1. 36
  1. 9

    I strongly recommend using Algo if you want a brainless Wireguard + IPSec VPN setup that works well across a lot of devices, including those that can’t run Wireguard for some reason.

    1. 5

      I actually looked into this last week, but while IPSec technically does support more devices, I don’t think this is something that people will be having problems with. My setup was for people with close to no technical knowledge, and involved different BSDs, Windows, Linux and mobile OSs. So I think it is worthwhile to think about whether you actually want to have multiple VPN technologies running.

      Wireguard isn’t exactly hard to set up. Not even on non-Linux.

      • Generate keypairs Server, Peer1, …, PeerN
      • Create a server.conf (where you put in key+ip for each peer and key+port for the server, optional preshared key)
      • Depending on the OS, enable IP forwarding, internet access (two to three config lines on OpenBSD for example)
      • Create a client conf for the peers (server IP, DNS server, server key, client key)
      • Distribute the client configs and use them: all of the clients have some simple command (wg-quick) or a simple GUI (mobile, Windows, …); make QR codes of the config with qrencode.

      I would strongly advise against setting up a VPN (or any service for that matter) “brainless”. Hiding complexity at setup time makes it hard to reason about it at runtime, and you will likely spend more time on keeping it running than on setting it up.

      Here is a nice OpenBSD guide.
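What the five steps above actually produce, as an added example that is not from this thread or from the WireGuard project: x25519() reimplements what `wg genkey` / `wg pubkey` do (RFC 7748) purely for illustration, genkey()'s prefix parameter is the “vanity” public-key filtering discussed further down, and the two conf builders lay out server.conf and a client config. The tunnel subnet 10.7.0.0/24, port and endpoint are constructed values.

```python
# Added example, not from the thread. x25519() reimplements `wg genkey`/`wg pubkey`
# (RFC 7748) for illustration only; use the wg tool in practice. Addresses constructed.
import base64, os

P = 2**255 - 19
b64 = lambda b: base64.b64encode(b).decode()

def x25519(k: bytes, u: bytes = bytes([9]) + bytes(31)) -> bytes:
    """RFC 7748 ladder; u defaults to the base point, so x25519(priv) is the public key."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def genkey(prefix: str = "") -> tuple:
    while True:                      # (private, public) base64 pair, like wg genkey | wg pubkey
        priv = os.urandom(32)
        pub = b64(x25519(priv))
        if pub.startswith(prefix):   # "" matches at once; "iPho" is the vanity-key trick
            return b64(priv), pub

def shared_secret(priv: str, pub: str) -> str:
    return b64(x25519(base64.b64decode(priv), base64.b64decode(pub)))

def server_conf(priv: str, port: int, peers: list) -> str:
    """peers: (name, public key, tunnel IP, preshared key from `wg genpsk`) per client."""
    out = ["[Interface]", f"PrivateKey = {priv}", f"ListenPort = {port}", "Address = 10.7.0.1/24"]
    for name, pub, ip, psk in peers:
        out += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}",
                f"PresharedKey = {psk}", f"AllowedIPs = {ip}/32"]
    return "\n".join(out) + "\n"

def client_conf(priv: str, ip: str, server_pub: str, endpoint: str, psk: str) -> str:
    return "\n".join(["[Interface]", f"PrivateKey = {priv}", f"Address = {ip}/32",
        "DNS = 10.7.0.1", "", "[Peer]", f"PublicKey = {server_pub}", f"PresharedKey = {psk}",
        f"Endpoint = {endpoint}", "AllowedIPs = 0.0.0.0/0, ::/0", "PersistentKeepalive = 25"]) + "\n"
```

Both sides computing the same shared_secret() from their own private key and the other’s public key is the property the handshake relies on; the generated files are what you hand to wg-quick or turn into a QR code with qrencode.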

      1. 6

        Here is a nice OpenBSD guide.

        I have been working on a privilege separated implementation of WireGuard for OpenBSD. It has been stable for me personally for over a year now and has recently been accepted as part of the upcoming OpenBSD 6.7 ports system. If you have some opinions about it please share, I would appreciate any feedback.

        1. 1

          This is really cool! Also that it has been accepted into ports. Given that the license matches, it uses pledge and so on wouldn’t it potentially be something for the base system? Did you consider that?

          1. 2

            It would be really cool if it got included in base, but that decision is not for me to make. Aside from that, I think in the long term the kernel version that is being developed has a good chance of getting included at some point.

      2. 2

        +1 on Algo, been giving it to family and friends and it works easily and securely.

      3. 4

        I recently set up a tunnel between a DigitalOcean VPS running Ubuntu, and a Raspberry Pi running Raspbian (at home behind a NAT). These 2 docs not only explained the config files setup (like this one) but also how to keep them running using systemctl.

        1. 3

          Thanks for this tutorial! Really helping me get my feet wet with WG.

          I’ve got a lab running now!

          1. 3

            Well written article!

            Personally I use Linode’s article given that it’s super concise, but this is great for beginners.

            1. 2

              This may be a strange question and I apologize in advance if it is, but what are the benefits of this versus say Nord or Express?

              1. 8

                It depends a lot on what you need a VPN for. Personally I would never trust any VPN provider such as NordVPN who tries to get customers with fearmongering.

                If you are planning to hide your traffic from your ISP, setting up your own server works, but you are simply shifting the trust to whatever VPS provider you use and in what country/jurisdiction it belongs to, etc.

                Also note that the argument “A VPN protects you from man in the middle attacks.” is bullshit if you access a website such as lobsters over http; you would only be end-to-end encrypted to your VPN endpoint, the rest is unencrypted.

                I personally only use wireguard for server to server tunnels, to access services at home; to use it for privacy I would have to do more research and take further steps (what dns do I use and how? etc.)

                1. 3

                  I just use wireguard to vpn into my home network, so third party VPNs aren’t an option for me.

                  1. 2

                    You can self-host with WireGuard meaning you don’t need to trust 3rd party VPN providers since they may collect logs and/or sell your information. For a regular user, Nord or Express is good enough, but running a VPN tunnel that you have full control over and you understand what you’re doing will always offer the best privacy protection.

                  2. 2

                    It’s kernel-based which reduces attack surface and can be run on virtually any device.

                    This doesn’t seem right?

                    How does kernel-based or not reduce attack surface? I feel like, if anything, it increases risk when an exploit is found?

                    And the second point also feels like it’s the other way around? Kernel-based to me just sounds like it’s another of those things an embedded manufacturer could choose to omit from their locked-down kernel.

                    (The advantages of kernel-based I see is performance and ease of tunnel setup.)

                    1. 3

                      This doesn’t seem right?

                      I have a feeling this is just a leftover openvpn comparison, where wireguard “wins” in the fact that it has far fewer lines of code, but what many people also fail to see is that it provides a different “solution”. (openvpn has user management).

                      One other downside of the kernel approach is that manufacturers will have to update their kernels when wireguard issues are found, which might be more work than updating an application.

                      1. 3

                        The attack surface is probably smaller with something kernel-based because you need fewer bricks to get the functionality. The risk is higher though. That being said, VPN software runs with fairly high privileges usually. Also, don’t forget Wireguard is also fairly small: it does only the minimum needed; the larger and more complex parts are left to userspace implementations.

                        Wireguard also has userspace implementations which are very competitive (faster than openvpn) which means that not having it in the kernel is not such a big issue. Moreover it looks like it might be enabled by default in Android which will help adoption and makes it likely everyone follows.

                        1. 1

                          It’s much simpler than ipsec - so compared to other, in-kernel vpn alternatives it reduces complexity and attack surface.

                        2. 2

                          For example, we’ll generate a key pair where the public key starts with “iPho” to denote that it’s a key pair to be used on the iPhone client.

                          I have no real understanding of ECC but it doesn’t really seem like a good idea to limit the keyspace for something that could be solved by commenting a config file.

                          1. 1

                            It’s not limiting the keyspace since all the keys are randomly generated and the vanity address generator simply filters down the list to ones that match the vanity characters. The benefit is that the public key is self-documenting, removing the need for explicit commenting in the config file.