[Cryptography] WireGuard

Paul Wouters paul at cypherpunks.ca
Fri Sep 7 10:38:38 EDT 2018


On Thu, 6 Sep 2018, Phillip Hallam-Baker wrote:

> I would not describe IPSEC as a standard as it is difficult enough to get OpenVPN to talk to OpenVPN.

The perceived difficulty of IKE/IPsec is interesting, as it is mostly
folklore.

A few months ago I visited NetDev, to show Linux kernel developers how
easy it is to set up an IPsec VPN. You can find the slides here:

https://libreswan.org/wiki/File:NetDev-0x12-IPsec.pdf

A host to host VPN takes two slides to explain how to configure (slides 10-11)
A net to net VPN takes one more additional slide (slide 16)
A Remote Access VPN takes 3 slides as well (slides 19-21)

For those that still think this is too hard, there are scripts to
automate this for you and to generate server configs and client
profiles (for OSX/iOS)

https://github.com/trailofbits/algo

(algo even supports WireGuard if you prefer that :)

For GSoC 2018, libreswan worked on making it even easier
to set up a Remote Access VPN by adding an admin GUI. This
code is being finished up and should be ready very soon.

https://libreswan.org/wiki/Libreswan_Managing_Interface

Then you can browse to your admin page, set up the server with some simple
questions, and send invite emails to your users to obtain VPN credentials
and client configurations over HTTPS.

If you think IKE/IPsec is too difficult to configure, you are going to
have a really hard time with IPv6. From a developer point of view, sure
there are (too) many smart and tricky knobs. But from an admin/user
point of view, all VPNs have roughly the same complexity. Usually in
the form of "how on earth do you generate proper X509 certificates".

Anyway, before the moderators poke me for being off-topic, I'll stop
posting in this thread. Feel free to contact me offlist with questions
on IPsec though.

Paul

