WireGuard is a new type of VPN that aims to be simpler to set up and maintain than current VPNs and to offer a higher degree of security. The software is free and open source (it's licensed GPLv2, the same license as the Linux kernel), which is always a big plus in my book. It's also designed to be easily portable between operating systems.

OK, but why?

All of that might lead you to ask: in a world that already has IPSEC, PPTP, L2TP, OpenVPN, and a bewildering array of proprietary SSL VPNs, do we need yet another type of VPN? I've seen a few new VPN designs pop up in the last few years (ZeroTier and Tinc come to mind), and each time, I've thought, "I should really look into that." And then I haven't. I use OpenVPN heavily; I'm thoroughly familiar with it, and it scratches most of my VPN-related itches pretty well.

So how did WireGuard rattle my cage hard enough to get me to actually play with it? It had something you almost never see: a positive comment about its code from none other than Linus Torvalds.

Linus Torvalds, on the Linux Kernel Mailing List

That was enough to get me to sit up and pay attention. If you think "maybe it isn't perfect, but" is damning with faint praise, you clearly aren't familiar with Torvalds' acerbic writing style.

Fewer lines of code

A little more research gave me some insight into why Torvalds might have been so uncharacteristically positive. WireGuard weighs in at around 4,000 lines of code; this compares to 600,000 total lines of code for OpenVPN + OpenSSL or 400,000 total lines of code for XFRM+StrongSwan for an IPSEC VPN. Two orders of magnitude fewer lines of code mean a lot less attack surface to find flaws in. A much smaller codebase also means code that's more likely to work the way it's supposed to.

One of my biggest operational beefs with OpenVPN is how its tunnels can either crash or hang. This probably won't happen frequently enough for you to notice if you only have a few tens of clients, and most of those are manually operated by a human clicking something to connect and disconnect their tunnel as needed anyway. But if you want to manage a network with hundreds of clients, all of which should automatically manage their own always-on tunnels, it's a big problem. OpenVPN features ping and ping-restart configuration arguments that should take care of this for you, but they don't. I've spent more of my time crafting and maintaining watchdog scripts that carefully check for, kill -9, and restart OpenVPN daemons than I like to think about. I'd love to be able to replace them with something that just works.

I don't want to sugarcoat this: VPNs aren't simple, and WireGuard doesn't suddenly make them a kindergarten project. With that said, it took me a few days of careful, determined, and dedicated reading, implementation, and testing before I understood OpenVPN well enough to really have any idea what I was doing. A few years later, I needed another week or two of trawling the Internet for how-tos and piecing them together in order to build a large-scale OpenVPN-based network. I spent another half-day or so reading about the latest advancements in configuration and best practices before updating my configurations for last year's Ars Technica OpenVPN guide. By rather sharp contrast, I created working, stable, documented configurations for a scalable, secure WireGuard network in about six hours on a Sunday afternoon. Much of this greater simplicity in setup and configuration is due to WireGuard's deliberate, principled rejection of cryptographic agility.