Hi Michael,
 It looks like both Mullvad and azire are using essentially the same script
(copyright claimed by same person) to do initial configuration... they
request info from their servers using simple HTTS requests to obtain basic
info from which they create the wireguard config files.  This means that
they are managing a pool of IP addresses at their servers when the customer
does an initial configuration.  Essentially assigning a static IP address
that will be used every time a customer connects.  The VPN IP address will
be the same for every connection.  If they allocate from the 10.x.x.x pool
then this gives them approx 16 million IP addresses to work from.  Which
probably works fine for a small VPN provider.  I suppose when they run out
they can start revoking the access rights of the last used IP address by
keeping track of who connects when, whoever connected longest time ago
loses their VPN access.  For IPv6 I doubt that there is any problem with
running out of available addresses!

It would be interesting to see the server-side scripts for this.

David
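
The allocation scheme described in this message (one static tunnel address per customer from a 10.x pool, with the longest-idle customer revoked once the pool runs out), sketched as an added example. It is not Mullvad's, AzireVPN's or AstLinux's code; the class name, the placeholder keys and the 10.99.0.0/29 pool are constructed for illustration.

```python
import ipaddress
from collections import OrderedDict

class PeerAddressPool:
    """One static tunnel address per WireGuard public key; when the pool is
    exhausted, the peer that connected longest ago loses its address."""

    def __init__(self, cidr):
        self.net = ipaddress.ip_network(cidr)
        self.free = iter(self.net.hosts())   # lazy, so a /8 costs nothing up front
        self.server = next(self.free)        # first host address is the server's own
        self.leases = OrderedDict()          # pubkey -> address, longest-idle first
        self.revoked = []                    # keys to remove from the interface

    def register(self, pubkey):
        """Initial configuration request: returns the same address every time."""
        if pubkey in self.leases:
            return self.leases[pubkey]
        addr = next(self.free, None)
        if addr is None:                     # pool exhausted: recycle the idlest lease
            old_key, addr = self.leases.popitem(last=False)
            self.revoked.append(old_key)
        self.leases[pubkey] = addr
        return addr

    def connected(self, pubkey):
        """Call on each handshake so this peer becomes the most recently seen."""
        self.leases.move_to_end(pubkey)

    def server_peers(self):
        """[Peer] stanzas for the server. A /32 per key means two peers can never
        claim the same address, and a peer cannot source traffic from another's."""
        return "\n".join(f"[Peer]\nPublicKey = {key}\nAllowedIPs = {addr}/32\n"
                         for key, addr in self.leases.items())

def demo():
    pool = PeerAddressPool("10.99.0.0/29")   # constructed pool: 1 server + 5 clients
    keys = [f"CONSTRUCTED_KEY_{i}" for i in range(5)]   # placeholders, not real keys
    for key in keys:
        pool.register(key)
    pool.connected(keys[0])                  # key 0 reconnects, so key 1 is now idlest
    new_addr = pool.register("CONSTRUCTED_KEY_NEW")
    return pool, new_addr

if __name__ == "__main__":
    pool, new_addr = demo()
    print("new peer got", new_addr, "revoked:", pool.revoked)
    print(pool.server_peers())
```

Keys collected in `revoked` still have to be removed from the running interface, for example with `wg set <interface> peer <key> remove`.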

On Mon, Dec 4, 2017 at 10:32 AM, Michael Keuter <li...@mksolutions.info>
wrote:

>
> > Am 04.12.2017 um 16:02 schrieb David Kerr <da...@kerr.net>:
> >
> > Having played with Wireguard I think that it is very good underlying
> technology to implement VPN.  It seems to be very robust and tolerates
> roaming (client's IP address changing) very well.  But there are missing
> pieces before it is ready for mainstream adoption.
> >
> > The biggest issue that I see is that client IP addresses (whether IPv4
> or IPv6) needed to be managed manually.... if you have a dozen clients
> connecting in to the one server, each of these clients must have an IP
> address manually assigned and configured at the client, and the server
> needs to know what IP address was assigned and if there are any conflicts
> (two clients use the same IP address) then I guess the results are
> "undefined".  Right now there is no way to have the server manage a pool of
> IP addresses and push out to the client an IP address when it connects,
> whether that IP is dynamically determined by the server or manually
> configured for each client on the server.  Wireguard could never be
> deployed on a large scale without this.
>
> Hi David,
>
> good point. It would be interesting to know in which way the commercial VPN
> providers, who use WireGuard, are handling this issue.
> Lonnie has tested Mullvad recently, maybe he can comment.
>
> https://www.azirevpn.com/wireguard
> https://www.mullvad.net/guides/wireguard-and-mullvad-vpn/
>
> > Managing IP addresses should not be a kernel task.  So I suspect the raw
> VPN technology will get embedded into the kernel and solving IP address
> management will be left to some user space utility.  I just don't know if
> it will require some supporting capability in the kernel or not.
> >
> > David
> >
> >
> >
> > On Sun, Dec 3, 2017 at 3:44 PM, Michael Knill <
> michael.kn...@ipcsolutions.com.au> wrote:
> > Great thanks Lonnie. I'm looking forward to it. Very cool!
> >
> > Regards
> > Michael Knill
> >
> > -----Original Message-----
> > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> > Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > Date: Monday, 4 December 2017 at 1:39 am
> > To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > Subject: Re: [Astlinux-users] AstLinux Pre-Release:
> astlinux-1.3-3534-c5e366
> >
> > Hi Michael,
> >
> > > Wow (WireGuard) looks super easy to set up.
> >
> > Indeed, the easiest VPN you ever have setup, particularly for
> site-to-site scenarios routing networks across the VPN.
> >
> >
> > > So is it ready for production?
> >
> > I have had in production a remote AstLinux box (SIP / HTTPS) over
> WireGuard for a few weeks now ... works perfectly, never missed a beat,
> different ISP at each end.
> >
> > Officially, I would look for a 1.0.0 release and acceptance into the
> mainline Linux kernel as milestones indicating WireGuard's
> production-readiness ... should happen soon, but not yet.
> >
> > Definitely worth testing now.
> >
> > Lonnie
> >
> >
> >
> > On Dec 2, 2017, at 10:26 PM, Michael Knill <michael.knill@ipcsolutions.
> com.au> wrote:
> >
> > > Wow looks super easy to set up. So is it ready for production?
> > >
> > > Regards
> > > Michael Knill
> > >
> > > -----Original Message-----
> > > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> > > Reply-To: AstLinux Developers Mailing List <astlinux-devel@lists.
> sourceforge.net>
> > > Date: Sunday, 3 December 2017 at 10:13 am
> > > To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > > Cc: AstLinux Developers Mailing List <astlinux-devel@lists.
> sourceforge.net>
> > > Subject: [Astlinux-devel] AstLinux Pre-Release:
> astlinux-1.3-3534-c5e366
> > >
> > > Announcing Pre-Release Version: astlinux-1.3-3534-c5e366
> > >
> > > Particularly notable is the addition of the WireGuard VPN.
> > >
> > > The AstLinux Team is regularly upgrading packages containing security
> and bug fixes as well as adding new features of our own.
> > >
> > > -- WireGuard VPN, new package; an extremely simple yet fast and modern
> VPN that utilizes state-of-the-art cryptography.
> > > http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn
> > >
> > > -- Asterisk 13 version bump to 13.18.3
> > >
> > > These pre-release images are for those who would like to take
> advantage of the AstLinux development before the next official release, as
> well as providing testing for the project.
> > >
> > > The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can
> be found under the "Development" tab of the AstLinux Project web site ...
> > >
> > > AstLinux Project -> Development
> > > http://www.astlinux-project.org/dev.html
> > >
> > > While these images are considered 'stable', the lack of testing will
> not make these images suitable for critical production systems.
> > >
> > > If you should come across an issue, please report back here.
> > >
> > > AstLinux Team
>
> Michael
>
> http://www.mksolutions.info
>
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
>