https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287653
--- Comment #2 from Paige Thompson <pa...@paige.bio> ---
(In reply to Marek Zarychta from comment #1)

Hey-- I actually moved on from this and settled on WireGuard for now, but for what this is worth I actually was hoping to get dco working between FreeBSD machines but I couldn't figure out how to get it to work even with both machines being FreeBSD. disable-dco would be fine but there's seldom ever a case where I want to settle for less when in theory I could have better.

Honestly I wanted to use IPSEC with racoon but the problem I seemed to be having with that was NAT and using NAT-T the correct way (or there's something else wrong). There are issues with that depending on whether you use transport or tunnel; and depending on fragmentation settings. I'll probably revisit this at some point but I just used WireGuard; it works even though I don't really care for it that much--it works, though part of the configuration I'm doing with rc.local:

rc.conf takes care of standing up the interface and configuring it

    wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
            options=80000<LINKSTATE>
            inet 192.0.2.1 netmask 0xfffffffe
            inet6 fcff:56::192:0:2:1 prefixlen 64
            groups: wg
            fib: 56
            tunnelfib: 255
            nd6 options=101<PERFORMNUD,NO_DAD>

rc.local associates the keys and remotes with the interface:

    wg setconf wg0 /usr/local/etc/wireguard/wg0.conf

You can close this if you want, but in more than a decade of using OpenVPN I've never felt so defeated as I have by ovpn(4). Moreover, I don't think it's capable in its current state of functioning in the way I need it to (where it is assigned to fib 56 and uses FIB 255 for the tunnel)--WireGuard just *barely* is, and not only that but the best I could come up with was to add the last command for its setup to rc.local.
I looked around for quite a while and I've found some evidence of people who have used it at different points in time, and I also don't think that it's always functioned the same way because some of the examples that I was able to piece together didn't work at all. I don't really like using WireGuard, but I'm not really keen on OpenVPN to be honest and I feel like even ovpn at some point was a shortcut to get away from having to deal with security associations, fragmentation with AH/ESP, NAT-T, etc. IPSEC hasn't always been the most reliable thing from one client to the next so there was also that, but it's hard to imagine how that could be any more so; in theory the only obstacle is figuring out how to set it up in every case.

You can close this if you want. Personally, and I know my opinions are unpopular, but I think for something that is in tree it should probably have a little more documentation in the man page.