On Mon, 8 Oct 2018, Daniel Kahn Gillmor wrote:
> I agree with the goals of this thread. I've been nudging Paul for over
> a year now with the hopes of getting something running that "just works"
> with something as close to an "{apt|dnf} install libreswan" as possible.
Thanks for doing that. We are still working on making OE easier to use.
I agree with Kim that a web interface is *not* the way to go. wireguard
configuration files are pretty simple, dumb .ini-file style configs that
identify peers by public key.
Note that it is not a fair comparison, as wireguard does a lot of
configuration out of band, such as DNS servers. It also hardcodes ports
and keys.
Below is the most complex example from wg(8):
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820
[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
So this translates to:
conn peer-to-peer
left=%defaultroute
leftrsasigkey=0xXXXXXXXXXXX
leftsubnets=10.192.122.3/32,10.192.124.1/24
right=192.95.5.67
rightrsasigkey=0xYYYYYYYY
auto=start
(assuming I'm reading the meaning of AllowedIPs right)
That's 7 lines versus 7 lines. It's really not that much more complicated. It
is a myth. In fact, the whole demultiplexing / port usage of WG is more
complexity :P
The one thing I do dislike is our %defaultroute and %any values. It
would be nice if we could orient based on the private/public key and
pickup the IPs automatically. Still, that only saves you 1 line.
> Can libreswan offer something comparably simple for users whose goal is
> a "VPN"? Or, if libreswan sees that targeted use case as not-in-scope,
> is there some other use case that libreswan can offer a comparably
> compelling minimalist configuration?
I'm not sure how we can be more minimal than this; it is the same as
wireguard.
Clearly we need a better marketing strategy and fancy website so people
will understand it better. But again, IKE/IPsec is not harder than
wireguard. We just have many more different kinds of deployments and
additional optional features.
Now, when you are talking about a real remote access VPN, I do agree
it is a little more complicated than desired:
conn vpn.nohats.ca
left=%defaultroute
leftcert=letoams.nohats.ca
leftsubnet=0.0.0.0/0
[email protected]
right=vpn.nohats.ca
rightsubnet=0.0.0.0/0
narrowing=yes
ikev2=insist
leftmodecfgclient=yes
It would be nice if this could become:
conn vpn.nohats.ca
type=remote-access-vpn
leftcert=letoams.nohats.ca
right=vpn.nohats.ca
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
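The line-for-line translation Paul sketches above can be mechanized. The script below is an added example, not code from the libreswan or WireGuard projects: it parses a wg(8)-style config and emits one libreswan conn per [Peer], mapping Endpoint to right and AllowedIPs to the peer's subnets. Assumptions made for illustration: the conn names (peer1, peer2), the RSA-key placeholders (a Curve25519 WireGuard key is not an RSA key, so no real conversion is possible), the second roaming peer in the sample input (constructed, with a dummy key), and the choice to write AllowedIPs as rightsubnets rather than leftsubnets, since WireGuard defines AllowedIPs as the addresses routed to and accepted from that peer.

```python
"""Translate a wg(8)-style WireGuard config into libreswan conn stanzas.

Added example, not libreswan or WireGuard project code. Conn names, the
RSA-key placeholders and the second (roaming) peer are assumptions.
"""
import ipaddress

# Constructed sample: the first peer is the wg(8) example quoted in the
# email; the second peer (no Endpoint, dummy key) is added to exercise
# multi-peer and roaming-peer handling.
SAMPLE_WG_CONF = """\
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

[Peer]
PublicKey = CONSTRUCTED-DUMMY-KEY-NOT-A-REAL-KEY=
AllowedIPs = 10.192.130.0/24
"""


def parse_wg_conf(text):
    """Parse INI-style text into an ordered list of (section, {key: value}).

    Hand-rolled because configparser either rejects or merges repeated
    [Peer] sections, which are normal in WireGuard files.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg(8) uses '#' for comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        fields = current[1]
        # AllowedIPs may legitimately be repeated; join repeats with commas.
        fields[key] = f"{fields[key]}, {value}" if key in fields else value
    return sections


def normalize_networks(allowed_ips):
    """Comma-join AllowedIPs as true prefixes.

    WireGuard tolerates host bits in a prefix (10.192.124.1/24); a libreswan
    subnet list should name the network, so this yields 10.192.124.0/24.
    """
    nets = []
    for item in allowed_ips.split(","):
        item = item.strip()
        if item:
            nets.append(str(ipaddress.ip_network(item, strict=False)))
    return ",".join(nets)


def peer_to_conn(name, peer):
    """Render one [Peer] as a libreswan conn using the email's mapping:
    Endpoint -> right, AllowedIPs -> peer subnets, keys -> *rsasigkey.

    Key lines are placeholders: a Curve25519 key cannot become an RSA key.
    """
    if "AllowedIPs" not in peer:
        raise ValueError(f"{name}: peer has no AllowedIPs")
    endpoint = peer.get("Endpoint")
    if endpoint:
        host, _, _port = endpoint.rpartition(":")   # port dropped: IKE uses
        host = host.strip("[]")                     # UDP 500/4500, not WG's
    else:
        host = "%any"                               # roaming peer, no address
    return "\n".join([
        f"conn {name}",
        "\tleft=%defaultroute",
        "\tleftrsasigkey=0xXXXXXXXXXXX",    # placeholder: local RSA key
        f"\tright={host}",
        f"\trightsubnets={normalize_networks(peer['AllowedIPs'])}",
        f"\t# WireGuard PublicKey {peer.get('PublicKey', '?')} is not an RSA key",
        "\trightrsasigkey=0xYYYYYYYYYYY",   # placeholder: peer's RSA key
        "\tauto=start",
    ])


def wg_to_libreswan(text):
    """Return one conn stanza per [Peer] in the given WireGuard config."""
    sections = parse_wg_conf(text)
    if sum(1 for n, _ in sections if n == "Interface") != 1:
        raise ValueError("expected exactly one [Interface] section")
    peers = [fields for n, fields in sections if n == "Peer"]
    return [peer_to_conn(f"peer{i}", p) for i, p in enumerate(peers, 1)]


if __name__ == "__main__":
    print("\n\n".join(wg_to_libreswan(SAMPLE_WG_CONF)))
```

Running it prints two conn stanzas; the first reproduces the email's 7-line shape (plus one comment line) and the second shows how a peer without a fixed Endpoint becomes right=%any. The ListenPort value is deliberately not carried over, matching Paul's point that WireGuard's port and key handling has no one-line equivalent in IKE/IPsec.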