[Swan-dev] simple setup
Paul Wouters
paul at nohats.ca
Mon Oct 8 22:07:14 UTC 2018
On Mon, 8 Oct 2018, Daniel Kahn Gillmor wrote:
> I agree with the goals of this thread. I've been nudging Paul for over
> a year now with the hopes of getting something running that "just works"
> with something as close to an "{apt|dnf} install libreswan" as possible.
Thanks for doing that. We are still working on making OE easier to use.
> I agree with Kim that a web interface is *not* the way to go. wireguard
> configuration files are pretty simple, dumb .ini-file style configs that
> identify peers by public key.
Note that it is not a fair comparison, as wireguard does a lot of
configuration out of band, such as DNS servers. It also hardcodes ports
and keys.
> Below is the most complex example from wg(8):
>
> [Interface]
> PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
> ListenPort = 51820
>
> [Peer]
> PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
> Endpoint = 192.95.5.67:1234
> AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
So this translates to:
conn peer-to-peer
    left=%defaultroute
    leftrsasigkey=0xXXXXXXXXXXX
    leftsubnets=10.192.122.3/32,10.192.124.1/24
    right=192.95.5.67
    rightrsasigkey=0YYYYYYYY
    auto=start
(assuming I'm reading the meaning of AllowedIPs right)
That's 7 lines versus 7 lines. It's really not that much more complicated. It
is a myth. In fact, the whole demultiplexing / port usage of WG is more
complexity :P
The one thing I do dislike is our %defaultroute and %any values. It
would be nice if we could orient based on the private/public key and
pick up the IPs automatically. Still, that only saves you 1 line.
> Can libreswan offer something comparably simple for users whose goal is
> a "VPN"? Or, if libreswan sees that targeted use case as not-in-scope,
> is there some other use case that libreswan can offer a comparably
> compelling minimalist configuration?
I'm not sure how we can be more minimal than this; it is the same as
wireguard.
Clearly we need a better marketing strategy and fancy website so people
will understand it better. But again, IKE/IPsec is not harder than
wireguard. We just have many more different kinds of deployments and
additional optional features.
Now, when you are talking about a real remote access VPN, I do agree
it is a little more complicated than desired:
conn vpn.nohats.ca
    left=%defaultroute
    leftcert=letoams.nohats.ca
    leftsubnet=0.0.0.0/0
    rightid=@vpn.nohats.ca
    right=vpn.nohats.ca
    rightsubnet=0.0.0.0/0
    narrowing=yes
    ikev2=insist
    leftmodecfgclient=yes
It would be nice if this could become:
conn vpn.nohats.ca
    type=remote-access-vpn
    leftcert=letoams.nohats.ca
    right=vpn.nohats.ca
Paul
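A small converter for the WireGuard-to-libreswan translation discussed in the message above, added here as an example that is not part of the original post or of libreswan itself: it parses the quoted wg(8) config with the standard library, validates the AllowedIPs prefixes, and emits the conn stanza with the same field mapping Paul used (AllowedIPs to leftsubnets, Endpoint host to right). The function names and the key placeholders are assumptions; WireGuard's Curve25519 keys cannot be reused as IKE signing keys, so they are deliberately not converted.

```python
import configparser
import ipaddress

# Constructed sample input: the wg(8) example quoted in the thread above.
WG_CONF = """\
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = 192.95.5.67:1234
AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
"""

# Placeholders (assumption): WireGuard's Curve25519 keys are not IKE signing
# keys, so the real leftrsasigkey/rightrsasigkey values must be generated separately.
LEFT_KEY_PLACEHOLDER = "0xXXXXXXXXXXX"
RIGHT_KEY_PLACEHOLDER = "0xYYYYYYYYYYY"

def parse_allowed_ips(value):
    """Split a comma-separated AllowedIPs list and validate each CIDR. strict=False
    accepts host bits in the prefix (wg(8)'s 10.192.124.1/24) and normalises the
    entry to its network address; a malformed CIDR raises ValueError."""
    nets = [str(ipaddress.ip_network(s.strip(), strict=False))
            for s in value.split(",") if s.strip()]
    if not nets:
        raise ValueError("AllowedIPs is empty")
    return nets

def wg_to_ipsec_conn(wg_text, name="peer-to-peer"):
    """Render a WireGuard [Interface]/[Peer] config as a libreswan conn, using
    the thread's mapping (AllowedIPs -> leftsubnets, Endpoint host -> right).
    Parameters are indented because ipsec.conf requires that inside a section."""
    cfg = configparser.ConfigParser(strict=False)
    cfg.optionxform = str  # keep WireGuard's CamelCase key names
    cfg.read_string(wg_text)
    peer = cfg["Peer"]
    # Endpoint is host:port; IKE uses its own UDP ports, so only the host is kept.
    host = peer["Endpoint"].rpartition(":")[0].strip("[]")
    lines = [
        f"conn {name}",
        "    left=%defaultroute",
        f"    leftrsasigkey={LEFT_KEY_PLACEHOLDER}",
        f"    leftsubnets={','.join(parse_allowed_ips(peer['AllowedIPs']))}",
        f"    right={host}",
        f"    rightrsasigkey={RIGHT_KEY_PLACEHOLDER}",
        "    auto=start",
    ]
    return "\n".join(lines) + "\n"
```

Note that the second wg(8) prefix has host bits set; the converter normalises it to 10.192.124.0/24 rather than passing the raw value through.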