VPN recommendations?

Christian de Larrinaga cdel at firsthand.net
Sat Feb 12 14:05:39 UTC 2022


Intriguing. This week I started to look around for new wireguard 
implementation tools and appliances. I've used openvpn and ipsec 
in the main although last month put together a 10x and IPv6 
wireguard net in my home and out to two vps hosts which is 
handy. For my own use this is OK-ish, but I am not so sure about
keeping track of the configs, managing users and adding configs as 
a network grows. In other words I want help when scaling wg and 
handling change particularly if I am managing nets for other 
projects or delegating. 

Tailscale, ZeroTier and some others are doing a great job I feel 
and no doubt have a handle on that. I've not tried them as yet. 

Because I do like to have options that are not mediated I have 
kept looking as much for my own curiosity and education as for
deploying a service in anger. But having a toolset that can 
support the latter capability has to be the aim to work towards.

I've found a few potentially interesting more recent projects and 
am intending to start to test deploy some of these in sequence to 
see how I get on. I think I'll start with
https://github.com/gravitl/netmaker Please note I've only reviewed
the documentation. I've not yet played with it.

This seems to offer, at an early stage in its development, a
web appliance (optionally) with CoreDNS if you want naming support
and IPv6 and at least some client management features. It claims
to be fast but that can be tested. It is also deployable on
docker/kubernetes (k8s), which is intriguing when deploying and
managing containers between multiple hosts across data centres.
It uses a mongodb licence which may or may not be a problem.

If one plays with IPSEC then I guess one could run wg through
IPSEC, but is there any point unless you already have an IPSEC
branch and don't want to take it down whilst adding wg for a new
class of devices/userbase?

I'd be interested in sharing experiences and advice (offlist) and
delighted to learn from WireGuard- and VPN-clueful folk.

Thank you for an interesting discussion.


Christian

William Herrin <bill at herrin.us> writes:

> On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon <sneddon at gmail.com> wrote:
>> 1) IPSEC does not lend itself to dynamic routing or dynamic
>> configuration. It is very much a static set-it-and-forget-it
>> technology, but that doesn't work in a dynamically changing
>> environment.
>
> Hi Dan,
>
> Depending on how you configure it, IPSEC can work fine with dynamic
> routing. The thing to understand is that IPSec has two modes:
> transport and tunnel. Transport is between exactly two IP addresses
> while tunnel expects a broader network to exist on at least one end.
> "Tunnel" mode is what everyone actually uses but you can deconstruct
> it: it's built up from transport mode + a tunnel protocol (gre or ipip,
> I don't remember which) + implicit routing and firewalling which
> wreaks havoc on dynamic routing. Now, it turns out that you can
> instead configure IPSec in transport mode, configure the tunnel
> separately and leave out the implicit firewalling.
>
>> This may not apply to William Herrin's (OP) use case of a VPN
>> appliance
>
> It's not relevant to my situation, no. I need the VPN to establish a
> statically addressed clean layer 3 on top of dynamically addressed and
> natted endpoints to support the next appliance in the chain where
> dynamic addressing is not possible. I don't actually care if it adds
> security; it just needs to establish that statically addressed layer.
> Oh yeah, and it has to be listed under "virtual private network" on
> the government NIAP list.
> https://www.niap-ccevs.org/product/PCL.cfm?ID624=34
>
> Regards,
> Bill Herrin


-- 
Christian de Larrinaga 
https://firsthand.net
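The config-tracking problem raised in the message above (keeping peer configs consistent as a WireGuard net grows, and adding nodes without hand-editing every host) is what the following added example addresses. It is not code from the message, from Netmaker, or from any other project: it renders a per-node wg-quick style config for a small mesh from one inventory, and refuses to render if two peers' AllowedIPs overlap, since WireGuard routes on AllowedIPs and an overlap lets one peer capture another's traffic. The hostnames, tunnel prefixes (10.77.0.0/24 and fd77:1:1::/64) and key strings are assumptions made for the example; the keys in particular are placeholders, not real key pairs.

```python
"""Render per-node WireGuard configs for a small mesh from one inventory.

Added example, not Netmaker's or any other project's code. Keys below are
constructed placeholders (hashes encoded like WireGuard keys), NOT real key
pairs: in practice each node runs `wg genkey | tee privatekey | wg pubkey`
and only the public key is copied into the inventory.
"""
import base64
import hashlib
import ipaddress

# Assumed tunnel prefixes (any unused RFC 1918 / ULA prefix would do).
V4_NET = ipaddress.ip_network("10.77.0.0/24")
V6_NET = ipaddress.ip_network("fd77:1:1::/64")
PORT = 51820

# Constructed inventory: a hub with a LAN behind it, a VPS, and a roaming
# laptop with no stable endpoint. "index" picks the host number in both
# prefixes so the v4 and v6 tunnel addresses stay in lockstep.
INVENTORY = {
    "hub":    {"index": 1, "endpoint": "hub.example.net", "lan": ["192.168.10.0/24"]},
    "vps1":   {"index": 2, "endpoint": "203.0.113.10",    "lan": []},
    "laptop": {"index": 3, "endpoint": None,              "lan": []},
}


def placeholder_key(label: str) -> str:
    """32 bytes, base64-encoded like a WireGuard key. Placeholder only."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def tunnel_addrs(inv: dict, name: str):
    idx = inv[name]["index"]
    return V4_NET[idx], V6_NET[idx]


def allowed_ips(inv: dict, name: str) -> list[str]:
    """Prefixes a peer may source into the tunnel: its own tunnel addresses
    plus any LAN it advertises, and nothing wider (no 0.0.0.0/0 catch-all)."""
    v4, v6 = tunnel_addrs(inv, name)
    return [f"{v4}/32", f"{v6}/128", *inv[name]["lan"]]


def check_disjoint(inv: dict) -> bool:
    """WireGuard routes by AllowedIPs, so overlapping entries across peers let
    one peer capture another's return traffic. Refuse to render such a set."""
    seen = []  # (node name, network) pairs already claimed
    for name in inv:
        for cidr in allowed_ips(inv, name):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, onet in seen:
                if other != name and net.version == onet.version and net.overlaps(onet):
                    raise ValueError(f"{name}: {cidr} overlaps {other}: {onet}")
            seen.append((name, net))
    return True


def render(inv: dict, name: str) -> str:
    """Render a wg-quick style config for `name`, peering with every other
    node that at least one side can initiate a handshake towards."""
    check_disjoint(inv)
    me = inv[name]
    v4, v6 = tunnel_addrs(inv, name)
    lines = [
        "[Interface]",
        f"Address = {v4}/{V4_NET.prefixlen}, {v6}/{V6_NET.prefixlen}",
        f"PrivateKey = {placeholder_key(name + '-private')}",
    ]
    if me["endpoint"]:
        lines.append(f"ListenPort = {PORT}")
    for peer, p in inv.items():
        if peer == name:
            continue
        if not me["endpoint"] and not p["endpoint"]:
            continue  # two NATed roamers cannot reach each other directly
        lines += ["", f"# {peer}", "[Peer]",
                  f"PublicKey = {placeholder_key(peer + '-public')}",
                  f"AllowedIPs = {', '.join(allowed_ips(inv, peer))}"]
        if p["endpoint"]:
            lines.append(f"Endpoint = {p['endpoint']}:{PORT}")
            if not me["endpoint"]:
                lines.append("PersistentKeepalive = 25")  # keep the NAT mapping open
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for node in INVENTORY:
        print(f"--- {node}.conf ---")
        print(render(INVENTORY, node))
```

Adding a node is then one inventory entry plus a re-render of every config, and the overlap check is where a copy-paste mistake (a second node advertising part of the hub's LAN) is caught before it reaches a host. Only the roaming node without a stable endpoint gets PersistentKeepalive, since that is the side that has to keep a NAT mapping alive.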
