I agree, for site-to-site WireGuard is perfect.  With time more
user-friendly clients will emerge and a mechanism for managing IP addresses
established to make that work easily as well.

David.

On Mon, Dec 4, 2017 at 11:05 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com>
wrote:

> Hi David,
>
> Thanks for testing WireGuard, and you make good points.
>
> WireGuard and IPSec are similar in some ways, as the core code is in the
> kernel and as such all addresses are manually assigned as you mention.
>
> IPSec has bolted on much "stuff" as time has gone on, Extended
> Authentication (XAUTH) and Mode Configuration (MODE-CFG) to support dynamic
> pools for client configuration via a user space daemon.
>
> I have tested a commercial VPN provider Mullvad.net which supports
> WireGuard VPN "clients" where their "server" end automatically assigns a
> 10.0.0.0/8 private /32 address for each client.  A static one-time
> configuration, works very nicely.
>
> Another approach would be to standardize on an IPv6 ULA "fd" address scheme
> for the local client address, possibly generated from a hash of the
> PublicKey.
>
> For site-to-site AstLinux constellations, there is no better VPN solution
> than WireGuard, IMHO.
>
> It will take some time for Android, iOS, ChromeOS, etc. to provide
> WireGuard solutions, but Android is almost there now, both user-space and
> kernel implementations.
>
> Lonnie
>
>
> On Dec 4, 2017, at 9:02 AM, David Kerr <da...@kerr.net> wrote:
>
> > Having played with WireGuard I think that it is very good underlying
> > technology to implement VPN.  It seems to be very robust and tolerates
> > roaming (client's IP address changing) very well.  But there are missing
> > pieces before it is ready for mainstream adoption.
> >
> > The biggest issue that I see is that client IP addresses (whether IPv4
> > or IPv6) needed to be managed manually.... if you have a dozen clients
> > connecting in to the one server, each of these clients must have an IP
> > address manually assigned and configured at the client, and the server
> > needs to know what IP address was assigned and if there are any conflicts
> > (two clients use the same IP address) then I guess the results are
> > "undefined".  Right now there is no way to have the server manage a pool of
> > IP addresses and push out to the client an IP address when it connects,
> > whether that IP is dynamically determined by the server or manually
> > configured for each client on the server.  WireGuard could never be
> > deployed on a large scale without this.
> >
> > Managing IP addresses should not be a kernel task.  So I suspect the raw
> > VPN technology will get embedded into the kernel and solving IP address
> > management will be left to some user space utility.  I just don't know if
> > it will require some supporting capability in the kernel or not.
> >
> > David
> >
> >
> >
> > On Sun, Dec 3, 2017 at 3:44 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> > Great thanks Lonnie. I'm looking forward to it. Very cool!
> >
> > Regards
> > Michael Knill
> >
> > -----Original Message-----
> > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> > Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > Date: Monday, 4 December 2017 at 1:39 am
> > To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > Subject: Re: [Astlinux-users] AstLinux Pre-Release:
> astlinux-1.3-3534-c5e366
> >
> > Hi Michael,
> >
> > > Wow (WireGuard) looks super easy to set up.
> >
> > Indeed, the easiest VPN you ever have setup, particularly for
> > site-to-site scenarios routing networks across the VPN.
> >
> >
> > > So is it ready for production?
> >
> > I have had in production a remote AstLinux box (SIP / HTTPS) over
> > WireGuard for a few weeks now ... works perfectly, never missed a beat,
> > different ISP at each end.
> >
> > Officially, I would look for a 1.0.0 release and acceptance into the
> > mainline Linux kernel as milestones indicating WireGuard's
> > production-readiness ... should happen soon, but not yet.
> >
> > Definitely worth testing now.
> >
> > Lonnie
> >
> >
> >
> > On Dec 2, 2017, at 10:26 PM, Michael Knill <michael.knill@ipcsolutions.com.au> wrote:
> >
> > > Wow looks super easy to set up. So is it ready for production?
> > >
> > > Regards
> > > Michael Knill
> > >
> > > -----Original Message-----
> > > From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> > > Reply-To: AstLinux Developers Mailing List <astlinux-devel@lists.sourceforge.net>
> > > Date: Sunday, 3 December 2017 at 10:13 am
> > > To: AstLinux List <astlinux-users@lists.sourceforge.net>
> > > Cc: AstLinux Developers Mailing List <astlinux-devel@lists.sourceforge.net>
> > > Subject: [Astlinux-devel] AstLinux Pre-Release: astlinux-1.3-3534-c5e366
> > >
> > > Announcing Pre-Release Version: astlinux-1.3-3534-c5e366
> > >
> > > Particularly notable is the addition of the WireGuard VPN.
> > >
> > > The AstLinux Team is regularly upgrading packages containing security
> > > and bug fixes as well as adding new features of our own.
> > >
> > > -- WireGuard VPN, new package; an extremely simple yet fast and modern
> > > VPN that utilizes state-of-the-art cryptography.
> > > http://doc.astlinux-project.org/userdoc:tt_wireguard_vpn
> > >
> > > -- Asterisk 13 version bump to 13.18.3
> > >
> > > These pre-release images are for those who would like to take
> > > advantage of the AstLinux development before the next official release, as
> > > well as providing testing for the project.
> > >
> > > The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can
> > > be found under the "Development" tab of the AstLinux Project web site ...
> > >
> > > AstLinux Project -> Development
> > > http://www.astlinux-project.org/dev.html
> > >
> > > While these images are considered 'stable', the lack of testing will
> > > not make these images suitable for critical production systems.
> > >
> > > If you should come across an issue, please report back here.
> > >
> > > AstLinux Team
> >
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Astlinux-users mailing list
> > Astlinux-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> > pay...@krisk.org.
> >
>
>
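
The idea raised in the quoted thread, deriving each client's ULA "fd" address from a hash of its PublicKey while refusing the address conflicts David describes, sketched as an added example that is not code from the thread, AstLinux or WireGuard. SHA-256, the prefix fd12:3456:789a:1::/64, the function names and the sample keys are assumptions.

```python
import base64
import hashlib
import ipaddress

# Constructed ULA prefix for this example (assumption, not from the thread).
ULA_PREFIX = ipaddress.IPv6Network("fd12:3456:789a:1::/64")


def ula_from_pubkey(pubkey_b64, prefix=ULA_PREFIX):
    """Derive a stable client address inside `prefix` from a WireGuard public key."""
    if prefix.network_address.packed[0] != 0xFD:
        raise ValueError("prefix is not in the locally assigned ULA range fd00::/8")
    key = base64.b64decode(pubkey_b64, validate=True)
    if len(key) != 32:  # WireGuard public keys are 32-byte Curve25519 values
        raise ValueError("public key must decode to 32 bytes")
    host_bits = 128 - prefix.prefixlen
    digest = int.from_bytes(hashlib.sha256(key).digest(), "big")
    host = digest >> (256 - host_bits)  # keep the top host_bits of the hash
    return ipaddress.IPv6Address(int(prefix.network_address) + host)


def assign_addresses(pubkeys, prefix=ULA_PREFIX):
    """Map each key to its address; refuse duplicate keys or colliding addresses."""
    by_addr = {}
    for pk in pubkeys:
        addr = ula_from_pubkey(pk, prefix)
        if addr in by_addr:
            raise ValueError(f"address conflict: {addr} for {by_addr[addr]} and {pk}")
        by_addr[addr] = pk
    return {pk: addr for addr, pk in by_addr.items()}


def server_peer_stanza(pubkey_b64, addr):
    """Server-side [Peer] section pinning the client to its derived /128."""
    return f"[Peer]\nPublicKey = {pubkey_b64}\nAllowedIPs = {addr}/128\n"


def constructed_key(i):
    """Constructed 32-byte value standing in for a public key (not a real key)."""
    return base64.b64encode(hashlib.sha256(b"example-peer-%d" % i).digest()).decode()


if __name__ == "__main__":
    table = assign_addresses([constructed_key(i) for i in range(3)])
    for pk, addr in table.items():
        print(server_peer_stanza(pk, addr))
```

With 64 host bits an accidental collision is very unlikely, but the conflict check still matters: the same key enrolled twice, or a prefix with few host bits, makes `assign_addresses` raise instead of handing two peers the same address.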