Intriguing. This week I started to look around for new WireGuard implementation tools and appliances. I've used OpenVPN and IPsec in the main, although last month I put together a 10x and IPv6 WireGuard net in my home and out to two VPS hosts, which is handy. For my own use this is OK-ish, but I am not so sure about keeping track of the configs, managing users and adding configs as a network grows. In other words, I want help when scaling wg and handling change, particularly if I am managing nets for other projects or delegating.

Tailscale, ZeroTier and some others are doing a great job, I feel, and no doubt have a handle on that. I've not tried them as yet. Because I do like to have options that are not mediated, I have kept looking, as much for my own curiosity and education as for deploying a service in anger. But having a toolset that can support the latter capability has to be the aim to work towards.

I've found a few potentially interesting, more recent projects and am intending to start to test-deploy some of these in sequence to see how I get on. I think I'll start with https://github.com/gravitl/netmaker

Please note I've only reviewed the documentation. I've not yet played with it. This seems to offer, at an early stage in its development, a web appliance (optionally) with CoreDNS if you want naming support, and IPv6, and at least some client management features. It claims to be fast, but that can be tested. It is also deployable as a Docker/Kubernetes (k8s) workload, which is intriguing when deploying and managing containers between multiple hosts across data centres. It uses a MongoDB licence, which may or may not be a problem.

If one plays with IPsec then I guess one could run wg through IPsec, but is there any point unless you already have an IPsec branch and don't want to take it down whilst adding wg for a new class of devices/userbase?

I'd be interested in sharing experiences and advice (off-list) and delighted to learn from WireGuard- and VPN-clueful folk.
Thank you for an interesting discussion.

Christian

William Herrin <bill@herrin.us> writes:

> On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon <sneddon@gmail.com> wrote:
> > 1) IPsec does not lend itself to dynamic routing or dynamic configuration. It is very much a static set-it-and-forget-it technology, but that doesn't work in a dynamically changing environment.
>
> Hi Dan,
>
> Depending on how you configure it, IPsec can work fine with dynamic routing. The thing to understand is that IPsec has two modes: transport and tunnel. Transport is between exactly two IP addresses, while tunnel expects a broader network to exist on at least one end. "Tunnel" mode is what everyone actually uses, but you can deconstruct it: it's built up from transport mode + a tunnel protocol (GRE or IP-in-IP, I don't remember which) + implicit routing and firewalling, which wreaks havoc on dynamic routing. Now, it turns out that you can instead configure IPsec in transport mode, configure the tunnel separately and leave out the implicit firewalling.
>
> > This may not apply to William Herrin's (OP) use case of a VPN appliance
>
> It's not relevant to my situation, no. I need the VPN to establish a statically addressed clean layer 3 on top of dynamically addressed and NATed endpoints to support the next appliance in the chain, where dynamic addressing is not possible. I don't actually care if it adds security; it just needs to establish that statically addressed layer. Oh yeah, and it has to be listed under "virtual private network" on the government NIAP list. https://www.niap-ccevs.org/product/PCL.cfm?ID624=34
>
> Regards,
> Bill Herrin

--
Christian de Larrinaga
https://firsthand.net