works perfectly well when I want my machines at home to appear to be in a different geographic location, and for my phone or a mobile system away from the house, when I want to check something at home.
As it stands for a small user it's pretty perfect and no more or less complicated than SSH to set up. Obviously once you have a lot of systems it doesn't have all the bells and whistles of OpenVPN, but then for a lot of small simple use cases it's pretty good. It also appears to be quite a bit more efficient than OpenVPN, which may be an issue if you're stuck with rubbish ADSL connections...
Same here. I've been running it for several years for mail and sometimes proxy when out & about on both phone & laptop. It replaces completely the kludgy port forwarding over SSH that I used to use. The only annoyance I had to solve on my laptop was split DNS so I could look up over the VPN for names on my home network. Systemd-resolved wouldn't do it the way I needed so I canned that & went back to dnsmasq.
I run it in a Docker container on an RPi4 at home and in an X86 VPS - Very effective. The clients for Android/iPhone/Linux and MacOS work well too.
Colleagues inform me that it was trivial on Windows too. Unless looking for particularly arcane use cases, what's not to like?*
* Rhetorical. Don't bother.
I have to shout out to ZeroTier one - I think I first saw it mentioned on the Reg a few years back. Fast forward to today and I run it on every device I have, on multiple OSs, and then promptly forget about it. I don't notice it when I move between home and office - everything works, including multicast traffic.
It just works and I don't have to think about it is pretty much the highest praise I can offer.
Yes, and that makes its "simplicity" a pain in the ass when you have to manage far more complex setups. The cryptography may be very good, but everything else makes it really unmanageable even for moderately complex setups and needs. Sure, as usual someone else will add layers and layers of other stuff to overcome that, making everything as brittle as possible. But that's today's IT fashion.
Exactly, it's fine for small use cases, personal use, but when using it in an enterprise environment with 100s to 1000s of users, requiring access profiles, it is piss poor, requiring scripts and various other software piled on top. Then it's 'ease of use' goes out the window.
What has an access profile have to do with it having a user database?
VPNs, have access profiles, allowing restrictions of sources, for example the logging in user, with destination systems/ networks. This can be done via the user logging in, the user within a group / groups, stored in an external ldap system, wireguard has no ability to do this.
Why, because wireguard isnt a user VPN, its the equivalent of a site to site VPN or a tunnel with pre-shared keys, so a piss poor end user VPN for remote access within an enterprise.
Has no local user profile config setup, configuring of the routes, when needed to be changed the user logging on needs to be an admin.
Wireguard needs to currently keep its own 'user database' of pre-shared keys
The windows client is / was the last time i looked, poorly done, requiring write access in program files, per system, not per user. With the reason given by the developer incorrectly being you shouldn't change the permissions in app data, and its difficult to get right. But hey its fine to change them in program files, where you should never be given write permission (why there is redirection for old crappy software written before there was a difference in user rights).
>wireguard has no ability to do this.
It doesn't have to.
It provides a solid foundation to build other things on top of it, making the simple use cases simple out-of-the-box, and empowering developers of more complex solutions to build on an efficient base.
This is unix philosophy at its best, and as time has proven, it is a vastly useful (and successful) approach.
This is the Unix philosophy at its worst. Build brittle systems with layers and layers cobbled one upon another without a unified design - with bad error management as well.
Good maybe with the simple mainframes with their little resources in the 1970s - truly ugly fifty years later on far more powerful and complex systems.
WireGuard is awesome, I'll give him that. The one nice thing about IKEv2 though, is that it's built into most OSs out there already, so you don't have to install yet another client.
I'm using IKEv2 (OpenBSD's iked) with WireGuard as a failback. I haven't had to use the failback in over a year, luckily.
I have mentioned this somewhere else here, but I need to repeat it every time I can, because WireGuard is the best.
My mom has a circa-2014 router (TP-Link WDR4300) running OpenWRT. I do need to VPN there every once in a while.
Being OpenWRT, I was able to use OpenVPN. But... it. was. a. dog. Bandwidth was TERRIBLE.
Of course, the damn thing was not state of the art in 2014. I got it on sale, clearance even, so there it is.
Yet, with WireGuard, it's almost like I am there. It flies.
The same goes for my phone, laptop, pretty much all devices that roam around with me, yet are always connected to my network. It is robust... and fast. And secure.
Yes, there's a little fiddling around to get it all set up, as it usually happens with Linux and friends. After that, though, it just goes on and on, and you leave nothing on the table. Resource efficient, secure, simple. Gets your stuff VPN'd in, makes sure that site-to-site VPN you need is iron-clad and speedy. I could go on and on!
I tested it out and found it to be the very first VPN that actually tunnels anything through VPN. Most of them don't tunnel IPv6 either because they can't support it or because the correct configuration can't be derived from the documentation. Traffic goes right around the VPN client. WireGuard is crude to configure but the simplest documentation for getting started work with IPv4 and IPv6.
As mentioned in the first post take a look at https://tailscale.com/ which is built on top of wireguard. You get 20 devices free and $50 gets you a further 80 for home/hobbyist users. I have one of my home servers set up as an exit node. This means when out and about can push everything through my home internet, you can also bring up VM's in the cloud quickly install and use that as an exit node from a region of choice. The DNS service means you can access home servers via name. It really has a lot going for it and is available on most mac/windows/linux/andriod platforms. Don't get me wrong wireguard is awesome, but, tailscale IMHO takes it to the next level.
I think one important reason for Wireguard existing in the first place is that the Raspberry Pi series are one of the few ARM boards that does NOT do hardware crypto. So wireguard was written to get decent VPN performance on the RPi.
I use TV boxes instead, cheaper, faster, and with built-in MMC memory. And they can do hardware crypto, so no reason for me to sacrifice 1 CPU core for VPN when I can run it in hardware crypto.
WG was not written to negotiate encryption algo,
WG has its place. I use it in containers. But it is wasted if you have hardware crypto.
Povl H. Pedersen, could you elaborate on these "TV boxes" you speak of that are good replacements for a RPi? I see lots of Android TV boxes on Amazon which I assume you are talking about. I suspect some can be reloaded with Linux and some can't. Sounds like a nightmare to me to not know for certain if a random TV Box off Amazon will even be usable. The RPi is basically turn key and wildly available. I hate finding solutions that require a specific device made by some Chinese company no one has ever heard of and then a year later you can't buy it anymore.
Biting the hand that feeds IT © 1998–2022