Some time ago, I tried to expose some virtual machines on a WireGuard
VPN. I didn't have permissions to change the WireGuard configuration, but
I did have perms on my virtual machines and on the network
configuration. After some tries, my conclusion was that WireGuard can't
handle layer 2 bridging like OpenVPN does.
I didn't dig really hard, so maybe I'm wrong; I just concluded that
WireGuard is not really a "virtual private network" unless you use it at
application level.
On 18/12/23 17:05, o1bigtenor via Dng wrote:
> Please, questions are mostly because I'm a total noob at this and I'm
> trying real hard to understand this stuff that seems to often be flying
> by overhead - - - just out of reach . . .
>
> On Mon, Dec 18, 2023 at 8:22 AM wirelessduck--- via Dng
> <dng@???> wrote:
>>
>>
>>
>>> On 17 Dec 2023, at 23:20, o1bigtenor via Dng <dng@???> wrote:
>>>
>>> (looking to understand rather than any other . . . )
>>>
>>> You're running Openvpn - - - is that because you have been running this
>>> for a while?
>>>
>>> Curious as to WireGuard - - - it's the 'new kid on the block' but it also
>>> purports to be easier to set up. Have you looked at it to date?
>>>
>>> Comments - - - please ?
>>>
>>> TIA
>>
>> The problem I found with wireguard is that it seems to be just a point-to-point encryption tunnel so it doesn’t come with any authentication stack included like openvpn does.
>
> https://www.wireguard.com/quickstart/ - - - page seems to suggest
> that authentication (at least I'm assuming that's what the 'key
> generation' refers to) is a part of the 'stack'.
>
>>
>> Last time I looked at it you need to add user authentication and OTP as a separate layer on top like firezone does with a web portal. I’m also not sure if wireguard includes any capability to set up network routes or if that is another thing you have to DIY or find a separate tool to handle. Openvpn, with its much larger code base, includes all of that plus the kitchen sink. You can hook directly into PAM auth to use your favourite OTP plugin very easily.
>>
> Same page seems to suggest that something that to me looks like
> 'network routing' is possible.
>
>> If you don’t need any of that then I would agree that wireguard is easier to set up.
>>
>> The main benefit of wireguard seems to be a relatively small code base which is easier to audit, and a very small restricted set of high quality ciphers that can be used. The same cipher list can be achieved in openvpn via configuration but wireguard makes it easy by not even giving the choice of older crypto. I guess being a newer protocol allows such liberties to be taken.
>>
> Is it possible that you were looking at an earlier version - - -
> current seems to be from 202109 AFAICT?
>
> Thanking you for helping to understand what is necessary in setting up
> vpn software.
>
> Regards
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
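As an added illustration of the two points argued in this thread (whether WireGuard authenticates peers and whether it sets up routes), here is a constructed wg-quick configuration for a hub and one peer that has virtual machines behind it; it is not any poster's configuration and not text from the quickstart page. It shows that the peer's public key is the only authentication WireGuard itself performs, and that AllowedIPs is both the access list and the routing table (cryptokey routing), which works at layer 3 only, so VMs behind a peer are reached by routing their subnet through that peer rather than by bridging. All keys, addresses, interface names and the hostname are placeholders.

```ini
# Hub, 10.8.0.1 -- /etc/wireguard/wg0.conf (constructed example)
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY_PLACEHOLDER>
# WireGuard only moves packets to/from peers; forwarding between peers,
# and any username/password or OTP layer, is outside it and must be added.
PostUp     = sysctl -w net.ipv4.ip_forward=1

# Peer "vmhost": authenticated solely by this public key.
# AllowedIPs is cryptokey routing: packets *from* this peer are accepted
# only if their source lies in it, and packets *to* these destinations are
# sent to this peer. wg-quick also installs the matching kernel routes.
[Peer]
PublicKey  = <VMHOST_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32, 192.168.50.0/24   # tunnel address + VM subnet behind it

# vmhost, 10.8.0.2 -- /etc/wireguard/wg0.conf; VMs sit on bridge br0 = 192.168.50.0/24
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <VMHOST_PRIVATE_KEY_PLACEHOLDER>
# Layer 3 only: a VM's Ethernet frames cannot be bridged into wg0, and
# wg0 cannot be made a member of br0. The host routes between br0 and wg0
# instead, so the VMs need a route for 10.8.0.0/24 via this host's br0
# address (or the host NATs them, which is not shown here).
PostUp     = sysctl -w net.ipv4.ip_forward=1
PostDown   = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey  = <HUB_PUBLIC_KEY_PLACEHOLDER>
Endpoint   = hub.example.invalid:51820
AllowedIPs = 10.8.0.0/24                     # only the VPN range rides the tunnel
PersistentKeepalive = 25
```

Any third peer that should reach the VMs needs 192.168.50.0/24 added to its own AllowedIPs entry for the hub; nothing in WireGuard distributes routes between peers.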