[Swan-dev] simple setup

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Oct 8 18:47:21 UTC 2018


On Sat 2018-10-06 09:26:09 +0300, Kim B. Heino wrote:
> Back to topic: Webgui will not make libreswan simple to setup for first
> time user. It makes it even more complex.

I agree with the goals of this thread.  I've been nudging Paul for over
a year now with the hopes of getting something running that "just works"
with something as close to an "{apt|dnf} install libreswan" as possible.

I recognize that where authentication is important, there will need to
be some additional config -- at least to identify the relevant peers --
but i'm happy to automate those bits as much as we can.

I agree with Kim that a web interface is *not* the way to go.  wireguard
configuration files are pretty simple, dumb .ini-file style configs that
identify peers by public key.

Below is the most complex example from wg(8):

           [Interface]
           PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
           ListenPort = 51820

           [Peer]
           PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
           Endpoint = 192.95.5.67:1234
           AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

           [Peer]
           PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
           Endpoint = [2607:5300:60:6b0::c05f:543]:2468
           AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

           [Peer]
           PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
           Endpoint = test.wireguard.com:18981
           AllowedIPs = 10.10.10.230/32


(note that even the "Endpoint" lines aren't necessary for the
passive side (the "server") of a VPN connection)

Can libreswan offer something comparably simple for users whose goal is
a "VPN"?  Or, if libreswan sees that targeted use case as not-in-scope,
is there some other use case that libreswan can offer a comparably
compelling minimalist configuration?

    --dkg
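The wg(8) format quoted above is simple enough to parse and sanity-check in a few lines. This is an added example, not code from the mail or from either project; it assumes the plain `Key = Value` .ini style shown above and checks that keys decode to 32 bytes and that AllowedIPs entries are valid networks, with Endpoint left optional for the passive side.

```python
import base64
import ipaddress

# Sample built from the wg(8) example in the mail; 2nd peer has no Endpoint.
SAMPLE = """\
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = [2607:5300:60:6b0::c05f:543]:2468
AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
AllowedIPs = 10.10.10.230/32
"""

def parse_wg(text):
    # Returns [(section, {key: value})]; repeated [Peer] sections stay
    # separate, which is why configparser (which merges them) is not used.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
        elif line:
            raise ValueError("unparsable line: %r" % raw)
    return sections

def is_key(value):
    # A WireGuard key is 32 bytes, base64-encoded (44 characters).
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check(sections):
    # Returns a list of problems; an empty list means well-formed.
    problems = []
    for i, (name, kv) in enumerate(sections):
        if name == "Interface" and not is_key(kv.get("PrivateKey", "")):
            problems.append("Interface: bad or missing PrivateKey")
        elif name == "Peer":
            if not is_key(kv.get("PublicKey", "")):
                problems.append("Peer %d: bad or missing PublicKey" % i)
            for net in kv.get("AllowedIPs", "").split(","):
                try:  # strict=False: wg(8) itself shows 10.192.124.1/24
                    ipaddress.ip_network(net.strip(), strict=False)
                except ValueError:
                    problems.append("Peer %d: bad AllowedIPs %r" % (i, net))
    return problems
```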

