Discussion:
[GTALUG] Questions on wireguard and networking
o1bigtenor via talk
2018-10-03 14:36:47 UTC
Greetings

Found what looks to be a quite interesting vpn 'system' called wireguard.

The dev team is still saying, after a couple years of what looks to be
some very active development, don't run this as solid software. From
the chatter that I've read the quality of the software is maybe like
grub where it sat at version 0.97 for what was that - - - about 7 or 8
years (and then hit version 2 in no time flat!).

I am wanting to use this wireguard between two different routers here
to firmly control not only the in but also the outgoing electronic
communications.

Perhaps someone has a better solution - --if so - - - I'm looking (grin!).

TIA

Dee
---
Talk Mailing List
***@g
James Knott via talk
2018-10-03 14:54:28 UTC
Post by o1bigtenor via talk
Found what looks to be a quite interesting vpn 'system' called wireguard.
"WireGuard® is an extremely simple yet fast and modern VPN that
utilizes *state-of-the-art cryptography
<https://www.wireguard.com/protocol/>*. It aims to be faster
<https://www.wireguard.com/performance/>, simpler
<https://www.wireguard.com/quickstart/>, leaner, and more useful than
IPSec, while avoiding the massive headache. It intends to be
considerably more performant than OpenVPN."

Be very, VERY careful about cryptography that hasn't been extensively
verified by experts.  Even ones that have still have flaws discovered
occasionally.

Dhaval Giani via talk
2018-10-03 15:27:26 UTC
Post by James Knott via talk
Post by o1bigtenor via talk
Found what looks to be a quite interesting vpn 'system' called wireguard.
"WireGuard® is an extremely simple yet fast and modern VPN that
utilizes *state-of-the-art cryptography
<https://www.wireguard.com/protocol/>*. It aims to be faster
<https://www.wireguard.com/performance/>, simpler
<https://www.wireguard.com/quickstart/>, leaner, and more useful than
IPSec, while avoiding the massive headache. It intends to be
considerably more performant than OpenVPN."
Be very, VERY careful about cryptography that hasn't been extensively
verified by experts. Even ones that have still have flaws discovered
occasionally.
*THIS*

Having said that, the good news about wireguard is not around those.
The author of wireguard understands that and has implemented using
well tested/verified algorithms. It is mostly around how it has
currently been implemented. The last I saw on that, the wireguard
authors are working on fixing the crypto side of things before the
networking side will be reviewed. People are interested in getting it
in, it will just take time before it is mainline.

Dhaval

Jamon Camisso via talk
2018-10-03 15:06:51 UTC
Post by o1bigtenor via talk
I am wanting to use this wireguard between two different routers here
to firmly control not only the in but also the outgoing electronic
communications.
Perhaps someone has a better solution - --if so - - - I'm looking (grin!).
GRE & IPsec would be the bog standard approach here.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html

Ignore the cisco specific bits, just look at the diagrams and descriptions.

You can implement this yourself pretty easily using 'ip_gre' (GRE kernel
module) and strongswan (for IPsec) following any of the tutorials out there.

Cheers, Jamon
James Knott via talk
2018-10-03 15:10:52 UTC
Post by Jamon Camisso via talk
Post by o1bigtenor via talk
Perhaps someone has a better solution - --if so - - - I'm looking (grin!).
GRE & IPsec would be the bog standard approach here.
I have set up many systems with IPSec at work, but use OpenVPN with my
own network.  Both work well.
