:: Re: [DNG] Info about openvpn
Inizio della pagina
Delete this message
Reply to this message
Autore: wirelessduck
Data:  
To: dng
Oggetto: Re: [DNG] Info about openvpn


> On 19 Dec 2023, at 13:09, o1bigtenor via Dng <dng@???> wrote:
>
> On Mon, Dec 18, 2023 at 5:55 PM wirelessduck--- via Dng
> <dng@???> wrote:
>>
>>
>>
>>>> On 19 Dec 2023, at 03:05, o1bigtenor via Dng <dng@???> wrote:
>>> Please questions are mostly because I'm a total noob at this and I'm
>>> trying real hard to
>>> understand this stuff that seems to often be flying by overhead - - -
>>> just out of reach . . .
>>>
>>>> On Mon, Dec 18, 2023 at 8:22 AM wirelessduck--- via Dng
>>>> <dng@???> wrote:
>>>>
>>>>
>>>>
>>>>>> On 17 Dec 2023, at 23:20, o1bigtenor via Dng <dng@???> wrote:
>>>>> (looking to understand rather than any other . . . )
>>>>> You're running Openvpn - - - is that because you have been running this
>>>>> for a while?
>>>>> Curious as to WireGuard - - - its the 'new kid on the block' but it also
>>>>> purports to be easier to set up. Have you looked at it to date?
>>>>> Comments - - - please ?
>>>>> TIA
>>>>
>>>> The problem I found with wireguard is that it seems to be just a point-to-point encryption tunnel so it doesn’t come with any authentication stack included like openvpn does.
>>>
>>> https://www.wireguard.com/quickstart/    - - - page seems to suggest
>>> that authentication ( at least
>>> I'm assuming that's what the 'key generation' refers to) is a part of
>>> the 'stack'.

>>
>> I was referring more to username/password authentication. Wireguard protocol only supports public key auth by default so it’s not really designed as a corporate style vpn where you have multiple people logging in from roaming laptops and authenticating with their own personal LDAP/OTP credentials.
>>
>> Openvpn has the username/password/otp/client certificates built in to the protocol directly.
>>
>>>>
>>>> Last time I looked at it you need to add user authentication and OTP as a separate layer on top like firezone does with a web portal. I’m also not sure if wireguard includes any capability to setup network routes or if that is another thing you have to DIY or find a separate tool to handle. Openvpn, with its much larger code base, includes all of that plus the kitchen sink. You can hook directly into PAM auth to use your favourite OTP plugin very easily.
>>> Same page seems to suggest that something that to me looks like
>>> 'network routing' is
>>> possible.
>>
>> The examples shown there are all manual configuration on the server or client with the `ip` command. Openvpn allows you to configure routes inside the openvpn config and also push routes from the server to clients.
>>
>> I’m not sure how wireguard handles dns configuration for the clients either as openvpn can also push the dns config through to the client.
>>
>>>> If you don’t need any of that then I would agree that wireguard is easier to setup.
>>>>
>>>> The main benefit of wireguard seems to be a relatively small code base which is easier to audit, and a very small restricted set of high quality ciphers that can be used. The same cipher list can be achieved in openvpn via configuration but wireguard makes it easy by not even giving the choice of older crypto. I guess being a newer protocol allows such liberties to be taken.
>>> Is it possible that you were looking at an earlier version - - -
>>> current seems to be from 202109 AFAICT?
>>>
>>> Thanking you for helping to understand what is necessary in setting up
>>> vpn software.
>>
>> Keep in mind this is not a case of one being better than the other. It’s all dependent on what you want to use it for.
>>
> Excellent question - - - and if one doesn't know what one wants to use
> it for but knows that one
> wants to maximize security AND privacy - - - - what does one do?
>
> TIA


I can’t really answer that one. A VPN doesn’t always guarantee privacy as that is entirely dependent on the security and privacy of the vpn endpoint that you are connecting to. Maybe Tor is useful for that but I can’t say much as I’ve never used it.

Hopefully someone else here has more guidance.

Tom