WireGuard VPN update

Over on the WireGuard mailing list:

Jason wrote: "WireGuard has been merged into Dave Miller's net-next tree. That means when Linus Torvalds opens up his tree for Linux 5.6, Dave will send a pull request to Linus, and WireGuard will wind up in Linux 5.6. This is big news and very exciting."

Additionally, 12 days ago, Jason merged the syncconf command [2] into master, which is significant for us since AstLinux's seamless "WireGuard Reload" for adding/removing/updating peers uses this feature.

Finally, somewhat related, over the weekend the interwebs were excited about a possible vulnerability ...

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections
https://seclists.org/oss-sec/2019/q4/122

While this CVE is more client related, AstLinux's AIF firewall (Arno's Iptables Firewall) already mitigates such an attack. Kudos to Arno and the design decisions he made many years ago.

Lonnie

> On Sep 7, 2019, at 6:02 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie for the info. Very helpful. I'm a big fan too, which is why I asked the question.
>
> After weighing up the pros and cons, I think that I'm going to start using it. I'm not concerned from a security perspective as it's all unclassified traffic anyway, already running over the public internet. And I have done enough testing that I feel quite comfortable with its stability.
>
> The worst case scenario is that if I do have problems, I just need to move the sites over to another VPN technology, which would not affect the overall architecture of the solution very much.
>
> Thanks all.
>
> Regards
> Michael Knill
>
> On 8/9/19, 12:01 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> > On Sep 7, 2019, at 3:25 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> >
> > > Hi Group
> > >
> > > In previous discussions I hinted at wanting to build a full telephony network with softswitch, and with our significant growth in the last couple of months, I believe the time has come to kick it off.
> > > The problem is that although I have had zero issues with WireGuard and it's perfect for what I need, it's not classified as stable and I'm just concerned about using it in production (even though I already am!). OpenVPN is nice and stable but the failover time is just not as good and it's a dog to set up.
> > >
> > > So just wondering what other people think?
> > > I'm looking at 100+ sites terminating onto a Softswitch.
> > >
> > > Regards
> > > Michael Knill
> >
> > As you know I'm a big fan of WireGuard, and in fact it is the only VPN I use anymore, but I won't make such an important design decision for your business; this is only my opinion.
> >
> > Here is the current status on the various WireGuard repos:
> >
> > https://www.wireguard.com/repositories/
> >
> > The Linux kernel repo is noted as "Complete" (completes its goal mostly and is actively maintained).
> >
> > From what I read [1], WireGuard would be in the mainline Linux Kernel by now if it weren't for the internal squabbling on how to organize a new "zinc" crypto library WireGuard uses, which supersedes some older crypto libraries in the kernel. If not for that, the WireGuard tunnel part would have been in the Linux kernel (officially) for some time now. Hopefully the crypto squabbling will get resolved soon. Linus likes WireGuard.
> >
> > WireGuard, OpenVPN and IPsec/NAT-Traversal all provide a VPN tunnel over UDP, but the simplicity and efficiency of WireGuard in the Linux kernel stands out over the others.
> >
> > But, also keep in mind that AstLinux's seamless "WireGuard Reload" for adding/removing/updating peers is in Jason's repo [2], but has not yet been merged to WG's master (AstLinux includes it as a patch [3]) ... though this is only a tweak to the "wg" tool and not to the kernel module.
> >
> > Lonnie
> >
> > [1] https://lkml.org/lkml/2019/3/25/443
> > [2] https://git.zx2c4.com/WireGuard/commit/?h=jd/syncconf
> > [3] https://github.com/astlinux-project/astlinux/blob/master/package/wireguard/wireguard-0900-syncconf.patch

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
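The thread says AIF already mitigates CVE-2019-14899 but does not describe how. The following is an added illustration, not AIF's rules or any AstLinux code: it simulates the host-side check that the attack class depends on being absent, strict reverse-path filtering (the behaviour of Linux `rp_filter=1`) together with refusing packets addressed to the tunnel's own address when they arrive on a physical interface. The routing table, interface names and addresses are constructed sample values for a full-tunnel WireGuard client whose default route points into `wg0`; they are assumptions, not values from the page.

```python
"""
Added example (not AstLinux/AIF code): simulate strict reverse-path
filtering and a "tunnel address must arrive on the tunnel" check, the
host-side behaviours that block the probes used by CVE-2019-14899-style
attacks.  All routes and addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for a full-tunnel WireGuard client:
# LAN on eth0, tunnel network on wg0, the VPN server's public endpoint
# reachable via eth0, and everything else sent through the tunnel.
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    Route(ipaddress.ip_network("10.7.0.0/24"), "wg0"),
    Route(ipaddress.ip_network("203.0.113.10/32"), "eth0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wg0"),
]

# Constructed: the addresses this host owns, keyed by interface.
LOCAL_ADDRS = {
    "eth0": ipaddress.ip_address("192.168.1.50"),
    "wg0": ipaddress.ip_address("10.7.0.2"),
}


def egress_iface(dst, routes=ROUTES):
    """Longest-prefix match: the interface this host would use to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def accept_packet(ingress, src, dst, strict_rpf=True):
    """
    Decide whether an inbound packet is accepted; returns (accepted, reason).

    Check 1: a packet addressed to an address this host owns on interface X
    but arriving on a different interface Y is dropped.  A packet for the
    tunnel's 10.7.0.2 arriving on eth0 can only be a spoof from the LAN.

    Check 2 (strict_rpf): the route back to the packet's source must leave
    via the interface the packet arrived on (Linux rp_filter=1).  A packet
    claiming to come from a remote site but arriving on eth0 fails, because
    the remote site is reached through wg0.  With strict_rpf=False the host
    behaves like rp_filter=0/2 and accepts such packets.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for iface, addr in LOCAL_ADDRS.items():
        if dst == addr and iface != ingress:
            return False, f"dst {dst} belongs to {iface} but arrived on {ingress}"
    if strict_rpf:
        back = egress_iface(src)
        if back != ingress:
            return False, f"reverse path for {src} is {back}, not {ingress}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed probes: the first two are what a LAN-adjacent sender would
    # have to get accepted; both are refused, the legitimate tunnel packet is not.
    for args in [("eth0", "192.168.1.1", "10.7.0.2"),
                 ("eth0", "198.51.100.7", "192.168.1.50"),
                 ("wg0", "198.51.100.7", "10.7.0.2")]:
        print(args, accept_packet(*args))
```

Run stand-alone it prints the verdict for three constructed packets. The two checks are independent: the first needs no routing knowledge at all and is the kind of rule a firewall can express directly (drop anything for the tunnel address that did not enter via the tunnel), while the second is the sysctl-level behaviour and only helps if the return route for the spoofed source really points into the tunnel, which is the full-tunnel client case.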