VPN recommendations?
Christian de Larrinaga
cdel at firsthand.net
Sat Feb 12 14:05:39 UTC 2022
Intriguing. This week I started to look around for new wireguard
implementation tools and appliances. I've used openvpn and ipsec
in the main although last month put together a 10x and IPv6
wireguard net in my home and out to two vps hosts which is
handy. For my own use this is ok -ish, but I am not so sure about
keeping track of the configs, managing users and adding configs as
a network grows. In other words I want help when scaling wg and
handling change particularly if I am managing nets for other
projects or delegating.
Tailscale, ZeroTier and some others are doing a great job I feel
and no doubt have a handle on that. I've not tried them as yet.
Because I do like to have options that are not mediated I have
kept looking as much for my own curiosity and education as for
deploying a service in anger. But having a toolset that can
support the latter capability has to be the aim to work towards.
I've found a few potentially interesting more recent projects and
am intending to start to test deploy some of these in sequence to
see how I get on. I think I'll start with
https://github.com/gravitl/netmaker Please note I've only reviewed
the documentation. I've not yet played with it.
This seems to offer at an early stage in its development a
web appliance (optionally) with CoreDNS if you want naming support
and IPv6 and at least some client management features. It claims
to be fast but that can be tested. It also is deployable as a
docker/kubernetes k8 which is intriguing when deploying and
managing containers between multiple hosts across data centres.
It uses a mongodb licence which may or may not be a problem.
If one plays with IPSEC then I guess one could run wg through
IPSEC but is there any point unless you already have an IPSEC
branch and don't want to take it down whilst adding wg for a new
class of devices/userbase?
I'd be interested in sharing experiences and advice (offlist) and
delighted to learn from wireguard and vpn's clueful folk.
thank you for an interesting discussion.
Christian
William Herrin <bill at herrin.us> writes:
> On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon <sneddon at gmail.com>
> wrote:
>> 1) IPSEC does not lend itself to dynamic routing or dynamic
>> configuration. It is very much a static set-it-and-forget-it
>> technology, but that doesn’t work in a dynamically changing
>> environment.
>
> Hi Dan,
>
> Depending on how you configure it, IPSEC can work fine with dynamic
> routing. The thing to understand is that IPSec has two modes:
> transport and tunnel. Transport is between exactly two IP addresses
> while tunnel expects a broader network to exist on at least one end.
> "Tunnel" mode is what everyone actually uses but you can deconstruct
> it: it's built up from transport mode + a tunnel protocol (gre or ipip
> I don't remember which) + implicit routing and firewalling which
> wreaks havoc on dynamic routing. Now, it turns out that you can
> instead configure IPSec in transport mode, configure the tunnel
> separately and leave out the implicit firewalling.
>
>> This may not apply to William Herrin’s (OP) use case of a VPN
>> appliance
>
> It's not relevant to my situation, no. I need the VPN to establish a
> statically addressed clean layer 3 on top of dynamically addressed and
> natted endpoints to support the next appliance in the chain where
> dynamic addressing is not possible. I don't actually care if it adds
> security; it just needs to establish that statically addressed layer.
> Oh yeah, and it has to be listed under "virtual private network" on
> the government NIAP list.
> https://www.niap-ccevs.org/product/PCL.cfm?ID624=34
>
> Regards,
> Bill Herrin
--
Christian de Larrinaga
https://firsthand.net
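Bill's point in the quoted reply (IPsec transport mode plus a separately configured tunnel, with no tunnel-mode policy doing implicit routing or firewalling) as an added example, not code from anyone in this thread: a Linux setup where strongSwan's swanctl protects a plain GRE tunnel in transport mode. GRE as the tunnel protocol, the public and inner addresses, and the PSK placeholder are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): IPsec transport mode protecting a
# plain GRE tunnel on Linux with strongSwan's swanctl. Addresses are
# assumed placeholders. Commands are printed unless APPLY=1 is set.
set -eu
LOCAL_PUB="${LOCAL_PUB:-203.0.113.1}"      # assumed: this host's public IP
REMOTE_PUB="${REMOTE_PUB:-198.51.100.2}"   # assumed: peer's public IP
GRE_LOCAL="${GRE_LOCAL:-10.255.0.1/30}"    # assumed: inner tunnel address
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }
# The tunnel is an ordinary interface: OSPF/BGP peer across gre1 and the
# kernel routing table, not an IPsec policy, decides what enters it.
setup_gre() {
  run ip link add gre1 type gre local "$LOCAL_PUB" remote "$REMOTE_PUB" ttl 64
  run ip addr add "$GRE_LOCAL" dev gre1
  run ip link set gre1 up
}
# Transport-mode child SA between the two public addresses, selecting only
# GRE (IP protocol 47). No subnets in the selectors, so no tunnel-mode
# policy overrides routes and no other traffic is implicitly blocked.
swanctl_conf() {
  cat <<EOF
connections {
  gre-transport {
    local_addrs = $LOCAL_PUB
    remote_addrs = $REMOTE_PUB
    local {
      auth = psk
    }
    remote {
      auth = psk
    }
    children {
      gre {
        mode = transport
        local_ts = $LOCAL_PUB[gre]
        remote_ts = $REMOTE_PUB[gre]
        start_action = start
      }
    }
  }
}
secrets {
  ike-gre {
    id-1 = $REMOTE_PUB
    secret = "REPLACE_WITH_REAL_PSK"
  }
}
EOF
}
setup_gre && swanctl_conf
```

Run it on both endpoints with the addresses swapped, save the swanctl_conf output as /etc/swanctl/swanctl.conf and load it with `swanctl --load-all`; whichever routing daemon you use then peers over gre1 exactly as over any other link.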