Hi David,

Thanks for testing WireGuard, and you make good points.

WireGuard and IPSec are similar in some ways, as the core code is in the kernel and as such all addresses are manually assigned as you mention. IPSec has bolted on much "stuff" as time has gone on, Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG) to support dynamic pools for client configuration via a user space daemon.

I have tested a commercial VPN provider Mullvad.net which supports WireGuard VPN "clients" where their "server" end automatically assigns a 10.0.0.0/8 private /32 address for each client. A static one-time configuration, works very nicely.

Another approach would be to standardize on an IPv6 ULA "fd" address scheme for the local client address, possibly generated from a hash of the PublicKey.

For site-to-site AstLinux constellations, there is no better VPN solution than WireGuard, IMHO.

It will take some time for Android, iOS, ChromeOS, etc. to provide WireGuard solutions, but Android is almost there now, both user-space and kernel implementations.

Lonnie


On Dec 4, 2017, at 9:02 AM, David Kerr <da...@kerr.net> wrote:

> Having played with WireGuard I think that it is very good underlying
> technology to implement VPN. It seems to be very robust and tolerates
> roaming (client's IP address changing) very well. But there are missing
> pieces before it is ready for mainstream adoption.
>
> The biggest issue that I see is that client IP addresses (whether IPv4 or
> IPv6) needed to be managed manually.... if you have a dozen clients
> connecting in to the one server, each of these clients must have an IP
> address manually assigned and configured at the client, and the server needs
> to know what IP address was assigned and if there are any conflicts (two
> clients use the same IP address) then I guess the results are "undefined".
> Right now there is no way to have the server manage a pool of IP addresses
> and push out to the client an IP address when it connects, whether that IP is
> dynamically determined by the server or manually configured for each client
> on the server. WireGuard could never be deployed on a large scale without
> this.
>
> Managing IP addresses should not be a kernel task. So I suspect the raw VPN
> technology will get embedded into the kernel and solving IP address
> management will be left to some user space utility. I just don't know if it
> will require some supporting capability in the kernel or not.
>
> David
>
>
> On Sun, Dec 3, 2017 at 3:44 PM, Michael Knill
> <michael.kn...@ipcsolutions.com.au> wrote:
> Great thanks Lonnie. I'm looking forward to it. Very cool!
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Monday, 4 December 2017 at 1:39 am
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] AstLinux Pre-Release: astlinux-1.3-3534-c5e366
>
> Hi Michael,
>
> > Wow (WireGuard) looks super easy to set up.
>
> Indeed, the easiest VPN you ever have set up, particularly for site-to-site
> scenarios routing networks across the VPN.
>
> > So is it ready for production?
>
> I have had in production a remote AstLinux box (SIP / HTTPS) over WireGuard
> for a few weeks now ... works perfectly, never missed a beat, different ISP
> at each end.
>
> Officially, I would look for a 1.0.0 release and acceptance into the mainline
> Linux kernel as milestones indicating WireGuard's production-readiness ...
> should happen soon, but not yet.
>
> Definitely worth testing now.
>
> Lonnie
>
>
> On Dec 2, 2017, at 10:26 PM, Michael Knill
> <michael.kn...@ipcsolutions.com.au> wrote:
>
> > Wow looks super easy to set up. So is it ready for production?
> >
> > Regards
> > Michael Knill
> >
> > -----Original Message-----
> > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> > Reply-To: AstLinux Developers Mailing List
> > <astlinux-de...@lists.sourceforge.net>
> > Date: Sunday, 3 December 2017 at 10:13 am
> > To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > Cc: AstLinux Developers Mailing List <astlinux-de...@lists.sourceforge.net>
> > Subject: [Astlinux-devel] AstLinux Pre-Release: astlinux-1.3-3534-c5e366
> >
> > Announcing Pre-Release Version: astlinux-1.3-3534-c5e366
> >
> > Particularly notable is the addition of the WireGuard VPN.
> >
> > The AstLinux Team is regularly upgrading packages containing security and
> > bug fixes as well as adding new features of our own.
> >
> > -- WireGuard VPN, new package; an extremely simple yet fast and modern VPN
> > that utilizes state-of-the-art cryptography.
> > http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn
> >
> > -- Asterisk 13 version bump to 13.18.3
> >
> > These pre-release images are for those who would like to take advantage of
> > the AstLinux development before the next official release, as well as
> > providing testing for the project.
> >
> > The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be
> > found under the "Development" tab of the AstLinux Project web site ...
> >
> > AstLinux Project -> Development
> > http://www.astlinux-project.org/dev.html
> >
> > While these images are considered 'stable', the lack of testing will not
> > make these images suitable for critical production systems.
> >
> > If you should come across an issue, please report back here.
> >
> > AstLinux Team
> >
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org!
> http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
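
Added example, not part of the original thread and not AstLinux or WireGuard code: one way to realise the suggestion above of deriving each client's IPv6 ULA "fd" address from a hash of its PublicKey, with the conflict check that manual assignment lacks. The use of SHA-256, the /64 site prefix and all function names are assumptions, and the sample keys are constructed.

```python
import base64
import hashlib
import ipaddress

# Assumed site prefix (constructed): a ULA /64 under fd00::/8, per RFC 4193.
SITE_PREFIX = ipaddress.IPv6Network("fd5a:1c3e:9b70:1::/64")


def decode_public_key(public_key_b64):
    """Return the raw 32-byte Curve25519 key, rejecting malformed input."""
    try:
        raw = base64.b64decode(public_key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("PublicKey is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError("PublicKey must decode to exactly 32 bytes")
    return raw


def ula_for_peer(public_key_b64, prefix=SITE_PREFIX):
    """Map a peer PublicKey to a stable address inside the ULA /64."""
    ula_space = ipaddress.IPv6Network("fd00::/8")
    if prefix.prefixlen != 64 or not prefix.subnet_of(ula_space):
        raise ValueError("prefix must be a /64 inside fd00::/8")
    digest = hashlib.sha256(decode_public_key(public_key_b64)).digest()
    interface_id = int.from_bytes(digest[:8], "big")  # low 64 bits of the address
    return ipaddress.IPv6Address(int(prefix.network_address) | interface_id)


def allowed_ips(public_keys, prefix=SITE_PREFIX):
    """Build PublicKey -> AllowedIPs (/128), failing on any address conflict."""
    owner_of = {}
    plan = {}
    for key in public_keys:
        addr = ula_for_peer(key, prefix)
        if addr in owner_of:
            raise ValueError(f"address conflict: {addr} for {owner_of[addr]} and {key}")
        owner_of[addr] = key
        plan[key] = f"{addr}/128"
    return plan


# Constructed sample keys (32 repeated bytes, base64); not real peers.
SAMPLE_KEYS = [base64.b64encode(bytes([n]) * 32).decode() for n in (1, 2, 3)]

if __name__ == "__main__":
    for key, cidr in allowed_ips(SAMPLE_KEYS).items():
        print(f"[Peer]\nPublicKey = {key}\nAllowedIPs = {cidr}\n")
```

Because the address is a pure function of the key, client and server compute it independently and nothing has to be pushed at connect time; the server still has to refuse a plan in which two keys map to the same address.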