DaemonForums  

#1
7th February 2017
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 578
WireGuard: replacement for IPsec

Quote:
WireGuard is a next generation VPN protocol, which lives in the Linux kernel, and uses state of the art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling.
https://fosdem.org/2017/schedule/event/wireguard/
Slides in PDF
Video in h.264
Video in VP8
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase

#2
4th May 2020
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 578

I am more than a month late with this news, but this belongs here anyway.
WireGuard VPN makes it to 1.0.0—and into the next Linux kernel
Quote:
We've been anticipating WireGuard's inclusion into the mainline Linux kernel for quite some time—but as of Sunday afternoon, it's official. Linus Torvalds released the Linux 5.6 kernel, which includes (among other things) an in-tree WireGuard.

#3
19th May 2020
ibara
JavaScript game developer
Join Date: Jan 2014
Posts: 744

The effort is underway to get WireGuard in OpenBSD: https://marc.info/?l=openbsd-tech&m=158926407905492&w=2

But if you can't wait that long, there is a userland implementation called WireSep which is available in ports: https://netsend.nl/wiresep

#4
22nd June 2020
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 578

https://lists.zx2c4.com/pipermail/wi...ne/005588.html
Quote:
Originally Posted by Jason A. Donenfeld
Hey everyone,

I'm happy to announce that WireGuard has been merged into the OpenBSD
kernel, with integration into userland as well.

https://marc.info/?l=openbsd-cvs&m=159274150512676&w=2

#5
24th June 2020
ibara
JavaScript game developer
Join Date: Jan 2014
Posts: 744

https://marc.info/?l=openbsd-cvs&m=159295575721928&w=2

#6
24th June 2020
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,093

I was playing with wg(4) yesterday. As VPN tech goes, this thing is simple and easy to provision and use.

#7
24th June 2020
IdOp
Too dumb for a smartphone
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 930

Or one could use one of these.

#8
24th June 2020
fvgit
Spikes in tights
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 257

Quote:
Originally Posted by jggimi
I was playing with wg(4) yesterday. As VPN tech goes, this thing is simple and easy to provision and use.
Do you still need the userland tools from net/wireguard-tools?

#9
24th June 2020
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,093

They are optional. See the EXAMPLES section of the wg(4) man page for using ifconfig(8) alone.

27th June 2020
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,093

Both ipv4 and ipv6 work well for me, and either can be tunneled over either. So testing is over. I'm now using it in (personal) production, with a dual-stack implementation running on an OpenBSD VPS, for my smartphone. At the moment I have two Android apps on the exclusion list so they can access devices on the home WiFi network.

2nd July 2020
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,597

If you read https://en.wikipedia.org/wiki/WireGuard you will notice that it uses a lot of crypto developed by Daniel J. Bernstein or is derived from it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

5th July 2020
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,093

Indeed. It uses Bernstein's Curve25519, ChaCha20, and Poly1305 primitives.

I've added my personal workstation as a VPN client, too. I'm very pleased with the outcomes for both phone and laptop. For the laptop, it was the first time I've added routes with -priority metrics, which permitted me to provision the correct routing table.

Last edited by jggimi; 5th July 2020 at 12:01 PM. Reason: added primitives

5th July 2020
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,093

And there is one additional feature I did not expect: since the VPN can tunnel IPv6 within IPv4 (or vice versa), I can use IPv6 from within IPv4-only networks, a common limitation here in North America.

6th July 2020
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 578

Quote:
Originally Posted by jggimi
And there is one additional feature I did not expect: since the VPN can tunnel IPv6 within IPv4 (or vice versa), I can use IPv6 from within IPv4-only networks, a common limitation here in North America.
It is not that bad:
Google stats:
Poland: 12,57%
USA: 43,25%

Akamai stats:
Poland: 11,9%
USA: 45,3%

It is weird, because Poland doesn't have that bad Internet connectivity.

6th July 2020
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,093

Many local networks in North America do not support IPv6, even if the ISP they are connected to supports it. Often, SOHO routers are not provisioned for it, or the ISPs have IPv6 blocks assigned but do not actually offer IPv6 services to their customers, or they do not have trained staff or documentation to support customer deployments, which amounts to the same thing.