Thanks Lonnie for the info. Very helpful. I'm a big fan too, which is why I asked the question.

After weighing up the pros and cons, I think that I'm going to start using it. I'm not concerned from a security perspective as it's all unclassified traffic anyway already running over the public internet. And I have done enough testing that I feel quite comfortable with its stability. The worst case scenario is that if I do have problems, I just need to move the sites over to another VPN technology which would not affect the overall architecture of the solution very much.

Thanks all.

Regards
Michael Knill

On 8/9/19, 12:01 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

> On Sep 7, 2019, at 3:25 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Group
>
> In previous discussions I hinted at wanting to build a full telephony network with softswitch and with our significant growth in the last couple of months, I believe the time has come to kick it off.
> The problem is that although I have had zero issues with Wireguard and it's perfect for what I need, it's not classified as stable and I'm just concerned about using it in production (even though I already am!). OpenVPN is nice and stable but the failover time is just not as good and it's a dog to set up.
>
> So just wondering what other people think?
> I'm looking at 100+ sites terminating onto a Softswitch.
>
> Regards
> Michael Knill

As you know I'm a big fan of WireGuard, and in fact it is the only VPN I use anymore, but I will not suggest to make such an important design decision for your business, only my opinion.

Here is the current status on the various WireGuard repos:
https://www.wireguard.com/repositories/

The Linux kernel repo is noted as "Complete" (completes its goal mostly and is actively maintained).

From what I read [1], WireGuard would be in the mainline Linux Kernel by now if it weren't for the internal squabbling on how to organize a new "zinc" crypto library WireGuard uses which supersedes some older crypto libraries in the kernel. If not for that, the WireGuard tunnel part would have been in the Linux kernel (officially) for some time now. Hopefully the crypto squabbling will get resolved soon. Linus likes WireGuard.

WireGuard, OpenVPN and IPsec/NAT-Traversal all provide a VPN tunnel over UDP, but the simplicity and efficiency of WireGuard in the Linux kernel stands out over the others.

But, also keep in mind that AstLinux's seamless "WireGuard Reload" for adding/removing/updating peers is in Jason's repo [2], but has not yet been merged to WG's master (AstLinux includes it as a patch [3]) ... though this is only a tweak to the "wg" tool and not to the kernel module.

Lonnie

[1] https://lkml.org/lkml/2019/3/25/443
[2] https://git.zx2c4.com/WireGuard/commit/?h=jd/syncconf
[3] https://github.com/astlinux-project/astlinux/blob/master/package/wireguard/wireguard-0900-syncconf.patch

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.